Bryan Graham

On flow correlation attacks and countermeasures in mix networks

In this paper, we address issues related to flow correlation attacks and the corresponding countermeasures in mix networks. Mixes have been used in many anonymous communication systems and are supposed to provide countermeasures that can defeat various traffic analysis attacks. In this paper, we focus on a particular class of traffic analysis attack, flow correlation attacks, by which an adversary attempts to analyze the network traffic and correlate the traffic of a flow over an input link at a mix with that over an output link of the same mix. Two classes of correlation methods are considered, namely time-domain methods and frequency-domain methods. Based on our threat model and known strategies in existing mix networks, we perform extensive experiments to analyze the performance of mixes. We find that a mix with any known batching strategy may fail against flow correlation attacks in the sense that for a given flow over an input link, the adversary can correctly determine which output link is used by the same flow. We also investigated methods that can effectively counter the flow correlation attack and other timing attacks. The empirical results provided in this paper give an indication to designers of Mix networks about appropriate configurations and alternative mechanisms to be used to counter flow correlation attacks.

Analytical and empirical analysis of countermeasures to traffic analysis attacks

We study countermeasures to traffic analysis attacks. A common strategy for such countermeasures is link padding. We consider systems where payload traffic is padded so that packets have either constant inter-arrival times or variable inter-arrival times. The adversary applies statistical recognition techniques to detect the payload traffic rates by using statistical measures like sample mean, sample variance, or sample entropy. We evaluate quantitatively the ability of the adversary to make a correct detection and derive closed-form formulas for the detection rate based on analytical models. Extensive experiments were carried out to validate the system performance predicted by the analytical method. Based on the systematic evaluations, we develop design guidelines for the proper configuration of a system in order to minimize the detection rate

Correlation-Based Traffic Analysis Attacks on Anonymity Networks

In this paper, we address attacks that exploit the timing behavior of TCP and other protocols and applications in low-latency anonymity networks. Mixes have been used in many anonymous communication systems and are supposed to provide countermeasures to defeat traffic analysis attacks. In this paper, we focus on a particular class of traffic analysis attacks, flow-correlation attacks, by which an adversary attempts to analyze the network traffic and correlate the traffic of a flow over an input link with that over an output link. Two classes of correlation methods are considered, namely time-domain methods and frequency-domain methods. Based on our threat model and known strategies in existing mix networks, we perform extensive experiments to analyze the performance of mixes. We find that all but a few batching strategies fail against flow-correlation attacks, allowing the adversary to either identify ingress and egress points of a flow or to reconstruct the path used by the flow. Counterintuitively, some batching strategies are actually detrimental against attacks. The empirical results provided in this paper give an indication to designers of Mix networks about appropriate configurations and mechanisms to be used to counter flow-correlation attacks.

On countermeasures to traffic analysis attacks

We make three contributions. First, we propose Shannons perfect secrecy theory as a foundation for developing countermeasures to traffic analysis attacks on information security systems. A system violating the perfect secrecy conditions can leak mission critical information. Second, we suggest statistical pattern recognition as a fundamental technology to test an information systems security. This technology can cover a large category of testing approaches because of statistical pattern recognitions maturity and abundant techniques. Third, researchers have proposed traffic padding as countermeasures to traffic analysis attacks. By applying the proposed information assurance testing framework, we find that constant rate traffic padding does not satisfy Shannons perfect secrecy conditions because of its implementation mechanism. We design a variant rate traffic padding strategy as an alternative, which is validated by both theoretical analysis and empirical results.

Empirical and theoretical evaluation of active probing attacks and their countermeasures

A variety of remote sensing attacks allow adversaries to break flow confidentiality and gather mission-critical information in distributed systems. Such attacks are easily supplemented by active probing attacks, where additional workload (e.g., ping packets) is injected into the victim system. This paper presents statistical pattern recognition as a fundamental technology to evaluate the effectiveness of active probing attacks. Our theoretical analysis and empirical results show that even if sophisticated approaches of link padding are used, sample entropy of probing packets’ round trip time is an effective and robust feature statistic to discover the user payload traffic rate, which is important for maintaining anonymous communication. Extensive experiments on local network, campus network, and the Internet were carried out to validate the system security predicted by the theoretical analysis. We give some guidelines to reduce the effectiveness of such active probing attacks.

Using covert channels to evaluate the effectiveness of flow confidentiality measures

With an increasing amount of Internet traffic becoming encrypted, traffic analysis attacks have become a more important topic lately. One of the most common and effective ways to prevent traffic analysis is link padding, where dummy traffic is added to hide the real traffic pattern. In principle, link padding can perfectly hide the underlying traffic. In practice however, it has been shown to be very difficult to implement correctly and has also been shown to be ineffective if not correctly implemented. In this paper we provide an information theoretic analysis of the effectiveness of a link padding implementation. We represent the imperfections of a padding implementation as a covert channel and determine the capacity of the information leakage. We show experimental results and present models that describe how practical aspects, such as cross-traffic and network congestion affect the information leakage of link padding.