Practical Traffic Analysis Attacks on Secure Messaging Applications

Instant Messaging (IM) applications like Telegram, Signal, and WhatsApp have become extremely popular in recent years. Unfortunately, such IM services have been targets of continuous governmental surveillance and censorship, as these services are home to public and private communication channels on socially and politically sensitive topics. To protect their clients, popular IM services deploy state-of-the-art encryption mechanisms. In this paper, we show that despite the use of advanced encryption, popular IM applications leak sensitive information about their clients to adversaries who merely monitor their encrypted IM traffic, with no need for leveraging any software vulnerabilities of IM applications. Specifically, we devise traffic analysis attacks that enable an adversary to identify administrators as well as members of target IM channels (e.g., forums) with high accuracies. We believe that our study demonstrates a significant, real-world threat to the users of such services given the increasing attempts by oppressive governments at cracking down controversial IM channels. We demonstrate the practicality of our traffic analysis attacks through extensive experiments on real-world IM communications. We show that standard countermeasure techniques such as adding cover traffic can degrade the effectiveness of the attacks we introduce in this paper. We hope that our study will encourage IM providers to integrate effective traffic obfuscation countermeasures into their software. In the meantime, we have designed and deployed an open-source, publicly available countermeasure system, called IMProxy, that can be used by IM clients with no need for any support from IM providers. We have demonstrated the effectiveness of IMProxy through experiments

Design and Implementation of Algorithms for Traffic Classification

Traffic analysis is the practice of using inherent characteristics of a network flow such as timings, sizes, and orderings of the packets to derive sensitive information about it. Traffic analysis techniques are used because of the extensive adoption of encryption and content-obfuscation mechanisms, making it impossible to infer any information about the flows by analyzing their content. In this thesis, we use traffic analysis to infer sensitive information for different objectives and different applications. Specifically, we investigate various applications: p2p cryptocurrencies, flow correlation, and messaging applications. Our goal is to tailor specific traffic analysis algorithms that best capture network traffic’s intrinsic characteristics in those applications for each of these applications. Also, the objective of traffic analysis is different for each of these applications. Specifically, in Bitcoin, our goal is to evaluate Bitcoin traffic’s resilience to blocking by powerful entities such as governments and ISPs. Bitcoin and similar cryptocurrencies play an important role in electronic commerce and other trust-based distributed systems because of their significant advantage over traditional currencies, including open access to global e-commerce. Therefore, it is essential to the consumers and the industry to have reliable access to their Bitcoin assets. We also examine stepping stone attacks for flow correlation. A stepping stone is a host that an attacker uses to relay her traffic to hide her identity. We introduce two fingerprinting systems, TagIt and FINN. TagIt embeds a secret fingerprint into the flows by moving the packets to specific time intervals. However, FINN utilizes DNNs to embed the fingerprint by changing the inter-packet delays (IPDs) in the flow. In messaging applications, we analyze the WhatsApp messaging service to determine if traffic leaks any sensitive information such as members’ identity in a particular conversation to the adversaries who watch their encrypted traffic. These messaging applications’ privacy is essential because these services provide an environment to dis- cuss politically sensitive subjects, making them a target to government surveillance and censorship in totalitarian countries. We take two technical approaches to design our traffic analysis techniques. The increasing use of DNN-based classifiers inspires our first direction: we train DNN classifiers to perform some specific traffic analysis task. Our second approach is to inspect and model the shape of traffic in the target application and design a statistical classifier for the expected shape of traffic. DNN- based methods are useful when the network is complex, and the traffic’s underlying noise is not linear. Also, these models do not need a meticulous analysis to extract the features. However, deep learning techniques need a vast amount of training data to work well. Therefore, they are not beneficial when there is insufficient data avail- able to train a generalized model. On the other hand, statistical methods have the advantage that they do not have training overhead

Les Botmasters et leurs rôles dans le marché des botnets

Travail dirigé présenté à la Faculté des études supérieures et postdoctorales en vue de l’obtention du grade de Maîtrise ès Sciences (M.Sc.) en Criminologie option Criminalistique et informationLes botnets continuent à présenter une préoccupation réelle dans la sphère virtuelle. Ces réseaux d’ordinateurs corrompus facilitent la prolifération des crimes en ligne de façon à atteindre une quantité énorme de victimes. De nombreuses études traitent ainsi des mécanismes d’infection de machines ainsi que des comportements de ces botnets. D’ailleurs, les conséquences qui en découlent sont elles aussi bien documentées. On constate cependant un manque dans la littérature en ce qui concerne les botmasters, les pirates informatiques qui créent et contrôlent de tels réseaux. À l’aide d’analyses de contenus du forum Dark0de, 88 botmasters ont été identifiés et catégorisés en fonction des rôles qu’ils occupent dans le marché de botnets. Cette étude exploratoire vise à évaluer le statut, la réputation, le taux d’activité ainsi que les expertises de ces botmasters, soit : les codeurs, les commerçants, les distributeurs, les opérateurs, les curieux, ainsi que les individus qui monétisent les botnets et qui affirment être expérimentés dans ce domaine. Cette étude permet de conclure que les distributeurs et les opérateurs de botnets sont les membres les plus réputés dans leur communauté. C’est auprès des commerçants ainsi que des botmasters d’expériences que l’on retrouve les membres avec les meilleurs statuts du forum. Les catégories de botmasters les plus actifs au sein de Dark0de sont les opérateurs et les commerçants. La plupart des botmasters à l’étude ont été identifiés dans un forum de piratages différent de Dark0de, ou aucun. Pour finir, à part pour les codeurs, dont plus de la moitié se spécialise en programmation, et les botmasters d’expérience, dont le tiers n’ont qu’une seule spécialisation, les autres sujets possèdent diverses expertises non reliées au botnets.Botnets still represent one of the biggest threats in cyberspace. These corrupted computer networks are used to facilitate the propagation of cybercrime and to reach simultaneously an important number of victims. Previous studies have covered subjects such as the bot infection mechanisms, botnets’ behaviour and also the consequences of their usage. While botnets are well documented, there is a gap in literature regarding botmasters, the hackers responsible for creating and controlling these networks. To understand better those individuals, a content analysis of the underground forum Dark0de helped identify a pool of 88 botmasters that were categorised according to their roles in the botnet market. This preliminary study aims to measure the status, reputation, activity and expertise of botmasters according to their groups: coding, business, distribution, operation, monetization, interest and experience. Preliminary results indicate that distributors and operators have a better reputation in their community, while traders and experienced botmasters have higher statuses in the forum. Operators and traders are the most active botmasters in this forum. Also, most of the botmasters in this study have been found in another forum or none. Finally, except for half of the coders and a third of experienced botmasters, most of these individuals possess many expertise in different fields than botnets