FLAIM (Framework for Log Anonymization and Information Management) is a modular tool designed to allow computer and network log sharing through application of complex data sanitization policies.Slagell, A., Lakkaraju, K., and Luo, K., "FLAIM: A Multi-level Anonymization Framework for Computer and Network Logs," 20th USENIX Large Installation System Administration Conference (LISA '06), Washington, D.C., Dec., 2006. FLAIM is aimed at 3 different user communities. First, FLAIM can be used by the security engineer who is investigating a broad incident spanning multiple organizations. Because of the sensitivity inherent in security relevant logs, many organizations are reluctant to share them. However, this reluctance inhibits the sharing necessary to investigate intrusions that commonly span organizational boundaries. Second, anyone designing log analysis or

computer forensics Computer forensics (also known as computer forensic science) is a branch of digital forensics, digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital me ...

tools needs data with which they can test their tools. The larger and more diverse the data set, the more robust they can make their tools. For many, this means they must gather many logs from outside sources, not just what they can generate in-house. Again, this requires log sharing. Third, researchers in many

computer science Computer science is the study of computation, information, and automation. Computer science spans Theoretical computer science, theoretical disciplines (such as algorithms, theory of computation, and information theory) to Applied science, ...

disciplines (e.g., network measurements,

computer security Computer security (also cybersecurity, digital security, or information technology (IT) security) is a subdiscipline within the field of information security. It consists of the protection of computer software, systems and computer network, n ...

, etc.) need large and diverse data sets to study. Having data sanitization tools available makes organizations more willing to share with these researchers their own logs. FLAIM is available under the

Open Source Initiative The Open Source Initiative (OSI) is a California public benefit corporation "actively involved in Open Source community-building, education, and public advocacy to promote awareness and the importance of non-proprietary software". Governance The ...

approved University of Illinois/NCSA Open Source License. This is

BSD-style license BSD licenses are a family of permissive free software licenses, imposing minimal restrictions on the use and distribution of covered software. This is in contrast to copyleft licenses, which have share-alike requirements. The original BSD licens ...

. It runs on

Unix Unix (, ; trademarked as UNIX) is a family of multitasking, multi-user computer operating systems that derive from the original AT&T Unix, whose development started in 1969 at the Bell Labs research center by Ken Thompson, Dennis Ritchie, a ...

and

Unix-like A Unix-like (sometimes referred to as UN*X, *nix or *NIX) operating system is one that behaves in a manner similar to a Unix system, although not necessarily conforming to or being certified to any version of the Single UNIX Specification. A Uni ...

systems, including

Linux Linux ( ) is a family of open source Unix-like operating systems based on the Linux kernel, an kernel (operating system), operating system kernel first released on September 17, 1991, by Linus Torvalds. Linux is typically package manager, pac ...

FreeBSD FreeBSD is a free-software Unix-like operating system descended from the Berkeley Software Distribution (BSD). The first version was released in 1993 developed from 386BSD, one of the first fully functional and free Unix clones on affordable ...

NetBSD NetBSD is a free and open-source Unix-like operating system based on the Berkeley Software Distribution (BSD). It was the first open-source BSD descendant officially released after 386BSD was fork (software development), forked. It continues to ...

OpenBSD OpenBSD is a security-focused operating system, security-focused, free software, Unix-like operating system based on the Berkeley Software Distribution (BSD). Theo de Raadt created OpenBSD in 1995 by fork (software development), forking NetBSD ...

and

Mac OS X macOS, previously OS X and originally Mac OS X, is a Unix, Unix-based operating system developed and marketed by Apple Inc., Apple since 2001. It is the current operating system for Apple's Mac (computer), Mac computers. With ...

. While FLAIM is not the only ''log anonymizer'', it is unique in its flexibility to create complex

XML Extensible Markup Language (XML) is a markup language and file format for storing, transmitting, and reconstructing data. It defines a set of rules for encoding electronic document, documents in a format that is both human-readable and Machine-r ...

policies and its support for multiple log types. More specifically, it is the only such tool to meet the following 4 goals. (1) FLAIM provides a diverse set of anonymization primitives. (2) FLAIM supports multiple log type, including linux process accounting logs, netfilter alerts,

tcpdump tcpdump is a data-network packet analyzer computer program that runs under a command line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distr ...

traces and NFDUMP NetFlows. (3) With a flexible anonymization policy language, complex policies that make trade-offs between information loss and security can be made. (4) FLAIM is modular and easily extensible to new types of logs and data. The anonymization engine is agnostic to the syntax of the actual log.

History

Work on ''log anonymization'' began in 2004 at the NCSA. At first this was for anonymizing logs in-house to share with the SIFT group. Soon there was a need for more powerful anonymization and anonymization of different types of logs. CANINE was created to anonymize and convert between multiple formats of NetFlows. This was a Java GUI-based tool. Later, Scrub-PA was created to anonymize Process Accounting logs. Scrub-PA was based on the Java code used for CANINE. The development of both of these tools were funded under the

Office of Naval Research The Office of Naval Research (ONR) is an organization within the United States Department of the Navy responsible for the science and technology programs of the U.S. Navy and Marine Corps. Established by Congress in 1946, its mission is to plan ...

NCASSR research center through the SLAGEL project. It was quickly realized that building one-off tools for each new log format was not the way to go. Also, the earlier tools were limited in that they could not be scripted from the command line. It was decided that a new, modular command line-based

UNIX Unix (, ; trademarked as UNIX) is a family of multitasking, multi-user computer operating systems that derive from the original AT&T Unix, whose development started in 1969 at the Bell Labs research center by Ken Thompson, Dennis Ritchie, a ...

tool was needed. Because speed was also a concern, this tool need to be written in

C++ C++ (, pronounced "C plus plus" and sometimes abbreviated as CPP or CXX) is a high-level, general-purpose programming language created by Danish computer scientist Bjarne Stroustrup. First released in 1985 as an extension of the C programmin ...

. With the successful acquisition of a Cyber Trust grant from the

National Science Foundation The U.S. National Science Foundation (NSF) is an Independent agencies of the United States government#Examples of independent agencies, independent agency of the Federal government of the United States, United States federal government that su ...

, the

LAIM Laim (Central Bavarian: ''Loam'') is a district of Munich, Germany Germany, officially the Federal Republic of Germany, is a country in Central Europe. It lies between the Baltic Sea and the North Sea to the north and the Alps to the sout ...

Working Group was formed at the NCSA. From this project headed by the PI, Adam Slagell, FLAIM was developed to overcome these limitations of CANINE and Scrub-PA. The first public version of FLAIM, 0.4., was released on July 23, 2006.

Features

* Flexible

policy language * Modular to support simple plugins for new log types * Support for major

UNIX-like A Unix-like (sometimes referred to as UN*X, *nix or *NIX) operating system is one that behaves in a manner similar to a Unix system, although not necessarily conforming to or being certified to any version of the Single UNIX Specification. A Uni ...

Operating Systems An operating system (OS) is system software that manages computer hardware and software resources, and provides common daemon (computing), services for computer programs. Time-sharing operating systems scheduler (computing), schedule tasks for ...

* Built-in support for several anonymization primitives * Plugin for NFDUMP format NetFlows * Plugin for netfilter firewall logs * Plugin for

pcap In the field of computer network administration, pcap is an application programming interface (API) for capturing network traffic. While the name is an abbreviation of ''packet capture'', that is not the API's proper name. Unix-like systems ...

traces form

* Plugin for linux process accounting logs

References

Luo, K., Li, Y., Slagell, A., and Yurcik, W.,
CANINE: A NetFlow Converter/Anonymizer Tool for Format Interoperability and Secure Sharing
" FLOCON — Network Flow Analysis Conference, Pittsburgh, PA, Sep., 2005.

External links

Official FLAIM Home PageLAIM Working Group Official HomeUSENIX LISA paper on FLAIMCRAWDAD entry on FLAIM at Dartmouth
{{DEFAULTSORT:Flaim Anonymity Internet privacy software Free security software Software using the BSD license