Research is funded in part or whole by the National Science Foundation and the Office of Naval Research.
FLAIM (Framework for Log Anonymization and Information Management)

FLAIM is a general framework, created to support the anonymization of heterogeneous logs to multiple levels. It is developed by the LAIM Working Group at the NCSA. As the developers of FLAIM, our main contributions are to provide (1) the anonymization engine containing a broad set of anonymization algorithms for various datatypes, (2) the XML-based policy engine which validates and parses users' XML policies against a variety of schemas (we incorporate Relax NG, Schematron, XML and XSLT technologies here), and (3) a simple yet strict API governing how parsing modules (loaded dynamically at run-time) can pass records back and forth with FLAIM's anonymization engine.

The reason for creating an API and dynamically loadable modules is to allow others to more easily expand FLAIM's use beyond the few types of logs that we initially supported (e.g., pcap headers, netfilter, NetFlows, process accounting). The typical user will just download FLAIM and the appropriate module for their log type. However, we foresee other, more advanced users who would like to expand FLAIM to other logs for their special needs. For example, they could write a module that supports streaming (this is possible because the methods to read and write data are abstracted away from FLAIM), one that parses a new type of log, or a module to perform pre/post-processing.

For information on the architecture and design of FLAIM, look at the Publications page on the LAIM home. The Documentation page has the user guides and MAN page. The Installation page contains installation instructions.

Real World Use

FLAIM has hundreds of users and has been used both internally at the NCSA and by many other organizations. At the NCSA, we have anonymized network data to share with AT&T Research for their studies on visualizing botnet propagation. Researchers at Accenture have enhanced FLAIM by adding an anonymization risk estimator to measure entropy loss when anonymizing data. These, and many others, have used FLAIM to share sensitive computer and network logs.

We are, however, always looking to expand FLAIM's application. One potential future application is to anonymize IDS data at the individual sensors for large-scale, collaborative intrusion detection. Others have proposed modifying FLAIM for use on forensic corpora shared for research. In a completely different domain, we may be applying FLAIM to anonymization of student records in the future.

©2005–2008 Board of Trustees of the University of Illinois.