FLAIM

Developer(s): The LAIM Working Group - NCSA
Stable release: 0.7.0 / February 29, 2008
Operating system: Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X
Type: Security / Privacy
License: BSD license
Website: http://flaim.ncsa.uiuc.edu/

FLAIM (Framework for Log Anonymization and Information Management) is a modular tool designed to allow computer and network log sharing through application of complex data sanitization policies. [1]

FLAIM is aimed at 3 different user communities. First, FLAIM can be used by the security engineer who is investigating a broad incident spanning multiple organizations. Because of the sensitivity inherent in security-relevant logs, many organizations are reluctant to share them. However, this reluctance inhibits the sharing necessary to investigate intrusions that commonly span organizational boundaries. Second, anyone designing log analysis or computer forensics tools needs data with which to test those tools. [2] The larger and more diverse the data set, the more robust they can make their tools. For many, this means they must gather many logs from outside sources, not just what they can generate in-house. Again, this requires log sharing. Third, researchers in many computer science disciplines (e.g., network measurement, computer security, etc.) need large and diverse data sets to study. Having data sanitization tools available makes organizations more willing to share their own logs with these researchers.

FLAIM is available under the Open Source Initiative approved University of Illinois/NCSA Open Source License. This is a BSD-style license. [3] It runs on Unix and Unix-like systems, including Linux, FreeBSD, NetBSD, OpenBSD and Mac OS X.

While FLAIM is not the only log anonymizer, it is unique in its flexibility to create complex XML policies and its support for multiple log types. [1] More specifically, it is the only such tool to meet the following 4 goals. (1) FLAIM provides a diverse set of anonymization primitives. (2) FLAIM supports multiple log types, including Linux process accounting logs, netfilter alerts, tcpdump traces and NFDUMP NetFlows. [4] (3) With a flexible anonymization policy language, complex policies that make trade-offs between information loss and security can be expressed. (4) FLAIM is modular and easily extensible to new types of logs and data. The anonymization engine is agnostic to the syntax of the actual log.
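As an added illustration of the information-loss versus security trade-off described above (example code written for this page, not FLAIM's own code or policy format), three hypothetical primitives are applied to constructed netfilter-style lines; a Python dict stands in for the XML policy, and the primitive names, the key and the log lines are all assumptions.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed netfilter-style firewall lines (not real data): the same source
# host appears twice, so whether lines stay linkable is a policy decision.
SAMPLE_LOG = [
    "Mar 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP DPT=22",
    "Mar 10 12:00:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.21 PROTO=TCP DPT=443",
    "Mar 10 12:00:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.20 PROTO=UDP DPT=5353",
]

# Hypothetical primitives (names are illustrative, not FLAIM's): each one sits at a
# different point on the information-loss / security trade-off for an IP field.
def black_marker(value, key):
    """Maximum loss: every address collapses to one constant; nothing is linkable."""
    return "0.0.0.0"

def truncate_to_24(value, key):
    """Keeps the /24 network (enough for 'same site' analysis), drops the host octet."""
    return str(ipaddress.ip_network(value + "/24", strict=False).network_address)

def keyed_hash(value, key):
    """Consistent pseudonym: equal inputs map to equal outputs, so flows from one host
    stay linkable, but without the key the mapping cannot be inverted."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return str(ipaddress.IPv4Address(int.from_bytes(digest[:4], "big")))

PRIMITIVES = {"black_marker": black_marker, "truncate": truncate_to_24, "keyed_hash": keyed_hash}
FIELD_RE = re.compile(r"\b(SRC|DST)=(\d+\.\d+\.\d+\.\d+)")

def anonymize(lines, policy, key):
    """policy maps a field name to a primitive name; fields not in the policy pass through.
    The engine only needs the field/value pairs, not the rest of the line's syntax."""
    def substitute(match):
        field, value = match.group(1), match.group(2)
        name = policy.get(field)
        return f"{field}={PRIMITIVES[name](value, key)}" if name else match.group(0)
    return [FIELD_RE.sub(substitute, line) for line in lines]

def distinct_values(lines, field):
    """How many distinct values a field still has: a rough measure of retained information."""
    return len({m.group(2) for line in lines for m in FIELD_RE.finditer(line) if m.group(1) == field})

if __name__ == "__main__":
    key = b"constructed-demo-key"   # constructed; a real deployment would protect this secret
    for line in anonymize(SAMPLE_LOG, {"SRC": "keyed_hash", "DST": "truncate"}, key):
        print(line)
```

Swapping "keyed_hash" for "black_marker" on SRC collapses all three lines to one source, which is safer to share but makes the repeated-host pattern invisible to an investigator.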

History

Work on log anonymization began in 2004 at the NCSA. At first this was for anonymizing logs in-house to share with the SIFT group. Soon there was a need for more powerful anonymization and for anonymization of different types of logs. [5] CANINE was created to anonymize and convert between multiple formats of NetFlows. [6] [7] This was a Java GUI-based tool. Later, Scrub-PA was created to anonymize Process Accounting logs. [8] Scrub-PA was based on the Java code used for CANINE. The development of both of these tools was funded under the Office of Naval Research NCASSR research center through the SLAGEL project. [9]

It was quickly realized that building one-off tools for each new log format was not the way to go. Also, the earlier tools were limited in that they could not be scripted from the command line. It was decided that a new, modular, command line-based UNIX tool was needed. Because speed was also a concern, this tool needed to be written in C++. With the successful acquisition of a Cyber Trust grant from the National Science Foundation, the LAIM Working Group was formed at the NCSA. [10] From this project, headed by the PI, Adam Slagell, FLAIM was developed to overcome these limitations of CANINE and Scrub-PA. The first public version of FLAIM, 0.4., was released on July 23, 2006. [11]

References

  1. Slagell, A., Lakkaraju, K., and Luo, K., "FLAIM: A Multi-level Anonymization Framework for Computer and Network Logs," 20th USENIX Large Installation System Administration Conference (LISA '06), Washington, D.C., Dec. 2006.
  2. Garfinkel, S., "Forensic Corpora: A Challenge for Forensic Research" (PDF). Retrieved 2007-12-04.
  3. "FLAIM License". Archived from the original on 2007-06-28. Retrieved 2007-12-04.
  4. "FLAIM (Framework for Log Anonymization and Information Management)". Archived from the original on 2007-08-27. Retrieved 2007-12-04.
  5. Slagell, A., Li, Y., and Luo, K., "Sharing Network Logs for Computer Forensics: A New Tool for the Anonymization of NetFlow Records," Computer Network Forensics Research (CNFR) Workshop, Athens, Greece, Sep. 2005.
  6. Luo, K., Li, Y., Slagell, A., and Yurcik, W., "CANINE: A NetFlow Converter/Anonymizer Tool for Format Interoperability and Secure Sharing," FLOCON - Network Flow Analysis Workshop, Pittsburgh, PA, Sep. 2005.
  7. Li, Y., Slagell, A., Luo, K., and Yurcik, W., "CANINE: A Combined Conversion and Anonymization Tool for Processing NetFlows for Security," 10th International Conference on Telecommunication Systems, Modeling and Analysis, Dallas, TX, Nov. 2005.
  8. Luo, K., Li, Y., Ermopoulos, C., Yurcik, W., and Slagell, A., "Scrub-PA: A Multi-level, Multi-Dimensional Anonymization Tool for Process Accounting," ACM Computing Research Repository (CoRR), Technical Report cs.CR/0601079, Jan. 2006.
  9. "SLAGEL (System Log Anonymization for Greater Exchange of Logs)". Retrieved 2007-12-04.
  10. "Log Anonymization and Information Management (LAIM) Working Group". Archived from the original on 2007-08-18. Retrieved 2007-12-04.
  11. "NCSA news archive 2006". Retrieved 2007-12-04.