10 research outputs found

    Extracting Association Patterns in Network Communications

    In network communications, mixes provide protection against observers by hiding the appearance of messages, patterns, length and links between senders and receivers. Statistical disclosure attacks aim to reveal the identity of senders and receivers in a communication network setting when it is protected by standard techniques based on mixes. This work aims to develop a global statistical disclosure attack to detect relationships between users. The only information used by the attacker is the number of messages sent and received by each user for each round, that is, each batch of messages grouped by the anonymity system. A new modeling framework based on contingency tables is used. The assumptions are more flexible than those used in the literature, allowing the method to be applied to multiple situations automatically, such as email data or social network data. A classification scheme based on combinatoric solutions of the space of rounds retrieved is developed. Solutions about relationships between users are provided for all pairs of users simultaneously, since the dependence of the data retrieved needs to be addressed in a global sense.

    New statistical disclosure attacks on anonymous communications networks

    Unpublished thesis of the Universidad Complutense de Madrid, Facultad de Informática, Departamento de Ingeniería del Software e Inteligencia Artificial, defended on 5-02-2016. Anonymity is a dimension of privacy in which a person keeps their identity to themselves in the social relationships they maintain. From the standpoint of electronic communications, anonymity makes it possible to keep hidden the information that could lead to the identification of the parties involved in a transaction. Currently, preserving anonymity in networked information transactions is one of the most important concerns. To this end, various technologies have been developed, commonly called privacy-enhancing technologies. One of the most popular and simple ways of protecting anonymity in communications between users is low-latency anonymous communication systems based on mix networks. These systems are exposed to a series of attacks based on traffic analysis that compromise the privacy of the relationships between the users participating in the communication, that is, that determine, to a greater or lesser extent, the identities of senders and receivers. Among the different types of attack, the notable ones are those based on flooding the network with false information to obtain patterns in the mix network, those based on timing control, those based on message content, and those known as intersection attacks, which seek to infer, through probabilistic or optimization reasoning, patterns of relationships between users from the information gathered by the attacker in batches or over a period of time. This last type of attack is the subject of the present thesis...
    Anonymity is a privacy dimension related to people's interest in preserving their identity in social relationships. In network communications, anonymity makes it possible to hide information that could compromise the identity of parties involved in transactions. Nowadays, anonymity preservation in network information transactions represents a crucial research field. In order to address this issue, a number of Privacy Enhancing Technologies have been developed. Low latency communications systems based on networks of mixes are very popular and simple measures to protect anonymity in users' communications. These systems are exposed to a series of attacks based on traffic analysis that compromise the privacy of relationships between users participating in communications, making it possible to determine the identity of sender and receiver in a particular information transaction. Some of the leading attack types are attacks based on sending dummy traffic to the network, attacks based on time control, attacks that take into account the textual information within the messages, and intersection attacks, which aim to derive patterns of communications between users using probabilistic reasoning or optimization algorithms. This last type of attack is the subject of the present work. Intersection attacks lead to statistical estimations of the communication patterns (mean number of sent messages between a pair of users, probability of relationship between users, etc). These models were named Statistical Disclosure Attacks, and were soon considered able to compromise seriously the anonymity of networks based on mixes. Nevertheless, the hypotheses assumed in the first publications for the concrete development of the attacks were excessively demanding and unrealistic. It was common to suppose that messages were sent with uniform probability to the receivers, to assume the knowledge of the number of friends a user has or the knowledge a priori of some network parameters, supposing similar behavior between users, etc...

    Cost Analysis of Query-Anonymity on the Internet of Things

    A necessary function of the Internet of Things (IoT) is to sense the real-world from the fabric of everyday environments. Wireless Sensor Networks (WSNs) are widely deployed as part of IoT for environmental sensing, industrial monitoring, health care, and military purposes. Traditional WSNs are limited in terms of their management and usage model. As an alternative paradigm for WSN management, the sensor-cloud virtualizes physical sensors. While this model has many benefits, there are privacy issues that are not yet addressed. The query-anonymity arises when the client wants the destination physical sensor-node to be indistinguishable from other potential destinations. In particular, we consider the k-anonymous query scheme in which the query destination is indistinguishable from other k-1 probable destinations, where k is the offered level-of-anonymity. Moreover, we are interested in a communication-based approach in which the client is required to send k queries to at least k destinations including the node of interest in order to achieve a level-of-anonymity k. Thus, the communication-cost increases with the level-of-anonymity k. Consequently, there is a natural trade-off between the offered query-anonymity and the incurred communication-cost. The analysis of such trade-off is the main problem we address in this work. We firstly aim at a novel theoretical framework that quantifies the security of a general k-anonymous query scheme. Towards that, we adopt two approaches based on well-known security models namely, ciphertext indistinguishability under chosen plaintext attack (IND-CPA), and information theoretic notion of perfect secrecy. Next, we provide a construction of a secure k-anonymous query scheme, and introduce its detailed design and implementation, including the partition algorithm, anonymity-sets construction methods, query routing algorithm, and querying protocol. 
Then we establish a set of average-case and worst-case bounds on the cost-anonymity trade-off. We are committed to answering two important questions: what is the communication-cost, on average and in the worst-case, that is necessary? and what is the communication-cost that is sufficient to achieve the required secure query k-anonymity? Finally, we conduct extensive simulations to analyze various performance-anonymity trade-offs to study the average and worst-case bounds on them, and investigate several variations of anonymity-set construction methods. Confirming our theoretical analysis, our evaluation results show that the bounds of the average and worst-case cost change from quadratic asymptotic dependence on the network diameter to the same dependence on the level-of-anonymity when the latter surpasses the former. Furthermore, most of the obtained bounds on various performance-anonymity trade-offs can be expressed precisely in terms of the offered level-of-anonymity and network diameter.

    The Hitting Set Attack on Anonymity Protocols

    No full text
    A passive attacker can compromise a generic anonymity protocol by applying the so-called disclosure attack, i.e. a special traffic analysis attack. In this work we present a more efficient way to accomplish this goal, i.e. we need fewer observations by looking for unique minimal hitting sets. We call this the hitting set attack or just HS-attack. In general, solving the minimal hitting set problem is NP-hard. Therefore, we use frequency analysis to enhance the applicability of our attack. It is possible to apply highly efficient backtracking search algorithms. We call this approach the statistical hitting set attack or SHS-attack. However, the statistical hitting set attack is prone to wrong solutions with a given small probability. We use here duality checking algorithms to resolve this problem. We call this final exact attack the HS*-attack.

    Private and censorship-resistant communication over public networks

    Society’s increasing reliance on digital communication networks is creating unprecedented opportunities for wholesale surveillance and censorship. This thesis investigates the use of public networks such as the Internet to build robust, private communication systems that can resist monitoring and attacks by powerful adversaries such as national governments. We sketch the design of a censorship-resistant communication system based on peer-to-peer Internet overlays in which the participants only communicate directly with people they know and trust. This ‘friend-to-friend’ approach protects the participants’ privacy, but it also presents two significant challenges. The first is that, as with any peer-to-peer overlay, the users of the system must collectively provide the resources necessary for its operation; some users might prefer to use the system without contributing resources equal to those they consume, and if many users do so, the system may not be able to survive. To address this challenge we present a new game theoretic model of the problem of encouraging cooperation between selfish actors under conditions of scarcity, and develop a strategy for the game that provides rational incentives for cooperation under a wide range of conditions. The second challenge is that the structure of a friend-to-friend overlay may reveal the users’ social relationships to an adversary monitoring the underlying network. To conceal their sensitive relationships from the adversary, the users must be able to communicate indirectly across the overlay in a way that resists monitoring and attacks by other participants. We address this second challenge by developing two new routing protocols that robustly deliver messages across networks with unknown topologies, without revealing the identities of the communication endpoints to intermediate nodes or vice versa. 
The protocols make use of a novel unforgeable acknowledgement mechanism that proves that a message has been delivered without identifying the source or destination of the message or the path by which it was delivered. One of the routing protocols is shown to be robust to attacks by malicious participants, while the other provides rational incentives for selfish participants to cooperate in forwarding messages.

    Proceedings of The 13. Nordic Workshop on Secure IT Systems, NordSec 2008, Kongens Lyngby Oct 9-10, 2008
