An Empirical Study of the I2P Anonymity Network and its Censorship Resistance
Tor and I2P are well-known anonymity networks used by many individuals to
protect their online privacy and anonymity. Tor's centralized directory
services facilitate the understanding of the Tor network, as well as the
measurement and visualization of its structure through the Tor Metrics project.
In contrast, I2P does not rely on centralized directory servers, and thus
obtaining a complete view of the network is challenging. In this work, we
conduct an empirical study of the I2P network, in which we measure properties
including population, churn rate, router type, and the geographic distribution
of I2P peers. We find that there are currently around 32K active I2P peers in
the network on a daily basis. Of these peers, 14K are located behind NAT or
firewalls.
Using the collected network data, we examine the blocking resistance of I2P
against a censor that wants to prevent access to I2P using address-based
blocking techniques. Despite the decentralized characteristics of I2P, we
discover that a censor can block more than 95% of peer IP addresses known by a
stable I2P client by operating only 10 routers in the network. This amounts to
severe network impairment: a blocking rate of more than 70% is enough to cause
significant latency in web browsing activities, while blocking more than 90% of
peer IP addresses can make the network unusable. Finally, we discuss the
security consequences of the network being blocked, and directions for
potential approaches to make I2P more resistant to blocking.
Comment: 14 pages, To appear in the 2018 Internet Measurement Conference
(IMC'18)
A Broad Evaluation of the Tor English Content Ecosystem
Tor is among the most well-known dark nets in the world. It has noble uses,
including as a platform for free speech and information dissemination under the
guise of true anonymity, but may be culturally better known as a conduit for
criminal activity and as a platform to market illicit goods and data. Past
studies on the content of Tor support this notion, but were carried out by
targeting popular domains likely to contain illicit content. A survey of past
studies may thus not yield a complete evaluation of the content and use of Tor.
This work addresses this gap by presenting a broad evaluation of the content of
the English Tor ecosystem. We perform a comprehensive crawl of the Tor dark web
and, through topic and network analysis, characterize the types of information
and services hosted across a broad swath of Tor domains and their hyperlink
relational structure. We recover nine domain types defined by the information
or service they host and, among other findings, unveil how some types of
domains intentionally silo themselves from the rest of Tor. We also present
measurements that (regrettably) suggest how marketplaces of illegal drugs and
services do emerge as the dominant type of Tor domain. Our study is the product
of crawling over 1 million pages from 20,000 Tor seed addresses, yielding a
collection of over 150,000 Tor pages. We intend to make the domain structure
publicly available as a dataset at
https://github.com/wsu-wacs/TorEnglishContent.
Comment: 11 pages
Modeling Structure and Resilience of the Dark Network
While the statistical and resilience properties of the Internet are no longer
changing significantly across time, the Darknet, a network devoted to keeping
its traffic anonymous, still experiences rapid changes to improve the security
of its users. Here, we study the structure of the Darknet and we find that its
topology is rather peculiar, being characterized by a non-homogeneous
distribution of connections (typical of scale-free networks), very short path
lengths and high clustering (typical of small-world networks), and a lack of a
core of highly connected nodes.
We propose a model to reproduce such features, demonstrating that the
mechanisms used to improve cyber-security are responsible for the observed
topology. Unexpectedly, we reveal that its peculiar structure makes the Darknet
much more resilient than the Internet (used as a benchmark for comparison at
a descriptive level) to random failures, targeted attacks and cascade
failures, as a result of adaptive changes in response to the attempts of
dismantling the network across time.
Comment: 8 pages, 5 figures
OnionBots: Subverting Privacy Infrastructure for Cyber Attacks
Over the last decade, botnets survived by adopting a sequence of increasingly
sophisticated strategies to evade detection and takeovers, and to monetize
their infrastructure. At the same time, the success of privacy infrastructures
such as Tor opened the door to illegal activities, including botnets,
ransomware, and a marketplace for drugs and contraband. We contend that the
next waves of botnets will extensively subvert privacy infrastructure and
cryptographic mechanisms. In this work we propose to preemptively investigate
the design and mitigation of such botnets. We first introduce OnionBots, which
we believe will be the next generation of resilient, stealthy botnets.
OnionBots use privacy infrastructures for cyber attacks by completely
decoupling their operation from the infected host IP address and by carrying
traffic that does not leak information about its source, destination, and
nature. Such bots live symbiotically within the privacy infrastructures to
evade detection, measurement, scale estimation, observation, and in general all
current IP-based mitigation techniques. Furthermore, we show that with an
adequate self-healing network maintenance scheme that is simple to implement,
OnionBots achieve a low diameter and a low degree and are robust to
partitioning under node deletions. We developed a mitigation technique, called
SOAP, that neutralizes the nodes of the basic OnionBots. We also outline and
discuss a set of techniques that can enable subsequent waves of Super
OnionBots. In light of the potential of such botnets, we believe that the
research community should proactively develop detection and mitigation methods
to thwart OnionBots, potentially making adjustments to privacy infrastructure.
Comment: 12 pages, 8 figures
How Do Tor Users Interact With Onion Services?
Onion services are anonymous network services that are exposed over the Tor
network. In contrast to conventional Internet services, onion services are
private, generally not indexed by search engines, and use self-certifying
domain names that are long and difficult for humans to read. In this paper, we
study how people perceive, understand, and use onion services based on data
from 17 semi-structured interviews and an online survey of 517 users. We find
that users have an incomplete mental model of onion services, use these
services for anonymity and have varying trust in onion services in general.
Users also have difficulty discovering and tracking onion sites and
authenticating them. Finally, users want technical improvements to onion
services and better information on how to use them. Our findings suggest
various improvements for the security and usability of Tor onion services,
including ways to automatically detect phishing of onion services, clearer
security indicators, and ways to manage onion domain names that are difficult
to remember.
Comment: Appeared in USENIX Security Symposium 201
Adaptive Traffic Fingerprinting for Darknet Threat Intelligence
Darknet technology such as Tor has been used by various threat actors for
organising illegal activities and data exfiltration. As such, there is a case
for organisations to block such traffic, or to try and identify when it is used
and for what purposes. However, anonymity in cyberspace has always been a
domain of conflicting interests. While it gives enough power to nefarious
actors to masquerade their illegal activities, it is also the cornerstone to
facilitate freedom of speech and privacy. We present a proof of concept for a
novel algorithm that could form the fundamental pillar of a darknet-capable
Cyber Threat Intelligence platform. The solution can reduce anonymity of users
of Tor, and considers the existing visibility of network traffic before
optionally initiating targeted or widespread BGP interception. In combination
with server HTTP response manipulation, the algorithm attempts to reduce the
candidate data set to eliminate client-side traffic that is most unlikely to be
responsible for server-side connections of interest. Our test results show that
MITM-manipulated server responses lead to the expected changes received by the
Tor client. Using simulation data generated by Shadow, we show that the
detection scheme is effective with a false positive rate of 0.001, while
sensitivity detecting non-targets was 0.016 ± 0.127. Our algorithm could assist
collaborating organisations willing to share their threat intelligence or
cooperate during investigations.
Comment: 26 pages
Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences
In this survey, we first briefly review the current state of cyber attacks,
highlighting significant recent changes in how and why such attacks are
performed. We then investigate the mechanics of malware command and control
(C2) establishment: we provide a comprehensive review of the techniques used by
attackers to set up such a channel and to hide its presence from the attacked
parties and the security tools they use. We then switch to the defensive side
of the problem, and review approaches that have been proposed for the detection
and disruption of C2 channels. We also map such techniques to widely-adopted
security controls, emphasizing gaps or limitations (and success stories) in
current best practices.
Comment: Work commissioned by CPNI, available at c2report.org. 38 pages.
Listing abstract compressed from version appearing in report.
Foreword
The collection of articles in this Special Issue is based on an international conference on Advances in the Behavioral Analysis of Law: Markets, Institutions, and Contracts that took place on December 8, 2009 at the University of Haifa Faculty of Law in Israel. The conference addressed cutting-edge legal issues at the intersection of law, economics, and psychology from a diverse set of viewpoints, bringing together scholars engaged in both theoretical and experimental behavioral analyses of law