7 research outputs found

    Adaptive Traffic Fingerprinting for Darknet Threat Intelligence

    Darknet technology such as Tor has been used by various threat actors for organising illegal activities and data exfiltration. As such, there is a case for organisations to block such traffic, or to try and identify when it is used and for what purposes. However, anonymity in cyberspace has always been a domain of conflicting interests. While it gives enough power to nefarious actors to masquerade their illegal activities, it is also the cornerstone to facilitate freedom of speech and privacy. We present a proof of concept for a novel algorithm that could form the fundamental pillar of a darknet-capable Cyber Threat Intelligence platform. The solution can reduce anonymity of users of Tor, and considers the existing visibility of network traffic before optionally initiating targeted or widespread BGP interception. In combination with server HTTP response manipulation, the algorithm attempts to reduce the candidate data set to eliminate client-side traffic that is most unlikely to be responsible for server-side connections of interest. Our test results show that MITM-manipulated server responses lead to expected changes received by the Tor client. Using simulation data generated by Shadow, we show that the detection scheme is effective with a false positive rate of 0.001, while sensitivity detecting non-targets was 0.016+-0.127. Our algorithm could assist collaborating organisations willing to share their threat intelligence or cooperate during investigations.

    Comment: 26 page

    ATTACKING ANONYMOUS COMMUNICATION NETWORKS THROUGH PORT REDIRECTION


    ToR K-Anonymity against deep learning watermarking attacks

    It is known that totalitarian regimes often perform surveillance and censorship of their communication networks. The Tor anonymity network allows users to browse the Internet anonymously to circumvent censorship filters and possible prosecution. This has made Tor an enticing target for state-level actors and cooperative state-level adversaries, with privileged access to network traffic captured at the level of Autonomous Systems (ASs) or Internet Exchange Points (IXPs). This thesis studied the attack typologies involved, with a particular focus on traffic correlation techniques for de-anonymization of Tor endpoints. Our goal was to design a test-bench environment and tool, based on recently researched deep learning techniques for traffic analysis, to evaluate the effectiveness of countermeasures provided by recent approaches that try to strengthen Tor's anonymity protection. The targeted solution is based on K-anonymity input covert channels organized as a pre-staged multipath network. The research challenge was to design a test-bench environment and tool to launch active correlation attacks leveraging traffic flow correlation through the detection of induced watermarks in Tor traffic. To de-anonymize Tor connection endpoints, our tool analyses intrinsic time patterns of Tor synthetic egress traffic to detect flows with previously injected time-based watermarks. With the obtained results and conclusions, we contributed to the evaluation of the security guarantees that the targeted K-anonymity solution provides as a countermeasure against de-anonymization attacks.

    It has already been extensively observed that in several countries governed by totalitarian regimes there is monitoring, and consequent censorship, of the various communication media in use. Tor allows its users to browse the Internet with guarantees of privacy and anonymity, so as to avoid blocking, censorship and legal proceedings imposed by the governing entity. These properties have made the Tor network a target of attack for several governments and for joint actions by several entities with privileged access to large areas of the network and to several of its access points. This thesis studies the typologies of attacks that break the anonymity of the Tor network, with a special focus on traffic correlation techniques. Our goal is to build a study environment and tool, based on recent deep learning and watermark injection techniques, to evaluate the effectiveness of recently investigated countermeasures that try to strengthen the anonymity of the Tor network. The countermeasure we intend to evaluate is based on the creation of covert multi-circuits, using ingress TLS tunnels, so as to couple the traffic of an anonymous group of K users. The solution to be developed must launch a traffic correlation attack using active watermark induction techniques. This tool must be able to correlate synthetic egress traffic from Tor circuits, injecting watermarks at the ingress so that they can be detected at a second observation point. Applied to a real scenario, the purpose of the tool is framed in breaking the anonymity of hidden services provided by the Tor network, as well as of their users. The expected results will contribute to the evaluation of the mentioned K-user anonymity solution, which is seen as a countermeasure against de-anonymization attacks.

    Attack on user anonymity in the Tor system and methods of countering it

    The thesis is 90 pages long and contains 4 tables and 10 figures, as well as 45 bibliographic sources. A current scientific trend is the development and implementation of new mechanisms for ensuring anonymity on the Internet. The mechanism used in this work makes it possible to increase anonymity in the Tor system. It is therefore relevant for users of the Tor system who wish to increase their anonymity against traffic-analysis and timing attacks. The object of the study is the Tor system. The subject of the study is attacks on the Tor system and methods of countering them, from a theoretical and technical point of view. The aim of the work is to study the principles of onion routing, the mechanisms of the Tor system, attacks on user anonymity in the system and methods of countering them, and to develop solutions that will help prevent the most popular of these attacks. This work contains a description of onion routing and the Tor system, an overview of existing attacks, and methods of countering them. In the course of the work, a software solution was obtained for adding delays when sending and receiving packets, which is distinguished by its use of a cryptographic pseudorandom number generator when generating the delay values. In the future, the resulting software solution can be used to increase anonymity in the Tor network.

    The thesis contains 90 pages, 4 tables and 10 figures as well as 45 bibliographic sources. A current scientific trend is the development and implementation of new mechanisms for ensuring anonymity on the Internet. The mechanism used in this work allows anonymity in the Tor system to be increased. That is why it is important for users of the Tor system to increase their anonymity against attacks such as traffic analysis and time analysis. The object of the study is the Tor system. The subject of the study is attacks on the Tor system and countermeasures, from a theoretical and technical point of view. The aim of the work is to study the principles of onion routing, the mechanisms of the Tor system, and attacks on the anonymity of the user in the system and methods to counteract them, and to develop solutions that will help prevent the most popular of these attacks. This work contains a description of onion routing and the Tor system, an overview of existing attacks, and methods to counteract them. In the course of the work, a software solution was obtained that adds delays in the sending and receiving of packets, which differs in its use of a cryptographic pseudorandom number generator in forming the delay values. In the future, the result in the form of a software solution can be used to increase the anonymity of the Tor network.

    Attack on WiFi-based Location Services and SSL using Proxy Servers

    Wireless LANs are very common in any household or business today. They allow access to a home or business network and the Internet without using wires. Their wireless nature allows mobility and convenience for the user, and that opens up a lot of new possibilities in mobile devices such as smartphones and tablets. One application that makes use of wireless LANs is positioning, which can be used in areas where Global Positioning Systems may have trouble functioning or may not function at all. However, a drawback of using wireless communication is that it is susceptible to eavesdropping and jamming. Once the wireless signal is jammed, an attacker can set up fake access points on different channels or frequencies to impersonate a legitimate access point. In this thesis, this attack is performed specifically to trick WiFi-based location services. The attack is shown to work on Skyhook, Google, Apple and Microsoft location services, four of the major location service providers, and on dual-band hardware. Some countermeasures to such an attack are also presented. The web is an important part of many people's lives nowadays. People expect that their privacy and confidentiality are preserved when they use the web. Previously, web traffic used HTTP, which meant traffic was all unencrypted and could be intercepted and read by attackers. This is clearly a security problem, so many websites now default to using a more secure protocol, namely HTTPS, which uses HTTP with SSL, and force the user to HTTPS if they connect over the non-SSL protocol. SSL works by exchanging keys between the client and server, and the actual data is protected using the key and the cipher suite that is negotiated between the two. However, if a network uses a proxy server, it works slightly differently. The SSL connection is broken up into two separate ones, and that creates the potential for man-in-the-middle attacks that allow an attacker to intercept the data being transmitted. This thesis analyzes several scenarios in which an adversary can conduct such a man-in-the-middle attack, and potential detection and mitigation methods.