Enabling collaborative network security with privacy-preserving data aggregation

Today, there is a fundamental imbalance in cybersecurity. While attackers act more and more globally and coordinated, e.g., by using botnets, their counterparts trying to manage and defend networks are limited to examine local information only. Collaboration across network boundaries would substantially strengthen network defense by enabling collaborative intrusion and anomaly detection. Also, general network management tasks, such as multi-domain traffic engineering and collection of performance statistics, could substantially profit from collaborative approaches. Unfortunately, privacy concerns largely prevent collaboration in multidomain networking. Data protection legislation makes data sharing illegal in certain cases, especially if PII (personally identifying information) is involved. Even if it were legal, sharing sensitive network internals might actually reduce security if the data fall into the wrong hands. Furthermore, if data are supposed to be aggregated with those of a competitor, sensitive business secrets are at risk. To address these privacy concerns, a large number of data anonymization techniques and tools have been developed. The main goal of these techniques is to sanitize a data set before it leaves an administrative domain. Sensitive information is obscured or completely stripped off the data set. Sanitized properly, organizations can safely share their anonymized data sets and aggregate information. However, these anonymization techniques are generally not lossless. Therefore, organizations face a delicate privacy-utility tradeoff. While stronger sanitization improves data privacy, it also severely impairs data utility. In the first part of this thesis, we analyze the effect of state-of-the-art data anonymization techniques on both data utility and privacy. We find that for some use cases only requiring highly aggregated data, it is possible to find an acceptable tradeoff. However, for anonymization techniques which do not