Xinwen Fu

On flow correlation attacks and countermeasures in mix networks

In this paper, we address issues related to flow correlation attacks and the corresponding countermeasures in mix networks. Mixes have been used in many anonymous communication systems and are supposed to provide countermeasures that can defeat various traffic analysis attacks. In this paper, we focus on a particular class of traffic analysis attack, flow correlation attacks, by which an adversary attempts to analyze the network traffic and correlate the traffic of a flow over an input link at a mix with that over an output link of the same mix. Two classes of correlation methods are considered, namely time-domain methods and frequency-domain methods. Based on our threat model and known strategies in existing mix networks, we perform extensive experiments to analyze the performance of mixes. We find that a mix with any known batching strategy may fail against flow correlation attacks in the sense that for a given flow over an input link, the adversary can correctly determine which output link is used by the same flow. We also investigated methods that can effectively counter the flow correlation attack and other timing attacks. The empirical results provided in this paper give an indication to designers of Mix networks about appropriate configurations and alternative mechanisms to be used to counter flow correlation attacks.

DSSS-Based Flow Marking Technique for Invisible Traceback

Law enforcement agencies need the ability to conduct electronic surveillance to combat crime, terrorism, or other malicious activities exploiting the Internet. However, the proliferation of anonymous communication systems on the Internet has posed significant challenges to providing such traceback capability. In this paper, we develop a new class of flow marking technique for invisible traceback based on direct sequence spread spectrum (DSSS), utilizing a pseudo-noise (PN) code. By interfering with a senders traffic and marginally varying its rate, an investigator can embed a secret spread spectrum signal into the senders traffic. The embedded signal is carried along with the traffic from the sender to the receiver, so the investigator can recognize the corresponding communication relationship, tracing the messages despite the use of anonymous networks. The secret PN code makes it difficult for others to detect the presence of such embedded signals, so the traceback, while available to investigators is, effectively invisible. We demonstrate a practical flow marking system which requires no training, and can achieve both high detection and low false positive rates. Using a combination of analytical modeling, simulations, and experiments on Tor (a popular Internet anonymous communication system), we demonstrate the effectiveness of the DSSS-basedflow marking technique.

A new cell counter based attack against tor

Various low-latency anonymous communication systems such as Tor and Anoymizer have been designed to provide anonymity service for users. In order to hide the communication of users, many anonymity systems pack the application data into equal-sized cells (e.g., 512 bytes for Tor, a known real-world, circuit-based low-latency anonymous communication network). In this paper, we investigate a new cell counter based attack against Tor, which allows the attacker to confirm anonymous communication relationship among users very quickly. In this attack, by marginally varying the counter of cells in the target traffic at the malicious exit onion router, the attacker can embed a secret signal into the variation of cell counter of the target traffic. The embedded signal will be carried along with the target traffic and arrive at the malicious entry onion router. Then an accomplice of the attacker at the malicious entry onion router will detect the embedded signal based on the received cells and confirm the communication relationship among users. We have implemented this attack against Tor and our experimental data validate its feasibility and effectiveness. There are several unique features of this attack. First, this attack is highly efficient and can confirm very short communication sessions with only tens of cells. Second, this attack is effective and its detection rate approaches 100% with a very low false positive rate. Third, it is possible to implement the attack in a way that appears to be very difficult for honest participants to detect (e.g. using our hopping-based signal embedding).

NetCamo: camouflaging network traffic for QoS-guaranteed mission critical applications

This paper presents the general approach, design, implementation, and evaluation of NetCamo, which is a system to prevent traffic analysis in systems with real-time requirements. Integrated support for both security and real-time is becoming necessary for computer networks that support mission critical applications. This study focuses on how to integrate both the prevention of traffic analysis and guarantees for worst-case delays in an internetwork. We propose and analyze techniques that efficiently camouflage network traffic and correctly plan and schedule the transmission of payload traffic so that both security and real-time requirements are met. The performance evaluation shows that our NetCamo system is effective and efficient. By using the error between target camouflaged traffic and the observed (camouflaged) traffic as metric to measure the quality of the camouflaging, we show that NetCamo achieves very high levels of camouflaging without compromising real-time requirements.

A New Replay Attack Against Anonymous Communication Networks

Tor is a real-world, circuit-based low-latency anonymous communication network, supporting TCP applications on the Internet. In this paper, we present a new class of attack, the replay attack, against Tor. Compared with other existing attacks, the replay attack can confirm communication relationships quickly and accurately and poses a serious threat against Tor. In this attack, a malicious entry onion router duplicates cells of a stream from a sender. The original cell and duplicate cell traverse middle onion routers and arrive at an exit onion router along a circuit. Since Tor uses the counter mode AES (AES-CTR) for encryption of cells, the duplicate cell disrupts the normal counter at middle and exit onion routers and the decryption at the exit onion router incurs cell recognition errors. If an accomplice of the attacker at the entry onion router controls the exit onion router and detects such decryption errors, the communication relationship between the sender and receiver will be discovered. The replay attack can also be used as a denial of service attack. We implement the replay attack on Tor and our experiments validate the feasibility and effectiveness of the attack. We also present guidelines to defending against the replay attack.

An optimal strategy for anonymous communication protocols

For many Internet applications, the ability to protect the identity of participants in a distributed applications is critical. For such applications, a number of anonymous communication systems have been realized over the recent years. The effectiveness of these systems relies greatly on the way messages are routed among the participants. (We call this the route selection strategy.) In this paper we describe how to select routes so as to maximize the ability of the anonymous communication systems to protect anonymity To measure this ability, we define a metric (anonymity degree), and we design and evaluate an optimal route selection strategy that maximizes the anonymity degree of a system. Our analytical and experimental data shows that the anonymity degree may not always monotonically increase as the length of communication paths increase. We also found that variable path-length strategies perform better than fixed-length strategies.

A Novel En-Route Filtering Scheme Against False Data Injection Attacks in Cyber-Physical Networked Systems

In Cyber-Physical Networked Systems (CPNS), attackers could inject false measurements to the controller through compromised sensor nodes, which not only threaten the security of the system, but also consumes network resources. To deal with this issue, a number of en-route filtering schemes have been designed for wireless sensor networks. However, these schemes either lack resilience to the number of compromised nodes or depend on the statically configured routes and node localization, which are not suitable for CPNS. In this paper, we propose a Polynomial-based Compromised-Resilient En-route Filtering scheme (PCREF), which can filter false injected data effectively and achieve a high resilience to the number of compromised nodes without relying on static routes and node localization. Particularly, PCREF adopts polynomials instead of MACs (message authentication codes) for endorsing measurement reports to achieve the resilience to attacks. Each node stores two types of polynomials: authentication polynomial and check polynomial derived from the primitive polynomial, and used for endorsing and verifying the measurement reports. Via extensive theoretical analysis and simulation experiments, our data show that PCREF achieves better filtering capacity and resilience to the large number of compromised nodes in comparison to the existing schemes.

Fingerprint attack against touch-enabled devices

Oily residues left by tapping fingers on a touch screen may breach user privacy. In this paper, we introduce the fingerprint attack against touch-enabled devices. We dust the touch screen surface to reveal fingerprints, and use an iPhone camera to carefully photograph fingerprints while striving to remove the virtual image of the phone from the fingerprint image. We then sharpen the fingerprints in an image via various image processing techniques and design effective algorithms to automatically map fingerprints to a keypad in order to infer tapped passwords. Extensive experiments were conducted on iPad, iPhone and Android phone and the results show that the fingerprint attack is effective and efficient in inferring passwords from fingerprint images. To the best of our knowledge, we are the first using fingerprint powder on touch screen and inferring passwords from fingerprints. Video at http://www.youtube.com/watch?v=vRUbJIcV9vg shows the dusting process on iPhone and video at http://www.youtube.com/watch?v=6jS6KroER3Y shows the dusting process on iPad. After dusting, password characters for login are clearly disclosed.

Detecting worms via mining dynamic program execution

Worm attacks have been major security threats to the Internet. Detecting worms, especially new, unseen worms, is still a challenging problem. In this paper, we propose a new worm detection approach based on mining dynamic program executions. This approach captures dynamic program behavior to provide accurate and efficient detection against both seen and unseen worms. In particular, we execute a large number of real-world worms and benign programs (executables), and trace their system calls. We apply two classifier-learning algorithms (Naive Bayes and Support Vector Machine) to obtain classifiers from a large number of features extracted from the system call traces. The learned classifiers are further used to carry out rapid worm detection with low overhead on the end-host. Our experimental results clearly demonstrate the effectiveness of our approach to detect new worms in terms of a very high detection rate and a low false positive rate.

Self-Disciplinary Worms and Countermeasures: Modeling and Analysis

In this paper, we address issues related to the modeling, analysis, and countermeasures of worm attacks on the Internet. Most previous work assumed that a worm always propagates itself at the highest possible speed. Some newly developed worms (e.g., “Atak” worm) contradict this assumption by deliberately reducing the propagation speed in order to avoid detection. As such, we study a new class of worms, referred to as self-disciplinary worms. These worms adapt their propagation patterns in order to reduce the probability of detection, and eventually, to infect more computers. We demonstrate that existing worm detection schemes based on traffic volume and variance cannot effectively defend against these self-disciplinary worms. To develop proper countermeasures, we introduce a game-theoretic formulation to model the interaction between the worm propagator and the defender. We show that an effective integration of multiple countermeasure schemes (e.g., worm detection and forensics analysis) is critical for defending against self-disciplinary worms. We propose different integrated schemes for fighting different self-disciplinary worms, and evaluate their performance via real-world traffic data.