| Graduate student: | 曾俊豪 Chun-Hao Tzeng |
|---|---|
| Thesis title: | 具隱私防護與分析能力之網路封包酬載轉換機制研究 (On Payload Transformation Mechanism with Privacy-Preserving and Packet Analysis Capability) |
| Advisor: | 陳奕明 Yi-Ming Chen |
| Oral examination committee: | |
| Degree: | Master (碩士) |
| Department: | College of Management, Department of Information Management (管理學院 - 資訊管理學系) |
| Academic year of graduation (ROC calendar): | 97 |
| Language: | Chinese |
| Pages: | 59 |
| Chinese keywords (translated): | privacy protection, payload sharing, payload encoding, information security operations center, payload privacy |
| English keywords: | payload privacy, SOC, payload transformation, payload sharing, privacy preserving |
Abstract (translated from Chinese):
In recent years, as the Internet has spread rapidly, network attacks and intrusions have increased steadily. To defend against these numerous and complex attacks, the concept of large-scale (collaborative) defense has received growing attention. Under this architecture, information sharers pass the security alerts or packet data they have collected to security systems at other sites, which analyze and judge them in order to learn which network threats currently exist and to block attacks quickly and effectively. However, packet payloads contain a great deal of the sharers' private information, and the consequences would be severe if such data fell into the hands of malicious parties, so packet payloads require privacy protection. The main existing work on payload privacy protection is Anagram, proposed by Columbia University: the payload signatures its system generates can be matched against malicious-code signatures, but the method matches short malicious payloads poorly, and the system's threshold setting also affects the detection results.
This study proposes a packet payload transformation mechanism, the G-D (Group-Difference) payload transformation method. It encodes the packet payload using the group to which each payload character belongs and the difference between characters. The resulting encoded payload is irreversible, so a malicious party cannot learn the sharer's original payload from it, while the encoded payload still retains the characteristics of the original payload and can be matched to find malicious payloads. Finally, this study proposes a privacy-protection indicator for evaluating the G-D payload transformation method, so that sharers can tell whether the encoding parameters they have chosen are optimal.
Abstract (English):
The emergence of the Internet has provided a convenient way to exchange information, but many cybercrime incidents and network attacks have also been discovered. To prevent numerous and complicated network attacks, defending collectively against large-scale attacks has become more popular. In this architecture, individual organizations anywhere collect alerts or packets and share them with a SOC.
However, packet payloads contain a great deal of private information about corporations, so payload content must be protected. Anagram enables privacy-preserving payload sharing by using Bloom filters: the generated payload signature still retains malicious signatures, so a researcher can find anomalous payloads, but Anagram has a poor detection rate for short malicious signatures, and adjusting its threshold is very difficult.
We propose a payload transformation method: Group-Difference payload transformation. It computes the groups and differences of payload characters to encode the payload. The produced code is irreversible, so attackers cannot recover the original payload content, yet it still retains the signature of the original payload, so a researcher can find malicious payloads in the produced code. Finally, we propose a privacy-preserving indicator to evaluate Group-Difference payload transformation, so that a user can tell whether the chosen encoding parameters are optimal.