Yanfei Fan,Yixin Jiang,Haojin Zhu,Jiming Chen,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/twc.2011.122010.100087

IF: 10.4

2010-01-01

IEEE Transactions on Wireless Communications

Abstract:Privacy threat is one of the critical issues in multi-hop wireless networks, where attacks such as traffic analysis and flow tracing can be easily launched by a malicious adversary due to the open wireless medium. Network coding has the potential to thwart these attacks since the coding/mixing operation is encouraged at intermediate nodes. However, the simple deployment of network coding cannot achieve the goal once enough packets are collected by the adversaries. On the other hand, the coding/mixing nature precludes the feasibility of employing the existing privacy-preserving techniques, such as Onion Routing. In this paper, we propose a novel network coding based privacy-preserving scheme against traffic analysis in multi-hop wireless networks. With homomorphic encryption on Global Encoding Vectors (GEVs), the proposed scheme offers two significant privacy-preserving features, packet flow untraceability and message content confidentiality, for efficiently thwarting the traffic analysis attacks. Moreover, the proposed scheme keeps the random coding feature, and each sink can recover the source packets by inverting the GEVs with a very high probability. Theoretical analysis and simulative evaluation demonstrate the validity and efficiency of the proposed scheme.

Yan Shen,Qi-fei Zhang,Ling-di Ping,Yan-Fei Wang,Wen-juan Li

DOI: https://doi.org/10.1109/trustcom.2012.41

2012-01-01

Abstract:In the existing large-scale performance test of IPsec tunnel, it often needs special software and hardware. To solve the problem, this article proposed a new method, in which packet was encapsulated in user space, and a multi-tunnel controller was designed and implemented with the method of FSM(finite state machine), which controlled the negotiation and establishment of multiple tunnel, including L2tp, IKEv1, IKEv2, IKEv2+EAP and L2tp Over IPsec. Libpcap was used as the bottom layer driver of package, and the application of zero copy technique had reduced system cost immensely. At last, the result of the experiment verified the performance of the IKEv1 tunnel on Tunnel-mode and Transport-mode.

Diwen Xue,Reethika Ramesh,Arham Jain,Michalis Kallitsis,J. Alex Halderman,Jedidiah R. Crandall,Roya Ensafi

2024-03-07

Abstract:VPN adoption has seen steady growth over the past decade due to increased public awareness of privacy and surveillance threats. In response, certain governments are attempting to restrict VPN access by identifying connections using "dual use" DPI technology. To investigate the potential for VPN blocking, we develop mechanisms for accurately fingerprinting connections using OpenVPN, the most popular protocol for commercial VPN services. We identify three fingerprints based on protocol features such as byte pattern, packet size, and server response. Playing the role of an attacker who controls the network, we design a two-phase framework that performs passive fingerprinting and active probing in sequence. We evaluate our framework in partnership with a million-user ISP and find that we identify over 85% of OpenVPN flows with only negligible false positives, suggesting that OpenVPN-based services can be effectively blocked with little collateral damage. Although some commercial VPNs implement countermeasures to avoid detection, our framework successfully identified connections to 34 out of 41 "obfuscated" VPN configurations. We discuss the implications of the VPN fingerprintability for different threat models and propose short-term defenses. In the longer term, we urge commercial VPN providers to be more transparent about their obfuscation approaches and to adopt more principled detection countermeasures, such as those developed in censorship circumvention research.

Cryptography and Security

Renjie Xie,Jiahao Cao,Yuxi Zhu,Yixiang Zhang,Yi He,Hanyi Peng,Yixiao Wang,Mingwei Xu,Kun Sun,Enhuan Dong,Qi Li,Menghao Zhang,Jiang Li

DOI: https://doi.org/10.1109/tifs.2024.3442530

IF: 7.231

2024-08-24

IEEE Transactions on Information Forensics and Security

Abstract:As the mainstream encrypted protocols adopt TCP protocol to ensure lossless data transmissions, the privacy of encrypted TCP traffic becomes a significant focus for adversaries. They can leverage Deep Learning (DL) models to infer the sensitive information from encrypted TCP traffic by analyzing its packet size, direction, and timing information. To defend against such DL-based traffic analysis attacks, recent advances reshape the encrypted traffic and achieve desired results. However, they typically require deploying cooperative modules on both communication endpoints and only support specific applications, such as browsers. In this paper, we propose Cactus, a client-side plug-in to obfuscate bidirectional encrypted TCP traffic for a wide range of applications transparently using the inherent TCP semantics and the emerging eBPF technique. In particular, Cactus provides four effective operations to enable bidirectional traffic obfuscation while preserving communication semantics of applications. Besides, Cactus empowers users to specify which applications to conduct traffic obfuscation and what obfuscation level for each application. We conduct comprehensive experiments to demonstrate that Cactus can effectively obfuscate encrypted TCP traffic with low overhead to hinder the traffic analysis efforts in website fingerprinting and application identification.

computer science, theory & methods,engineering, electrical & electronic

Liang Wang,Hyojoon Kim,Prateek Mittal,Jennifer Rexford

DOI: https://doi.org/10.48550/arXiv.2006.00097

2020-05-29

Networking and Internet Architecture

Abstract:Recent advances in programmable switch hardware offer a fresh opportunity to protect user privacy. This paper presents PINOT, a lightweight in-network anonymity solution that runs at line rate within the memory and processing constraints of hardware switches. PINOT encrypts a client's IPv4 address with an efficient encryption scheme to hide the address from downstream ASes and the destination server. PINOT is readily deployable, requiring no end-user software or cooperation from networks other than the trusted network where it runs. We implement a PINOT prototype on the Barefoot Tofino switch, deploy PINOT in a campus network, and present results on protecting user identity against public DNS, NTP, and WireGuard VPN services.

Shengtuo Hu,Xiaobo Ma,Muhui Jiang,Xiapu Luo,Man Ho Au

DOI: https://doi.org/10.1109/SRDS.2017.30

2017-01-01

Abstract:By hiding messages inside existing network protocols, anti-censorship tools could empower censored users to visit blocked websites. However, existing solutions generally suffer from two limitations. First, they usually need the support of ISP or the deployment of many customized hosts to conceal the communication between censored users and blocked websites. Second, their manipulations of normal network traffic may result in detectable features, which could be captured by the censorship system. In this paper, to tackle these limitations, we propose a novel framework that exploits the publicly available automation services and the plenty of web services and contents to circumvent web censorship, and realize it in a practical tool named AutoFlowLeaker. Moreover, we conduct extensive experiments to evaluate AutoFlowLeaker, and the results show that it has promising performance and can effectively evade realworld web censorship.

Taylor Henderson,Eric Osterweil,Pavan Kumar Dinesh,Robert Simon

2023-10-04

Abstract:Preserving privacy is an undeniable benefit to users online. However, this benefit (unfortunately) also extends to those who conduct cyber attacks and other types of malfeasance. In this work, we consider the scenario in which Privacy Preserving Technologies (PPTs) have been used to obfuscate users who are communicating online with ill intentions. We present a novel methodology that is effective at deobfuscating such sources by synthesizing measurements from key locations along protocol transaction paths. Our approach links online personas with their origin IP addresses based on a Pattern of Life (PoL) analysis, and is successful even when different PPTs are used. We show that, when monitoring in the correct places on the Internet, DNS over HTTPS (DoH) and DNS over TLS (DoT) can be deobfuscated with up to 100% accuracy, when they are the only privacy-preserving technologies used. Our evaluation used multiple simulated monitoring points and communications are sampled from an actual multiyear-long social network message board to replay actual user behavior. Our evaluation compared plain old DNS, DoH, DoT, and VPN in order to quantify their relative privacy-preserving abilities and provide recommendations for where ideal monitoring vantage points would be in the Internet to achieve the best performance. To illustrate the utility of our methodology, we created a proof-of-concept cybersecurity analyst dashboard (with backend processing infrastructure) that uses a search engine interface to allow analysts to deobfuscate sources based on observed screen names and by providing packet captures from subsets of vantage points.

Cryptography and Security,Networking and Internet Architecture

Yanfei Fan,Yixin Jiang,Haojin Zhu,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/infcom.2009.5062146

2009-01-01

Abstract:Privacy threat is one of the critical issues in network coding, where attacks such as traffic analysis can be easily launched by a malicious adversary once enough encoded packets are collected. Furthermore, the encoding/mixing nature of network coding precludes the feasibility of employing the existing privacy-preserving techniques, such as Onion Routing, in network coding enabled networks. In this paper, we propose a novel privacy-preserving scheme against traffic analysis in network coding. With homomorphic encryption operation on Global Encoding Vectors (GEVs), the proposed scheme offers two significant privacy-preserving features, packet flow untraceability and message content confidentiality, for efficiently thwarting the traffic analysis attacks. Moreover, the proposed scheme keeps the random coding feature, and each sink can recover the source packets by inverting the GEVs with a very high probability. Theoretical analysis and simulative evaluation demonstrate the validity and efficiency of the proposed scheme.

Jianming Lv,Chaoyun Zhu,Shaohua Tang,Can Yang

DOI: https://doi.org/10.1007/s11859-014-1034-0

2014-01-01

Wuhan University Journal of Natural Sciences

Abstract:The anonymous communication systems usually have special traffic patterns, which can be detected by censors for further disturbing or blocking. To solve this problem, we present a novel system, Deepflow, to hide anonymous communication traffic into the P2P streaming networks such as PPStream by using steganography. Each Deepflow node joins the PPStream network and performs like a normal PPStream client watching a live channel, while embedding communication data into video packets transferred in the network. The steganographed video packets are disseminated by innocuous PPStream clients and reach the target Deepflow node. It is not necessary for Deepflow nodes to link together in the network, which prevents malicious users from sensing IP address of other Deepflow nodes. Deepflow is competent for secret chatting, transferring text documents, or publishing secret bootstrapping information for other anonymous communication systems. Comprehensive experiments in real network environments are conducted in this paper to show the security and efficiency of Deepflow.

Ming-Wei Wu,Yennun Huang,Ing-Yi Chen,Shyue-Kung Lu,Sy-Yen Kuo

DOI: https://doi.org/10.1007/11814856_5

2006-01-01

Abstract:A few killer applications that rocked the Internet community these years are peer-to-peer (P2P) file-sharing applications and VoIP (voice over Internet Protocol) telephony services. Unlike traditional client-and-server applications in which servers are services provider and by default should be public addressable, each peer in P2P networks can play both roles (client and server). However, legacy usage of the network address translation (NAT) module on most wireless access points (APs) causes new problems with emerging P2P communications especially in opposing APs (both peers of an Internet connection are behind AP) where each peer uses private Internet Protocol (IP) address and neither side has global visibility to each other. This article therefore examines such issue from three approaches, 1) leveraging the complexity of client application, 2) introducing additional intermediate gateways and protocols and 3) enhancing the wireless AP itself. Client-based solutions such as UDP/TCP hole-punching suffer from race condition while gateway-based solutions tend to incur overhead for interoperability and deployment. This paper proposes a scalable port forwarding (SPF) design for wireless AP, which introduces little or negligible time and space complexity, to significantly improve the connectivity and scalability of a conventional AP by 1) lessening the race condition of P2P traversals in opposing APs, 2) multiplexing the port numbers to exceed theoretical upper bound 65,535 and 3) allowing more servers to bind to a specific port.

David Isaac Wolinsky,Linton Abraham,Kyungyong Lee,Yonggang Liu,Jiangyan Xu,P. Oscar Boykin,Renato Figueiredo

DOI: https://doi.org/10.48550/arXiv.1001.2575

2010-01-15

Abstract:Centralized Virtual Private Networks (VPNs) when used in distributed systems have performance constraints as all traffic must traverse through a central server. In recent years, there has been a paradigm shift towards the use of P2P in VPNs to alleviate pressure placed upon the central server by allowing participants to communicate directly with each other, relegating the server to handling session management and supporting NAT traversal using relays when necessary. Another, less common, approach uses unstructured P2P systems to remove all centralization from the VPN. These approaches currently lack the depth in security options provided by other VPN solutions, and their scalability constraints have not been well studied. In this paper, we propose and implement a novel VPN architecture, which uses a structured P2P system for peer discovery, session management, NAT traversal, and autonomic relay selection and a central server as a partially-automated public key infrastructure (PKI) via a user-friendly web interface. Our model also provides the first design and implementation of a P2P VPN with full tunneling support, whereby all non-P2P based Internet traffic routes through a trusted third party and does so in a way that is more secure than existing full tunnel techniques. To verify our model, we evaluate our reference implementation by comparing it quantitatively to other VPN technologies focusing on latency, bandwidth, and memory usage. We also discuss some of our experiences with developing, maintaining, and deploying a P2P VPN.

Networking and Internet Architecture,Distributed, Parallel, and Cluster Computing

Yuan Yang,Dan Wang,Mingwei Xu,Suogang Li

DOI: https://doi.org/10.1109/ICNP.2013.6733606

2013-01-01

Abstract:In this paper we study energy conservation in the Internet. We observe that different traffic volumes on a link can result in different energy consumption; this is mainly due to such technologies as trunking (IEEE 802.1AX), adaptive link rates, etc. We design a green Internet routing scheme, where the routing can lead traffic in a way that is green. We differ from previous studies where they switch network components, such as line cards and routers, into sleep mode. We do not prune the Internet topology.We first develop a power model, and validate it using real commercial routers. Instead of developing a centralized optimization algorithm, which requires additional protocols such as MPLS to materialize in the Internet, we choose a hop-by-hop approach. It is thus much easier to integrate our scheme into the current Internet. We progressively develop three algorithms, which are loop-free, maximize energy conservation, and jointly consider green and QoS requirements such as path stretch. We comprehensively evaluate our algorithms through simulations on synthetic and real topologies and traffic traces. We show that the power saving in the line cards can be as much as 50%.

Jie Li,Lu Zhou,Huaxin Li,Lu Yan,Haojin Zhu

DOI: https://doi.org/10.1109/cns.2019.8802772

2019-01-01

Abstract:Traffic analysis attacks, including website fingerprinting and protocol fingerprinting, are widely adopted by Internet censorship to block a specific type of traffic. To mitigate these attacks, some advanced approaches such as traffic morphing and protocol tunneling techniques have been proposed. However, the existing traffic morphing/protocol tunneling techniques suffer from showing a strong traffic pattern or can be uncovered with a low false positive. Further, they mainly rely on learning the pattern for specific traffic, which makes it highly possible to be identified due to a lack of dynamics. In this paper, we propose a dynamic traffic camouflaging technique, coined FlowGAN, to dynamically morph traffic feature as another “normal” network flow to bypass Internet censorship. The core idea of FlowGAN is to automatically learn the features of the “normal” network flow, and dynamically morph the on-going traffic flows based on the learned features by the adoption of the recently proposed Generative Adversarial Networks (GAN) model. To measure the indistinguishability of the target traffic and the morphed traffic, we introduce a novel concept of ϵ-indistinguishability. We evaluate the proposed method on a dataset involving 10,000 realworld flows, and experimental results show that the effectiveness and the efficiency of FlowGAN regarding ϵ-indistinguishability, AUC, and latency. To the best of our knowledge, our work is the first one to adopt GAN for automatic traffic generation and censor circumvention.

Yazhe Tang,Zixin Xu,Jie Han

DOI: https://doi.org/10.1109/iccis59958.2023.10453777

2023-01-01

Abstract:Encrypting sensitive information such as IP address and port number of data stream can improve the detection resistance of data during network transmission and reduce security threats. The challenge is that the process of achieving sensitive information obfuscation is complex in traditional network environments with limited network node capabilities. Existing work is mostly based on the principles of traditional cryptography to attain secure end-to-end encrypted authentication and transmission. However, it suffers from high time and space costs, complex and inefficient terminal systems, and the inability to encrypt the aforementioned sensitive information. In this paper, we propose to use the P4(Programming Protocol-independent Packet Processors Procedure, one domain-specific language for data plane) to empower network nodes with encryption and decryption of sensitive identification information in a programmable network environment, combined with a control plane to embed traffic security efforts inside the network and ensure the process is transparent to the end system. Experimental results demonstrate that the P4-based encryption and obfuscation mechanism can ensure data transmission in a hybrid network environment of traditional and programmable networks, obfuscating sensitive information without causing performance burden in terms of transmission delay and throughput.

Watson Jia,Mona Wang,Liang Wang,Prateek Mittal

2023-04-03

Abstract:Governments around the world limit free and open communication on the Internet through censorship. To reliably identify and block access to certain web domains, censors inspect the plaintext TLS SNI field sent in TLS handshakes. With QUIC rapidly displacing TCP as the dominant transport-layer protocol on the web, censorship regimes have already begun prosecuting network traffic delivered over QUIC. With QUIC censorship poised to expand, censorship circumvention tools must similarly adapt. We present QUICstep, a censorship-resilient, application-agnostic, performant, and easy-to-implement approach to censorship circumvention in the QUIC era. QUICstep circumvents TLS SNI censorship by conducting a QUIC-TLS handshake over an encrypted tunnel to hide the SNI field from censors and performs connection migration to resume the QUIC session in plain sight of the censor. Our evaluation finds that QUICstep successfully establishes QUIC sessions in the presence of a proof-of-concept censor with minimal latency overhead.

Cryptography and Security,Networking and Internet Architecture

yi mou,kevin wu,david atkin

DOI: https://doi.org/10.1177/1461444814548994

IF: 5.31

2016-01-01

New Media & Society

Abstract:Circumvention tools designed to bypass online censorshipsuch as simple web proxies, virtual private network service, and so onare frequently used in countries whose governments impose heavy Internet censorship. Around 18million Internet users in China are currently using those tools to bypass the Great Firewall and access unblocked online content. In a pioneering empirical investigation of unblocked information seeking in China's censored online environment, the present study systematically examines a wide range of macro-social and micro-individual factors which affect the use of circumvention tools to bypass Internet censorship under the guidance of the interactive communication technology adoption model. The results reveal that, with the exception of social trust, macro-social factors have only a modest influence on the use of circumvention tools. In contrast, micro-individual-level variablesincluding perceived technology fluidity, gratifications, and selected demographic variablesplay a much larger role in our multivariate model. Theoretical and practical implications are discussed.

Zhongliu Zhuo,Xiaosong Zhang,Ruixing Li,Ting Chen,Jingzhong Zhang

DOI: https://doi.org/10.1002/sec.1524

IF: 1.968

2016-01-01

Security and Communication Networks

Abstract:Identifying censorship circumvention network traffic has become an important task for preventing abuse of those tools. However, traditional flow-based methods have drawbacks in high false positive rate, and they fail to exploit useful hidden features. In this paper, we propose a novel feature extraction method for censorship circumvention activity identification, which extracts features from multi-granularity, and it uses a heuristic-combining approach to make the final decision. Moreover, unlike traditional approaches, which classify on an individual flow or a packet, the proposed method examines on a new granularity. We present an implementation based on the proposed method, and the results are presented to demonstrate the effectiveness of our method. In comparison to the traditional flow-based methods, the proposed strategy has a slightly lower overall accuracy rate than flow-based approaches; however, its average false positive rate is significantly lower than the traditional method. Copyright © 2016 John Wiley & Sons, Ltd.

Zhenhua Li,Yafei Dai,Guihai Chen,Yunhao Liu

DOI: https://doi.org/10.1007/978-981-19-6982-9_7

2023-01-01

Abstract:Internet censorship is pervasive across the world. However, in some countries like China, even legal, nonpolitical services (e.g., Google Scholar) are incidentally blocked by extreme censorship machinery. Therefore, properly accessing legal Internet services under extreme censorship becomes a critical problem. In this chapter, we conduct a case study on how scholars from a major university of China access Google Scholar through a variety of middleware. We characterize the common solutions (including VPN, Tor, and Shadowsocks) by measuring and analyzing their performance, overhead, and robustness to censorship. Guided by the study, we deploy a novel solution (called ScholarCloud) to help Chinese scholars access Google Scholar with high performance, ease of use, and low overhead. This work provides an insiders view of Chinas Internet censorship and offers a legal avenue for coexistence with censorship.

Xugang Wang,Qianni Deng

DOI: https://doi.org/10.1007/11576235_100

2005-01-01

Abstract:Nowadays, the Internet architecture is complicated and IP addresses are limited in IPV4 context. Many users located behind different kinds of NATs or Firewalls can hardly get a public unique IP. So the hosts behind the NAT can not be accessed by the hosts behind the other NATs. Some P2P systems can partially solve such kind of problems, but unfortunately, these systems just focus the specific self-contained applications such as Skype and BitTorrent whose P2P architectures and NAT traversal mechanisms can not be re-used by other applications directly. In this paper we present a solution by setting up a Virtual Intranet Platform (VIP) which use the public DHT service -OpenDHT as the distributed address/port information rendezvous. Without changing the configuration of the NAT, all the network and distributed application service behind the NAT can make use of the VIP to communicate with the corresponding peer services outside the NAT. The performance of the bandwidth, data lost and delay problems are much better than the existing traditional C-S framework platforms, more general than specific P2P applications. The P2P Communication Platform for NAT Traversal-VIP, is robust and scalable because there are no single failure points in the platform, the structure is in distributed, and majority of the traffic data between two hosts behind the NAT can be transfer directly without relaying.

Yu Fu,Zhe Jia,Lu Yu,Xingsi Zhong,Richard Brooks

DOI: https://doi.org/10.48550/arXiv.1703.02201

2017-03-07

Cryptography and Security

Abstract:Both enterprise and national firewalls filter network connections. For data forensics and botnet removal applications, it is important to establish the information source. In this paper, we describe a data transport layer which allows a client to transfer encrypted data that provides no discernible information regarding the data source. We use a domain generation algorithm (DGA) to encode AES encrypted data into domain names that current tools are unable to reliably differentiate from valid domain names. The domain names are registered using (free) dynamic DNS services. The data transmission format is not vulnerable to Deep Packet Inspection (DPI).