
Traffic Confirmation Attacks Despite Noise

Jamie Hayes
University College London
[email protected]

arXiv:1601.04893v2 [cs.CR] 12 Feb 2016

Abstract—We propose a traffic confirmation attack on low-latency anonymous communication protocols based on computing robust real-time binary hashes of network traffic flows. Firstly, we adapt the Coskun-Memon Algorithm to construct hashes that can withstand network impairments to allow fast matching of network flows. The resulting attack has a low startup cost and achieves a true positive match rate of 80% when matching one flow out of 9000 with less than 2% false positives, showing traffic confirmation attacks can be highly accurate even when only part of the network traffic flow is seen. Secondly, we attack probabilistic padding schemes achieving a match rate of over 90% from 9000 network traffic flows, showing advanced padding techniques are still vulnerable to traffic confirmation attacks.

Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.
UEOP '16, 21 February 2016, San Diego, CA, USA
Copyright 2016 Internet Society, ISBN 1-891562-44-4
http://dx.doi.org/10.14722/ueop.2016.23007

I. INTRODUCTION

Internet communication traffic is commonly encrypted to hide its content using TLS. However, TLS encrypted traffic is vulnerable to traffic analysis since it does not hide packet metadata, such as the time a packet was sent or received or the size of the packet.

Low-latency mix networks attempt to provide anonymous communication by obscuring the flow of traffic through the network. Intermediate mixing of messages removes sender-receiver linkability. An Onion Routing (OR) network obscures sender-receiver linkability in a similar fashion but security is obtained through route unpredictability; mixing of messages is not typically required. A client that browses to a website through an OR network [8] will have their traffic relayed before it reaches its destination. Each relay only knows where to send the traffic next, so under the assumption that relays do not collude with one another, an adversary observing traffic at a relay will not be able to infer both the origin and destination of the client's communications. Though low-latency mix networks and OR networks differ in how they operate, both are susceptible to timing attacks because communication patterns are not intentionally delayed for long periods.

We consider a passive traffic confirmation attack, where an adversary eavesdrops on two ends of the network and aims to link the sender and receiver of a communication over the OR network. Research has shown that if an adversary can view traffic at both the entry and exit relay, traffic confirmation attacks are possible [9], [11], [14], [15], [19], [21]. However, doubt has been cast upon the efficiency of traffic analysis over OR networks since attack accuracy is expected to suffer due to background noise and network conditions. The base rate fallacy, the cost of exfiltration, processing and storage of data are expected to be contributing factors that negatively affect attack accuracy [15]. We present a new traffic confirmation attack which mitigates some of these fears, where an adversary can learn a short binary hash representation of a network flow in real-time and then compare it against a library of hashes recorded at another location in the network. Because an adversary only needs to store a short hash per network traffic flow the attack requires a low storage cost, the hashes are easy to exfiltrate from network traffic flows and provide a framework for computationally low cost matching and local evaluation. Our attack succeeds even when the adversary can only observe a fraction of the total transmission or when the network uses probabilistic padding schemes.

II. BACKGROUND & MOTIVATION

Traffic confirmation attacks in low-latency mix networks are an active area of research [3], [6], [12] and fall into two categories, passive and active attacks. In a passive attack an adversary aims to link a sender and receiver of a communication by inferring statistical properties of observed network traffic flows. In an active attack, commonly referred to as tagging or watermarking, the adversary modifies network traffic flows introducing patterns that can be observed at another location in the network, allowing the adversary to de-anonymize clients using the mix network [24]. Active attacks can be detected [16] or at least rendered no more powerful than passive attacks under padding schemes since padding may remove the signature imposed by the adversary on the flow.

Simple passive attacks such as counting the number of packets in network flows have been shown to yield strong results [19]. Levine et al. [11] show that by dividing flows into time windows and counting the packets within the windows a more powerful attack can be performed. Packet monitoring at scale becomes challenging due to adversary bandwidth restraints; Chakravarty et al. [5] showed that large scale attacks using less fine grained information are possible by monitoring network flow statistics as captured by servers such as Cisco's NetFlow. Note that the possibility of large scale traffic confirmation attacks is not merely an academic concern. As of October 2015 all ISPs in Australia must maintain NetFlow-like data for a minimum of two years [1]. One may wonder, if the adversary is a nation state or ISP with plenty of available bandwidth do they need a method for converting network traffic to short hashes? It has been shown that data exfiltration is expensive even for an adversary with a lot of bandwidth to utilize [10], [18]. Data is commonly compressed before exfiltration; a method for converting traffic signals to short hashes while preserving the contained information would greatly improve the speed and amount of data that can be exfiltrated and subsequently matched.

Fig. 1: Architecture of threat model. (Diagram: clients, entry relays, middle relays, exit relays, websites; labels "Flows captured by adversary" and "Flow captured by adversary".)

Deterministic padding schemes in OR networks, while offering guarantees of security, are usually expensive in terms of latency and bandwidth overheads [22]. If constant rate padding is applied with the requirement of no latency overheads, packets must be injected at a rate less than or equal to the smallest inter-arrival time between packets. Since short-lived website connections are bursty in nature, adding constant rate cover traffic is likely to incur large bandwidth overheads. Probabilistic techniques such as Adaptive Padding (AP) [20] aim to protect anonymity by introducing traffic into statistically unlikely delays between packets in a flow. This limits the amount of extra bandwidth required and does not incur any latency costs as packets are forwarded as soon as they are received. AP uses previously computed histograms of inter-arrival packet times from website loads to determine when a packet should be injected. The AP algorithm consists of two modes, gap and burst. When a network traffic flow has a natural delay in packets AP enters gap mode and increases the probability of injecting a dummy packet. This destroys natural fingerprints created by the gaps in flows. In burst mode, AP recognizes that traffic is flowing at a high rate, and so reduces the probability that a dummy packet will be injected.

We apply our attack to the most popular low-latency OR network, Tor [8]. Currently packets are sent through the Tor network using TCP which guarantees reliable transmission. However TCP flow control has been identified as a major cause of latency in Tor; there have been suggestions to incorporate the User Datagram Protocol (UDP) which would reduce queue lengths on relays and allow for better congestion management [13], [17]. If the reduction of latency in Tor or the use of VoIP and similar protocols is desired, it may be prudent to allow UDP over Tor. In this case packets may be dropped, motivating our study of attack tolerance when packets are not reliably transmitted over Tor. We note that Tor only aims to protect against traffic analysis attacks such as website fingerprinting [4], [22]; it does not aim to protect against traffic confirmation attacks. Nevertheless, we show that highly accurate traffic analysis can be performed cheaply and quantify the amount of anonymity leaked when the full network flow is not seen and under proposed padding defenses [9] that aim to protect against traffic analysis.

III. METHODOLOGY

A. Threat Model

We study communications between a client and a website over an OR network as depicted in Figure 1, where a network flow passes through three relays before reaching its destination. The adversary has the capability to record all network traffic in some local area network, possibly from multiple senders. The adversary also eavesdrops between an exit relay and a website. The ultimate goal is to link the network flow observed after the exit relay to the correct network flow in the LAN observed before reaching the entry relay. All communications in our model are sent simultaneously; if only one network flow was sent and captured during some time period, linking of flows would be trivial. We assume that there is enough diversity in the network that the probability of a relay being an entry and exit for the same network flow is statistically unlikely.

B. Data Collection & Feature Selection

1) Data Collection: We use the publicly available Wang et al. data set [22] to test our attacks. The data set consists of 90 instances of 100 sensitive websites that are blocked in countries such as China, UK and Saudi Arabia. This data set was collected via Tor which pads all packets to a fixed size of 512-bytes¹, so the only metadata from which we can leverage information is the time a packet was seen and the direction of the packet.

¹ Commonly referred to as cells.

This data was collected at the client side; to generate network traffic traces that an adversary would capture server side we construct an inter-packet delay variation (IPDV) distribution. The IPDV distribution represents the jitter in the network between observing a website load at the client side and observing a website load at the server side. Modifications are applied to the Wang et al. data set to construct the server side data set as follows:

• Probability of dropped packet - 1%, 5%, 10% and 30%.
• Obfuscation of timestamps - Each packet timestamp was modified by adding u to it, where u is randomly drawn from the experimentally derived IPDV distribution.

The IPDV distribution is constructed through real world experiments on the Tor network. We set up a simple webpage hosted on five geo-located Amazon EC2 instances². For each of the five instances we loaded the webpage 100 times through Tor and recorded the packet time arrivals at both client and server, giving the inter-packet delay variation that an adversary can expect between client and server when collecting traces over Tor. In line with the threat model, our Tor client was configured to use one exit relay to simulate an adversary collecting traffic at one exit. Guard relays were not used, simulating an adversary collecting traffic over some local network where a client could potentially use any entry node in the network. We found that although the IPDV distribution exhibited a high degree of variance, the average value was close to 0ms and resembled a normal distribution³.

² Instances were hosted in Oregon, Ireland, Tokyo, Sydney, São Paulo.
³ Inter-packet delay variation minimum = -1418ms, inter-packet delay variation average = 21ms, inter-packet delay variation maximum = 1735ms.

We decided not to run a live implementation of our attack over Tor as the application of the experimentally derived IPDV distribution to the public data set collected over Tor reliably simulates traffic collected at the server side. If we instead ran and recorded traffic at an exit relay we would either have to (1) configure the exit relay so it accepts no other traffic than our own; this would not accurately capture how the influence of other traffic in the network affects IPDV, or (2) accept other connections and filter them out after traffic has been recorded. Since clients use Tor to preserve their anonymity we decided against capturing background traffic. Our method of simulating network traffic instances at the server side has the best of both worlds: we do not capture other Tor clients' traffic but accurately mimic the delay variations produced by loading a website over Tor.

2) Feature Selection: Feature sets are usually constructed based on some prior assumption of importance that may turn out to be false and as a consequence degrade the accuracy of the classifier. Our set of features is designed to be low-level, meaning we make no assumptions about the importance of certain features such as concentrations of incoming or outgoing packets, orderings of packets, and directions of packets. Once the transmission of a flow has finished, the flow is split into N evenly spaced time windows, where N is decided on prior to computation. The number of packets seen in a time window is counted and recorded. This information is then used to create the hash of the network traffic flow. When a network flow contains fewer packets than the total number of time windows, we simply discard this network flow - note that this happened infrequently due to the small time windows chosen.

C. Coskun-Memon Algorithm

We adapt the algorithm from Coskun et al. [7] to compute the binary hash of a network traffic flow. The algorithm was originally used to identify matching VoIP flows, but has been modified since VoIP flows contain both the time and size of packets.

Algorithm 1: Computes a binary hash of a network traffic flow.

    Data: network flow, number of time windows N
    Result: binary hash of network flow
    H = [0, 0, ..., 0];
    Extract number of packets in time windows $T_0, ..., T_N$;
    for i ← 0 to N do
        if i = 0 then
            H ← H + $[R_1(\bar{T}_0), ..., R_m(\bar{T}_0)]$;
        end
        if i > 0 then
            $\bar{B}_i$ ← $B_i - B_{i-1}$;
            H ← H + $\bar{B}_i [R_1(\bar{T}_i), ..., R_m(\bar{T}_i)]$;
        end
        h = sign(H)
    end

Algorithm 1 describes how we compute the binary hash of a network traffic flow. The algorithm takes a network traffic flow and computes the cumulative number of packets in each time window as described in section III-B. Then it initializes a list, $H$, of $m$ integers all set at 0. For each time window $T_0, .., T_N$ it extracts the time, $\bar{T}_i$, and the number of packets in that window, $B_i$, for $i \in \{0,...,n\}$. For every time window after the first it computes the relative difference in number of packets seen, $\bar{B}_i = B_i - B_{i-1}$. For each time window it projects $\bar{T}_i$ on to $m$ pseudo-random bases $R_a()$⁴. The pseudo-random bases were chosen so that packets with similar timings will be projected to values on the bases that are close to one another, resulting in similar hashes for similar network traffic flows. $H$ is then updated by multiplying each projection with $\bar{B}_i$. Finally once this has been done for every time window a hash $h$ is produced by setting $h = \mathrm{sign}(H)$ where:

$$h_a = \mathrm{sign}(H_a) = \begin{cases} 1 & \text{if } H_a > 0 \\ 0 & \text{if } H_a \le 0 \end{cases} \quad \text{for } a \in \{1,..,m\}.$$

⁴ We chose the function $R_a(x) = \sin(x+a)/5 + \sin((x+a) \cdot r_a) \cdot r_a$, where $r_a$ is a unique random value between -1 and 1 and $a \in \{1,...,m\}$.

The adversary stores the computed hashes at either end of the network, which will then be used for comparison.

IV. ATTACK ON UNPADDED MIXES

We evaluate the performance of our attack by performing experiments simulating a traffic confirmation attack. First we describe the attack setup and then explain the results of our experiments.

We assume communication is done over an OR network and the adversary can observe traffic at some point between the client and entry relay and again at some point between the exit relay and destination of traffic. Typically an adversary cannot expect to compute the same hash since network impairments such as packet delays will alter the structure of a network flow. Therefore we test the ability for an adversary to successfully link flows under simulated network impairments. Since the dataset consists of 90 instances of each of the 100 websites we test the ability of the adapted algorithm to both correctly link a network flow and the ability to correctly link flows from the same website. This is the problem of matching the correct network flow out of 9000 network flows.

We compute the Hamming distance between the hash of the original flow and the hash of the modified flow and mark it a correct identification if the distance is below a threshold. We also compute the Hamming distance between the hash of the original flow and the hash of a random modified flow. If the distance is below the same threshold we mark this a false positive match.

Fig. 2: Traffic confirmation attack accuracy. (a) ROC for varied fractions of dropped packets (true positive rate against false positive rate; curves for 1%, 5%, 10% and 30% packet drop). Hash length is set at 256-bits. (b) The success of perfect network flow matching and website matching for 1% packet drop rate over repeated experiments (detection rate against number of network flows and number of websites).

A. Results

Figure 2a gives the ROC curve for different probabilities of dropped packets as the threshold value is changed. Figure 2a shows that match accuracy decreases as the fraction of dropped packets increases. This is to be expected: as the total number of packets shared between the original and modified flows decreases, the Hamming distance between the two hashes will rise, resulting in fewer true positive matches. Nevertheless, even if 10% of packets in a network traffic flow are dropped an adversary can correctly match over 80% of network flows with only a 2% false positive rate. We note that Tor uses TCP/IP which guarantees transmission of every packet and so we can expect our attack to be even more successful on Tor than on OR networks using unreliable protocols such as UDP.

Figure 2a shows that an adversary can successfully match hash pairs given some boundary from which to decide if the match is a success. We now consider a stronger metric for classification; for each network flow hash we compute the distance with all modified network flow hashes and check if the hash with minimum distance is its true pair. Our task is made more complicated since our dataset contains many flows that look similar to one another. This is because network flows were generated by loading a small number of websites. We can expect any network flow to look similar to 1%⁵ of the entire collection of network flows. Under this new metric of success the following experiment was performed - for each network traffic flow we recorded the IDs of the modified network flows⁶ whose hash had minimum Hamming distance. If any of the IDs were the true modified network flow counterpart we considered this a perfect match. If any of the IDs belonged to the same website we considered this a successful match, as an adversary would assign the flow to the correct website. Figure 2b shows the match success rate of linking flows to flows and flows to websites. The rate of attack degradation is gradual as the amount of data grows. If the aim of the attack is to infer which website a client is visiting out of a list of 50 monitored websites (of 90 instances each) then an adversary can expect accurate classification over 80% of the time and drops to 72% when monitoring 100 websites. An adversary can expect perfect network flow matching 72%-74% when monitoring 4500 network flows (50 websites) and drops to 65% when monitoring 9000 network flows (100 websites).

⁵ 90 out of 9000 network traffic flows.
⁶ Hash length = 256-bits, probability of dropped packet = 1% and packet timestamp obfuscation added.

V. ATTACK ON PADDED MIXES

We now consider a traffic confirmation attack over an OR network that uses Adaptive Padding (AP). All flows that are seen before the entry relay are padded by AP with padding removed by some trusted relay in the network before arriving at the destination of the communication. In the opposite direction we assume AP is applied before an adversary captures traffic (either by directly applying AP at the web server, or at a trusted bridge) and is removed before an adversary captures traffic at the end of the circuit.

Algorithm 2: How to compute a match between an unpadded flow and padded flows.

    Data: one unpadded network flow $U = \{U_{in}, U_{out}\}$,
          padded network flows $P_{in} = \{P_{in_0}, ..., P_{in_l}\}$ and $P_{out} = \{P_{out_0}, ..., P_{out_l}\}$,
          length of time window k
    Result: Match prediction between U and $P_t = \{P_{in_t}, P_{out_t}\}$ for $t \in \{1,...,l\}$
    for i ← in and out do
        split $U_i$ and $P_i$ in to non-overlapping time windows of size k;
        h = [];
        for m ← 0 to l do
            $h_m$ = number of windows with an equal number of packets between $U_i$ and $P_{i_m}$;
            Append $h_m$ to h;
        end
        $P_{i_x}$ where x = index(max(h));
    end
    if x is equal for both $P_{in_x}$ and $P_{out_x}$ then
        Return $U = P_x$
    end

Fig. 3: The average successful match rate between all padded flows and an unpadded flow with packet jitter added. (Match rate against packet delay in seconds; window sizes 5.0, 1.0, 0.5 and 0.2.)

A. Evaluation

We applied AP to network flows at a padding rate of 54% - using AP with a padding rate over 50% was shown by Shmatikov et al. [20] to significantly degrade the performance of a traffic confirmation attack consisting of correlating inter-arrival packet times on two links. For both incoming and outgoing network flows, we created histograms of inter-arrival packet times by crawling the top 25K Alexa sites⁷. We then applied AP to each of the 9000 traces in our data set, to simulate the padded flows collected by the adversary at the start of communication. We also apply IPDV in the same fashion as section IV to the 9000 traces to simulate various network impairments in the OR network; these are the simulated unpadded flows the adversary collects. Note that the adversary is only concerned with classifying one unpadded network flow at any one time.

⁷ http://www.alexa.com/topsites

B. Algorithm

Algorithm 2 presents adapted-SCC, a time window based traffic confirmation attack based on selective cross-correlation (SCC) [2]. Adapted-SCC links an unpadded flow with its padded counterpart. Adapted-SCC is applied by first separating all observed flows into incoming or outgoing flows - in our case, these both consist of 9000 flows. Since AP inserts dummy packets into gaps in a flow, the padded flow is a super-set of the original flow. Importantly packet times are preserved in both padded and unpadded flows (with some minor packet time variability), allowing for comparison between the number of bursts in the padded flow and the unpadded flow. Similar to section III-B, adapted-SCC splits a flow into non-overlapping windows of time. The difference is that in section III-B, the number of time windows is predetermined, so all flows are split into an equal number of sections. Here the length of one time window is predetermined, resulting in different numbers of time windows for different flows. Each padded flow is given a score that corresponds to the number of windows which share an equal number of packets with the unpadded flow. Adapted-SCC takes the score for both incoming and outgoing padded flows; if the highest score of the incoming and outgoing flow is from the same network traffic flow we consider this padded flow as the match of the unpadded flow.

C. Results

Figure 3 shows the success rate of adapted-SCC against AP as the IPDV average is increased for different window periods. Generally we see that the smaller the window size the more accurate the attack, since a smaller window time is able to capture the bursts in flows that were not padded by AP. With an IPDV average of 200ms an adversary is still able to match over 50% of streams correctly; the match rate increases to over 75% when the IPDV average is 100ms. At the experimentally observed IPDV of 21ms, adapted-SCC is able to match over 90% of flows correctly. We observed almost no false positives since adapted-SCC requires both the padded incoming and outgoing streams to agree to make a prediction. While this did not happen, we observed a rate of failure of prediction almost equal to (1 - match prediction rate).

VI. DISCUSSION & CONCLUSION

We consider the threat model where an adversary collects 9000 hashes of network flows simultaneously on the client side, and collects flow hashes over time on the server side, matching against the client side collected data. Tor metrics⁸ estimate there to be over two million daily users of Tor and so we estimate that there are enough concurrent connections in Tor for this model to be realistic. Our results show that traffic confirmation attacks are possible and accurate at scale. Using simple packet counting schemes a relatively weak adversary can build robust short fingerprints of network traffic flows to perform powerful traffic analysis attacks when only an incomplete fraction of network traffic is visible or when probabilistic padding schemes are used. We note that packet delays were drawn independently from the IPDV distribution; in reality this will not be the case, as packet delays are dependent on the load of the network at the time of request. As a next step a live implementation of the attack could be performed on Tor, but this requires care since we do not wish to capture other clients' traffic yet we need to ensure that background traffic is present.

⁸ https://metrics.torproject.org/userstats-relay-country.html

We note that while our attack on padding schemes faithfully replicates the proposed form of AP applied to an OR network, AP can only be applied to Tor in its current form in the forward direction. Relays do not share session keys with one another; session keys are shared between a relay and a client. Relays do not have the ability to generate multi-hop dummy cells, instead clients must provide the dummy cells. The ability for relays to generate dummy cells would also violate Tor's integrity checks since the running digest must be synchronized between client and relays, but a client has no way to check if a relay has generated new dummy cells. Before AP can be applied in Tor either a protocol change must be applied or web servers must be persuaded to generate dummy cells server side, which is clearly an unrealistic request for standard websites but may be tolerable for hidden services.

Probabilistic padding defenses that do not purposefully delay packets are still vulnerable to simple yet powerful timing attacks. We expect to evaluate next alternative padding schemes such as dependent link padding [23] or adding intentional delays to packets. As Figure 3 shows, adapted-SCC becomes ineffective as the volatility of jitter increases. Adding small random packet delays could foil timing attacks without incurring a high latency overhead.

VII. ACKNOWLEDGEMENTS

We would like to thank the anonymous reviewers and George Danezis for their helpful comments.

REFERENCES

[1] Australian Government Data Retention Policy. https://www.ag.gov.au/NationalSecurity/DataRetention/Documents/Dataset.pdf, 2015. [Online; accessed November-2015].
[2] T. Abraham and M. Wright. Selective cross correlation in passive timing analysis attacks against low-latency mixes. In Global Telecommunications Conference (GLOBECOM 2010), 2010 IEEE, pages 1–5, Dec 2010.
[3] Kevin Bauer, Damon McCoy, Dirk Grunwald, Tadayoshi Kohno, and Douglas Sicker. Low-resource routing attacks against tor. In Proceedings of the 2007 ACM Workshop on Privacy in Electronic Society, 2007.
[4] Xiang Cai, Xin Cheng Zhang, Brijesh Joshi, and Rob Johnson. Touching from a distance: website fingerprinting attacks and defenses. In the ACM Conference on Computer and Communications Security, CCS'12, Raleigh, NC, USA, October 16-18, 2012, pages 605–616, 2012.
[5] Sambuddho Chakravarty, Marco V. Barbera, Georgios Portokalidis, Michalis Polychronakis, and Angelos D. Keromytis. On the effectiveness of traffic analysis against anonymity networks using flow records. In Proceedings of the 15th International Conference on Passive and Active Measurement - Volume 8362, 2014.
[6] Sambuddho Chakravarty, Angelos Stavrou, and Angelos D. Keromytis. Traffic analysis against low-latency anonymity networks using available bandwidth estimation. In Computer Security ESORICS 2010, pages 249–267. Springer Berlin Heidelberg, 2010.
[7] Baris Coskun and Nasir D. Memon. Tracking encrypted voip calls via robust hashing of network flows. In Proceedings of the IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2010, 14-19 March 2010, Sheraton Dallas Hotel, Dallas, Texas, USA, pages 1818–1821, 2010.
[8] Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: The second-generation onion router. In Proceedings of the 13th Conference on USENIX Security Symposium - Volume 13, SSYM'04, pages 21–21, Berkeley, CA, USA, 2004. USENIX Association.
[9] Nicholas Hopper, Eugene Y. Vasserman, and Eric Chan-Tin. How much anonymity does network latency leak? ACM Trans. Inf. Syst. Secur., 13(2), 2010.
[10] MWR INFOSECURITY. Detecting and deterring data exfiltration. Guide & Technical Report, Feb 2014.
[11] Brian Neil Levine, Michael K. Reiter, Chenxi Wang, and Matthew K. Wright. Timing attacks in low-latency mix systems (extended abstract). In Financial Cryptography, 8th International Conference, FC 2004, Key West, FL, USA, February 9-12, 2004. Revised Papers, pages 251–265, 2004.
[12] Zhen Ling, Junzhou Luo, Wei Yu, Xinwen Fu, Dong Xuan, and Weijia Jia. A new cell counter based attack against tor. In Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS'09, pages 578–589, New York, NY, USA, 2009. ACM.
[13] S. J. Murdoch. Comparison of tor datagram designs. Tor Project Technical Report, Nov 2011.
[14] Steven J. Murdoch and George Danezis. Low-cost traffic analysis of tor. In 2005 IEEE Symposium on Security and Privacy (S&P 2005), 8-11 May 2005, Oakland, CA, USA, pages 183–195, 2005.
[15] Steven J. Murdoch and Piotr Zielinski. Sampled traffic analysis by internet-exchange-level adversaries. In Privacy Enhancing Technologies, 7th International Symposium, PET 2007 Ottawa, Canada, June 20-22, 2007, Revised Selected Papers, pages 167–183, 2007.
[16] Pai Peng, Peng Ning, and Douglas S. Reeves. On the secrecy of timing-based active watermarking trace-back techniques. In IEEE Symposium on Security and Privacy, pages 334–349. IEEE Computer Society, 2006.
[17] Joel Reardon and Ian Goldberg. Improving tor using a tcp-over-dtls tunnel. In Proceedings of the 18th Conference on USENIX Security Symposium, SSYM'09, pages 119–134, Berkeley, CA, USA, 2009. USENIX Association.
[18] Intel Security. Grand theft data. data exfiltration study: Actors, tactics, and detection. Technical Report, Sep 2015.
[19] Andrei Serjantov and Peter Sewell. Passive attack analysis for connection-based anonymity systems. In Proceedings of European Symposium on Research in Computer Security (ESORICS), pages 116–131, 2003.
[20] Vitaly Shmatikov and Ming-Hsiu Wang. Timing analysis in low-latency mix networks: Attacks and defenses. In ESORICS, Lecture Notes in Computer Science. Springer, 2006.
[21] Yixin Sun, Anne Edmundson, Laurent Vanbever, Oscar Li, Jennifer Rexford, Mung Chiang, and Prateek Mittal. RAPTOR: routing attacks on privacy in tor. CoRR, abs/1503.03940, 2015.
[22] Tao Wang, Xiang Cai, Rishab Nithyanand, Rob Johnson, and Ian Goldberg. Effective attacks and provable defenses for website fingerprinting. In Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, August 20-22, 2014, pages 143–157, 2014.
[23] Wei Wang, Mehul Motani, and Vikram Srinivasan. Dependent link padding algorithms for low latency anonymity systems. In Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS'08, pages 323–332, New York, NY, USA, 2008. ACM.
[24] X. Fu and Z. Ling. One cell is enough to break tors anonymity. In Proceedings of Black Hat Technical Security Conference, 2009.
