This document discusses network flow watermarking as an active traffic analysis technique. It begins with background on anonymity systems and passive traffic analysis attacks. It then introduces the concept of active traffic analysis by watermarking network flows to perturb traffic characteristics like packet timing. The document focuses on the RAINBOW watermarking scheme, which embeds a spread spectrum watermark in the inter-packet delay. It describes the watermarking and detection process, analyzes the detection performance, and discusses applications like stepping stone detection and anonymity compromise.
1. Traffic Analysis:
Network Flow Watermarking
Amir Houmansadr
CS660: Advanced Information Assurance
Spring 2015
CS660 - Advanced Information Assurance -
UMassAmherst
2. Previously
• Two popular forms of anonymous
communications
– Onion Routing (Tor)
– Mix Networks
• They aim to be low-latency so they can be used for
interactive applications, e.g., web browsing,
IM, VoIP, etc.
Gives birth to attacks
3. Attacks on anonymity systems
• Traffic analysis attacks
• Intersection attacks
• Fingerprinting attacks
• DoS attacks
• …
4. Who Wants to Attack Tor?
• Who has the ability to attack Tor?
5. How NSA tries to break Tor
– Tor stinks
6. Why do they want to break Tor
(or, what do they say?)
14. Discussion
• Should privacy-enhancing technologies (e.g.,
Tor) have backdoors for law enforcement?
15. Traffic Analysis
• Definition: inferring sensitive information
from communication patterns rather than
traffic contents, whether or not the traffic is encrypted
• Related fields
– Traffic shaping
– Data mining
16. Use cases of traffic analysis
• Inferring encrypted data (SSH, VoIP)
• Inferring events
• Linking network flows in low-latency
networking applications
• …
17. Outline
• Traffic analysis in low-latency scenarios
• Passive traffic analysis
• Active traffic analysis: watermarks
21. Some literature
Stepping stone detection
– Character frequencies [Staniford-Chen et al., S&P’95]
– ON/OFF behavior of interactive connections [Zhang et al., SEC’00]
– Correlating inter-packet delays [Wang et al., ESORICS’02]
– Flow-sketches [Coskun et al., ACSAC’09]
Compromising anonymity
– Analysis of onion routing [Syverson et al., PET’00]
– Freedom and PipeNet [Back et al., IH’01]
– Mix-based systems: [Raymond et al., PET’00], [Danezis et al., PET’04]
22. Passive Traffic analysis
• Based on inter-packet delays of network flows
[Wang et al., ESORICS’02]
– Min/Max Sum Ratio (MMS)
– Statistical Correlation (STAT)
– Normalized Dot Product (NDP)
23. Passive Traffic analysis
• ON/OFF behavior of interactive connections
[Zhang et al., SEC’00]
• Based on flow sketches [Coskun et al.,
ACSAC’09]
26. Issues of passive traffic analysis
• Intrinsic correlation of flows
– High false error rates
– Need long flows for detection
• Massive computation and communication
– Not scalable: O(n) communication, O(n^2) computation
36. RAINBOW: Robust And Invisible
Non-Blind Watermark
NDSS 2009
With Negar Kiyavash and Nikita Borisov
37. RAINBOW Scheme
• Insert spread spectrum watermark within Inter-Packet
Delay (IPD) information
– At the watermarker: IPDW = IPD + WM
– At the detector: IPDR - IPD = WM + Jitter
• IPD Database
– Last n packets, removed after connection ends
– Low memory resources for moderate-size enterprises
[Figure: RAINBOW block diagram with Sender, Watermarker, Receiver, Detector and IPD Database; signals labelled IPD, IPDW, IPDR and WM]
• Non-Blind watermarking: provide invisibility
38. Detection Analysis
• Using the last n samples of IPD
– Y= IPDR - IPD = WM + Jitter
– Normalized correlation
– Detection threshold η
• System parameters:
– a: watermark amplitude
– b: standard deviation of jitter
– represents the SNR
– n: watermark length
• Detection analysis: Hypothesis testing
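[Equations: FP and FN error rates, each of the form 0.5·exp(…), in terms of n, a and b]
[Figure: Detector block diagram with blocks Subtraction, Normalized Correlation and Decision; inputs IPDR, IPD (from the IPD Database) and the Watermark; intermediate signal Y]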
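The embedding and detection steps from the RAINBOW slides (IPDW = IPD + WM, Y = IPDR - IPD, normalized correlation against threshold η), simulated as an added example that is not code from the slides or from the RAINBOW authors. Assumptions: the normalization is taken to be cosine similarity, jitter is Gaussian with standard deviation b, base IPDs are drawn from a shifted exponential, and all parameter values are constructed.

```python
import math
import random

def make_watermark(n, a, rng):
    """Spread-spectrum watermark: n pseudo-random chips of +a or -a seconds."""
    return [a if rng.random() < 0.5 else -a for _ in range(n)]

def embed(ipd, wm):
    """Watermarker: IPDW = IPD + WM. The unmodified IPDs go to the IPD database."""
    return [d + w for d, w in zip(ipd, wm)]

def normalized_correlation(y, wm):
    """Cosine similarity of Y and WM (assumed form of the normalization)."""
    dot = sum(p * q for p, q in zip(y, wm))
    norm = math.sqrt(sum(p * p for p in y)) * math.sqrt(sum(q * q for q in wm))
    return dot / norm if norm else 0.0

def detect(ipd_received, ipd_db, wm, eta):
    """Detector: Y = IPDR - IPD (non-blind), then compare correlation with eta."""
    y = [r - d for r, d in zip(ipd_received, ipd_db)]
    score = normalized_correlation(y, wm)
    return score, score > eta

def simulate(n=400, a=0.010, b=0.010, eta=0.3, seed=1):
    """Return (score, decision) for a watermarked flow and for an unrelated flow."""
    rng = random.Random(seed)
    # Constructed sample flow: IPDs of at least 20 ms so IPD + WM stays positive.
    ipd = [0.02 + rng.expovariate(1 / 0.4) for _ in range(n)]
    wm = make_watermark(n, a, rng)
    ipdw = embed(ipd, wm)
    # Network jitter between watermarker and detector, standard deviation b.
    ipdr = [d + rng.gauss(0, b) for d in ipdw]
    # An independent flow that never passed through the watermarker.
    other = [0.02 + rng.expovariate(1 / 0.4) for _ in range(n)]
    return detect(ipdr, ipd, wm, eta), detect(other, ipd, wm, eta)

if __name__ == "__main__":
    marked, unrelated = simulate()
    print("watermarked flow: score=%.3f detected=%s" % marked)
    print("unrelated flow:   score=%.3f detected=%s" % unrelated)
```

With a = b the watermarked flow scores near a/sqrt(a^2 + b^2) ≈ 0.71, while the unrelated flow's score is spread around 0 with standard deviation about 1/sqrt(n), which is why a larger n or a larger a/b widens the gap around η.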
39. System Design
• Cross-Over Error Rate
(COER) versus system
parameters
• Increasing
– Lower error, more visible
• Increasing n
– lower error, slower
detection
• a can be traded for n
• a should be adjusted to
jitter
40. Evaluation
• Devise a selective correlation to compensate for
packet-level modifications
– Sliding window
• Invisibility analyzed using
– Kolmogorov-Smirnov test
– Entropy-based tools of [Gianvecchio, CCS07]
• Performance summary
– Fast detection
– Detection time ≈ 3 min of SSH traffic (400 packets)
– False errors of order 10^-6
41. Other applications
• Linking flows in low-latency applications
– Stepping stone detection
– Compromising anonymous networks
– Long path attack
– IRC-based botnet detection
– VoIP de-anonymization
– …
43. Acknowledgement
• Some of the slides, content, or pictures are borrowed from
the following resources, and some pictures are obtained
through Google search without being referenced below:
• Tor stinks