Advertisement

Timing Analysis in Low-Latency Mix Networks: Attacks and Defenses

  • Vitaly Shmatikov
  • Ming-Hsiu Wang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4189)

Abstract

Mix networks are a popular mechanism for anonymous Internet communications. By routing IP traffic through an overlay chain of mixes, they aim to hide the relationship between its origin and destination. Using a realistic model of interactive Internet traffic, we study the problem of defending low-latency mix networks against attacks based on correlating inter-packet intervals on two or more links of the mix chain. We investigate several attack models, including an active attack which involves adversarial modification of packet flows in order to “fingerprint” them, and analyze the tradeoffs between the amount of cover traffic, extra latency, and anonymity properties of the mix network. We demonstrate that previously proposed defenses are either ineffective, or impose a prohibitively large latency and/or bandwidth overhead on communicating applications. We propose a new defense based on adaptive padding.

Keywords

Crossover Rate Active Attack Consecutive Packet Packet Stream Packet Count 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Back, A., Goldberg, I., Shostack, A.: Freedom Systems 2.1 security issues and analysis (May 2001), http://www.freehaven.net/anonbib/cache/freedom21-security.pdf
  2. 2.
    Back, A., Möller, U., Stiglic, A.: Traffic analysis attacks and trade-offs in anonymity providing systems. In: Moskowitz, I.S. (ed.) IH 2001. LNCS, vol. 2137, pp. 245–257. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  3. 3.
    Berthold, O., Federrath, H., Köpsell, S.: Web mIXes: A system for anonymous and unobservable internet access. In: Federrath, H. (ed.) Designing Privacy Enhancing Technologies. LNCS, vol. 2009, pp. 115–129. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  4. 4.
    Berthold, O., Langos, H.: Dummy traffic against long term intersection attacks. In: Dingledine, R., Syverson, P.F. (eds.) PET 2002. LNCS, vol. 2482, pp. 110–128. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  5. 5.
    Boucher, P., Shostack, A., Goldberg, I.: Freedom Systems 2.0 architecture (December 2000), http://www.freehaven.net/anonbib/cache/freedom2-arch.pdf
  6. 6.
    Chaum, D.: Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM 24(2), 84–88 (1981)CrossRefGoogle Scholar
  7. 7.
    Danezis, G.: Statistical disclosure attacks. In: Proc. Security and Privacy in the Age of Uncertainty. IFIP Conference Proceedings, vol. 250, pp. 421–426 (2003)Google Scholar
  8. 8.
    Danezis, G.: The traffic analysis of continuous-time mixes. In: Martin, D., Serjantov, A. (eds.) PET 2004. LNCS, vol. 3424, pp. 35–50. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  9. 9.
    Danezis, G., Dingledine, R., Mathewson, N.: Mixmixion: Design of a type III anonymous remailer protocol. In: Proc. IEEE Symposium on Security and Privacy, pp. 2–15 (2003)Google Scholar
  10. 10.
    Danezis, G., Serjantov, A.: Statistical disclosure or intersection attacks on anonymity systems. In: Fridrich, J. (ed.) IH 2004. LNCS, vol. 3200, pp. 293–308. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  11. 11.
    Dingledine, R., Mathewson, N., Syverson, P.: Tor: the second-generation onion router. In: Proc. 13th USENIX Security Symposium, pp. 303–320 (2004)Google Scholar
  12. 12.
    Dingledine, R., Mathewson, N., Syverson, P.: Challenges in deploying low-latency anonymity. NRL CHACS Report 5540-265 (2005)Google Scholar
  13. 13.
    Freedman, M., Morris, R.: Tarzan: A peer-to-peer anonymizing network layer. In: Proc. 9th ACM Conference on Computer and Communications Security, pp. 193–206 (2002)Google Scholar
  14. 14.
    Fu, X., Graham, B., Bettati, R., Zhao, W.: On effectiveness of link padding for statistical traffic analysis attacks. In: Proc. 23rd IEEE Conference on Distributed Computing Systems, pp. 340–349 (2003)Google Scholar
  15. 15.
    Fu, X., Graham, B., Bettati, R., Zhao, W., Xuan, D.: Analytical and empirical analysis of countermeasures to traffic analysis attacks. In: Proc. 32nd International Conference on Parallel Processing, pp. 483–492 (2003)Google Scholar
  16. 16.
    Internet Traffic Archive. Two hours of wide-area TCP traffic (January 1994), http://ita.ee.lbl.gov/html/contrib/LBL-TCP-3.html
  17. 17.
    Levine, B.N., Reiter, M.K., Wang, C.-X., Wright, M.: Timing attacks in low-latency mix systems. In: Juels, A. (ed.) FC 2004. LNCS, vol. 3110, pp. 251–265. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  18. 18.
    Möller, U., Cottrell, L., Palfrader, P., Sassaman, L.: Mixmaster protocol version 2 (July 2003), http://www.abditum.com/mixmaster-spec.txt
  19. 19.
    Murdoch, S., Danezis, G.: Low-cost traffic analysis of T or. In: Proc. IEEE Symposium on Security and Privacy, pp. 183–195 (2005)Google Scholar
  20. 20.
    National Laboratory for Applied Network Research. Auckland-VIII data set (December 2003), http://pma.nlanr.net/Special/auck8.html
  21. 21.
    National Laboratory for Applied Network Research. PMA special traces archive (2005), http://pma.nlanr.net/Special/
  22. 22.
    Newman-Wolfe, R., Venkatraman, B.: High level prevention of traffic analysis. In: Proc. IEEE/ACM 7th Annual Computer Security Applications Conference, pp. 102–109 (1991)Google Scholar
  23. 23.
    Øverlier, L., Syverson, P.: Locating hidden servers. In: Proc. IEEE Symposium on Security and Privacy (2006)Google Scholar
  24. 24.
    Rennhard, M., Rafaeli, S., Mathy, L., Plattner, B., Hutchison, D.: Analysis of an anonymity network for Web browsing. In: Proc. IEEE WETICE, pp. 49–54 (2002)Google Scholar
  25. 25.
    Serjantov, A., Sewell, P.: Passive attack analysis for connection-based anonymity systems. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 116–131. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  26. 26.
    Shmatikov, V.: Probabilistic analysis of an anonymity system. J. Computer Security 12(3-4), 355–377 (2004)Google Scholar
  27. 27.
    Syverson, P., Goldschlag, D., Reed, M.: Anonymous connections and onion routing. In: Proc. IEEE Symposium on Security and Privacy, pp. 44–54 (1997)Google Scholar
  28. 28.
    Syverson, P.F., Tsudik, G., Reed, M., Landwehr, C.: Towards an analysis of onion routing security. In: Federrath, H. (ed.) Designing Privacy Enhancing Technologies. LNCS, vol. 2009, pp. 96–114. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  29. 29.
    Timmerman, B.: A security model for dynamic adaptable traffic masking. In: Proc. New Security Paradigms Workshop, pp. 107–116 (1997)Google Scholar
  30. 30.
    Timmerman, B.: Secure adaptive traffic masking. In: Proc. New Security Paradigms Workshop, pp. 13–24 (1999)Google Scholar
  31. 31.
    Venkatraman, B., Newman-Wolfe, R.: Performance analysis of a method for high level prevention of traffic analysis using measurements from a campus network. In: Proc. IEEE/ACM 10th Annual Computer Security Applications Conference, pp. 288–297 (1994)Google Scholar
  32. 32.
    Wright, M., Adler, M., Levine, B., Shields, C.: An analysis of the degradation of anonymous protocols. In: Proc. ISOC Network and Distributed System Security Symposium (2002)Google Scholar
  33. 33.
    Zhu, Y., Fu, X., Graham, B., Bettati, R., Zhao, W.: On flow correlation attacks and countermeasures in mix networks. In: Martin, D., Serjantov, A. (eds.) PET 2004. LNCS, vol. 3424, pp. 207–225. Springer, Heidelberg (2005)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Vitaly Shmatikov
    • 1
  • Ming-Hsiu Wang
    • 1
  1. 1.The University of Texas at Austin 

Personalised recommendations