EvilOctal Information Security Team Technical Discussion Group's Archiver

EvilOctal 2006-1-29 14:41

[Repost] Levels of Anonymity and Traceability (LEVANT) Project

Original link: [url]http://www.cert.org/sse/levant.html[/url]

Problem Addressed
Existing internet protocols were never engineered for today’s internet, where the trustworthiness of users cannot be assumed and where high-stakes mission-critical applications increasingly reside. Malicious users exploit the severe weakness in existing internet protocols to achieve anonymity, and use that anonymity as a safe haven from which to launch repeated attacks on their victims. Hence, service providers and other victims of cyber attack want and need traceability for accountability, redress, and deterrence. Unfortunately, our current track-and-trace capability is limited in the extreme by the existing protocol and infrastructure design and requires a major re-engineering effort from both technical and policy perspectives, as described in an SEI special report sponsored by the U.S. State Department [1]. On the other hand, internet users often want or need anonymity for a variety of legitimate reasons. The engineering challenge is to balance the apparently conflicting needs of privacy and security.
Research Approach
Traceability and anonymity are attributes that are central to the security and survivability of mission-critical systems. We believe that principled, fine-grained tradeoffs between traceability and anonymity are pivotal to the future viability of the internet. However, such tradeoffs are rarely explicitly made, the current capability to make such tradeoffs is extremely limited, and the tradeoffs between these attributes have occurred on an ad hoc basis at best.
The LEVANT project is investigating the feasibility of a disciplined engineering design of Internet protocols (in the context of key policy issues) to allow optimal, fine-grained tradeoffs between traceability and anonymity to be made on the basis of specific mission requirements. We see this project as a first step toward the development of a discipline of Internet engineering, which would translate traditional design and engineering processes, such as thorough requirements gathering and attribute tradeoff analyses, into the unique context of the Internet environment and its associated security and survivability risks [2].

In any Internet transaction, trust ultimately depends not on IP addresses but on particular relationships among individuals and their roles within organizations and groups (which may be economic, political, educational, or social). Trust cannot be established while maintaining total anonymity of the actors involved. It goes without saying that there is a great need for privacy on the Internet, and it must be carefully guarded. However, trust and privacy tradeoffs are a normal part of human social, political, and economic interactions, and such tradeoffs can be resolved in a number of venues, for example in the marketplace. Consider the telephone system, in particular the caller identification (caller ID) feature, which displays the phone number, and often the name, associated with incoming calls. Caller ID is a feature for which many customers are willing to pay extra in return for the privacy benefits associated with having some idea of who’s calling before answering a call. However, callers are sometimes given the option of being anonymous (i.e., not identifiable by the caller ID feature) by default or on a call-by-call basis. To more fully protect their privacy, the caller ID customer can choose to block all incoming calls from anonymous callers. The anonymous caller is notified of this fact by an automated message. For callers that pre-arrange with their phone company to be anonymous by default, the only way to complete the call is to enter a key sequence to remove the anonymity for this particular call and to redial. Customers that achieve anonymity on a call-by-call basis (by entering a specific key sequence) can choose to redial without entering the key sequence that denotes anonymity. This choice is a form of negotiation between the caller and the intended recipient of the call, and it is a tradeoff between anonymity and trust that is supported by the technology of caller ID and the marketplace. 
There is no government mandate that all calls must be anonymous or that no calls are allowed to be anonymous. The individual caller chooses whether or not to relinquish anonymity (or some degree of privacy) in exchange for the perceived value of completing the call by increasing the degree of trust as seen by the recipient.

One can envision next-generation Internet protocols supporting this kind of marketplace negotiation of trust versus privacy tradeoffs. For example, we are exploring the possibility of third-party certifying authorities, which would serve as brokers of trust. These certifying authorities would provide mechanisms whereby packets would be cryptographically signed with very fine-grained authentication credentials of the sender. This is not the same as having an individual digitally sign a message, as a digitally signed message may be too coarse-grained for a particular scenario and may reveal too much. Another capability might be the escrowing, by these certifying authorities, of complete identifying information for a specified period of time, to be revealed in the event that one or more of a user’s packets have been identified as participating in a confirmed attack.

We are investigating the feasibility of a disciplined engineering design of Internet protocols (in the context of key policy issues) to allow optimal, fine-grained tradeoffs between traceability and anonymity to be made on the basis of specific mission requirements. Our goal is to provide an exemplar for the application of principled software and systems engineering practices in the unique context of the Internet. A key part of this process is our exploration of alternative designs for new Internet protocols that allow the originator and the recipient of an Internet transaction or service to negotiate what levels of traceability and anonymity to accept.

Meaning of k-anonymity
In order to design and evaluate Internet protocols that support negotiated tradeoffs between anonymity and traceability, we need some way to quantify and measure levels of anonymity and traceability. The concept of k-anonymity provides some useful theoretical underpinnings.
We say that a user is k-anonymous in a network context if the user is only traceable to a set of measure k, where this could mean either a set of size k or a set of radius k in the topological sense of the network (as shown in Figure 1). Our goal is to explore the design of Internet protocols that assure traceability, but only to a group of k actors. Latanya Sweeney originally defined the notion of k-anonymity in the privacy context for medical patient data [3].

Figure 1: Examples of k-anonymity

User and Service Provider Goals

Effective anonymity and traceability tradeoffs require an in-depth understanding of the specific goals of users and service providers. User goals may differ on a case-by-case basis. Some examples:

User may want to hide its location and identity entirely (large k).
User may want to hide its location somewhat (e.g., reveal the city, but not street address).
User may want to hide its location, but not its identity.

Similarly, service providers may have different goals and/or requirements. Some examples:

Provider may want to know both user’s location and identity.
Provider may want to know user’s location somewhat.
Provider may want to know user’s identity, but does not care about user’s location.
Some additional information on the LEVANT project is available in a summary report on SEI independent research and development projects for FY2004 [4].
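The two readings of k given in the k-anonymity definition above (a set of size k over the attributes a user reveals, and a set of radius k in the network topology), together with the user and provider goals listed in this section, worked through in code. This is an added example, not code from the original page or from the LEVANT project. The user population, the router graph, and the `negotiate` function are constructed for illustration; the page describes no concrete negotiation protocol, so `negotiate` is an assumed model in which the user offers disclosure levels from least to most revealing and the provider accepts the first whose anonymity set is small enough for its traceability requirement.

```python
"""Quantifying k-anonymity two ways, plus a toy disclosure negotiation.

Constructed example: the user population, the router graph and the negotiation
rule below are assumptions for illustration, not data or protocol from LEVANT.
"""
from collections import deque

# Constructed population (not real data): each record is one user behind a
# network location. "name" stands in for full identity.
USERS = [
    {"name": "alice", "city": "Pittsburgh", "street": "Forbes Ave"},
    {"name": "bob",   "city": "Pittsburgh", "street": "Forbes Ave"},
    {"name": "carol", "city": "Pittsburgh", "street": "Fifth Ave"},
    {"name": "dave",  "city": "Pittsburgh", "street": "Fifth Ave"},
    {"name": "erin",  "city": "Pittsburgh", "street": "Fifth Ave"},
    {"name": "frank", "city": "Cleveland",  "street": "Euclid Ave"},
    {"name": "grace", "city": "Cleveland",  "street": "Euclid Ave"},
    {"name": "heidi", "city": "Cleveland",  "street": "Prospect Ave"},
]

# Constructed, undirected router adjacency for the topological reading of k.
GRAPH = {
    "R1": ["R2", "R3"],
    "R2": ["R1", "R4"],
    "R3": ["R1", "R5"],
    "R4": ["R2"],
    "R5": ["R3", "R6"],
    "R6": ["R5"],
}


def equivalence_classes(records, revealed):
    """Group records by the tuple of attributes the user chooses to reveal.
    Everyone sharing a tuple is indistinguishable to the observer."""
    classes = {}
    for rec in records:
        key = tuple(rec[attr] for attr in revealed)
        classes.setdefault(key, []).append(rec)
    return classes


def anonymity_k(records, revealed):
    """k for the whole population: the smallest equivalence class. k == 1 means
    at least one user is uniquely identified by the revealed attributes."""
    classes = equivalence_classes(records, revealed)
    return min(len(c) for c in classes.values()) if classes else 0


def user_k(records, revealed, name):
    """k for one user: how many records are indistinguishable from theirs."""
    rec = next(r for r in records if r["name"] == name)
    key = tuple(rec[attr] for attr in revealed)
    return len(equivalence_classes(records, revealed)[key])


def radius_set(graph, origin, k):
    """Topological reading: every node within k hops of origin (breadth-first
    search). If a trace resolves only to 'within k hops of origin', this set
    is the anonymity set, and its size is the size-k reading of the same
    situation."""
    seen = {origin}
    frontier = deque([(origin, 0)])
    while frontier:
        node, dist = frontier.popleft()
        if dist == k:
            continue
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, dist + 1))
    return seen


def negotiate(records, name, offers, provider_max_k):
    """Assumed negotiation model (not specified on the page): the user offers
    disclosure levels from least to most revealing; the provider accepts the
    first level whose anonymity set is no larger than the k it can tolerate
    for traceability. Returns (accepted_level, k), or None if no offer
    satisfies the provider."""
    for revealed in offers:
        k = user_k(records, revealed, name)
        if k <= provider_max_k:
            return revealed, k
    return None


if __name__ == "__main__":
    offers = [(), ("city",), ("city", "street"), ("city", "street", "name")]
    print("population k, city only:", anonymity_k(USERS, ("city",)))       # 3
    print("population k, city+street:", anonymity_k(USERS, ("city", "street")))  # 1
    print("nodes within 2 hops of R1:", sorted(radius_set(GRAPH, "R1", 2)))
    # heidi can stop at "city": Cleveland alone already gives the provider k=3.
    print("heidi vs provider k<=3:", negotiate(USERS, "heidi", offers, 3))
    # erin must also reveal her street to reach k=3.
    print("erin vs provider k<=3:", negotiate(USERS, "erin", offers, 3))
```

Note that the same provider requirement (k at most 3) costs different users different amounts of privacy: a user whose coarse attributes already place them in a small group reaches the provider's threshold while revealing less, which is why the page frames the tradeoff as negotiated per transaction rather than fixed by policy.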
Benefits
In this era of open, highly distributed, complex systems, vulnerabilities abound and adequate security, using defensive measures alone, can never be guaranteed. As with all other aspects of crime and conflict, deterrence plays an essential role in protecting society. Hence, the ability to track and trace attackers is crucial, because in an environment of total anonymity, deterrence is impossible, and an attacker can endlessly experiment with countless attack strategies and techniques until success is achieved. The ability to accurately and precisely assign responsibility for cyber attacks to entities or individuals (or to interrupt attacks in progress) would allow society’s legal, political, and economic mechanisms to work both domestically and internationally to deter future attacks and motivate evolutionary improvements in relevant laws, treaties, policies, and engineering technology. On the other hand, there are many legal, political, economic, and social contexts in which some protection of anonymity or privacy is essential. Without some degree of anonymity or privacy, individuals or entities whose cooperation is vitally needed may not fully participate (or participate at all) in the use or operation of systems that support the critical functions of the global information society.
Hence, traceability and anonymity are attributes that are central to the security and survivability of mission-critical systems. The LEVANT project is exploring the essential engineering and policy issues associated with traceability and anonymity tradeoffs. A primary objective is to investigate the feasibility of a disciplined engineering design of Internet protocols (in the context of key policy issues) to allow optimal, fine-grained tradeoffs between traceability and anonymity to be made on the basis of specific mission requirements. An ultimate benefit of these protocols would be greatly improved security and traceability for critical applications, with strong privacy and anonymity protection for legitimate users.

2004 Accomplishments
The principal investigators for the LEVANT project are Howard Lipson and Sven Dietrich. The project team also includes Ashish Shah, a doctoral student at the Department of Engineering and Public Policy at Carnegie Mellon University. In addition to SEI internal research and development funding, Howard Lipson and Sven Dietrich have been awarded two consecutive Carnegie Mellon CyLab “seed grants” for the LEVANT project. The first award provided doctoral student support during the past academic year, and the second award will provide continued doctoral student support for the 2004-2005 academic year. In June 2004, the SEI special report, Tracking and Tracing Cyber-Attacks – Technical Challenges and Global Policy Issues [1], which helped initiate the LEVANT project, won an Award of Merit from the Society for Technical Communication.
We have been working to establish a solid theoretical foundation on which to base principled engineering tradeoffs between traceability and anonymity. Progress includes an extensive examination of the research literature and work on a new conceptual model that helps clarify the relationships between anonymity and traceability. We expect the model to continue to evolve into a foundation for understanding and expressing the full range of engineering requirements for the design of Internet protocols that support attribute tradeoffs and negotiations, as well as help us to generate examples of specific user requirements for anonymity and traceability that must be satisfied for particular applications, systems, or missions. A primary goal of our conceptual model is to help us better delineate the space of possible tradeoffs between traceability and anonymity, and to evaluate the feasibility of designing general-purpose Internet protocols that implement the largest possible range of anonymity–traceability tradeoffs. One of the key engineering requirements for the design of such protocols is that they effectively support anonymity–traceability tradeoff negotiations between service providers and their clients.

Finally, we have surveyed this research area from an economic and public policy perspective. We’ve tried to better understand the economic aspects of personal privacy and the economics of anonymity and traceability. We’ve looked at the economic incentives and disincentives for service providers to support various anonymity and traceability services.

2005 Plans
The LEVANT project plans for FY2005 include publication of one or more technical reports or papers, along with additional research to further develop and refine the conceptual model on which the tradeoff negotiation protocol will be based. We will also explore in greater depth several of the economic and public policy issues relevant to this research area.
References
[1] Lipson, Howard F. Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues (CMU/SEI-2002-SR-009, ADA408853). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2002. [url]http://www.cert.org/archive/pdf/02sr009.pdf[/url] (pdf)
[2] Lipson, Howard F. & Fisher, David A. "Survivability – A New Technical and Business Perspective on Security." Proceedings of the 1999 New Security Paradigms Workshop. Caledon Hills, ON, Sept. 21-24, 1999. New York, NY: Association for Computing Machinery. [url]http://www.cert.org/archive/pdf/busperspec.pdf[/url] (pdf)
[3] Sweeney, Latanya. "k-anonymity: A Model for Protecting Privacy." International Journal on Uncertainty, Fuzziness and Knowledge-based Systems 10, 5 (October 2002): 557-570.
[4] Lipson, H. & Dietrich, S. "Levels of Anonymity and Traceability (LEVANT)." In Bergey, J.; Dietrich, S.; Firesmith, D.; Forrester, E.; Jordan, A.; Kazman, R.; Lewis, G.; Lipson, H.; Mead, N.; Morris, E.; O’Brien, L.; Siviy, J.; Smith, D.; & Woody, C. Results of SEI Independent Research and Development Projects and Report on Emerging Technologies and Technology Trends (CMU/SEI-2004-TR-018), pp. 4-12. Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2004. [url]http://www.sei.cmu.edu/publications/documents/04.reports/04tr018.html[/url]

© 1999-2008 EvilOctal Security Team