4471 anonymous communications

Upload: rijy-lorance

Post on 14-Apr-2018

TRANSCRIPT

  • 7/29/2019 4471 Anonymous Communications

    Anonymous Communications

  • Outline

    Overview of Anonymous Communications
    Invisible Traceback over Anonymous Communications
    Final Remarks

  • Overview: Anonymous Communications

    Network communications among parties that conceal the parties' identities and the existence of the communications
    Applications: whistleblowing, privacy-preserving free expression, voting in elections, etc.
    Systems: Tor [1], I2P [2], Anonymizer [3], etc.
    Practice: users' communications are cloaked by partitioning them into application-layer chunks, which are relayed among users in the system [4]

  • Case Study: How Tor Works

    Source: [1]

  • Outline

    Overview of Anonymous Communications
    Invisible Traceback over Anonymous Communications
      Motivation
      Flow marking traceback technique
      Prototyping
      Implementation and Evaluation
      Related Work
    Final Remarks

  • Motivation: Invisible Traceback (1)

    Traceback in the real world
    [Figure: animal traceback, mail traceback, family traceback [5]]

  • Motivation: Invisible Traceback (2)

    Internet is breeding ground for many crimes:
    Criminal enterprises like anonymous communications
    For such cases, law enforcement investigators need to determine parties responsible for crimes
    [Figure labels: credit card fraud, sharing files (without permission), cyber-terrorism, malware distribution]

  • Motivation: Invisible Traceback (3)

    Traceback aims to determine whodunit:
      Origin of a packet/message
      Unauthorized distributors, downloaders of files
      Evil cybercriminals communicating with each other
    [Figure labels: Evil, Evil, Investigator]

  • Motivation: Invisible Traceback (4)

    Critical point: investigators' traceback activity needs to be invisible to suspects (e.g., illegal file sharers, cybercriminals)
    Without invisibility:
      Suspects would cease criminal activity, do it elsewhere, develop countermeasures to fool investigators, etc.
      Investigator would have no evidence of wrongdoing
    Traceback helps hold cybercriminals responsible for their actions

  • Challenges to Invisible Traceback (1)

    The nature of the Internet:
      Large scale, loose control
      Destination-oriented routing and forwarding
        easy to spoof source IP addresses
      Intermediate nodes record very little information

  • Challenges to Invisible Traceback (2)

    Availability of anonymous communication systems
    [Figure: Anonymous Communication between Sender and Receiver through a Human Spy Network with intermediaries A and B; hops labelled "S to A", "A to B", "B to R"]

  • Our Focus

    Suppose a sender sends traffic through an encrypted anonymous channel. How can the investigator trace and confirm the receiver's identity?
    Papers [4] and [6] (S&P 2007, ToN 2012)
    [Figure: Sender, Anonymous Channel, Receiver]

  • An Intuitive Solution

    Packet marking: mark certain packets
    [Figure: Sender, Anonymous Network, Receiver]
    However, packets are encrypted in anonymous communication systems
      Carelessly marked packets fail decryption
      visible to the attacker!

  • Our Solution

    Flow marking
      Change traffic flow rates
      Traffic rate changes represent a mark, i.e., special secret code
    Investigator knows that Sender communicates with Receiver!
    [Figure labels: Investigator, Sender, Interferer, Anonymous Network (Anonymous Channel), Sniffer, Receiver]

  • Key Differences Between Flow and Packet Marking

    Packet marking
      Mark embedded in packets
      Packet content is changed
      It is very difficult, if not impossible, to hide such changes when packets are encrypted
    Flow marking
      Mark is embedded in flow rate changes
      No packet content is changed
      It is feasible to hide flow rate changes in the Internet, typically with dynamic traffic

  • Questions About Flow Marking

    A detail question:
      How is a mark embedded into flow rate changes?
    Two big-picture questions:
      How do we make the traffic rate changes invisible to cybercriminals?
      How do we make the traffic changes robust to burst traffic interference in the Internet?

  • Embedding Mark Into Flow Rate Changes

    Mark decides flow rate changes
    Key to flow rate changes' invisibility and robustness: choose an appropriate mark
      Direct Sequence Spread Spectrum (DSSS)
    [Figure: Mark (a sequence of 1 and -1 values) and Flow]

  • Basic Direct Sequence Spread Spectrum (DSSS)

    A pseudo-noise (PN) code is used for spreading a signal and despreading a spread signal
    [Figure: spreading at the Interferer and despreading at the Sniffer across a noisy channel; labels: Original Signal, PN Code, Recovered Signal, d_t, c_t, t_b, r_b, c_r, d_r]

  • Example: Spreading and Despreading

    Signal PN code (i.e. DSSS code)
    One symbol is represented by 7 chips
    PN code is random; not visible in time or frequency domains
    t_b is the mark!
    Despreading is the reverse process of spreading
    [Figure: waveforms of d_t, c_t and t_b (Mark) between +1 and -1 over time t; axis labels T_c (chip) and N_c T_c]

  • Invisibility of Flow Marking

    Marks show a white noise-like pattern in both time and frequency domains
    Mark amplitude can be very small
    As suspects don't know the code, it's very hard for them to recognize marks

  • Accuracy of Flow Marking Recognition

    Spreading/despreading processes make the mark immune to burst interference introduced by Internet background traffic
    [Figure: waveforms of d_t, c_t and t_b (Mark) between +1 and -1 over time t; axis label T_c (chip)]

  • A Prototype System

    [Figure labels: Sender, Receiver, Interferer, Sniffer, Anonymous Network, Signal Modulator, Flow Modulator, Flow Demodulator, Signal Modulator, Recovered Signal]

  • Embedding Signal into Traffic at Interferer

    1. Choose a random signal of length n: (1 -1)
    2. Signal modulator: obtain the spread signal
    3. Flow modulator: modulate a target traffic flow by appropriate interference
         Bit 1: without interference
         Bit -1: with interference
    [Figure labels: Signal, PN Code, Signal Modulator, Flow Modulator, Internet, spread signal + noise]

  • Recovering Signal at Sniffer

    1. Flow demodulator:
         Sniff target traffic
         Sample target traffic to derive traffic rate time series
         Use high-pass filter to remove direct component by Fast Fourier Transform (FFT)
    2. Signal demodulator:
         Despreading by the PN code
         Use low-pass filter to remove high-frequency noise
    3. Decision rule: Recovered signal == Original signal?
    [Figure labels: spread signal + noise, High-pass Filter, PN Code, Low-pass Filter, Decision Rule, Flow Demodulator, Signal Demodulator]
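
An added example, not part of the original slides or the authors' prototype: a small simulation of the embedding steps at the interferer and the recovery steps at the sniffer, run on a constructed rate series instead of real traffic. The seeded PRNG standing in for the PN generator, the 1024-chip code (longer than the 7-chip slide example so the mark can sit below the noise), the Gaussian background model and all parameter values are assumptions.

```python
import random

def pn_code(key, n_chips):
    # Assumption: a PRNG seeded with the secret key stands in for the PN generator.
    rng = random.Random(key)
    return [rng.choice((-1, 1)) for _ in range(n_chips)]

def spread(signal, code):
    # Signal modulator: each signal bit (+1/-1) is multiplied by the whole code.
    return [bit * chip for bit in signal for chip in code]

def modulate(chips, base, depth, sigma, rng):
    # Flow modulator model: chip +1 leaves the rate alone, chip -1 lowers it by
    # `depth`; Gaussian noise stands in for background traffic.
    return [base - (depth if chip < 0 else 0.0) + rng.gauss(0.0, sigma)
            for chip in chips]

def correlate(rates, code):
    # Flow demodulator: removing the mean equals zeroing the DC bin of the FFT.
    mean = sum(rates) / len(rates)
    ac = [r - mean for r in rates]
    # Signal demodulator: multiply by the code, then average over each symbol
    # (a crude low-pass filter).
    n = len(code)
    return [sum(x * c for x, c in zip(ac[i:i + n], code)) / n
            for i in range(0, len(ac), n)]

def decide(corr):
    # Decision rule: the sign of each per-symbol correlation is the bit.
    return [1 if v > 0 else -1 for v in corr]

def demo():
    signal = [1, -1, 1, 1, -1, -1, 1, -1]      # constructed mark, n = 8
    code = pn_code(key=2007, n_chips=1024)
    rates = modulate(spread(signal, code), base=100.0, depth=2.0,
                     sigma=2.0, rng=random.Random(1))
    good = correlate(rates, code)                            # sniffer knows the code
    bad = correlate(rates, pn_code(key=4471, n_chips=1024))  # observer does not
    return signal, decide(good), good, bad

if __name__ == "__main__":
    signal, recovered, good, bad = demo()
    print("recovered == original:", recovered == signal)
    print("correct code:", [round(v, 2) for v in good])
    print("wrong code:  ", [round(v, 2) for v in bad])
```

The per-chip rate swing here (1 unit either side of its midpoint) is half the noise standard deviation, yet the correlations with the correct code sit near +1 or -1. With a different code they stay near zero, which is the noise-like appearance the slides attribute to the mark.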

  • Analytical Results

    1-bit signal detection rate: probability that we recognize 1 signal bit if we know when the signal appears
      where erfc() is complementary error function, Nc is PN code length
    n-bit signal detection rate
    SNR influences accuracy as well as invisibility
    A
    Signal to Noise Ratio (SNR)

  • Real World Experimental Setup

    The flow modulator at the interferer uses denial of service attack in wired networks

  • Evaluation Setup

    [Figure labels: Sender, Receiver]

  • Traceback Invisibility

    Overlapping traffic rate curves for traffic without marks in time and frequency domains

  • Traceback Accuracy

  • Transformation into a Real-World Tool

    Remaining issues
      Not totally invisible
      Not accurate to low rate traffic
      Robustness
    Applied to different scenarios
      One-to-one group
      Orthogonal codes parallel flow marking
      Wireless/wired networks

  • Related Work

    IP packet marking based traceback (UC Berkeley, Purdue U.) [7, 8]
      Each router on path adds its IP address to packet; victim reads path from packet
      Con: requires extra space in packet; requires network infrastructure involvement
    Packet inter-arrival time based traceback (NCSU, George Mason U.) [9, 10]
      Adjusts packet inter-arrival time conveying information
      Pro: fewer packets
      Con: sensitive to interference; needs more controlled network segments
    Correlation based traceback (UT Arlington, U. of Cambridge) [11, 12]
      Correlates traffic at different locations (passively or actively)
      Pro: passive, no target traffic interference (good secrecy)
      Con: needs threshold to determine whether traffic at different locations is related

  • Final Remarks

    Anonymous communication systems useful, but can be abused by cybercriminals
    Invisible traceback: important, hard problem
    We proposed novel traceback technique based on flow marking with spread spectrum
    We prototyped a system based on this technique
    Technique has strong potential for development as a real-world tool

  • References (1)

    1. Tor Project, "Tor: Anonymity Online," http://torproject.org/about/overview.html.en
    2. I2P Anonymous Network, http://www.i2p2.de/
    3. Anonymizer, Inc., http://www.anonymizer.com
    4. Z. Ling, J. Luo, W. Yu, X. Fu, D. Xuan, and W. Jia, "A New Cell-Counting-Based Attack Against Tor," ACM/IEEE Trans. on Networking (ToN), vol. 20, no. 4, Aug. 2012, pp. 1245-1261.
    5. http://www.englishexercises.org/makeagame/viewgame.asp?id=453
    6. W. Yu, X. Fu, S. Graham, D. Xuan, and W. Zhao, "DSSS-Based Flow Marking Technique for Invisible Traceback," Proc. IEEE Symp. on Security and Privacy (S&P), 2007, pp. 18-31.
    7. D. X. Song and A. Perrig, "Advanced and authenticated marking schemes for IP traceback," in Proc. IEEE INFOCOM, 2001.
    8. K. Park and H. Lee, "On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack," in Proc. IEEE INFOCOM, 2001.
    9. X. Wang, S. Chen, and S. Jajodia, "Tracking anonymous peer-to-peer VoIP calls on the internet," in Proc. ACM Conf. on Computer Communications Security (CCS), 2005.
    10. P. Peng, P. Ning, and D. S. Reeves, "On the secrecy of timing-based active watermarking trace-back techniques," in Proc. IEEE Symp. on Security and Privacy (S&P), 2006.

  • References (2)

    11. Y. Zhu, X. Fu, B. Graham, R. Bettati, and W. Zhao, "On flow correlation attacks and countermeasures in mix networks," in Proc. Workshop on Privacy Enhancing Technologies (PET), 2004.
    12. B. N. Levine, M. Reiter, C. Wang, and M. Wright, "Timing analysis in low-latency mix systems," in Proc. Intl. Conf. on Financial Cryptography, 2004.