Towards Practical Attacker Classification for Risk Analysis in Anonymous Communication

  • Andriy Panchenko
  • Lexi Pimenidis
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4237)


There are a number of attacker models in the area of anonymous communication. Most of them are either very simplified or pretty abstract, and therefore difficult to generalize or even to identify in real networks. While some papers distinguish between different attacker types, the usual approach is to present an anonymization technique and then to develop an attacker model for it in order to identify properties of the technique. Often such a model is abstract and unsystematic, and it is not trivial to identify the exact threats for the end-user of the implemented system. This work follows another approach: we propose a classification of attacker types for risk analysis and attacker modelling in anonymous communication, independent of the concrete technique. The classes are designed in such a way that their meaning can be easily communicated to end-users and the management level. We claim that the use of this classification can lead to a more solid understanding of the security provided by anonymizing networks, and thereby improve their development.

Finally, we will classify some well-known techniques and security issues according to the proposal and thus show the practical relevance and applicability of the proposed classification.


Keywords: anonymous communication, attacker model, risk analysis



Copyright information

© IFIP International Federation for Information Processing 2006

Authors and Affiliations

  • Andriy Panchenko (1)
  • Lexi Pimenidis (1)
  1. Computer Science Department – Informatik IV, RWTH Aachen University, Aachen, Germany
