FLAIM

Developer(s) The LAIM Working Group - NCSA
Stable release
0.7.0 / February 29, 2008
Operating system Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X
Type Security / Privacy
License BSD license
Website flaim.ncsa.uiuc.edu

FLAIM (Framework for Log Anonymization and Information Management) is a modular tool designed to allow computer and network log sharing through application of complex data sanitization policies. [1]


FLAIM is aimed at 3 different user communities. First, FLAIM can be used by the security engineer who is investigating a broad incident spanning multiple organizations. Because of the sensitivity inherent in security-relevant logs, many organizations are reluctant to share them. However, this reluctance inhibits the sharing necessary to investigate intrusions that commonly span organizational boundaries. Second, anyone designing log analysis or computer forensics tools needs data with which they can test their tools. [2] The larger and more diverse the data set, the more robust they can make their tools. For many, this means they must gather many logs from outside sources, not just what they can generate in-house. Again, this requires log sharing. Third, researchers in many computer science disciplines (e.g., network measurements, computer security, etc.) need large and diverse data sets to study. Having data sanitization tools available makes organizations more willing to share their own logs with these researchers.

FLAIM is available under the Open Source Initiative approved University of Illinois/NCSA Open Source License. This is a BSD-style license. [3] It runs on Unix and Unix-like systems, including Linux, FreeBSD, NetBSD, OpenBSD and Mac OS X.

While FLAIM is not the only log anonymizer, it is unique in its flexibility to create complex XML policies and its support for multiple log types. [1] More specifically, it is the only such tool to meet the following 4 goals. (1) FLAIM provides a diverse set of anonymization primitives. (2) FLAIM supports multiple log types, including Linux process accounting logs, netfilter alerts, tcpdump traces and NFDUMP NetFlows. [4] (3) With a flexible anonymization policy language, complex policies that make trade-offs between information loss and security can be written. (4) FLAIM is modular and easily extensible to new types of logs and data; the anonymization engine is agnostic to the syntax of the actual log.
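The policy-driven sanitization the passage describes, as an added illustration that is not FLAIM's own code or its XML policy format: three anonymization primitives, a per-field policy that selects among them, and a syntax-agnostic engine run over constructed key=value records (the sample data, key and field names are all assumptions).

```python
import hashlib
import hmac
import ipaddress

# Constructed sample records (key=value style, loosely like a netfilter alert); not real data.
SAMPLE_LOG = [
    "ts=1204300800 src=192.0.2.17 dst=198.51.100.9 user=alice",
    "ts=1204300805 src=192.0.2.42 dst=198.51.100.9 user=bob",
]
KEY = b"constructed-demo-key"  # a real deployment uses a secret per sharing agreement

def truncate_ip(value, prefix_len):
    """Zero the host bits: the host is hidden but the /prefix_len network stays visible."""
    net = ipaddress.ip_network(f"{value}/{prefix_len}", strict=False)
    return str(net.network_address)

def keyed_hash(value, _param):
    """Keyed pseudonym: equal inputs give equal tokens (correlation survives),
    but the token cannot be inverted without KEY."""
    return hmac.new(KEY, value.encode(), hashlib.sha256).hexdigest()[:12]

def shift_time(value, delta):
    """Offset a Unix timestamp by a fixed delta; ordering and gaps are kept."""
    return str(int(value) + delta)

PRIMITIVES = {"truncate_ip": truncate_ip, "keyed_hash": keyed_hash, "shift": shift_time}

# Policy: field -> (primitive, parameter). Changing a rule (/24 -> /16, or
# truncation -> keyed_hash) is how the information-loss vs. security trade-off is tuned.
POLICY = {
    "src": ("truncate_ip", 24),
    "dst": ("keyed_hash", None),
    "user": ("keyed_hash", None),
    "ts": ("shift", -86400),
}

def parse(line):
    """Split 'k=v k=v ...' into a dict; the engine looks no deeper into field syntax."""
    return dict(tok.split("=", 1) for tok in line.split())

def anonymize(line, policy=POLICY):
    rec = parse(line)
    for field, (name, param) in policy.items():
        if field in rec:  # fields without a rule pass through unchanged
            rec[field] = PRIMITIVES[name](rec[field], param)
    return " ".join(f"{k}={v}" for k, v in rec.items())

def anonymize_log(lines, policy=POLICY):
    return [anonymize(line, policy) for line in lines]
```

Supporting a new log format only means writing a new `parse` for it; the primitives and the policy are untouched.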

History

Work on log anonymization began in 2004 at the NCSA. At first this was for anonymizing logs in-house to share with the SIFT group. Soon there was a need for more powerful anonymization and for anonymization of different types of logs. [5] CANINE was created to anonymize and convert between multiple formats of NetFlows. [6] [7] This was a Java GUI-based tool. Later, Scrub-PA was created to anonymize Process Accounting logs. [8] Scrub-PA was based on the Java code used for CANINE. The development of both of these tools was funded under the Office of Naval Research NCASSR research center through the SLAGEL project. [9]

It was quickly realized that building one-off tools for each new log format was not the way to go. Also, the earlier tools were limited in that they could not be scripted from the command line. It was decided that a new, modular command line-based UNIX tool was needed. Because speed was also a concern, this tool needed to be written in C++. With the successful acquisition of a Cyber Trust grant from the National Science Foundation, the LAIM Working Group was formed at the NCSA. [10] From this project, headed by the PI, Adam Slagell, FLAIM was developed to overcome these limitations of CANINE and Scrub-PA. The first public version of FLAIM, 0.4., was released on July 23, 2006. [11]

Features

References

  1. Slagell, A., Lakkaraju, K., and Luo, K., "FLAIM: A Multi-level Anonymization Framework for Computer and Network Logs," 20th USENIX Large Installation System Administration Conference (LISA '06), Washington, D.C., Dec., 2006.
  2. Garfinkel, S. "Forensic Corpora: A Challenge for Forensic Research" (PDF). Retrieved 2007-12-04.
  3. "FLAIM License". Archived from the original on 2007-06-28. Retrieved 2007-12-04.
  4. "FLAIM (Framework for Log Anonymization and Information Management)". Archived from the original on 2007-08-27. Retrieved 2007-12-04.
  5. Slagell, A., Li, Y., and Luo, K., "Sharing Network Logs for Computer Forensics: A New Tool for the Anonymization of NetFlow Records," Computer Network Forensics Research (CNFR) Workshop, Athens, Greece, Sep., 2005.
  6. Luo, K., Li, Y., Slagell, A., and Yurcik, W., "CANINE: A NetFlow Converter/Anonymizer Tool for Format Interoperability and Secure Sharing," FLOCON Network Flow Analysis Workshop, Pittsburgh, PA, Sep., 2005.
  7. Li, Y., Slagell, A., Luo, K., and Yurcik, W., "CANINE: A Combined Conversion and Anonymization Tool for Processing NetFlows for Security," 10th International Conference on Telecommunication Systems, Modeling and Analysis, Dallas, TX, Nov., 2005.
  8. Luo, K., Li, Y., Ermopoulos, C., Yurcik, W., and Slagell, A., "Scrub-PA: A Multi-level, Multi-Dimensional Anonymization Tool for Process Accounting," ACM Computing Research Repository (CoRR), Technical Report cs.CR/0601079, Jan., 2006.
  9. "SLAGEL (System Log Anonymization for Greater Exchange of Logs)". Retrieved 2007-12-04. (permanent dead link)
  10. "Log Anonymization and Information Management (LAIM) Working Group". Archived from the original on 2007-08-18. Retrieved 2007-12-04.
  11. "NCSA news archive 2006". Retrieved 2007-12-04.