Publication


Featured research published by Andriy Panchenko.


workshop on privacy in the electronic society | 2011

Website fingerprinting in onion routing based anonymization networks

Andriy Panchenko; Lukas Niessen; Andreas Zinnen; Thomas Engel

Low-latency anonymization networks such as Tor and JAP claim to hide the recipient and the content of communications from a local observer, i.e., an entity that can eavesdrop the traffic between the user and the first anonymization node. Especially users in totalitarian regimes strongly depend on such networks to freely communicate. For these people, anonymity is particularly important and an analysis of the anonymization methods against various attacks is necessary to ensure adequate protection. In this paper we show that anonymity in Tor and JAP is not as strong as expected so far and cannot resist website fingerprinting attacks under certain circumstances. We first define features for website fingerprinting solely based on volume, time, and direction of the traffic. As a result, the subsequent classification becomes much easier. We apply support vector machines with the introduced features. We are able to improve recognition results of existing works on a given state-of-the-art dataset in Tor from 3% to 55% and in JAP from 20% to 80%. The datasets assume a closed-world with 775 websites only. In a next step, we transfer our findings to a more complex and realistic open-world scenario, i.e., recognition of several websites in a set of thousands of random unknown websites. To the best of our knowledge, this work is the first successful attack in the open-world scenario. We achieve a surprisingly high true positive rate of up to 73% for a false positive rate of 0.05%. Finally, we show preliminary results of a proof-of-concept implementation that applies camouflage as a countermeasure to hamper the fingerprinting attack. For JAP, the detection rate decreases from 80% to 4% and for Tor it drops from 55% to about 3%.


computer and communications security | 2009

NISAN: network information service for anonymization networks

Andriy Panchenko; Stefan Richter; Arne Rache

Network information distribution is a fundamental service for any anonymization network. Even though anonymization and information distribution about the network are two orthogonal issues, the design of the distribution service has a direct impact on the anonymization. Requiring each node to know about all other nodes in the network (as in Tor and AN.ON -- the most popular anonymization networks) limits scalability and offers a playground for intersection attacks. The distributed designs existing so far fail to meet security requirements and have therefore not been accepted in real networks. In this paper, we combine probabilistic analysis and simulation to explore DHT-based approaches for distributing network information in anonymization networks. Based on our findings we introduce NISAN, a novel approach that tries to scalably overcome known security problems. It allows for selecting nodes uniformly at random from the full set of all available peers, while each of the nodes has only limited knowledge about the network. We show that our scheme has properties similar to a centralized directory in terms of preventing malicious nodes from biasing the path selection. This is done, however, without requiring to trust any third party. At the same time our approach provides high scalability and adequate performance. Additionally, we analyze different design choices and come up with diverse proposals depending on the attacker model. The proposed combination of security, scalability, and simplicity, to the best of our knowledge, is not available in any other existing network information distribution system.


availability, reliability and security | 2008

Performance Analysis of Anonymous Communication Channels Provided by Tor

Andriy Panchenko; Lexi Pimenidis; Johannes Renner

Providing anonymity for end-users on the Internet is a very challenging and difficult task. There are currently only a few systems that are of practical relevance for the provision of low-latency anonymity. One of the most important to mention is the Tor network that is based on onion routing. Practical usage of the system often leads to delays which are not tolerated by the average end-user. This, in return, discourages many of them from the use of such systems and hence indirectly lowers the protection of remaining users due to a smaller user base. In this paper we show to which extent overloaded nodes and links, as well as geographical diversity of nodes have an influence on the general performance of Tor communication channels. After that, we propose new methods of path selection for performance-improved onion routing which are based on actively measured latencies and estimated available capacities using passive observations of link-wise throughput.


wireless network security | 2008

Self-certified Sybil-free pseudonyms

Leonardo A. Martucci; Markulf Kohlweiss; Christer Andersson; Andriy Panchenko

Accurate and trusted identifiers are a centerpiece for any security architecture. Protecting against Sybil attacks in a privacy-friendly manner is a non-trivial problem in wireless infrastructureless networks, such as mobile ad hoc networks. In this paper, we introduce self-certified Sybil-free pseudonyms as a means to provide privacy-friendly Sybil-freeness without requiring continuous online availability of a trusted third party. These pseudonyms are self-certified and computed by the users themselves from their cryptographic long term identities. Contrary to identity certificates, we preserve location privacy and improve protection against some notorious attacks on anonymous communication systems.


symposium on applications and the internet | 2009

Path Selection Metrics for Performance-Improved Onion Routing

Andriy Panchenko; Johannes Renner

Providing anonymity for users on the Internet is a very challenging and difficult task. Currently there are only a few systems that are of practical relevance for the provision of low-latency anonymity. One of the most important to mention is Tor which is based on onion routing. Practical client usage of Tor often leads to delays that are not tolerated by the average end-user, which, in return, discourages many of them from using the system. In this paper we propose new methods of path selection that allow performance-improved onion routing. These are based on actively measured latencies and estimations of available link-wise capacities using passive observations of throughput. We evaluate the proposed methods in the public Tor network and present a practical approach to empirically analyze the strength of anonymity certain methods of path selection provide in comparison to each other.


international conference on communications | 2006

Towards practical attacker classification for risk analysis in anonymous communication

Andriy Panchenko; Lexi Pimenidis

There are a number of attacker models in the area of anonymous communication. Most of them are either very simplified or pretty abstract – therefore difficult to generalize or even identify in real networks. While some papers distinguish between different attacker types, the usual approach is to present an anonymization technique and then to develop an attacker model for it in order to identify properties of the technique. Often such a model is abstract, unsystematic and it is not trivial to identify the exact threats for the end-user of the implemented system. This work follows another approach: we propose a classification of attacker types for the risk analysis and attacker modelling in anonymous communication independently of the concrete technique. The classes are designed in such a way that their meaning can be easily communicated to the end-users and management level. We claim that the use of this classification can lead to a more solid understanding of security provided by anonymizing networks, and therewith improve their development. Finally, we will classify some well known techniques and security issues according to the proposal and thus show the practical relevance and applicability of the proposed classification.


international performance computing and communications conference | 2012

Improving performance and anonymity in the Tor network

Andriy Panchenko; Fabian Lanze; Thomas Engel

Anonymous communication aims to hide the relationship between communicating parties on the Internet. It is the technical basis for achieving privacy and overcoming censorship. Presently there are only a few systems that are of practical relevance for providing anonymity. One of the most widespread and well researched is Tor which is based on onion routing. Usage of Tor, however, often leads to long delays which are not tolerated by end-users. This, in return, discourages many of them from using the system and lowers the protection for the remaining ones. In this paper we analyze the bottlenecks in the Tor network and propose new methods of path selection that better utilize available capacities in the heterogeneous network and allow performance-improved onion routing. Our methods are based on the combination of remotely measured current load of the nodes and an estimation of their maximum capacity. We evaluate the proposed methods in a Tor network running in PlanetLab where we tried as far as possible to recreate real-world conditions. Finally, we present a practical approach to empirically analyze the strength of anonymity that different methods of path selection provide in comparison to each other. We show the risk of the currently used method for path selection in Tor and provide a countermeasure to protect against this risk by effectively detecting nodes that lie about their capacity.


global communications conference | 2012

Clock skew based remote device fingerprinting demystified

Fabian Lanze; Andriy Panchenko; Benjamin Braatz; Andreas Zinnen

Commonly used identifiers for IEEE 802.11 access points (APs), such as network name (SSID), MAC, or IP address can be easily spoofed. This allows an attacker to fake a real AP and intercept, collect, or alter (potentially even encrypted) data. In this paper, we address the aforementioned problem by studying limits of unique remote physical device identification based on their clock skew—an unavoidable phenomenon that causes clocks to run at marginal but measurably different speed. To this end, we propose an algorithm for passive fingerprinting using timestamps regularly sent by APs in beacon frames. The major advantages of our method are that it is online and that we are able to eliminate the influence of clock skew of the measurement device. Hence, fingerprints performed by different devices become comparable. We calculate the precision of our clock skew measurement algorithm and provide a termination criterion for estimation of the clock skew with arbitrary precision. Moreover, conducting a large scale evaluation, we study the stability and uniqueness of clock skew as a means for remote wireless device identification.


international conference on computer communications and networks | 2009

SHALON: Lightweight Anonymization Based on Open Standards

Andriy Panchenko; Benedikt Westermann; Lexi Pimenidis; Christer Andersson

In this paper, we introduce a novel lightweight anonymization technique called Shalon. It is based on onion routing, aims to reduce complexity, and delivers high bandwidth. We have, compared to the widely known approach Tor, slightly reduced the level of security in favor of greatly increased performance. The most significant advantage compared to other approaches is that Shalon is fully based on standardized protocols, which makes our approach highly efficient and easy to deploy. It also makes Shalon easier to understand for normal users, eases protocol reviews, and increases the chance of having several implementations of Shalon available. In this work, we provide a description of the design and implementation of Shalon, a performance and anonymity analysis, and a discussion on the scalability properties.


Proceedings of the 10th ACM symposium on QoS and security for wireless and mobile networks | 2014

Undesired relatives: protection mechanisms against the evil twin attack in IEEE 802.11

Fabian Lanze; Andriy Panchenko; Ignacio Ponce-Alcaide; Thomas Engel

Commonly used identifiers for IEEE 802.11 access points (APs), such as network name (SSID), MAC (BSSID), or IP address can be trivially spoofed. Impersonating existing APs with faked ones to attract their traffic is referred to in the literature as the evil twin attack. It allows an attacker with little effort and expenditure to fake a genuine AP and intercept, collect, or alter (potentially even encrypted) data. Due to its severity, the topic has gained remarkable research interest in the past decade. In this paper, we introduce a differentiated attacker model to express the attack in all its facets. We propose a taxonomy for classifying and structuring countermeasures and apply it to existing approaches. We are the first to conduct a comprehensive survey in this domain to reveal the potential and the limits of state-of-the-art solutions. Our study discloses an important attack scenario which has not been addressed so far, i.e., the usage of specialized software to mount the attack. We propose and experimentally validate a novel method to detect evil twin APs operated by software within a few seconds.

Collaboration


Top Co-Authors

Thomas Engel, University of Luxembourg

Fabian Lanze, University of Luxembourg

Andreas Zinnen, University of Luxembourg

Asya Mitseva, University of Luxembourg