Traffic Analysis: Network Flow Watermarking. Amir Houmansadr. CS660: Advanced Information Assurance, Spring 2015.


Traffic Analysis: Network Flow Watermarking
Amir Houmansadr
CS660: Advanced Information Assurance, Spring 2015
CS660 - Advanced Information Assurance - UMassAmherst

Previously
• Two popular forms of anonymous communications
  – Onion Routing (Tor)
  – Mix Networks
• They aim to be low-latency so they can be used for interactive applications, e.g., web browsing, IM, VoIP, etc.
  → Gives birth to attacks

Attacks on anonymity systems
• Traffic analysis attacks
• Intersection attacks
• Fingerprinting attacks
• DoS attacks
• …

Who Wants to Attack Tor?
Who has the ability to attack Tor?

How NSA tries to break Tor
– Tor stinks

Why do they want to break Tor (or, what do they say?)


Discussion
Should privacy-enhancing technologies (e.g., Tor) have backdoors for law enforcement?

Traffic Analysis
• Definition: inferring sensitive information from communication patterns rather than from traffic contents, whether or not the traffic is encrypted
• Related fields
  – Traffic shaping
  – Data mining

Use cases of traffic analysis
• Inferring encrypted data (SSH, VoIP)
• Inferring events
• Linking network flows in low-latency networking applications
• …

Outline
• Traffic analysis in low-latency scenarios
• Passive traffic analysis
• Active traffic analysis: watermarks

Compromising anonymity
[figure: hosts A and B, anonymous network]

Stepping stone attack

Passive Traffic analysis
Analyzing network flow patterns by only observing traffic:
– Packet counts
– Packet timings
– Packet sizes
– Flow rate
– …

Some literature
• Stepping stone detection
  – Character frequencies [Staniford-Chen et al., S&P’95]
  – ON/OFF behavior of interactive connections [Zhang et al., SEC’00]
  – Correlating inter-packet delays [Wang et al., ESORICS’02]
  – Flow-sketches [Coskun et al., ACSAC’09]
• Compromising anonymity
  – Analysis of onion routing [Syverson et al., PET’00]
  – Freedom and PipeNet [Back et al., IH’01]
  – Mix-based systems: [Raymond et al., PET’00], [Danezis et al., PET’04]

Passive Traffic analysis
Based on inter-packet delays of network flows [Wang et al., ESORICS’02]
– Min/Max Sum Ratio (MMS)
– Statistical Correlation (STAT)
– Normalized Dot Product (NDP)

Passive Traffic analysis
• ON/OFF behavior of interactive connections [Zhang et al., SEC’00]
• Based on flow sketches [Coskun et al., ACSAC’09]

Issues of passive traffic analysis
• Intrinsic correlation of flows
  – High false error rates
  – Need long flows for detection

Compromising anonymity
[figure: hosts A and B, anonymity network]

Issues of passive traffic analysis
• Intrinsic correlation of flows
  – High false error rates
  – Need long flows for detection
• Massive computation and communication
  – Not scalable: O(n) communication, O(n^2) computation

Compromising anonymity
[figure: hosts A and B, anonymity network]

Flow watermarks: Active traffic analysis

Flow watermarking
Traffic analysis by perturbing network traffic
– Packet timings
– Packet counts
– Packet sizes
– Flow rate
– …

Compromising anonymity
[figure: hosts A and B, anonymity network]

Stepping stone detection
[figure: enterprise network]

Active Traffic Analysis
• Improve detection efficiency (lower false errors, fewer packets)
• O(1) communication and O(n) computation, instead of O(n) and O(n^2)
• Faster detection

Compromising anonymity
[figure: hosts A and B, anonymity network]

Watermark features
• Detection efficiency
• Invisibility
• Robustness
• Resource efficiency

Inter-Packet Delay vs. Interval-Based Watermarking
• Interval-Based Watermarking
  – Robustness to packet modifications
  – IBW [Infocom’07], ICBW [S&P’07], DSSS [S&P’07] CLEARLOAD
• Inter-Packet Delay (IPD) watermarking

RAINBOW: Robust And Invisible Non-Blind Watermark
NDSS 2009
With Negar Kiyavash and Nikita Borisov

RAINBOW Scheme
• Insert spread spectrum watermark within Inter-Packet Delay (IPD) information
  – At the watermarker: IPD_W = IPD + WM
  – At the detector: IPD_R - IPD = WM + Jitter
• IPD Database
  – Last n packets, removed after connection ends
  – Low memory resources for moderate-size enterprises
• Non-blind watermarking: provides invisibility
[figure: Sender, Watermarker, Detector, Receiver and IPD Database; signals IPD, IPD_W, IPD_R, WM]

Detection Analysis
• Using the last n samples of IPD
  – Y = IPD_R - IPD = WM + Jitter
  – Normalized correlation
  – Detection threshold η
• System parameters:
  – a: watermark amplitude
  – b: standard deviation of jitter
  – represents the SNR
  – n: watermark length
• Detection analysis: hypothesis testing
[figure: Watermark Detector: IPD_R and IPD (from the IPD Database) feed Subtraction, giving Y, then Normalized Correlation, then Decision]
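The embedding and detection equations from the two RAINBOW slides above, carried through on synthetic inter-packet delays as a stepping-stone detector would apply them; this is an added simulation, not code from the lecture or from the RAINBOW authors. The keyed ±a sequence, the cosine form of the normalized correlation, and the values a = b = 10 ms and η = 0.3 are assumptions; n = 400 follows the packet count the deck quotes.

```python
import math
import random

def make_watermark(n, a, key):
    # Assumed watermark shape: keyed pseudo-random sequence of +a / -a (seconds).
    rng = random.Random(key)
    return [a if rng.random() < 0.5 else -a for _ in range(n)]

def embed(ipd, wm):
    # Watermarker: IPD_W = IPD + WM
    return [d + w for d, w in zip(ipd, wm)]

def normalized_correlation(y, wm):
    # Assumed normalization: <Y, WM> / (|Y| * |WM|), a value in [-1, 1].
    dot = sum(yi * wi for yi, wi in zip(y, wm))
    norm = math.sqrt(sum(v * v for v in y)) * math.sqrt(sum(v * v for v in wm))
    return dot / norm if norm else 0.0

def detect(ipd_received, ipd_stored, wm, eta):
    # Detector (non-blind): Y = IPD_R - IPD, which is WM + Jitter for the marked flow.
    y = [r - d for r, d in zip(ipd_received, ipd_stored)]
    score = normalized_correlation(y, wm)
    return score, score > eta

def synthetic_ipds(n, seed):
    # Constructed sample data: 50 ms floor plus an exponential gap (mean 100 ms).
    rng = random.Random(seed)
    return [0.05 + rng.expovariate(10.0) for _ in range(n)]

def add_jitter(ipd, b, seed):
    # Network jitter modelled as zero-mean Gaussian with standard deviation b.
    rng = random.Random(seed)
    return [d + rng.gauss(0.0, b) for d in ipd]

def run_demo(n=400, a=0.010, b=0.010, eta=0.3):
    ipd = synthetic_ipds(n, seed=1)                  # stored in the IPD database
    wm = make_watermark(n, a, key="demo-key")
    relayed = add_jitter(embed(ipd, wm), b, seed=2)  # marked flow seen at the detector
    unrelated = synthetic_ipds(n, seed=3)            # a different flow at the detector
    return detect(relayed, ipd, wm, eta), detect(unrelated, ipd, wm, eta)

if __name__ == "__main__":
    for name, (score, hit) in zip(("relayed", "unrelated"), run_demo()):
        print(f"{name:9s} score={score:+.3f} watermark_detected={hit}")
```

With a = b the relayed flow scores near a / sqrt(a^2 + b^2) ≈ 0.71, while an unrelated flow scores near 0 with standard deviation about 1/sqrt(n), which is why a larger n or a larger a lowers the error rate.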

System Design
• Cross-Over Error Rate (COER) versus system parameters
• Increasing – Lower error, more visible
• Increasing n – lower error, slower detection
• a can be traded for n
• a should be adjusted to jitter

Evaluation
• Devise a selective correlation to compensate for packet-level modifications
  – Sliding window
• Invisibility analyzed using
  – Kolmogorov-Smirnov test
  – Entropy-based tools of [Gianvecchio, CCS07]
• Performance summary
  – Fast detection
  – Detection time ≈ 3 min of SSH traffic (400 packets)
  – False errors of order

Other applications
Linking flows in low-latency applications
– Stepping stone detection
– Compromising anonymous networks
– Long path attack
– IRC-based botnet detection
– VoIP de-anonymization
– …

Long-path attack
[figure: Tor network]

IRC-based botnets

Acknowledgement
Some of the slides, content, or pictures are borrowed from the following resources, and some pictures are obtained through Google search without being referenced below: Tor stinks