Protecting Users’ Privacy when Tracing Network Traffic Stefan Saroiu and Troy Ronda University of Toronto.

Slides:

Advertisements

Similar presentations

A look into Bullet Proof Hosting November DefCamp 5 Silviu Sofronie – Head of Forensics

Advertisements

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

What is Spam  Any unwanted messages that are sent to many users at once.  Spam can be sent via , text message, online chat, blogs or various other.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Cyber X-Force-SMS alert system for threats.

1 Network Measurements of a Wireless Classroom Network Carey Williamson Nuha Kamaluddeen Department of Computer Science University of Calgary.

1 LAN Traffic Measurements Carey Williamson Department of Computer Science University of Calgary.

October 22, 2002Serguei A. Mokhov, 1 Intro to Internet-services from Security Standpoint, Part II SOEN321-Information-Systems Security.

 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.

 Malicious or unsolicited mail sent to a mailbox without the option to unsubscribe  Often used as a catch-all of any undesired or questionable mail.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

URL Obscuring COEN 152/252 Computer Forensics  Thomas Schwarz, S.J

© 2008 Andreas Haeberlen, MPI-SWS 1 Pretty Good Packet Authentication Andreas Haeberlen MPI-SWS / Rice University Rodrigo Rodrigues MPI-SWS Peter Druschel.

Impact of BGP Dynamics on Intra-Domain Traffic Patterns in the Sprint IP Backbone Sharad Agarwal, Chen-Nee Chuah, Supratik Bhattacharyya, Christophe Diot.

Copyright © 2005 Department of Computer Science CPSC 641 Winter LAN Traffic Measurements Some of the first network traffic measurement papers were.

Privacy - not readable Permanent - not alterable (can't edit, delete) Reliable - (changes detectable) But the data must be accessible to persons authorized.

Bunker: A Tamper Resistant Platform for Network Tracing Stefan Saroiu University of Toronto.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

AND SPAM BY OLUWATOBI BAKARE

Norman SecureTide Powerful cloud solution to stop spam and threats before it reaches your network.

Internet safety By Lydia Snowden.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

Introduction to Honeypot, Botnet, and Security Measurement

Forensic and Investigative Accounting

Signatures As Threats to Privacy Brian Neil Levine Assistant Professor Dept. of Computer Science UMass Amherst.

Bluebear: Exploring Privacy Threats in the Internet Arnaud Legout EPI, Planète

GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Cameron Simpson.

Section 11.1 Identify customer requirements Recommend appropriate network topologies Gather data about existing equipment and software Section 11.2 Demonstrate.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

COEN 252 Computer Forensics

BitTorrent How it applies to networking. What is BitTorrent P2P file sharing protocol Allows users to distribute large amounts of data without placing.

Covert Communications Simple Nomad DC Feb2004.

Lecture#2 on Internet and World Wide Web. Internet Applications Electronic Mail ( ) Electronic Mail ( ) Domain mail server collects incoming mail.

A Privacy-Preserving Interdomain Audit Framework Adam J. Lee Parisa Tabriz Nikita Borisov University of Illinois, Urbana-Champaign WPES 2006.

COEN 252 Computer Forensics Collecting Network-based Evidence.

Forensic and Investigative Accounting Chapter 14 Internet Forensics Analysis: Profiling the Cybercriminal © 2005, CCH INCORPORATED 4025 W. Peterson Ave.

CIS 450 – Network Security Chapter 3 – Information Gathering.

Firewalls Nathan Long Computer Science 481. What is a firewall? A firewall is a system or group of systems that enforces an access control policy between.

IT internet security. The Internet The Internet - a physical collection of many networks worldwide which is referred to in two ways: The internet (lowercase.

MonNet – a project for network and traffic monitoring Detection of malicious Traffic on Backbone Links via Packet Header Analysis Wolfgang John and Tomas.

Security at NCAR David Mitchell February 20th, 2007.

8/30/2010CS 686 Definition of Security/Privacy EJ Jung CS 686 Special Topics in CS Privacy and Security.

WEP AND WPA by Kunmun Garabadu. Wireless LAN Hot Spot : Hotspot is a readily available wireless connection.  Access Point : It serves as the communication.

Chapter 9 Sending and Attachments. 2Practical PC 5 th Edition Chapter 9 Getting Started In this Chapter, you will learn: − How works − How.

1 Honeypot, Botnet, Security Measurement, Spam Cliff C. Zou CDA /01/07.

CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.

Denial of Service Datakom Ht08 Jesper Christensen, Patrick Johansson, Robert Kajic A short introduction to DoS.

Topic 5: Basic Security.

Anonymity - Background R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide.

BY: CHRIS GROVES Privacy in the Voting Booth. Reason for Privacy Voters worry that their vote may be held against them in the future  People shouldn’t.

Lesson 20. E-commerce Software Intershop Enfinity WebSphere Commerce Professional Edition Microsoft Commerce Server 2002.

Identify Friend or Foe (IFF) Chapter 9 Simple Authentication protocols Namibia Angola 1. N 2. E(N,K) SAAF Impala Russian MIG 1 Military needs many specialized.

Lecture 15 Page 1 CS 236 Online Evaluating Running Systems Evaluating system security requires knowing what’s going on Many steps are necessary for a full.

Chapter 9 Sending and Attachments. Sending and Attachments FAQs: – How does work? – How do I use local ? – How do I use Web-based.

Introduction Web analysis includes the study of users’ behavior on the web Traffic analysis – Usage analysis Behavior at particular website or across.

Instant Messaging. Magnitude of the Problem Radicati reports that 85% of enterprises today use IM. Furthermore, Radicati predicts IM usage increases will.

Kali Linux BY BLAZE STERLING. Roadmap  What is Kali Linux  Installing Kali Linux  Included Tools  In depth included tools  Conclusion.

Common System Exploits Tom Chothia Computer Security, Lecture 17.

Network Management Security in distributed and remote network management protocols.

IT443 – Network Security Administration Instructor: Bo Sheng

Due: a start of class Oct 26

6.6 Firewalls Packet Filter (=filtering router)

Starting TCP Connection – A High Level View

Hyperlinks and Protocols

Outline Using cryptography in networks IPSec SSL and TLS.

Wireshark(Ethereal).

Transport Layer Identification of P2P Traffic

CryptoSpike Ransomware Protection & File System Auditing Robert Graf

Presentation transcript:

Protecting Users’ Privacy when Tracing Network Traffic Stefan Saroiu and Troy Ronda University of Toronto

Challenge: Protect Users’ Privacy Network tracing today must capture payloads: Network tracing today must capture payloads:  Challenge: protect users’ privacy Typically, privacy protected via 3-step process: Typically, privacy protected via 3-step process: 1. Gather raw data, 2. Anonymize it off-line by hashing information Preserve some info: IP prefix-sharing, object sizes, etc.. Preserve some info: IP prefix-sharing, object sizes, etc.. 3. Throw-away raw data Trace analysis is done on anonymized data Trace analysis is done on anonymized data  Anonymized data could become publicly available

3-step process is inadequate from a privacy standpoint!

3-Step Anonymization Doesn’t Work Known mapping attacks: Known mapping attacks:  e.g., one IP address shares no prefix with all others  e.g., CEO is biggest recipient of Inferred mapping attacks: Inferred mapping attacks:  e.g., we could guess what websites are top 10 most popular  google.com, etc..  e.g., one 700MB file became a hot download on 11/3/2006  The Borat movie was released on the same date Data injection attacks: Data injection attacks:  Attacker injects carefully constructed traffic  Traffic easy to distinguish in hashed trace Crypto attacks: Crypto attacks:  Finding MD5 collisions takes 8 hours on a laptop today!!!  Would today hashed trace be trivial to break 20 years from now?

Even More Attacks are Possible Attacks on tracing infrastructure: Attacks on tracing infrastructure:  Network intrusions  Physical intrusions Unanticipated attacks: Unanticipated attacks:  Hard to foresee future ways to attack anonymization scheme  e.g., OS could be revealed based on ACKs’ timestamps Legal complications (attacks?): Legal complications (attacks?):  Tracing infrastructure could be subpoena-ed  Precedents exist: e.g., RIAA vs. Verizon

Lessons Learned No plaintext data can be written to disk. Ever. No plaintext data can be written to disk. Ever.  Subpoenas can reveal whole profiles  Very serious attack with serious privacy implications Gathered traces cannot be made public Gathered traces cannot be made public  Mapping attacks could reveal private information  Subject to future crypto attacks  a PDA will break MD5 in under 1 second in 20 years  Unanticipated attacks are problematic

Internet St. George campus Mississauga campus Picture not up to scale!

Internet St. George campus Mississauga campus Port Mirroring Single Tracing Machine Stable Storage RAM One-way link

Internet St. George campus Mississauga campus Port Mirroring Packet Capture TCP Reconstruction HTTP Reconstruction App.-level Reconstruction Anonymization Single Tracing Machine Stable Storage RAM

Internet St. George campus Mississauga campus Port Mirroring Packet Capture TCP Reconstruction HTTP Reconstruction App.-level Reconstruction Anonymization Single Tracing Machine Stable Storage RAM When Unplug from Power

Summary Our infrastructure protects against: Our infrastructure protects against:  Intrusion attacks  Disconnected from Internet  Legal attacks to recover raw data  All raw data manipulation done in RAM  Mapping, crypto, unanticipated, data injection attacks  Traces will not be made publicly available Mapping, crypto, unanticipated attacks still possible if anonymized trace is subpoena-ed Mapping, crypto, unanticipated attacks still possible if anonymized trace is subpoena-ed  Once analysis complete, destroy trace permanently

Phishing Measurement Statistics (Very Preliminary) Tracing 200Mbps and approximately 5K users Tracing 200Mbps and approximately 5K users  20GB of data collected per day Longest uninterrupted trace: 56 hours Longest uninterrupted trace: 56 hours usage statistics (spam) usage statistics (spam)  213 Hotmail users, 721 messages received  22 (3%) spam in Inbox (missed by Hotmail’s filters)