liberate, (n): A library for exposing (traffic-classification) rules and avoiding them efficiently

Fangfan Li, Abbas Razaghpanah, Arash Molavi Kakhki, Arian Akhavan Niaki, David Choffnes, Phillipa Gill, Alan Mislove

Traffic management
[Figure labels: Internet Service Provider; Blocking; Zero rating; Throttling]

Example policy

Lack of user control
• Policies are implemented by DPI (Deep Packet Inspection) devices [IMC 16]
• Differentiation policy can be harmful or unwanted to users/content providers
• Users/content providers have no control over these policies
[Figure labels: YouTube; Throttling]

Previous work
• Approaches:
  • VPNs and proxies
  • Covert channels
  • Obfuscating traffic
  • Domain fronting
• Limitations:
  • Brittle
  • Development effort
  • Performance
  • Manual inspection

Goals of liberate
• A technical solution for detecting and evading unwanted policies
• Enables unmodified applications to evade
• Automatically
• Adaptively
• Unilaterally
• With low overhead
[Figure labels: liberate; Evade throttling; Unknown]

Outline
• Design and implementation
  • Traffic-classification rules detection
  • Evasion techniques
  • Implementation
• Evaluation
  • Effectiveness across multiple networks

Overview of liberate

Design: Traffic-classification rules detection
• How to detect differentiation?
  • Record and Replay [IMC 15]
• How to evade differentiation efficiently?
  • Understand classification rules [IMC 16]
[Figure labels: Client; VPN Channel; VPN server; Replay Client; Replay server; Recorded traffic]
GET /url Host: www.googlevideo.com
…

| Header | Example matching content |
|---|---|
| URI | site.js{…}-nbcsports-com |
| Host | Host: www.spotify.com |
| User-Agent | User-Agent: Pandora 5.0{…} |
| Content-Type | Content-Type: video |
| SNI | googlevideo.com |

Design: Example classification
How does the classifier classify application B?
Matching contents: ‘GET /B’

Design: Evasion techniques
Using a small TTL value
• Observation:
  • ‘Match and forget’ behavior
  • Incomplete views of the connection
• Inert packet insertion*: traffic processed only by the classifier, not by the endpoint
Result: App B is classified as App A
* Christian Kreibich et al. 2001. Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics.

Design: Evasion techniques
Fragmenting the IP packet
• Observation:
  • Each packet is searched independently for matching contents
• Splitting/Reordering: splitting the matching contents across multiple packets
[Figure: TCP 80 handshake (SYN; SYN, ACK; ACK), then the request carried in IP fragments:]
IPID 1 OFF 0 GE
IPID 1 OFF 2 T
IPID 1 OFF 4 /A
IPID 1 OFF 6 \r\n
Result: App A is unclassified

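Seen from the classifier operator's side, the observation above says a matcher must reassemble before it searches. The following is an added example, not code from the slides or from liberate: it contrasts per-packet matching with matching after reassembly, over fragments constructed from the slide's figure. The `Fragment` type, the function names, the space after `T`, and the byte-unit offsets (the slide's simplification; real IPv4 offsets are in 8-byte units) are assumptions.

```python
from dataclasses import dataclass

RULE = b"GET /A"  # matching content, following the slides' running example


@dataclass(frozen=True)
class Fragment:
    ipid: int      # IP identification shared by all fragments of one datagram
    offset: int    # byte offset of this fragment's data (simplified units)
    data: bytes
    more: bool     # MF flag: True on every fragment except the last


def per_packet_match(frags, rule=RULE):
    """Classifier that searches each packet independently."""
    return any(rule in f.data for f in frags)


def reassemble(frags):
    """Return ({ipid: payload}, anomalous_ipids).

    Fragments are grouped by IPID and ordered by offset, so arrival order
    does not matter. A datagram with a gap, an overlap or no final fragment
    is not guessed at: its IPID is reported as anomalous instead.
    """
    groups = {}
    for f in frags:
        groups.setdefault(f.ipid, []).append(f)
    payloads, anomalous = {}, set()
    for ipid, parts in groups.items():
        parts.sort(key=lambda f: f.offset)
        buf = bytearray()
        ok = not parts[-1].more
        for f in parts:
            if f.offset != len(buf):   # gap or overlapping data
                ok = False
                break
            buf += f.data
        if ok:
            payloads[ipid] = bytes(buf)
        else:
            anomalous.add(ipid)
    return payloads, anomalous


def reassembled_match(frags, rule=RULE):
    """Classifier that normalizes (reassembles) before searching."""
    payloads, _ = reassemble(frags)
    return any(rule in p for p in payloads.values())


def tiny_fragment_ids(frags, min_len=8):
    """IPIDs with a non-final fragment shorter than 8 bytes.

    IPv4 fragment offsets count 8-byte units, so a legitimate non-final
    fragment always carries a multiple of 8 bytes; shorter ones are worth
    logging.
    """
    return {f.ipid for f in frags if f.more and len(f.data) < min_len}


# Constructed sample input mirroring the slide's figure (IPID 1, OFF 0/2/4/6).
SPLIT = [
    Fragment(1, 0, b"GE", True),
    Fragment(1, 2, b"T ", True),
    Fragment(1, 4, b"/A", True),
    Fragment(1, 6, b"\r\n", False),
]
# Constructed: same datagram with the first two fragments sent in reverse.
REORDERED = [SPLIT[1], SPLIT[0], SPLIT[2], SPLIT[3]]
# Constructed: one fragment missing, so the datagram cannot be completed.
WITH_GAP = [SPLIT[0], SPLIT[2], SPLIT[3]]

if __name__ == "__main__":
    for name, frags in [("split", SPLIT), ("reordered", REORDERED), ("gap", WITH_GAP)]:
        print(name,
              "per-packet:", per_packet_match(frags),
              "reassembled:", reassembled_match(frags),
              "tiny:", sorted(tiny_fragment_ids(frags)),
              "anomalous:", sorted(reassemble(frags)[1]))
```
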
Design: Evasion techniques
Inserting large delays
• Observation:
  • Classifiers do not retain classification results indefinitely
• Flushing: causing the classifier to remove the classification state for the flow
[Figure: TCP 80 handshake (SYN; SYN, ACK; ACK), then TCP 80 SEQ 1 GET /B]
Result: App B is unclassified

Implementation
• Phase 1: liberate does the analysis using a replay server
• Phase 2: liberate applies the evasion technique to traffic in flight
[Figure labels: App; liberate Proxy; Replay Server; Server; Phase 1; Phase 2]

Evaluation: Testbed and in the wild
• Testbed evaluation
• Evaluation “in the wild”
[Figure labels: liberate; Client; Server]

Evaluation: Results

Evaluation: Example result table

| Technique | Test case 1 | Example technique |
|---|---|---|
| Inert packet insertion: IP | | Lower TTL to only reach classifier |
| Inert packet insertion: TCP | | Wrong sequence number |
| Inert packet insertion: UDP | | Wrong checksum |
| Payload Splitting | | |
| Payload Reordering | | Reverse the transmission of first two fragments |
| Classification flushing | | |

![Page 90: liberate, (n) - SIGCOMM · Evasion techniques • Observation: •](https://reader031.vdocuments.site/reader031/viewer/2022022603/5b5b3af27f8b9ab8578d9b91/html5/thumbnails/90.jpg)
Evaluation Testbed results
22
Technique Testbed Example technique
Inert packet insertion
IP Lower TTL to only reach classifier
TCP Wrong sequence number
UDP Wrong checksum
Payload Splitting Break packet into two IP fragments
Payload Reordering Reverse the transmission of first two fragments
Classification flushing TTL-limited RST packet before classification
![Page 91: liberate, (n) - SIGCOMM · Evasion techniques • Observation: •](https://reader031.vdocuments.site/reader031/viewer/2022022603/5b5b3af27f8b9ab8578d9b91/html5/thumbnails/91.jpg)
Evaluation Testbed results
22
Technique Testbed Example technique
Inert packet insertion
IP Lower TTL to only reach classifier
TCP Wrong sequence number
UDP Wrong checksum
Payload Splitting Break packet into two IP fragments
Payload Reordering Reverse the transmission of first two fragments
Classification flushing TTL-limited RST packet before classification
• Efficiency:• One-time overhead (phase 1) : 13 minutes
![Page 92: liberate, (n) - SIGCOMM · Evasion techniques • Observation: •](https://reader031.vdocuments.site/reader031/viewer/2022022603/5b5b3af27f8b9ab8578d9b91/html5/thumbnails/92.jpg)
Evaluation Testbed results
22
Technique Testbed Example technique
Inert packet insertion
IP Lower TTL to only reach classifier
TCP Wrong sequence number
UDP Wrong checksum
Payload Splitting Break packet into two IP fragments
Payload Reordering Reverse the transmission of first two fragments
Classification flushing TTL-limited RST packet before classification
• Efficiency:• One-time overhead (phase 1) : 13 minutes
![Page 93: liberate, (n) - SIGCOMM · Evasion techniques • Observation: •](https://reader031.vdocuments.site/reader031/viewer/2022022603/5b5b3af27f8b9ab8578d9b91/html5/thumbnails/93.jpg)
Evaluation Testbed results
22
Technique Testbed Example technique
Inert packet insertion
IP Lower TTL to only reach classifier
TCP Wrong sequence number
UDP Wrong checksum
Payload Splitting Break packet into two IP fragments
Payload Reordering Reverse the transmission of first two fragments
Classification flushing TTL-limited RST packet before classification
• Efficiency:• One-time overhead (phase 1) : 13 minutes• Run-time overhead (phase 2) : tens of bytes per flow
![Page 94: liberate, (n) - SIGCOMM · Evasion techniques • Observation: •](https://reader031.vdocuments.site/reader031/viewer/2022022603/5b5b3af27f8b9ab8578d9b91/html5/thumbnails/94.jpg)

Evaluation: Testbed results

| Technique | Testbed | Example technique |
|---|---|---|
| Inert packet insertion: IP | | Lower TTL to only reach classifier |
| Inert packet insertion: TCP | | Wrong sequence number |
| Inert packet insertion: UDP | | Wrong checksum |
| Payload Splitting | | Break packet into two IP fragments |
| Payload Reordering | | Reverse the transmission of first two fragments |
| Classification flushing | | TTL-limited RST packet before classification |

• Efficiency:
  • One-time overhead (phase 1): 13 minutes
  • Run-time overhead (phase 2): tens of bytes per flow
• Effectiveness:
  • All types of techniques were effective in testbed

Evaluation: T-Mobile ‘Binge On’

| Technique | Testbed | T-Mobile | Example technique |
|---|---|---|---|
| Inert packet insertion: IP | | | Lower TTL to only reach classifier |
| Inert packet insertion: TCP | | | |
| Inert packet insertion: UDP | | | |
| Payload Splitting | | | Break packet into five TCP segments |
| Payload Reordering | | | Reverse the transmission of first two segments |
| Classification flushing | | | TTL-limited RST packet before classification |

• Classified video (HTTP/S) was throttled to 1.5 Mbps and zero-rated
• Efficiency:
  • One-time overhead (phase 1): 30 minutes
  • Run-time overhead (phase 2): tens of bytes per flow
• Effectiveness:
  • UDP traffic (e.g., YouTube video in QUIC) was not classified
  • Breaking packet into 5 TCP segments evaded classification
  • Reversing the order of initial packets was effective
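
The splitting and reordering results above, seen from the classifier's side, as an added example (not code from liberate or from the slides): a keyword matcher that inspects each packet alone, or concatenates payloads in arrival order, loses the match, while one that reassembles by sequence number keeps it. The keyword, the request, the `(offset, bytes)` segment model and all function names are assumptions made for this illustration.

```python
# Constructed rule and request; a segment is (sequence offset, payload bytes).
KEYWORD = b"video.example.com"
PAYLOAD = b"GET / HTTP/1.1\r\nHost: video.example.com\r\n\r\n"

def split(payload, cuts):
    """Cut payload at the given offsets into (seq, data) segments."""
    edges = [0, *cuts, len(payload)]
    return [(a, payload[a:b]) for a, b in zip(edges, edges[1:])]

def reassemble(segments):
    """Rebuild the contiguous byte stream by sequence offset, ignoring arrival order."""
    stream = bytearray()
    for seq, data in sorted(segments):
        if seq > len(stream):      # gap: bytes after it are not deliverable yet
            break
        # On overlap the higher sequence offset overwrites (an assumed policy).
        stream[seq:seq + len(data)] = data
    return bytes(stream)

def verdicts(segments):
    """Return (per-packet, arrival-order, reassembled) match results."""
    per_packet = any(KEYWORD in data for _, data in segments)
    arrival = KEYWORD in b"".join(data for _, data in segments)
    reassembled = KEYWORD in reassemble(segments)
    return per_packet, arrival, reassembled

k = PAYLOAD.index(KEYWORD)
WHOLE = split(PAYLOAD, [])
FIVE = split(PAYLOAD, [k + 6, k + 9, k + 12, k + 15])  # keyword spans all five segments
REVERSED = [FIVE[1], FIVE[0], *FIVE[2:]]                # first two swapped on the wire

if __name__ == "__main__":
    cases = (("whole", WHOLE), ("five segments", FIVE), ("first two reversed", REVERSED))
    for name, segs in cases:
        print(f"{name:20} {verdicts(segs)}")
```

Only the reassembling matcher sees the same bytes the receiving endpoint delivers to the application, which is why it is the one that still matches in all three cases.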

Evaluation: The Great Firewall of China

| Technique | Testbed | T-Mobile | GFC | Example technique |
|---|---|---|---|---|
| Inert packet insertion: IP | | | | Lower TTL to only reach classifier |
| Inert packet insertion: TCP | | | | Wrong checksum |
| Inert packet insertion: UDP | | | | |
| Payload Splitting | | | | |
| Payload Reordering | | | | |
| Classification flushing | | | | Pause for t seconds before classification |

• Classified HTTP content was blocked by 3-5 RST packets
• Efficiency:
  • One-time overhead (phase 1): 20 minutes
  • Run-time overhead (phase 2): tens of bytes per flow
• Effectiveness:
  • Both IP/TCP inert insertion succeeded
  • Flushing classification by pausing succeeded

Evaluation: The Great Firewall of China

Time-of-day effects when flushing classification
• 2:30 AM: 60 seconds successfully evaded
• 4:00 AM: 240 seconds failed to evade
• Quiet hours (4:00 AM to 9:00 AM): using long delays did not evade
• Busy hours (3:00 PM to 10:00 PM): using short delays evaded

Conclusion
• A tool that automatically and efficiently evades differentiation
• A taxonomy of evasion techniques
• An empirical measurement of traffic classifiers
• liberate evaded classifiers with low run-time overhead
• Public, open-source tools and datasets
• Future work: more resilient evasion techniques

Thanks
For more details about liberate, code, and data: http://dd.meddle.mobi/liberate