UC Riverside UC Riverside Electronic Theses and Dissertations Title Scalable Techniques for Security and Anonymity in Distributed Systems Permalink https://escholarship.org/uc/item/03c0z1bh Author Akhoondi, Masoud Publication Date 2015 Peer reviewed|Thesis/dissertation eScholarship.org Powered by the California Digital Library University of California UNIVERSITYOFCALIFORNIA RIVERSIDE ScalableTechniquesforSecurityandAnonymityinDistributedSystems ADissertationsubmittedinpartialsatisfaction oftherequirementsforthedegreeof DoctorofPhilosophy in ComputerScience by MasoudAkhoondi December2015 DissertationCommittee: Dr. HarshaV.Madhyastha,Co-Chairperson Dr. SrikanthV.Krishnamurthy,Co-Chairperson Dr. ZhiyunQian Dr. VagelisHristidis Copyrightby MasoudAkhoondi 2015 TheDissertationofMasoudAkhoondiisapproved: CommitteeCo-Chairperson CommitteeCo-Chairperson UniversityofCalifornia,Riverside Acknowledgments It is an honor for me to have had the opportunity to work with my advisor Prof. Harsha V. Madhyastha. I am deeply grateful to Harsha for the invaluable guidance and his generous support during my PhD. Without his brilliant and insightful advice he has given me, thisdissertationwouldnothavebeenpossibleandthiswillcontinuetobenefitmyentireresearch life. HarshaisveryenthusiasticandoneofthesmartestpeoplethatIknow,hewasveryadequate inourmeetingsorwhenitcametothoselatenightdeadlines. IhopethatIcouldbeashelpful, energetic,anddedicatedasHarshais. IamextremelyfortunatetocollaborateandworkwithProf. SrikanthKrishnamurthy during second year of my PhD. I would like to express my deepest gratitude to him for his scientificadvice,knowledge,manyinsightfuldiscussionsandsuggestions. IwouldliketoexpressimmenseappreciationtoProf. ZhiyunQianforhisadviceand mentoringnotonlywhenIwasinternatNECLaboratories,butalsoduringfifthyearofmyPhD on the project that I started during my internship. I would also like to thank all the people at NECLaboratoriesthatIworkedwith. A big shout-out to my labmates Dorian, Curtis, Zhe, Indrajeet and Ali at distributed systemslabwithwhomIspenthoursunderstandingproblemsandprovidinggreatfeedbackon all the aspects of the work done on this dissertation. I would also like to thank all my friends at UCR for being part of this wonderful journey. I will forever cherish the memorable times at UCRwithmyfriendsHamid,Mohammad,Moloud,Pamela,ShailendraandSteve. Icannotfindwordstoexpressmygratitudetomyfamily,especiallytomyparentsfor theirconstantlove,patienceandsupportthroughmylife. Withoutthem,Icouldnothavemade thisachievement. iv Tomyparentsfortheirconstantsupportandunconditionallove. v ABSTRACTOFTHEDISSERTATION ScalableTechniquesforSecurityandAnonymityinDistributedSystems by MasoudAkhoondi DoctorofPhilosophy,GraduatePrograminComputerScience UniversityofCalifornia,Riverside,December2015 Dr. HarshaV.Madhyastha,Co-Chairperson Dr. SrikanthV.Krishnamurthy,Co-Chairperson Security and privacy in distributed systems are long-standing hard problems. On the one hand, solutions for anonymous communications over the Internet are either vulnerable to traffic analysis or offer poor performance. On the other hand, compromises within enterprises remainhardtotrackdownduetocomplexdependenciesbetweenhosts,applications,andtheir data. In this thesis, I develop two solutions to improve the anonymity vs. performance trade-offforcommunicationsovertheInternet. LASTorimprovesperformanceofTorbymod- ifyingpathselectionalgorithmanditalsomitigatetrafficanalysisattackbydetectingcommon autonomous system (AS) across the entry and exit segments of a circuit and avoiding using those paths. LASTor reduces median latencies of visiting top 200 websites by 25% while the false negative rate of not detecting a potential snooping AS from 57% to 11%. Next solution, Innominate, is a new framework for anonymous online communication that both offers traffic analysis resistant strong anonymity and scalable performance. Innominate adopts relay-based techniqueforlowlatencycommunication, howeverinsteadofasingleclientserversasarelay, grouprelayisusedtoprovidestronganonymity. As of security inside enterprises, I develop DeltaTrack, the first enterprise attack vi forensics system that leverages differential dependency tracking to automate the pruning of irrelevant nodes and edges in the backtracking graph. DeltaTrack continuously monitors sys- temcalleventsfromallhostsandsummarizestheircommonexecutionbehaviorsinareference model. Then,thereferencemodelisleveragedtopruneawayfrequentlyobservedeventsacross many hosts since they are unlikely to be relevant to the intrusion. DeltaTrack can reduce the number of nodes and edges of the backtracking graph by up to 131x and 512x, respectively, whilemaintainingitsaccuracy. vii Contents ListofFigures xi ListofTables xiv 1 Introduction 1 1.1 AnonymousCommunications . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.2 DependencyTrackingforAttackForensicsinEnterprises . . . . . . . . . . . . 3 1.3 ThesisandContributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.3.1 PrivacyinDistributedSystems . . . . . . . . . . . . . . . . . . . . . . 4 1.3.2 LASTor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.3.3 Innominate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 1.3.4 SecurityinDistributedSystems . . . . . . . . . . . . . . . . . . . . . 7 1.4 Organization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2 LASTor: ALow-LatencyAS-AwareTorClient 9 2.1 Backgroundandmotivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 2.1.1 Toroverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 2.1.2 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 2.2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 2.2.1 Problemstatement . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 2.2.2 Measurementdatasets . . . . . . . . . . . . . . . . . . . . . . . . . . 18 2.3 PathSelection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 2.3.1 Preferentialselectionoflow-latencypaths . . . . . . . . . . . . . . . . 20 2.3.2 Clusteringofrelays . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 2.3.3 Accountingfordistributeddestinations . . . . . . . . . . . . . . . . . 27 2.3.4 Latencyversusanonymitytradeoff . . . . . . . . . . . . . . . . . . . . 29 2.4 ASAwareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 2.4.1 ASsetestimation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 2.4.2 AvoidingsnoopingASes . . . . . . . . . . . . . . . . . . . . . . . . . 35 2.4.3 EvaluationofAS-awareness . . . . . . . . . . . . . . . . . . . . . . . 37 2.4.4 ImpactofAS-awarenessonpathlatency . . . . . . . . . . . . . . . . . 39 2.5 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 2.5.1 Clientinaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 2.5.2 ModificationofdefaultTorclient . . . . . . . . . . . . . . . . . . . . 42 2.5.3 Inputdatasets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 2.6 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 viii 2.6.1 Accountingfordynamicload. . . . . . . . . . . . . . . . . . . . . . . 44 2.6.2 Loadbalancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 2.7 RelatedWork . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 3 Innominate: Strongly Anonymous, Yet Scalably Performant, Online Communica- tions 52 3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 3.2 BackgroundandRelatedWork . . . . . . . . . . . . . . . . . . . . . . . . . . 55 3.3 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 3.3.1 Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 3.3.2 ThreatModel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 3.4 Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 3.4.1 DistributedAnonymitySetsCreation . . . . . . . . . . . . . . . . . . . 63 3.4.2 DistributedGroupCreation. . . . . . . . . . . . . . . . . . . . . . . . 66 3.4.3 Group-basedTrafficRouting . . . . . . . . . . . . . . . . . . . . . . . 70 3.5 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 3.5.1 Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 3.5.2 Communicationwithdestination. . . . . . . . . . . . . . . . . . . . . 71 3.6 AnonymityAnalysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 3.6.1 ControlPlane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 3.6.2 DataPlane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 3.6.2.1 GroupAnonymity . . . . . . . . . . . . . . . . . . . . . . . 75 3.6.2.2 TheoriginatorAnonymity . . . . . . . . . . . . . . . . . . . 75 3.7 PerformanceAnalysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 3.7.1 InnominateInstantiation . . . . . . . . . . . . . . . . . . . . . . . . . 78 3.7.1.1 AnalysisofAnonymitySetsinSocialNetworks . . . . . . . 79 3.7.1.2 Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 3.7.2 Facilitators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 3.7.3 ThroughputofInnominate . . . . . . . . . . . . . . . . . . . . . . . . 83 4 DeltaTrack: DifferentialDependencyTrackingforAttackForensics 86 4.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 4.1.1 SourcesofDependencyExplosion . . . . . . . . . . . . . . . . . . . . 91 4.1.2 LimitationsofExistingHeuristics . . . . . . . . . . . . . . . . . . . . 95 4.2 ChallengesandAssumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 4.2.1 Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 4.2.2 Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 4.2.3 ThreatModel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 4.3 Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 4.3.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 4.3.2 TheReferenceModelofRelevancyScores . . . . . . . . . . . . . . . 101 4.3.3 K-hopBacktrackingAlgorithm . . . . . . . . . . . . . . . . . . . . . 104 4.3.4 SecurityAnalysisoftheK-hopAlgorithm . . . . . . . . . . . . . . . . 105 4.4 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 4.5 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 4.5.1 AnalysisofRealAttacks . . . . . . . . . . . . . . . . . . . . . . . . . 111 4.5.2 ReferenceModelEvaluation . . . . . . . . . . . . . . . . . . . . . . . 117 4.6 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 4.7 RelatedWork . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122 ix