
    Tradeoffs between Anonymity and Quality of Services in Data Networking and Signaling Games

    Timing analysis has long been used to compromise users' anonymity in networks. Even when data is encrypted, an adversary can track flows from sources to the corresponding destinations merely by using the correlation between the inter-packet timing on incoming and outgoing streams at intermediate routers. Anonymous network systems, where users communicate without revealing their identities, rely on the idea of Chaum mixing to hide 'networking information'. Chaum mixes are routers or proxy servers that randomly reorder the outgoing packets to prevent an eavesdropper from tracking the flow of packets. The effectiveness of such mixing strategies is, however, diminished under network Quality of Service (QoS) constraints such as memory, bandwidth, and fairness. In this work, two models for studying anonymity, packet-based anonymity and flow-based anonymity, are proposed to address these issues quantitatively, and the trade-off between network constraints and achieved anonymity is studied. The packet-based anonymity model is proposed to study short-burst traffic arrival models of users, such as in web browsing. For packet-based anonymity, an information-theoretic investigation of mixes under memory and fairness constraints is established. Specifically, for memory-constrained mixes, the first single-letter characterization of the maximum achievable anonymity for a mix serving two users with equal arrival rates is provided. Further, for two users with unequal arrival rates, the anonymity is expressed as the solution to a series of finite recursive equations. In addition, for more than two users and arbitrary arrival rates, a lower bound on the convergence rate of anonymity as the buffer size increases is derived, and it is shown that under certain arrival configurations the lower bound is tight.

The adverse effect of the fairness requirement in data networking on anonymous networking is also studied using the packet-based anonymity model, and a novel temporal fairness index is proposed to compare the trade-off between fairness and achieved anonymity for three diverse and popular fairness paradigms: First Come First Serve (FCFS), Fair Queuing, and the Proportional Method. It is shown that the FCFS and Fair Queuing algorithms have little inherent anonymity; a significant improvement in anonymity is therefore achieved by relaxing the fairness paradigms. The analysis of the relaxed FCFS criterion, in particular, is accomplished by modeling the problem as a Markov Decision Process (MDP). The proportional method of scheduling, while avoided in networks today, is shown to significantly outperform the other fair scheduling algorithms in anonymity, and is proven to be asymptotically optimal as the buffer size of the scheduler is increased. The flow-based anonymity model is proposed to study long-stream traffic models of users, such as in media streaming. A detection-theoretic measure of anonymity is proposed to study the optimization of mixing strategies under network constraints for this flow-based model. Specifically, using the adversary's detection time as the metric, the effectiveness of mixing strategies is maximized under constraints on memory and throughput. A general game-theoretic model is proposed to study mixing strategies when an adversary is capable of capturing a fraction of the incoming packets. For the proposed multistage game, the existence of a Nash equilibrium is proven, and the optimal strategies for the mix and the adversary are derived at the equilibrium condition.

It is noted in this work that most of the literature on anonymity on the Internet focuses on achieving anonymity using third parties such as mixes or onion routers, while the contributions of users' individual actions, such as accessing multiple websites to hide the targeted websites or using multiple proxy servers to hide the traffic routes, are overlooked. In this thesis, a signaling game model is proposed to study specifically this kind of problem. Fundamentally, signaling games consist of two players, senders and receivers, and each sender belongs to one of multiple types. The users who seek anonymity are modeled as the senders of a signaling game, and their types are identified by the personal information they want to hide. The eavesdroppers are modeled as the receivers of the signaling game. Senders transmit their messages to receivers. The transmission of these messages can be seen as the unavoidable actions a user has to take in daily life, such as the newspapers they subscribe to on the Internet or the online shopping they do, but these messages are liable to reveal the user's identity, such as their political affiliation or affluence level. The receiver (eavesdropper) uses these messages to infer the sender's type and takes the optimal action according to its belief about the sender's type. Senders choose their messages to increase their reward, given that they know the receivers' optimal policies for choosing an action based on the transmitted message. However, sending the messages that increase the senders' reward may reveal their type to the receivers, thus violating their privacy, and this can be used by the eavesdropper in the future to harm the senders.

In this work, the payoff of the signaling game is adjusted to incorporate the information revealed to an eavesdropper, such that this information leakage is minimized from the users' perspective. The existence of a Bayesian-Nash equilibrium is proven for the signaling game even after the incorporation of users' anonymity. It is also proven that the equilibrium point is unique if the desired anonymity is below a certain threshold.

    Privacy Enhanced Secure Tropos: A Privacy Modeling Language for GDPR Compliance

    Compliance with the European Union General Data Protection Regulation (GDPR) is becoming a legal necessity for software systems that process and manage personal data. As a result, GDPR compliance and privacy components need to be considered from the early stages of the development process, and software engineers should analyze not only the system but also its environment. With this study, Privacy Enhanced Secure Tropos (PESTOS) is presented as a privacy modeling language based on the Tropos methodology, covering the goal and rule perspective, to help software engineers assess candidate privacy-enhancing technologies (PETs) while designing privacy-aware systems so as to make them compatible with GDPR. Although Article 5(2) of the GDPR establishes the accountability principle, which requires organizations to demonstrate compliance with the principles of the GDPR, there was no practical social modeling language meeting the demand driven by industrial and commercial needs (to the best of our knowledge, there is currently no other privacy modeling language that focuses especially on GDPR compliance and builds on the Security Risk-Aware Secure Tropos methodology). This is a serious issue for public institutions and the private sector in the EU, because GDPR brings very serious fines for data controllers and data processors; organizations do not feel ready to face these regulations, and software engineers lack methods for capturing change requests for their information systems. This paper applies a structured privacy modeling language called PESTOS, which has a goal-oriented solution domain that aims to bring high compatibility with GDPR by covering Privacy by Design strategies for assessing proper PETs from the goal-actor-rule perspective. Among the 99 articles of GDPR, 21 can be identified as technical-level requirements that PESTOS is able to transform into GDPR goals that need to be fulfilled in order to support business assets. A survey conducted among identity and security experts validates that the proposed model has a sufficient level of correctness, completeness, productivity, and ease of use.

    Towards a Collection of Security and Privacy Patterns

    Security and privacy (SP)-related challenges constitute a significant barrier to the wider adoption of Internet of Things (IoT) and Industrial IoT (IIoT) devices and the associated novel applications and services. In this context, patterns, which are constructs encoding re-usable solutions to common problems and building blocks for architectures, can be an asset in alleviating that barrier. More specifically, patterns can be used to encode dependencies between the SP properties of individual smart objects and the corresponding properties of the orchestrations (compositions) involving them, facilitating the design of IoT solutions that are secure and privacy-aware by design. Motivated by the above, this work presents a survey and taxonomy of SP patterns towards the creation of a usable pattern collection. The aim is to enable the decomposition of higher-level properties into more specific ones and to match them to relevant patterns, while also creating a comprehensive overview of the security- and privacy-related properties and sub-properties that are of interest in IoT/IIoT environments. To this end, the identified patterns are organized using a hierarchical taxonomy that allows their classification based on provided property, context, and generality, while also showing the relationships between them. The two high-level properties, Security and Privacy, are decomposed into a first layer of lower-level sub-properties such as confidentiality and anonymity. The lower layers of the taxonomy then include implementation-level enablers. The coverage that these patterns offer in terms of the considered properties, data states (data in transit, at rest, and in process), and platform connectivity cases (within the same IoT platform and across different IoT platforms) is also highlighted. Furthermore, pointers to extensions of the pattern collection with additional patterns and properties, including Dependability and Interoperability, are given. Finally, to showcase the use of the presented pattern collection, a practical application is detailed, involving the pattern-driven composition of IoT/IIoT orchestrations with SP property guarantees.

    Efficient, Effective, and Realistic Website Fingerprinting Mitigation

    Website fingerprinting attacks have been shown to be able to predict the website visited even when the network connection is encrypted and anonymized. These attacks have achieved accuracies as high as 92%. Mitigations to these attacks include using cover/decoy network traffic to add noise, padding so that all network packets are the same size, and introducing network delays to confuse an adversary. Although these mitigations have been shown to be effective, reducing the accuracy to 10%, their overhead is high: the latency overhead is above 100% and the bandwidth overhead is at least 30%. We introduce a new, realistic cover traffic algorithm, based on a user's previous network traffic, to mitigate website fingerprinting attacks. In simulations, our algorithm reduces the accuracy of attacks to 14% with zero latency overhead and about 20% bandwidth overhead. In real-world experiments, our algorithm reduces the accuracy of attacks to 16% with only 20% bandwidth overhead.