Published by Georgiana Ford. Modified over 9 years ago.
1
Traffic Matrix Approach R. Newman
2
Topics
- Defining anonymity
- Need for anonymity
- Defining privacy
- Threats to anonymity and privacy
- Mechanisms to provide anonymity
- Metrics for Anonymity
- Applications of anonymity technology
3
Traffic Matrix
- Represents traffic patterns
  - Not specific to a particular message
  - Measure traffic over time window
- Shows traffic from each sender to each recipient
  - TM(i,j) = traffic sent from i to j
  - Can be messages, bits, bytes, or rates

Sender \ Receiver    1    2    3    4
        1            0    3    5    0
        2            1    0    0    9
        3            2    0    0    5
        4            0   11    5    0
4
Traffic Matrix
- All nodes are both senders and receivers, i.e., peers
- Topology is a complete digraph of N nodes, i.e., an N-clique
- Traffic may be zero, light, moderate, or heavy
[Traffic matrix table repeated from slide 3.]
[Figure: nodes S1, S2, S3, S4 drawn as a complete digraph, edges labelled with the traffic values from the matrix.]
5
Traffic Matrix
- All nodes are both senders and receivers, i.e., peers
- Links have capacity limits
- Traffic that exceeds link capacity must be split over multiple routes
- These may be symmetric or not (those shown are symmetric)
[Traffic matrix table repeated from slide 3.]
[Figure: nodes S1, S2, S3, S4 with traffic values and link capacity labels on the edges.]
6
Traffic Matrix
- All nodes are both senders and receivers, i.e., peers
- Links have capacity limits
- Traffic that exceeds link capacity must be split over multiple routes
- These may be symmetric or not (those shown are symmetric)
[Traffic matrix table repeated from slide 3.]
[Figure: nodes S1, S2, S3, S4 with traffic values and link capacity labels on the edges.]
7
Traffic Matrix
- Takes the approach that attacker wants to know traffic patterns
  - Not specific to a particular message
  - Measure traffic over time window
- Global passive adversary
  - Sees source & destination for all msgs
  - "Observed TM" = what attacker observes
  - If no countermeasures, then observed TM is the actual TM
- Assumes nodes are peers
- Assumes nodes are not compromised
8
TAP Countermeasures
- All messages are padded to same length
  - Prevent linking messages
- Only (visible) source and destination are not encrypted
  - Prevent linking messages
  - Prevent source/destination linkage
9
TAP Countermeasures
- Node may send dummy messages
  - Adds to observed traffic
- Node may re-route messages
  - Changes observed traffic pattern
- Node may delay messages
  - Helps obscure message linkage
  - Can smooth out flows
10
Traffic Matrix
- TM has all diagonal entries zero
  - No self-traffic
- T[i,j] = # messages from i to j
- TM T dominates T' iff for all i and j, T[i,j] >= T'[i,j]
- Neutral TM – all traffic is uniform
  - All non-diagonal values are equal
  - For all i <> j and i' <> j', T[i,j] = T[i',j']
- Unit Neutral TM: all non-diagonal values = 1
- Magnitude of a Neutral TM is the value of the non-zero entries in the TM
11
Neutral Traffic Matrix
- All traffic between all pairs is equal
  - Observer cannot distinguish pairs that are engaged in much interaction from those that are engaged in none
- What information does Neutral TM give?
  - Only an upper bound on the actual possible traffic
  - But traffic between a pair can exceed observed traffic between the pair, due to rerouting
- May be overkill
12
Traffic Matrix
- Actual TM, T_act
  - End-to-end TM not including any countermeasures
  - No dummy messages
  - No re-routing through intermediaries
- Observed TM, T_obs
  - End-to-end traffic as observed from addresses
  - Includes dummy traffic
  - Includes changes due to re-routed traffic
13
Traffic Matrix
- Routes, flow assignments
- Actual TM requires T_act[i,j] messages be sent from i to j in time period
  - Each message must either be sent directly from node i to node j
  - Or it must follow a longer path from i to j
- Flow assignment dictates how many messages from i to j take each particular route
[Figure: nodes S_i, S_j, S_k with edge labels 10 and 5; T_act[i,j] = 10, T_obs[i,j] = 5.]
14
Traffic Matrix
- Link load = number of messages using link
  - Must not exceed link capacity
- How might you reroute traffic?
[Figure: nodes S1, S2, S3, S4 with traffic values and link capacities (5 and 7) on the edges.]
15
Traffic Matrix
- Reroute traffic exceeding capacity
  - Adds load to links on route
  - Must ensure rerouting does not exceed capacity
[Figure: nodes S1, S2, S3, S4 after a first rerouting attempt; one link is annotated 3+4=7>5.]
16
Traffic Matrix
- Reroute traffic exceeding capacity
  - Does this work now?
  - Yes – link loads all below capacities
[Figure: nodes S1, S2, S3, S4 after rerouting; links are annotated 3+2=5 and 5+2=7.]
17
Traffic Matrix
- Reroute traffic exceeding capacity
- Total Traffic Load
  - Sum of link loads
  - What are link loads?
[Figure: nodes S1, S2, S3, S4 after rerouting, as on the previous slide.]

Source   Dest'n   Load
1        2        3+2=5
1        3        5
1        4        0+2=2
2        1        1+3=3
2        3        0
2        4        9-2=7
3        1        2
3        2        0+2=2
3        4        5
4        1
4        2        11-4=7
4        3        5+2=7
Total Load        42
18
Traffic Matrix
- Feasible TM
  - For a given actual TM, any TM for which there exists a set of routes and flow assignments for all senders and destinations such that no link load exceeds the corresponding link capacity
  - i.e., actual traffic can be re-routed according to the flow assignments without violating constraints
19
TAP Countermeasures
- Unit Padding Transform
  - Transforms TM T to T' by increasing the traffic by unity on a single link
  - For some i,j, T'[i,j] = T[i,j]+1, and for all other i',j', T'[i',j'] = T[i',j']

    T_act       +  T_pad    =  T_obs
[T11 T12 T13]     [0 1 0]     [T11 T12+1 T13]
[T21 T22 T23]  +  [0 0 0]  =  [T21 T22   T23]
[T31 T32 T33]     [0 0 0]     [T31 T32   T33]
20
TAP Countermeasures
- Unit Rerouting Transform
  - Transforms TM T to T' by decreasing the traffic from i to j and increasing it from i to k and from k to j by unity (reroute one i-j message via k)
  - For some i,j, T'[i,j] = T[i,j]-1, and
  - for some k, T'[i,k] = T[i,k]+1 and T'[k,j] = T[k,j]+1
  - For all other i',j', T'[i',j'] = T[i',j']

    T_act       +  T_RR       =  T_obs
[T11 T12 T13]     [0 -1 +1]     [T11 T12-1 T13+1]
[T21 T22 T23]  +  [0  0  0]  =  [T21 T22   T23  ]
[T31 T32 T33]     [0 +1  0]     [T31 T32+1 T33  ]
21
TAP Countermeasures
- Delay not explicitly considered
  - Would reduce load in one window
  - Increase it on same link in next window
  - But we only consider one window here...

Window t:
[T11 T12 T13]     [0 -1 0]     [T11 T12-1 T13]
[T21 T22 T23]  +  [0  0 0]  =  [T21 T22   T23]
[T31 T32 T33]     [0  0 0]     [T31 T32   T33]

Window t+1:
[T11 T12 T13]     [0 +1 0]     [T11 T12+1 T13]
[T21 T22 T23]  +  [0  0 0]  =  [T21 T22   T23]
[T31 T32 T33]     [0  0 0]     [T31 T32   T33]
22
Achieving Neutrality
- Padding
  - Pad matrix is sum of scaled unit pad matrices
  - One unit pad per i,j pair (where i <> j)
  - N(N-1) scaling multipliers
- Rerouting
  - Reroute matrix is sum of scaled unit reroutes
  - One unit reroute matrix per triple (i,j,k)
  - N(N-1)(N-2) non-zero scaling multipliers
23
Achieving Neutrality
- Start with T_act
- Approach (shown for one row)
  - First, reroute to minimize maximum T'[i,j]
    - T'[i,j] = T_act + T_RR
  - Then pad to bring all non-diagonals to max
    - T_obs = T_act + T_RR + T_pad
[Figure: one row shown as T_act + T_RR = T', then T' + T_pad = T_obs.]
24
Cost of Neutrality
- Costs
  - Increase in load
  - Increase in (mean) delay
- Load Cost:
  - Cost = Load(T_obs) – Load(T_act)
- Delay Cost:
  - All msgs delivered each period
  - Delay measured as increase in avg # hops
  - Avg # hops = (1-f) + 2f = 1+f
  - Where f = fraction that is rerouted
  - All rerouted msgs take path of 2 hops
25
Cost of Neutrality
- Padding only:
  - Delay cost = ? None (f = 1)
  - Load Cost = ?
    = Load(T_obs) – Load(T_act)
    = [Load(T_act) + Padding] – Load(T_act)
    = Padding
  - i.e., cost = exactly number of dummy messages
  - Which is just the sum of the padding multipliers
26
- Padding only: Load Cost = ?
  - Must pad to highest value in T_act
  - Load(T_obs) = (N^2 - N) max{T_act[i,j]}
  - Padding = (N^2 - N) max{T_act[i,j]} – Load(T_act)

  T_act    +  T_pad    =  T_obs
[0 1 8]     [0 7 0]     [0 8 8]
[2 0 1]  +  [6 0 7]  =  [8 0 8]
[5 3 0]     [3 5 0]     [8 8 0]

Load(T_act) = 20, Load(T_obs) = 6 x 8 = 48, Load(T_pad) = 48 - 20 = 28
27
Cost of Neutrality
- Padding only:
  - Load Cost = (N^2 - N) max{T_act[i,j]} – Load(T_act)
- In practice, the distribution of values in T_act is long-tailed, with many 0's and small numbers
  - This leads to very high costs for padding only
- Problem gets worse with larger N!
  - Larger proportion of non-communicating pairs
28
Cost of Neutrality
- Rerouting only:
  - Let T' be TM after rerouting
  - T' may not be neutral (pad later)
- Delay cost = ?
  - f = ? (average, or per pair)
  - f = (#rerouted msgs)/(#actual msgs)
      = [Load(T') – Load(T_act)] / Load(T_act)
      = Load(T_RR) / Load(T_act)
  - Where T_RR is reroute matrix, T' = T_act + T_RR
  - Load(T_RR) = sum of RR scaling multipliers
29
Cost of Neutrality
- Rerouting only:
  - Load Cost = ?
    = Load(T') – Load(T_act)
    = [Load(T_act) + Load(T_RR)] – Load(T_act)
    = Load(T_RR)
  - i.e., cost = exactly number of rerouted messages
  - Which is the sum of the reroute multipliers
- Approach:
  - Reroute first to minimize variance
  - Then pad to bring up to neutrality
30
Cost of Neutrality
- Approach:
  - Reroute first to minimize variance
  - Then pad to bring up to neutrality
- In practice
  - This approach leads to about a doubling of load
- How to find T_RR that minimizes cost?
  - Want to minimize the maximum value in T'
  - Turn into a system of linear inequalities
31
Linearization of Problem
- "Flatten" operator
  - Takes a matrix and turns it into a vector
  - Row-major order (or column-major by transpose)
  - f(M) = [figure not preserved]
32
Linearization of Problem
- Let r_abc = number of msgs rerouted from a to c through intermediate node b (reroute quantity)
  - R = all N^3 reroute quantities as N^3 x 1 column vector
- Let URM_abc = unit reroute matrix for a to c via b
  - URM_abc[a,b] = 1, URM_abc[b,c] = 1, URM_abc[a,c] = -1
  - All other entries are 0
  - N^3 URMs (some of which are all 0's)
- Let DM be N^2 x N^3 matrix of flattened URMs
  - Each column is a flattened URM
- So change T_RR due to rerouting is f(T_RR) = DM x R
33
Linearization of Problem
- For rerouting given by reroute quantity vector R
- And padding given by padding matrix T_P
- We have:
  f(T_obs) = f(T_act) + f(T_RR) + f(T_P)
           = f(T_act) + DM x R + f(T_P)
- We want to minimize the costs of T_P and T_RR
- We have lower bound on possible neutral TMs
  - Set target neutral TM, T, to smallest possible
- Use linear programming to find R that satisfies inequality (if one exists)
  - DM x R <= f(T) – f(T_act)
34
Linearization of Problem
- We have lower bound on possible neutral TMs
  - Set target neutral TM, T, to smallest possible
  - T = m times unit neutral TM
  - m >= max(T_act)/N
- Use linear programming to find R that satisfies inequality (if one exists)
  - DM x R <= f(T) – f(T_act)
- Iterate (increment m) until R can be satisfied
- Then set f(T_P) = f(T) – [f(T_act) + DM x R]
- Minimizes max(T[i,j]), hence minimizes costs
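The reroute-then-pad procedure from the linearization slides, run on the 3x3 T_act of the padding-only slide. This is an added example, not code from the presentation: it replaces the linear-programming step with exhaustive search (practical only for tiny N), uses 0-indexed nodes, and the function names are assumptions.

```python
from itertools import product
from math import ceil

def flatten(M):
    """Flatten operator f(M): row-major vector of a square matrix."""
    return [x for row in M for x in row]

def unit_reroute(n, a, b, c):
    """URM_abc: one a->c message sent via b instead of directly."""
    U = [[0] * n for _ in range(n)]
    U[a][b], U[b][c], U[a][c] = 1, 1, -1
    return U

def neutralize(T_act):
    """Return (m, R, T_pad) for the smallest feasible neutral magnitude m."""
    n = len(T_act)
    # Only triples of distinct nodes give a non-zero URM.
    triples = [t for t in product(range(n), repeat=3) if len(set(t)) == 3]
    cols = [flatten(unit_reroute(n, *t)) for t in triples]  # columns of DM
    f_act = flatten(T_act)
    off = [i for i in range(n * n) if i // n != i % n]      # non-diagonal slots
    m = ceil(max(f_act) / n)                                # slides' lower bound
    while True:
        best = None
        # Node a cannot reroute more a->c messages than it actually has.
        for R in product(*(range(T_act[a][c] + 1) for a, _, c in triples)):
            sent = {}
            for (a, _, c), r in zip(triples, R):
                sent[a, c] = sent.get((a, c), 0) + r
            if any(v > T_act[a][c] for (a, c), v in sent.items()):
                continue
            f_rr = [sum(col[i] * r for col, r in zip(cols, R)) for i in range(n * n)]
            # Feasible iff DM x R <= f(T) - f(T_act) on every non-diagonal entry.
            if all(f_rr[i] <= m - f_act[i] for i in off):
                if best is None or sum(R) < sum(best[0]):   # fewest rerouted msgs
                    best = (R, f_rr)
        if best:
            R, f_rr = best
            f_pad = [m - f_act[i] - f_rr[i] if i in off else 0 for i in range(n * n)]
            T_pad = [f_pad[r * n:(r + 1) * n] for r in range(n)]
            return m, dict(zip(triples, R)), T_pad
        m += 1  # no feasible R at this magnitude: iterate

# T_act from the padding-only slide (nodes 0-indexed here).
T_ACT = [[0, 1, 8], [2, 0, 1], [5, 3, 0]]
M, R, T_PAD = neutralize(T_ACT)
LOAD_COST = sum(R.values()) + sum(flatten(T_PAD))  # rerouted + dummy messages
```

For this matrix the search settles on a lower neutral magnitude than the padding-only value of 8, so the load cost falls below the 28 dummy messages computed on the padding-only slide.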
35
Network Covert Channels
- Can treat the information "leaked" by TMs as covert channel
  - Mix-type packets (only src, dest show, all packets are uniform in size, rest encrypted)
- How can CC "sender" convey information?
  - Sender is a single node
  - Sends to "Eve" – a local eavesdropper
  - Relative traffic volume, absolute volume, order of transmission are still visible
- How to minimize (or eliminate) CC?
  - Neutral TM eliminates relative volume as signal
36
Network Covert Channels
- How to minimize (or eliminate) CC?
  - Neutral TM eliminates relative volume as signal
  - Every node always sends indistinguishable packet to every other node every "round"
  - Each node always sends to destinations in same order
  - Only signal is change in round time intervals
- But how to determine reroute quantities?
  - Not practical for all nodes to exchange traffic levels
  - Want a local decision
37
Network Covert Channels
- Message Sending Policy
  - Maintain Tx queues for each destination
    - High priority = from other node
    - Medium priority = from this node
    - Low priority = dummy packet (generated)
  - Send packet every period
- Message arrival policies
  - If dummy from other node, discard
  - If rerouted from other node, put into High queue
  - If local origin, reroute if dest Med queue occupied
- Traffic volume changes Ne
38
Network Covert Channels
- Traffic volume changes
  - Negotiate shorter period length if queues stay full
  - Negotiate longer period length if queues mostly empty
  - All nodes must arrive at consensus
  - Single node must dramatically change traffic to force change in period
  - This can be audited
- Mode-based security
  - Don't allow arbitrary period changes
  - Only allow particular modes – reduces CC capacity
  - Only allow change at end of cycle – lower CC capacity
39
Network Covert Channels
- Mode-based security
  - Don't allow arbitrary period changes
  - Only allow particular modes
    - M modes define allowed period durations
  - Only allow change at end of cycle
    - Cycle is duration spanning one or more periods
  - Capacity is now lg(M)/T_cycle
  - Maximum capacity is known
  - Attempts to exercise CC can be audited
40
Generalizations
- Given an observed TM, there are limits on possible actual TMs
  - The sum of the traffic coming into a node j in T_act cannot exceed the sum of the traffic coming in to node j in T_obs.
  - The sum of the traffic coming out of a node i in T_act cannot exceed the sum of the traffic coming out of node i in T_obs.
- Although the graphs considered are cliques, the total traffic from node i to node j may exceed the capacity of the (direct) link from i to j due to some traffic being routed through other nodes
41
Generalizations
- Compatible TM
  - A TM T is compatible with T_obs iff there exists a set of routes and flow assignments for T that produces T', and T_obs >> T' (domination)
  - Let Comp(T_obs) be the set of all TMs compatible with T_obs.
  - Note that both T_obs and T_act must be in Comp(T_obs)
- In the absence of other information...
  - Attacker has no reason to pick one compatible TM over another compatible TM – all equiprobable
42
Generalizations
- Attacker's question
  - Is T_act in some set S of TMs or not?
- In the absence of side information
  - Likelihood is fraction of TMs compatible with T_obs that are in S
- Probabilistic approach
  - Prob(T_act in S | T_obs) = |Comp(T_obs) ∩ S| / |Comp(T_obs)|
43
Summary
- Neutral TM Approach
  - Aims to give nothing to GPA except upper bounds
  - All traffic is equal
  - Can decide reroute and pad quantities from actual traffic and desired TM
  - Can minimize costs associated with achieving neutrality
  - May be overkill
- Probabilistic TM approach
  - Maximize uncertainty of actual TM
  - Large number of compatible TMs with various properties
44
Summary
- Anonymity Metrics
  - Anonymity Set
    - Per message receiver and/or sender
    - Possibilistic
  - Plausible Deniability
    - Crowds approach
    - Probability of "guessing right"
  - Consistent TM Set size
    - Subsets corresponding to property of interest can lead to probability approach also
  - Covert Channel approach
    - Capacity of channel = info leak rate