On the Privacy Risks of Publishing Anonymized IP Network Traces

  • D. Koukis
  • S. Antonatos
  • K. G. Anagnostakis
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4237)


Networking researchers and engineers rely on network packet traces for understanding network behavior, developing models, and evaluating network performance. Although the bulk of published packet traces implement a form of address anonymization to hide sensitive information, it has been unclear if such anonymization techniques are sufficient to address the privacy concerns of users and organizations.

In this paper we attempt to quantify the risks of publishing anonymized packet traces. In particular, we examine whether statistical identification techniques can be used to uncover the identities of users and their surfing activities from anonymized packet traces. Our results show that such techniques can be used by any Web server that is itself present in the packet trace and has sufficient resources to map out and keep track of the content of popular Web sites to obtain information on the network-wide browsing behavior of its clients. Furthermore, we discuss how scan sequences identified in the trace can easily reveal the mapping from anonymized to real IP addresses.


Keywords: Privacy Risk, Page Request, Packet Trace, Pairwise Match, Local Subnet



Copyright information

© IFIP International Federation for Information Processing 2006

Authors and Affiliations

  • D. Koukis (1)
  • S. Antonatos (1)
  • K. G. Anagnostakis (2)
  1. Distributed Computing Systems Group, FORTH-ICS, Greece
  2. Infocomm Security Department, Institute for Infocomm Research, Singapore
