Joss Wright

Towards Measuring Resilience in Anonymous Communication Networks

Prior research on anonymous communication networks has focused, to a large extent, on achieving, measuring, and evaluating anonymity properties. In this work we address another important security property that has so far received much less attention, namely resilience against denial-of-service attacks that degrade the performance of the network. We formally define resilience and propose a metric for quantifying the resilience of anonymous communication networks (ACNs) against active adversaries. Our metric expresses the degradation in quality of service of an ACN as the decrease in performance resulting from the adversarial removal or disabling of network nodes. We illustrate the practicality of the metric by applying it to a simulated version of the Tor network, and providing an evaluation of the resilience of Tor towards various adversarial strategies.

A practical complexity-theoretic analysis of mix systems

The Minimal-Hitting-Set attack (HS-attack) [10] is a well-known passive intersection attack againstMix-based anonymity systems, applicable in cases where communication behaviour is non-uniform and unknown. The attack allows an observer to identify uniquely the fixed set of communication partners of a particular user by observing the messages of all senders and receivers using a Mix. Whilst the attack makes use of a provably minimal number of observations, it also requires solving an NP-complete problem. No prior research, to our knowledge, analyses the average complexity of this attack as opposed to its worst case. We choose to explore the HS-attack, as opposed to statistical attacks, to provide a baseline metric and a practical attack for unambiguously identifying anonymous users. We show that the average complexity of the HS-attack can vary between a worst-case exponential complexity and a linear-time complexity according to the Mix parameters. We provide a closed formula for this relationship, giving a precise measure of the resistance of Mixes against the HS-attack in practice, and allowing adjustment of their parameters to reach a desired level of strength.

Poisoning the Well: Exploring the Great Firewall's Poisoned DNS Responses

One of the primary filtering methods that the Great Firewall of China (GFW) relies on is poisoning DNS responses for certain domains. When a DNS request is poisoned by the GFW, multiple DNS responses are received - both legitimate and poisoned responses. While most prior research into the GFW focuses on the poisoned responses, ours also considers the legitimate responses from the DNS servers themselves. We find that even when we ignored the immediate poisoned responses, the cache from the DNS servers themselves are also poisoned. We also find and discuss the IP addresses within the DNS responses we get; in particular 9 IP addresses that are returned as a result for many different poisoned domains. We present the argument that this type of attack may not be primarily targeted directly at users, but at the underlying DNS infrastructure within China.

FilteredWeb: A framework for the automated search-based discovery of blocked URLs

Various methods have been proposed for creating and maintaining lists of potentially filtered URLs to allow for measurement of ongoing internet censorship around the world. Whilst testing a known resource for evidence of filtering can be relatively simple, given appropriate vantage points, discovering previously unknown filtered web resources remains an open challenge. We present a novel framework for automating the process of discovering filtered resources through the use of adaptive queries to well-known search engines. Our system applies information retrieval algorithms to isolate characteristic linguistic patterns in known filtered web pages; these are used as the basis for web search queries. The resulting URLs of these searches are checked for evidence of filtering, and newly discovered blocked resources will be fed back into the system to detect further filtered content. Our implementation of this framework, applied to China as a case study, shows the approach is demonstrably effective at detecting significant numbers of previously unknown filtered web pages, making a significant contribution to the ongoing detection of internet filtering as it develops. When deployed, this system was used to discover 1355 poisoned domains within China as of Feb 2017 — 30 times more than in the most widely-used published filter list of the time. Of these, 759 are outside of the Alexa Top 1000 domains list, demonstrating the capability of this framework to find more obscure filtered content. Further, our initial analysis of filtered URLs, and the search terms that were used to discover them, gives further insight into the nature of the content currently being blocked in China.

Platform Criminalism – The ‘Last-Mile’ Geography of the Darknet Market Supply Chain

Does recent growth of darknet markets signify a slow reorganisation of the illicit drug trade? Where are darknet markets situated in the global drug supply chain? In principle, these platforms allow producers to sell directly to end users, bypassing traditional trafficking routes. And yet, there is evidence that many offerings originate from a small number of highly active consumer countries, rather than from countries that are primarily known for drug production. In a large-scale empirical study, we determine the darknet trading geography of three plant-based drugs across four of the largest darknet markets, and compare it to the global footprint of production and consumption for these drugs. We present strong evidence that cannabis and cocaine vendors are primarily located in a small number of consumer countries, rather than producer countries, suggesting that darknet trading happens at the »last mile», possibly leaving old trafficking routes intact. A model to explain trading volumes of opiates is inconclusive. We cannot find evidence for significant production-side offerings across any of the drug types or marketplaces. Our evidence further suggests that the geography of darknet market trades is primarily driven by existing consumer demand, rather than new demand fostered by individual markets.

Set Difference Attacks in Wireless Sensor Networks

We show that existing proposed mechanisms for preserving the privacy of reported data values in wireless sensor networks are vulnerable against a simple and practical form of attack: the set difference attack. These attacks are particularly effective where a number of separate applications are running in a given network, but are not limited to this case. We demonstrate the feasibility of these attacks and assert that they cannot, in general, be avoided whilst maintaining absolute accuracy of sensed data. As an implication of this, we suggest a mechanism based on perturbation of sensor results whereby these attacks can be partially mitigated.

On Identifying Anomalies in Tor Usage with Applications in Detecting Internet Censorship

We develop a means to detect ongoing per-country anomalies in the daily usage metrics of the Tor anonymous communication network, and demonstrate the applicability of this technique to identifying likely periods of internet censorship and related events. The presented approach identifies contiguous anomalous periods, rather than daily spikes or drops, and allows anomalies to be ranked according to deviation from expected behaviour. The developed method is implemented as a running tool, with outputs published daily by mailing list. This list highlights per-country anomalous Tor usage, and produces a daily ranking of countries according to the level of detected anomalous behaviour. This list has been active since August 2016, and is in use by a number of individuals, academics, and NGOs as an early warning system for potential censorship events. We focus on Tor, however the presented approach is more generally applicable to usage data of other services, both individually and in combination. We demonstrate that combining multiple data sources allows more specific identification of likely Tor blocking events. We demonstrate the our approach in comparison to existing anomaly detection tools, and against both known historical internet censorship events and synthetic datasets. Finally, we detail a number of significant recent anomalous events and behaviours identified by our tool.

Automated Discovery of Internet Censorship by Web Crawling

Censorship of the Internet is widespread around the world. As access to the web becomes increasingly ubiquitous, filtering of this resource becomes more pervasive. Transparency about specific content and information that citizens are denied access to is atypical. To counter this, numerous techniques for maintaining URL filter lists have been proposed by various individuals, organisations and researchers. These aim to improve empirical data on censorship for benefit of the public and wider censorship research community, while also increasing the transparency of filtering activity by oppressive regimes. We present a new approach for discovering filtered domains in different target countries. This method is fully automated and requires no human interaction. The system uses web crawling techniques to traverse between filtered sites and implements a robust method for determining if a domain is filtered. We demonstrate the effectiveness of the approach by running experiments to search for filtered content in four different censorship regimes. Our results show that we perform better than the current state of the art and have built domain filter lists an order of magnitude larger than the most widely available public lists as of April 2018. Further, we build a dataset mapping the interlinking nature of blocked content between domains and exhibit the tightly networked nature of censored web resources.

KEMF: Key Management for Federated Sensor Networks

We present a lightweight key management protocol that provides secured device registration and communication in federated sensor networks. The protocol is designed for zero configuration and use in small packet low power wireless networks; protocol messages may fit into single packets. We use the Casper security protocol analyser to examine the behaviour and security properties of the protocol model. Within the assumptions of the model, we demonstrate forward secrecy, security against man-in-the-middle attacks, and local network key protection, comparing favourably with related protocols. Our experimental analysis shows that the protocol may feasibly be deployed on current sensor platforms with 256-bit elliptic curve cryptography.

Enforcing behaviour with anonymity

We discuss applications of an underlying anonymous infrastructure to enforce fair behaviour on participants in a distributed resource-sharing system. This approach aims to prevent users from forming self-rewarding cliques in order to gain unfair advantages in the use of shared resources. We deliberately avoid considering the more traditional applications of anonymous systems in an attempt to show the potential for the use of restricted access to identifying user information in applications where privacy is not the main motivation. We also briefly explore the problem of enforcing anonymity on users who may not wish to be anonymous, and consider the effect that low-level identification may have on the overall behaviour that we seek to enforce.