Matthew K. Wright
Brian Neil Levine
Skip Abstract Section
Abstract
Using analysis, simulation, and experimentation, we examine the threat against anonymous communications posed by passive-logging attacks. In previous work, we analyzed the success of such attacks under various assumptions. Here, we evaluate the effects of these assumptions more closely. First, we analyze the Onion Routing-based model used in prior work in which a fixed set of nodes remains in the system indefinitely. We show that for this model, by removing the assumption of uniformly random selection of nodes for placement in the path, initiators can greatly improve their anonymity. Second, we show by simulation that attack times are significantly lower in practice than bounds given by analytical results from prior work. Third, we analyze the effects of a dynamic membership model, in which nodes are allowed to join and leave the system; we show that all known defenses fail more quickly when the assumption of a static node set is relaxed. Fourth, intersection attacks against peer-to-peer systems are shown to be an additional danger, either on their own or in conjunction with the predecessor attack. Finally, we address the question of whether the regular communication patterns required by the attacks exist in real traffic. We collected and analyzed the Web requests of users to determine the extent to which basic patterns can be found. We show that, for our study, frequent and repeated communication to the same Web site is common.
- <scp>Bächer, P., Holz, T., Kötter, M., and Wicherski, G.</scp> 2005. Know your enemy: Tracking botnets. http://www.honeynet.org/papers/bots. The Honeynet Project and Research Alliance.Google Scholar
- <scp>Back, A., Goldberg, I., and Shostack, A.</scp> 2000. Freedom 2.0 security issues and analysis. White paper. Zero-Knowledge Systems, Inc.Google Scholar
- <scp>Baryshnikov, Y., Coffman, E., Pierre, G., Rubenstein, D., Squillante, M., and Yimwadsana, T.</scp> 2005. Predictability of Web-Server traffic congestion. In <it>Proceedings of the International Workshop on Web Content Caching and Distribution (WCW'05)</it>. 97--103. Google ScholarDigital Library
- <scp>Bauer, K., McCoy, D., Grunwald, D., Kohno, T., and Sicker, D.</scp> 2007. Low-resource routing attacks against anonymous systems. Tech. rep. CU-CS-1025-07, University of Colorado at Boulder.Google Scholar
- <scp>Bellissimo, A., Shenoy, P., and Levine, B. N.</scp> 2004. Exploring the use of BitTorrent as the basis for a large trace repository. Tech. rep. 04-41, Department of Computer Science, University of Massachusetts at Amherst.Google Scholar
- <scp>Berthold, O., Federrath, H., and Köhntopp, M.</scp> 2000. Project Anonymity and unobservability in the Internet. In <it>Proceedings of Computers Freedom and Privacy Conference (CFP'00)</it>. 57--65. Google ScholarDigital Library
- <scp>Berthold, O. and Langos, H.</scp> 2002. Dummy traffic against long term intersection attacks. In <it>Proceedings of Workshop on Privacy Enhancing Technologies (PET'02)</it>. 110--128. Google ScholarDigital Library
- <scp>Bissias, G. D., Liberatore, M., and Levine, B. N.</scp> 2005. Privacy vulnerabilities in encrypted HTTP streams. In <it>Proceedings of Workshop on Privacy Enhancing Technologies (PET'05)</it>. 1--11. Google ScholarDigital Library
- <scp>Chaum, D.</scp> 1988. The dining cryptographers problem: Unconditional sender and recipient untraceability. <it>J. Crypto. 1,</it> 1, 65--75. Google ScholarDigital Library
- <scp>Chu, J., Labonte, K., and Levine, B. N.</scp> 2002. Availability and locality measurements of peer-to-peer file systems. In <it>Proceedings ITCom: Scalability and Traffic Control in IP Networks II Conference</it>. Vol. SPIE 4868. 310--321.Google Scholar
- <scp>Danezis, G.</scp> 2003. Statistical disclosure attacks: Traffic confirmation in open environments. In <it>Proceedings of Security and Privacy in the Age of Uncertainty (SEC'03)</it>. 421--426.Google Scholar
- <scp>Danezis, G.</scp> 2004. The Traffic analysis of continuous-time mixes. In <it>Proceedings Workshop on Privacy Enhancing Technologies (PET'04)</it>. 35--50. Google ScholarDigital Library
- <scp>Danezis, G., Dingledine, R., and Mathewson, N.</scp> 2003. Mixminion: design of a type III anonymous remailer protocol. In <it>Proceedings of the IEEE Symposium on Security and Privacy</it>. 2--15. Google ScholarDigital Library
- <scp>Davison, B.</scp> 2002. Predicting Web actions from HTML content. In <it>Proceedings of the ACM Conference on Hypertext and Hypermedia (HT'02)</it>. 159--168. Google ScholarDigital Library
- <scp>Díaz, C., Seys, S., Claessens, J., and Preneel, B. </scp> 2002. Towards measuring anonymity. In <it>Proceedings of the Workshop on Privacy Enhancing Technologies (PET'02)</it>. 184--188.Google Scholar
- <scp>Diaz, F. and Allan, J.</scp> 2003. Browsing-based user language models for information retrieval. Tech. rep. CIIR IR-279, University of Massachusetts at Amherst.Google Scholar
- <scp>Dingledine, R. and Mathewson, N.</scp> 2007. Tor path specification. http://tor.eff.org/svn/trunk/doc/spec/path-spec.txt.Google Scholar
- <scp>Dingledine, R., Mathewson, N., and Syverson, P.</scp> 2004. TOR: The next-generation onion router. In <it>Proceedings of USENIX Security Symposium</it>. 303---320. Google ScholarDigital Library
- <scp>Douceur, J. R.</scp> 2002. The Sybil attack. In <it>Revised Papers from the 1st International Workshop on Peer-to-Peer Systems</it>. Springer-Verlag, 251--260. Google ScholarDigital Library
- <scp>Duchamp, D.</scp> 1999. Prefetching hyperlinks. In <it>Proceedings of the USENIX Symposium on Internet Technologies and Systems</it>. 127--138. Google ScholarDigital Library
- <scp>Figueiredo, D. R., Nain, P., and Towsley, D.</scp> 2004. On the analysis of the predecessor attack on anonymous protocols. Tech. rep. 04-65, Department of Computer Science. University of Massachusetts.Google Scholar
- <scp>Freedman, M. and Morris, R.</scp> 2002. Tarzan: A peer-to-peer anonymizing network layer. In <it>Proceedings of the ACM Conference on Computer and Communications Security (CCS'02)</it>. 193--206. Google ScholarDigital Library
- <scp>Goldberg, I. and Wagner, D.</scp> 1998. TAZ servers and the rewebber network: Enabling anonymous publishing on the World Wide Web. <it>First Monday</it>.Google Scholar
- <scp>Goldschlag, D., Reed, M., and Syverson, P.</scp> 1996. Hiding routing information. In <it>Proceedings of Information Hiding Workshop (IH'96)</it>. 137--150. Google ScholarDigital Library
- <scp>Gribble, S.</scp> 1997. UC Berkeley home IP HTTP traces. http://www.acm.org/sigcomm/ITA/.Google Scholar
- <scp>Hintz, A.</scp> 2002. Fingerprinting websites using traffic analysis. In <it>Proceedings of the Workshop on Privacy Enhancing Technologies (PET'02)</it>. Springer-Verlag, Lecture Notes in Computer Science, vol. 2482, 229--233. Google ScholarDigital Library
- Honeynet Project 2005. Know your enemy: Tracking botnets -- spreading. http://www.honeynet.org/papers/bots/botnet-spreading.html. The Honeynet Project and Research Alliance.Google Scholar
- <scp>Kesdogan, D., Agarwal, D., and Penz, S.</scp> 2002. Limits of anonymity in open environments. In <it>Proceedings of Information Hiding, 5th International Wkshp (IH'02)</it>. 53--69. Google ScholarDigital Library
- <scp>Kesdogan, D., Egner, J., and Büschkes, R.</scp> 1998. Stop-and-go-MIXes providing probabilistic anonymity in an open system. In <it>Information Hiding</it>. Lecture Notes in Computer Science, vol. 1525. Springer, 83--98.Google Scholar
- <scp>Köpsellbibt, S.</scp> 2003. JAP --- Web mixes. http://www.petworkshop.org/2003/slides/panels/stefan-PET2003panel.pdf.Google Scholar
- <scp>Levine, B., Reiter, M., Wang, C., and Wright, M.</scp> 2004. Timing attacks in low-latency mix systems. In <it>Proceedings of Financial Cryptography (FC'04).</it> (Lecture Notes in Computer Science, vol. 3110). 251---265.Google Scholar
- <scp>Levine, B. and Shields, C.</scp> 2002. Hordes: A protocol for anonymous communication over the Internet. <it>ACM J. Comput. Secur. 10,</it> 3, 213--240. Google ScholarDigital Library
- <scp>Liberatore, M. and Levine, B. N.</scp> 2006. Inferring the source of encrypted HTTP connections. In <it>Proceedings of the ACM Conference on Computer and Communications Security (CCS'06)</it>. 255--263. Google ScholarDigital Library
- <scp>Margolin, N. B. and Levine, B. N.</scp> 2007. Informant: Detecting sybils using incentives. In <it>Proceedings of Financial Cryptography (FC'07)</it>. Google ScholarDigital Library
- <scp>Mathewson, N. and Dingledine, R.</scp> 2004. Practical traffic analysis: Extending and resisting statistical disclosure. In <it>Proceedings of the Workshop on Privacy Enhancing Technologies (PET'04)</it>. Lecture Notes in Computer Science, vol. 3424. 17--34. Google ScholarDigital Library
- <scp>Murdoch, S. J.</scp> 2006. Hot or not: Revealing hidden services by their clock skew. In <it>Proceedings of the ACM Conference on Computer and Communications Security</it>. 27--36. Google ScholarDigital Library
- <scp>Murdoch, S. J. and Danezis, G.</scp> 2005. Low-cost traffic analysis of Tor. In <it>Proceedings of the IEEE Symposium on Security and Privacy</it>. 183--195. Google ScholarDigital Library
- <scp>Øverlier, L. and Syverson, P.</scp> 2006. Locating hidden servers. In <it>Proceedings of the IEEE Symposium on Security and Privacy</it>. 100--114. Google ScholarDigital Library
- <scp>Raymond, J. F.</scp> 2001. Traffic analysis: Protocols, attacks, design issues and open problems. In <it>International Workshop on Design Issues in Anonymity and Unobservability</it>. Lecture Notes in Computer Science, vol. 2009. Springer, 10--29. Google ScholarDigital Library
- <scp>Reiter, M. K. and Rubin, A. D.</scp> 1998. Crowds: Anonymity for Web transactions. <it>ACM Trans. Inform. Syst. Secur. 1,</it> 1, 66--92. Google ScholarDigital Library
- <scp>Rennhard, M. and Plattner, B.</scp> 2004. Practical anonymity for the masses with MorphMix. In <it>Proceedings of Financial Cryptography (FC'04)</it>. 233--250.Google Scholar
- <scp>Saroiu, S., Gummadi, P. K., and Gribble, S.</scp> 2002. A measurement study of peer-to-peer file sharing systems. In <it>Proceedings of the Multimedia Computing and Networking Conference (MMCN'02)</it>. 314--329.Google Scholar
- <scp>Scarlatta, V., Levine, B., and Shields, C.</scp> 2001. Responder anonymity and anonymous peer-to-peer file sharing. In <it>Proceedings of the IEEE International Conference on Network Protocols (ICNP'01)</it>. Google ScholarDigital Library
- <scp>Serjantov, A. and Danezis, G.</scp> 2002. Towards an information theoretic metric for anonymity. In <it>Proceedings of the Workshop on Privacy Enhancing Technologies (PET'02)</it>. Lecture Notes in Computer Science, vol. 2482. 259--263. Google ScholarDigital Library
- <scp>Serjantov, A. and Sewell, P.</scp> 2003. Passive attack analysis for connection-based anonymity systems. In <it>Proceedings of the European Symposium on Research in Computer Security (ESORICS'03)</it>. 116--131.Google Scholar
- <scp>Sherwood, R., Bhattacharjee, B., and Srinivasan, A.</scp> 2005. P5: a protocol for scalable anonymous communication. <it>J. Comput. Secur. 13,</it> 6, 839--876. Google ScholarDigital Library
- <scp>Shmatikov, V.</scp> 2002. Probabilistic analysis of anonymity. In <it>IEEE Computer Security Foundations Workshop</it>. 119--128. Google ScholarDigital Library
- <scp>Sun, Q., Simon, D. R., Wang, Y.-M., Russell, W., Padmanabhan, V. N., and Qiu, L.</scp> 2002. Statistical identification of encrypted Web browsing traffic. In <it>Proceedings of the IEEE Symposium on Security and Privacy</it>. 19--30. Google ScholarDigital Library
- <scp>Syverson, P., Tsudik, G., Reed, M., and Landwehr, C.</scp> 2000. Towards an analysis of onion routing security. In <it>Proceedings Workshop on Design Issues in Anonymity and Unobservability</it>. Lecture Notes in Computer Science, vol. 2009. 96--114. Google ScholarDigital Library
- <scp>The Graphic, Visualization, and Usability Center</scp>. 1998. GVU's 10th WWW User Survey. http://www-static.cc.gatech.edu/user_surveys/survey-1998-10.Google Scholar
- <scp>Wright, M., Adler, M., Levine, B. N., and Shields, C.</scp> 2002. An analysis of the degradation of anonymous protocols. In <it>Proceedings of ISOC Network and Distributed System Security Symposium (NDSS'02)</it>. 38--50.Google Scholar
- <scp>Wright, M., Adler, M., Levine, B. N., and Shields, C.</scp> 2003. Defending anonymous communication against passive logging attacks. In <it>Proceedings of the IEEE Symposium on Security and Privacy</it>. 28--41. Google ScholarDigital Library
- <scp>Wright, M., Adler, M., Levine, B. N., and Shields, C.</scp> 2004. The predecessor attack: An analysis of a threat to anonymous communications systems. <it>ACM Trans. Inform. Syst. Secur. 4,</it> 7, 489--522. Google ScholarDigital Library
Index Terms
Passive-Logging Attacks Against Anonymous Communications Systems
Recommendations
The predecessor attack: An analysis of a threat to anonymous communications systems
There have been a number of protocols proposed for anonymous network communication. In this paper, we investigate attacks by corrupt group members that degrade the anonymity of each protocol over time. We prove that when a particular initiator continues ...
Correlation-Based Traffic Analysis Attacks on Anonymity Networks
In this paper, we address attacks that exploit the timing behavior of TCP and other protocols and applications in low-latency anonymity networks. Mixes have been used in many anonymous communication systems and are supposed to provide countermeasures to ...
Comments