PRISM: Private Retrieval of the Internet’s Sensitive Metadata

The Internet is producing a wealth of data about its own operation, in the form of NetFlow records, routing table entries, traffic statistics, etc. Several previous works—including, for instance, Clark’s “knowledge plane”— have considered the idea of building a giant distributed database that (at least conceptually) contains all of this information. Such a database could have many attractive uses, including distributed troubleshooting, attack mitigation, or traffic management. However, so far the idea has not been realized, and it is likely that privacy concerns have played a role.

In this paper, we ask whether differential privacy could provide the strong privacy guarantees that would be needed to put this idea into practice. We discuss some key concerns that have been raised about differential privacy, such as its limited scalability and its finite “privacy budget”, and we point out several characteristics of the Internet that could mitigate these concerns. We also sketch the design of PRISM, a system for differentially private queries on NetFlow records that could form the basis of a potential “knowledge plane”.