4471 anonymous communications - computer science and...

Anonymous Communications

CSE 4471: Information SecurityInstructor: Adam C. Champion, Ph.D.

Outline

• Overview of Anonymous Communications• Invisible Traceback over Anonymous

Communications• Final Remarks

2

Overview: Anonymous Communications

• Network communications among parties concealing parties’ identity, existence of communications– Applications: whistleblowing, privacy-preserving

free expression, voting in elections, etc.– Systems: Tor [1], I2P [2], Anonymizer [3], etc.– Practice: Users’ communications cloaked by

partitioning into application-layer chunks, relayed among users in system [4]

3

Case Study: How Tor Works

Source: [1]

4

Outline


Communications–Motivation– Flow marking traceback technique– Prototyping– Implementation and Evaluation– Related Work

• Final Remarks5

Motivation: Invisible Traceback (1)

• Traceback in the real world

Animal traceback Mail traceback Family traceback [5]

6

Motivation: Invisible Traceback (2)

• Internet is breeding ground for many crimes:

• Criminal enterprises like anonymous communications…• For such cases, law enforcement investigators need to

determine parties responsible for crimes

Credit Card Fraud Sharing © Files(without permission)

Cyber-Terrorism Malware Distribution

7

Motivation: Invisible Traceback (3)• Traceback aims to determine “whodunit”:

– Origin of a packet/message– Unauthorized distributors, downloaders of © files– Evil cybercriminals communicating with each other

Evil Evil

Investigator

8

Motivation: Invisible Traceback (4)• Critical point: investigator’s traceback activity

needs to be invisible to suspects (e.g., illegal file sharers, cybercriminals)

• Without invisibility:– Suspects would cease criminal activity, do it

elsewhere, develop countermeasures to fool investigators, etc.

– Investigator would have no evidence of wrongdoing• Traceback helps hold cybercriminals responsible

for their actions

9

Challenges to Invisible Traceback (1)

• The nature of the Internet:– Large scale, loose control– Destination oriented routing and forwarding ⟹

easy to spoof source IP addresses– Intermediate nodes record very little information

10

Challenges to Invisible Traceback (2)

• Availability of anonymous communication systems

Anonymous Communication

Sender Receiver

A

B

Human Spy Network

S to A

B to R

A to B

11

Our Focus

• Suppose a sender sends traffic through an encrypted anonymous channel. How can the investigator trace and confirm the receiver’s identity?

• Papers [4] and [6] (S&P 2007, ToN 2012)

ReceiverSender

Anonymous Channel

12

Outline



• Final Remarks13

An Intuitive Solution

• Packet marking: mark certain packets

Sender

AnonymousNetwork

Receiver

• However, packets are encrypted in anonymous communication systems– Carelessly marked packets fail decryption ⟹

visible to the attacker!14

Our Solution

• Flow marking– Change traffic flow rates– Traffic rate changes represent a “mark,” i.e.,

special secret code

AnonymousChannel

Investigator knows that Sender communicates with Receiver!

Investigator

Sender AnonymousNetwork

Interferer

Receiver

Sniffer

15

Key Differences Between Flow and Packet Marking

• Packet marking– Mark embedded in packets – Packet content is changed– It is very difficult, if impossible, to hide such

changes when packets are encrypted • Flow marking– Mark is embedded in flow rate changes– No packet content is changed– It is feasible to hide flow rate changes in the

Internet, typically with dynamic traffic 16

Questions About Flow Marking

• A “detail” question:– How is a mark embedded into flow rate changes?

• Two “big picture” questions:– How do we make the traffic rate changes invisible

to cybercriminals?– How do we make the traffic changes robust to

burst traffic interference in the Internet?

17

Embedding Mark Into Flow Rate Changes

• Mark decides flow rate changes– Key to flow rate changes’ invisibility and

robustness: choose an appropriate mark– Direct Sequence Spread Spectrum (DSSS)

-1111 1 -1 -1Mark

Flow

18

Basic Direct Sequence Spread Spectrum (DSSS)

• A pseudo-noise (PN) code is used for spreading a signal and despreading a spread signal

DespreadingSpreading

PN Code

Original Signal

tb

ct

dt

PN Code

cr

Recovered Signal

noisychannel

Interferer Snifferrb dr

19

Example: Spreading and Despreading• Signal • PN code (i.e. DSSS code) •

– One symbol is “represented” by 7 chips– PN code is random; not visible in time or frequency domains

• tb is the mark!• Despreading is the reverse process of spreading

+1

–1dt t

ct

+1

–1

Tc (chip)

t

NcTc

t

tb

Mark

20

Invisibility of Flow Marking

• Marks show a white noise-like pattern in both time, frequency domains

• Mark amplitude can be very small• As suspects don’t know the code, it’s very hard

for them to recognize marks

21

Accuracy of Flow Marking Recognition

• Spreading/despreading processes make the mark immune to burst interference introduced by Internet background traffic

+1

–1dt t

ct

+1

–1

Tc (chip)

t

tb

Mark

22

Outline



• Final Remarks23

A Prototype System

ReceiverSender

SnifferInterferer

AnonymousNetwork

Signal Modulator

Flow Modulator Flow Demodulator

Signal Modulator

Recovered Signal

24

Embedding Signal into Traffic at Interferer

1. Choose a random signalof length n: (1 -1)

2. Signal modulator: obtain the spread signal

3. Flow modulator: modulate a target traffic flow by appropriate interference• Bit +1: without interference• Bit –1: with interference

PN Code

Signal

FlowModulator

Internet

spread signal + noise

Signal Modulator

25

Recovering Signal at Sniffer1. Flow demodulator:

• Sniff target traffic• Sample target traffic to derive traffic

rate time series• Use high-pass filter to remove direct

component by Fast Fourier Transform (FFT)

2. Signal demodulator: • Despreading by the PN code• Use low-pass filter to remove high-

frequency noise

3. Decision rule:• Recovered signal == Original signal?

PN Code

Decision Rule

spread signal + noise

High-pass Filter

Low-pass Filter

Flow Demodulator

Signal Demodulator

26

Analytical Results• 1 bit signal detection rate: probability that we recognize 1

signal bit if we know when the signal appears

where erfc(⋅) is complementary error function,

Nc is PN code length• n-bit signal detection rate• SNR influences accuracy as well as invisibility

A

Signal to Noise Ratio (SNR)

27

Outline



• Final Remarks28

Real World Experimental Setup

• The flow modulator at the interferer uses denial of service attack in wired networks

29

Evaluation Setup

Interfere

r SnifferSender

Receiver

30

Traceback Invisibility

• Overlapping traffic rate curves for traffic without marks in time and frequency domains

31

Traceback Accuracy

32

Transformation into a Real-World Tool

• Remaining issues– Not totally invisible– Not accurate to low rate traffic– Robustness

• Applied to different scenarios– One-to-one ⟹ group • Orthogonal codes ⟹ parallel flow marking

–Wireless/wired networks

33

Outline



• Final Remarks34

Related Work• IP packet marking based traceback (UC Berkeley, Purdue U.) [7, 8]

– Each router on path adds its IP address to packet; victim reads path from packet– Con: requires extra space in packet; requires network infrastructure involvement

• Packet inter-arrival time based traceback (NCSU, George Mason U.) [9, 10]– Adjusts packet inter-arrival time conveying information– Pro: fewer packets– Con: sensitive to interference; needs more controlled network segments

• Correlation based traceback (UT Arlington, U. of Cambridge) [11, 12]– Correlates traffic at different locations (passively or actively)– Pro: passive, no target traffic interference (good secrecy)– Con: needs threshold to determine whether traffic at different locations is related

35

Outline


Communications• Final Remarks

36

Final Remarks

• Anonymous communication systems useful, but can be abused by cybercriminals

• Invisible traceback: important, hard problem• We proposed novel traceback technique based

on flow marking with spread spectrum• We prototyped a system based on this

technique• Technique has strong potential for

development as a real-world tool37

References (1)1. Tor Project, “Tor: Anonymity Online,” http://torproject.org/about/overview.html.en2. “I2P Anonymous Network,” http://www.i2p2.de/3. Anonymizer, Inc., http://www.anonymizer.com4. Z. Ling, J. Luo, W. Yu, X. Fu, D. Xuan, and W. Jia, “A New Cell-Counting-Based Attack

Against Tor,” ACM/IEEE Trans. on Networking (ToN), vol. 20, no. 4, Aug. 2012, pp. 1245–1261.

5. http://www.englishexercises.org/makeagame/viewgame.asp?id=4536. W. Yu, X. Fu, S. Graham, D. Xuan, and W. Zhao, “DSSS-Based Flow Marking Technique

for Invisible Traceback,” Proc. IEEE Symp. on Security and Privacy (S&P), 2007, pp. 18–31.

7. D. X. Song and A. Perrig, “Advanced and authenticated marking schemes for IP traceback”, in Proc. IEEE INFOCOM, 2001

8. K. Park and H. Lee, “On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack”, in Proc. IEEE INFOCOM, 2001.

9. X. Wang, S. Chen, and S. Jajodia, “Tracking anonymous peer-to-peer voip calls on the internet,” in Proc. ACM Conf. on Computer Communications Security (CCS), 2005.

10. P. Peng, P. Ning, and D. S. Reeves, “On the secrecy of timing-based active watermarking trace-back techniques,” in Proc. IEEE Symp. on Security and Privacy (S&P), 2006.

38

http://torproject.org/about/overview.html.en

http://www.i2p2.de/

http://www.anonymizer.com

http://www.englishexercises.org/makeagame/viewgame.asp?id=453

References (2)11. Y. Zhu, X. Fu, B. Graham, R. Bettati, and W. Zhao, “On flow correlation attacks and

countermeasures in mix networks,” in Proc. Workshop on Privacy Enhancing Technologies (PET), 2004.

12. B. N. Levine, M. Reiter, C. Wang, and M. Wright, “Timing analysis in low-latency mix systems,” in Proc. Int’l. Conf. on Financial Cryptography, 2004.

39

4471 anonymous communications - computer science and...

Documents