10 research outputs found
Towards Provably Invisible Network Flow Fingerprints
Network traffic analysis reveals important information even when messages are
encrypted. We consider active traffic analysis via flow fingerprinting by
invisibly embedding information into packet timings of flows. In particular,
assume Alice wishes to embed fingerprints into flows of a set of network input
links, whose packet timings are modeled by Poisson processes, without being
detected by a watchful adversary Willie. Bob, who receives the set of
fingerprinted flows after they pass through the network modeled as a collection
of independent and parallel queues, wishes to extract Alice's embedded
fingerprints to infer the connection between input and output links of the
network. We consider two scenarios: 1) Alice embeds fingerprints in all of the
flows; 2) Alice embeds fingerprints in each flow independently with probability
. Assuming that the flow rates are equal, we calculate the maximum number of
flows in which Alice can invisibly embed fingerprints while having those
fingerprints successfully decoded by Bob. Then, we extend the construction and
analysis to the case where flow rates are distinct, and discuss the extension
of the network model
The Flow Fingerprinting Game
Linking two network flows that have the same source is essential in intrusion
detection or in tracing anonymous connections. To improve the performance of
this process, the flow can be modified (fingerprinted) to make it more
distinguishable. However, an adversary located in the middle can modify the
flow to impair the correlation by delaying the packets or introducing dummy
traffic.
We introduce a game-theoretic framework for this problem, that is used to
derive the Nash Equilibrium. As obtaining the optimal adversary delays
distribution is intractable, some approximations are done. We study the
concrete example where these delays follow a truncated Gaussian distribution.
We also compare the optimal strategies with other fingerprinting schemes. The
results are useful for understanding the limits of flow correlation based on
packet timings under an active attacker.Comment: Workshop on Information Forensics and Securit
TARANET: Traffic-Analysis Resistant Anonymity at the NETwork layer
Modern low-latency anonymity systems, no matter whether constructed as an
overlay or implemented at the network layer, offer limited security guarantees
against traffic analysis. On the other hand, high-latency anonymity systems
offer strong security guarantees at the cost of computational overhead and long
delays, which are excessive for interactive applications. We propose TARANET,
an anonymity system that implements protection against traffic analysis at the
network layer, and limits the incurred latency and overhead. In TARANET's setup
phase, traffic analysis is thwarted by mixing. In the data transmission phase,
end hosts and ASes coordinate to shape traffic into constant-rate transmission
using packet splitting. Our prototype implementation shows that TARANET can
forward anonymous traffic at over 50~Gbps using commodity hardware
Practical Traffic Analysis Attacks on Secure Messaging Applications
Instant Messaging (IM) applications like Telegram, Signal, and WhatsApp have
become extremely popular in recent years. Unfortunately, such IM services have
been targets of continuous governmental surveillance and censorship, as these
services are home to public and private communication channels on socially and
politically sensitive topics. To protect their clients, popular IM services
deploy state-of-the-art encryption mechanisms. In this paper, we show that
despite the use of advanced encryption, popular IM applications leak sensitive
information about their clients to adversaries who merely monitor their
encrypted IM traffic, with no need for leveraging any software vulnerabilities
of IM applications. Specifically, we devise traffic analysis attacks that
enable an adversary to identify administrators as well as members of target IM
channels (e.g., forums) with high accuracies. We believe that our study
demonstrates a significant, real-world threat to the users of such services
given the increasing attempts by oppressive governments at cracking down
controversial IM channels.
We demonstrate the practicality of our traffic analysis attacks through
extensive experiments on real-world IM communications. We show that standard
countermeasure techniques such as adding cover traffic can degrade the
effectiveness of the attacks we introduce in this paper. We hope that our study
will encourage IM providers to integrate effective traffic obfuscation
countermeasures into their software. In the meantime, we have designed and
deployed an open-source, publicly available countermeasure system, called
IMProxy, that can be used by IM clients with no need for any support from IM
providers. We have demonstrated the effectiveness of IMProxy through
experiments
TARANET: Traffic-Analysis Resistant Anonymity at the Network Layer
Modern low-latency anonymity systems, no matter whether constructed as an overlay or implemented at the network layer, offer limited security guarantees against traffic analysis. On the other hand, high-latency anonymity systems offer strong security guarantees at the cost of computational overhead and long delays, which are excessive for interactive applications. We propose TARANET, an anonymity system that implements protection against traffic analysis at the network layer, and limits the incurred latency and overhead. In TARANET's setup phase, traffic analysis is thwarted by mixing. In the data transmission phase, end hosts and ASes coordinate to shape traffic into constant-rate transmission using packet splitting. Our prototype implementation shows that TARANET can forward anonymous traffic at over 50 Gbps using commodity hardware
The Need for Flow Fingerprints to Link Correlated Network Flows
Abstract. Linking network flows is an important problem in the detection of stepping stone attacks as well as in compromising anonymity systems. Traffic analysis is an effective tool for linking flows, which works by correlating their communication patterns, e.g., their packet timings. To improve scalability and performance of this process, recent proposals suggest to perform traffic analysis in an active manner by injecting invisible tags into the traffic patterns of network flows; this approach is commonly known as flow watermarking. In this paper, we study an under-explored type of active traffic analysis that we call it flow fingerprinting. Information theoretically, flow watermarking aims at conveying a single bit of information whereas flow fingerprinting tries to reliably send multiple bits of information, hence it is a more challenging problem. Such additional bits help a fingerprinter deliver extra information in addition to the existence of the tag, such as the network origin of the flow and the identity of the fingerprinting entity. In this paper, we introduce and formulate the flow fingerprinting problem and contrast its application scenarios from that of the well-studied flow watermarking. We suggest the use of coding theory to build fingerprinting schemes based on the existing watermarks. In particular, we design a non-blind fingerprint, Fancy, and evaluate its performance. We show that Fancy can reliably fingerprint millions of network flows by tagging only as few as tens of packets from each flow