Wei Dong,Chenhong Cao,Xiaoyu Zhang,Yi Gao

DOI: https://doi.org/10.1109/tnet.2018.2879607

2018-01-01

IEEE/ACM Transactions on Networking

Abstract:Low-power and multihop wireless networking is envisioned as a promising technology to achieve both energy efficiency and easy deployment for many Internet of Things (IoT) applications. Measuring packet-level path is crucial for managing large-scale multihop wireless networks. Packet-level path information encodes the routing path, a packet that takes through a network. The availability of packet-level path information can greatly facilitate many network management tasks. It is challenging to reconstruct packet-level paths using a small overhead, especially for large-scale networks. While there is a long list of existing path reconstruction algorithms, these algorithms focus on specific network scenarios, e.g., periodic monitoring networks or event detection networks. There lacks a unified model for systematically understanding and comparing the performance of these algorithms in different network scenarios. In this paper, we fill this gap by proposing an abstract model. Using this model, it is possible to derive a decision space for selecting the best algorithm for different networks. Furthermore, this model also guides us to devise better path reconstruction algorithms (cPath(T), cPath(S), and cPath(ST)) with respect to path reconstruction ratio. Extensive experiments demonstrate the prediction power of our model as well as the advantages of our proposed algorithms. The results show that our algorithm (cPath(ST)) improves a path reconstruction ratio from 94.4%, 34.3%, and 30.8% to 98.9%, 99.9%, and 60.1% on average in three network scenarios, respectively, compared with the best state-of-the-art algorithms.

Yanfei Fan,Yixin Jiang,Haojin Zhu,Jiming Chen,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/twc.2011.122010.100087

IF: 10.4

2010-01-01

IEEE Transactions on Wireless Communications

Abstract:Privacy threat is one of the critical issues in multi-hop wireless networks, where attacks such as traffic analysis and flow tracing can be easily launched by a malicious adversary due to the open wireless medium. Network coding has the potential to thwart these attacks since the coding/mixing operation is encouraged at intermediate nodes. However, the simple deployment of network coding cannot achieve the goal once enough packets are collected by the adversaries. On the other hand, the coding/mixing nature precludes the feasibility of employing the existing privacy-preserving techniques, such as Onion Routing. In this paper, we propose a novel network coding based privacy-preserving scheme against traffic analysis in multi-hop wireless networks. With homomorphic encryption on Global Encoding Vectors (GEVs), the proposed scheme offers two significant privacy-preserving features, packet flow untraceability and message content confidentiality, for efficiently thwarting the traffic analysis attacks. Moreover, the proposed scheme keeps the random coding feature, and each sink can recover the source packets by inverting the GEVs with a very high probability. Theoretical analysis and simulative evaluation demonstrate the validity and efficiency of the proposed scheme.

Boyang Zhou,Gaoning Pan,Chunming Wu,Kai Zhu,Wei Ruan

DOI: https://doi.org/10.1007/s11432-019-9921-7

2020-01-01

Science China Information Sciences

Abstract:Dear editor, Recently, crossfire attack has been witnessed as a new distributed denial-of-service (DDoS) weapon that can effectively cut off the data connections between the chosen target area (wd) of servers and the end hosts (H).The attack is launched by a network of bot (botnet) to drain bandwidth of persistent routes (PRs) in the indirect and lowrate data flooding towards the decoys that are located in upstream to the target, where the PRs are probed by the adversary who sends Internet control message protocol (ICMP) packets with different time-to-live (TTL) values, e.g., using traceroute [1].Such flooding is hard to be detected by firewalls or IDSes.

Jing Tian,Gaopeng Gou,Yangyang Guan,Wei Xia,Gang Xiong,Chang Liu

DOI: https://doi.org/10.1109/milcom52596.2021.9653038

2021-01-01

Abstract:Tor is an important tool for anonymous communication. However, due to its popularity, Tor is also concerned by censors or other malicious attackers. A large body of existing work examines Tor's susceptibility to flow correlation attacks, which are a form of deanonymization attack. Currently, a variety of traffic obfuscation plugs are deployed on Tor to defeat flow correlation attacks. However, whether plug-based defense can effectively resist those attacks has not been tested and verified. This paper focuses on how to effectively defeat the threat of flow correlation attacks on Tor. We first conduct experiments to illustrate the actual defense effect of obfuscation plugs against flow correlation attacks, and the results show their effectiveness. However, the obfuscation-based defense also faces many other problems such as censorship. So we explore the techniques used in differential privacy ($FPA_{k}$ and $d^{\ast}$-private) to apply a tiny perturbation on Tor traffic. Our findings on differential privacy suggest that the perturbations generated by the two mechanisms can successfully flaw the existing flow correlation attacks on Tor.

Hao Zhou,Xiaodong Wang,Sisi Zhong,Yingjie Wu,Zhao Luo

DOI: https://doi.org/10.1109/icicee.2012.419

2012-01-01

Abstract:Recently, several techniques have been proposed to preserve the user location privacy in road networks. To protect the location privacy of users, many of the existing techniques adopt cloaking which blurs the actual location into a set of segments. But these techniques do not take the weight of the segments into account in the situation of road networks. In this paper, we propose a new attack model that an adversary can infer the true location of the requester according to the weight distribution with a certain probability. And we also design an approach to solve this problem, which can guarantee better distribution of the weights in the cloaked set. The experiment result shows the effectiveness and feasibility of our algorithm.

Jia Zhang,Haixin Duan,Jianping Wu

DOI: https://doi.org/10.1109/iccee.2008.32

2008-01-01

Abstract:Compared with traditional anonymous communication systems, the low-latency anonymous communication system can provide more practical services. However, because of its low latency, the anonymity is subject to traffic analysis attack. In this paper, we take Tor, a low-latency anonymous communication network as an example and present an improved algorithm of queue scheduling and resource allocation for anonymous communication systems. Experiment shows that through this simple priority-queue scheduling and resource allocation strategy, we can solve latency increase caused by resource exclusion effectively. This improvement not only optimizes the overall performance of the anonymous communication network, but also increases anonymity of the network.

Jing Tian,Gaopeng Gou,Yangyang Guan,Wei Xia,Gang Xiong,Chang Liu

DOI: https://doi.org/10.1109/IPCCC51483.2021.9679433

2021-01-01

Abstract:Tor is a popular anonymous social network. However, it is also concerned by censors or other malicious attackers. A large body of work examines Tor’s susceptibility to flow correlation attacks. Moreover, the existing methods to defend against such attacks have two inherent drawbacks. One is they will bring high delay to the system, the other is they lack of theoretical basis to prove their effecti...

Xiance Meng,Mangui Liang

DOI: https://doi.org/10.1109/ICCCS61882.2024.10602902

2024-04-19

Abstract:As the most renowned anonymous network, Tor has a broad user base. However, with the increase in users, it faces some performance issues. For instance, relays may become overloaded as more users connect to Tor, leading to network con-gestion. Additionally, changes in network conditions may increase circuit construction latency. These issues severely impact user experience. Studies indicate that the latency for Tor clients is five times higher than for direct connections. This dissatisfaction leads to decreased active users, reducing the network's anonymity. User experience in network access is mainly concerned with network response and data download time. We represent response time by Time to First Byte (TTFB) and Time to Last Byte (TTLB) as the download time. This paper proposes a Multi-Metrics Node Selection (MMNS) method, considering node bandwidth, uptime, and circuit build time. Experimental results show that our proposed method significantly improves network response and data download time, especially for low-latency response applications. Furthermore, we analyzed anonymity and security, confirming that this method ensures security and anonymity for an anonymous communication network.

Engineering,Computer Science

Zixuan Chen,Chao Zheng,Zhao Li,Jinqiao Shi,Zeyu Li

DOI: https://doi.org/10.1109/cscwd61410.2024.10580831

2024-01-01

Abstract:Stepping-stones are widely used by attackers to conceal their identities and gain unauthorized access to restricted targets. Numerous strategies have been suggested to identify stepping-stones and counteract evasive behaviors, with flow correlation standing out as the key technique used in many deanonymization methods. Existing attempts to tackle the flow correlation issue rely on long-flow observations and feature-based methods. Yet, these approaches meet substantial limitations in their suitability across diverse scenarios, network noises influence and accuracy, particularly in the stepping-stone environment. In this paper, we introduce an improved flow correlation model, FlowLinker, which aims to resolve these issues. Specifically, we combined multidimensional statistical features and cumulative flow sequences to construct a robust traffic feature. Then, we leveraged the triplet network to produce an optimized representation, amplifying the difference between unrelated representations. Consequently, it significantly reduces the false correlation rate with flows that seem similar but are unrelated. The experiments on real-world datasets from different network environments we collected show that FlowLinker outperforms other state-of-the-art methods with shorter lengths of flow observations.

Zhong Guan,Chang Liu,Gang Xiong,Zhen Li,Gaopeng Gou

DOI: https://doi.org/10.1016/j.cose.2022.103018

IF: 5.105

2023-01-01

Computers & Security

Abstract:Tor is the most widely used anonymous network which provides anonymity by using proxy nodes to route data. However, many researches have proved that flow correlation attacks can break the anonymity of users’ communication relationships: once attackers have access to the ingress and egress traffic flows at both ends of the network, they will find the specific user who is visiting a monitored Internet service by observing the traffic shape. Existing flow correlation attacks have limited effects because of insufficient traffic shape features, network noise influence and lack of differentiated learning on unrelated flows. In this paper, we propose an improved flow correlation attacking model named FlowTracker which contains four modules: In flow cumulative representation module, raw and normalized cumulative sequences are combined to construct robust traffic shape features. In noise resistant mapping module, stacked auto-encoders are adopted to learn the mapping relationship between related ingress and egress cumulative representations and filter out the network noise. Moreover, we leverage contrast learning in distance optimization module to generate the optimized representation in which difference between unrelated representations is amplified, further reducing the false correlation rate with similar but unrelated flows. Finally, the target flow is reported through a multi-layer decision process in the hierarchical judgment module. We evaluate FlowTracker and other advanced comparison methods on the public and self-built datasets with the more realistic unidirectional setting, experiment results demonstrate that FlowTracker has the highest attacking success rate under general and targeted scenarios, especially when the traffic shape is seriously destroyed by traffic obfuscation.

Yan Qiao,Jun Jiao,Yuan Rao,Huimin Ma

DOI: https://doi.org/10.1371/journal.pone.0163706

IF: 3.7

2016-01-01

PLoS ONE

Abstract:In this study, we address the problem of selecting the optimal end-to-end paths for link loss inference in order to improve the performance of network tomography applications, which infer the link loss rates from the path loss rates. Measuring the path loss rates using end-to-end probing packets may incur additional traffic overheads for networks, so it is important to select the minimum path set carefully while maximizing their performance. The usual approach is to select the maximum independent paths from the candidates simultaneously, while the other paths can be replaced by linear combinations of them. However, this approach ignores the fact that many paths always exist that do not lose any packets, and thus it is easy to determine that all of the links of these paths also have 0 loss rates. Not considering these good paths will inevitably lead to inefficiency and high probing costs. Thus, we propose an adaptive path selection method that selects paths sequentially based on the loss rates of previously selected paths. We also propose a theorem as well as a graph construction and decomposition approach to efficiently find the most valuable path during each round of selection. Our new method significantly outperforms the classical path selection method based on simulations in terms of the probing cost, number of accurate links determined, and the running speed.

Haozhi Li,Tariq Elahi

2024-06-21

Abstract:High latency is a critical limitation within the Tor network. A key factor exacerbating Tor latency is the creation of lengthy circuits that span across geographically distant regions, causing significant transmission delays. To address this issue, a common strategy involves modifying Tor's circuit building process to reduce the likelihood of selecting lengthy circuits. However, this strategy compromises the randomness of Tor's routing, thereby increasing the risk of deanonymization. Improving Tor's latency performance while minimizing security degradation presents a critical challenge. This paper proposes SaTor, a latency-improving scheme for Tor using satellite routing technology. SaTor proposes equipping a targeted subset of Tor relays with satellite network access, utilizing long-distance satellite transmission to accelerate slow circuits, without biasing the existing path selection process. Our SaTor performance evaluation, using a simulator we developed coupled with real-world measurements, demonstrates that over the long-term, SaTor offers an expected speed-up of roughly 40 ms for over 70% of circuits under common conditions. This improvement necessitates outfitting the top approx. 30-40% relays with satellite access. Our research uncovers a viable way to overcome Tor's latency bottleneck, serving as a practical reference for its future enhancement.

Cryptography and Security

Quangang Li,Peipeng Liu,Zhiguang Qin

DOI: https://doi.org/10.14257/ijsia.2015.9.11.36

2015-01-01

International Journal of Security and Its Applications

Abstract:Tor is a popular low-latency anonymous communication system which could provide anonymity and anti-censorship. Based on previous researches on de-anonymization of Tor, this paper proposes a novel approach to attack users' guard selection which can pose great threat against Tor users' anonymity. Under the current design of Tor, once entry guards are compromised, the probability that an attacker observes both ends of a Tor circuit will be highly improved. Actual and simulated experiments both show that an attacker (e.g., a local or national government which have the power to monitor a Tor user's internet connection) can successfully compromise a specific Tor user's entry guard in about 30 minutes, and this can further help de-anonymize the user's anonymous communication.

Sameer Qazi,Tim Moors

DOI: https://doi.org/10.48550/arXiv.1404.7287

2014-05-05

Abstract:Routing policies used in the Internet can be restrictive, limiting communication between source-destination pairs to one path, when often better alternatives exist. To avoid route flapping, recovery mechanisms may be dampened, making adaptation slow. Unstructured overlays have been proposed to mitigate the issues of path and performance failures in the Internet by routing through an indirect-path via overlay peer(s). Choosing alternate-paths in overlay networks is a challenging issue. Ensuring both availability and performance guarantees on alternate paths requires aggressive monitoring of all overlay paths using active probing; this limits scalability. An alternate technique to select an overlay-path is to bias its selection based on physical disjointness criteria to bypass the failure on the primary-path. Recently, several techniques have emerged which can optimize the selection of a disjoint-path without incurring the high costs associated with probing paths. In this paper, we show that using only commodity approaches, i.e. running infrequent traceroutes between overlay hosts, a lot of information can be revealed about the underlying physical path diversity in the overlay network which can be used to make informed-guesses for alternate-path selection. We test our approach using datasets between real-world hosts in AMP and RIPE networks.

Networking and Internet Architecture

Ugo Fiore,Francesco Palmieri

DOI: https://doi.org/10.1016/j.ins.2024.121559

IF: 8.1

2024-10-20

Information Sciences

Abstract:As the effectiveness of modern Internet-based anonymization infrastructures grows, law enforcement agencies are experiencing a progressive erosion of their surveillance capabilities. This can severely undermine their efforts to prevent and investigate various types of unlawful activities, potentially increasing the impunity of organized criminal networks. Balancing the legitimate privacy needs of individuals with the imperative to maintain public safety and combat criminal behavior in the digital world remains a complex tradeoff for both policymakers and technologists who need to find a systematic and reliable way to link the traffic traces associated with criminal activities to their anonymized origins. Accordingly, this paper presents a simple but very effective de-anonymization approach capable of associating traffic traces captured at the edge of the overlay infrastructures, in correspondence with the true origins, to those captured in correspondence with the destinations. The approach is based on determining the minimum-distance pairs within a complete bipartite graph in which the traffic traces are the nodes. Experiments with different distance functions, applied in varied ways, show that the resulting framework appears to be a promising solution that is scalable and easily deployable on real-life network equipment.

computer science, information systems

Zhong Guan,Chang Liu,Gaopeng Gou,Zhen Li,Gang Xiong,Yangyang Ding,Chengshang Hou

DOI: https://doi.org/10.1016/j.comnet.2024.110831

2024-01-01

Abstract:Tor is the most widely used anonymous communication system at present which can anonymize users' network behavior. At the same time, many illegal network activities also appear more frequently with the help of Tor, posing serious challenges for cyberspace security. Therefore, flow fingerprinting and flow correlation analysis methods are put forward to de-anonymize the malicious anonymous behaviors, which utilize external traffic features as the side-channel information. However, the adversary often reduces the ability of above two methods by adding the disturbance to the anonymous traffic. As a countermeasure against the interference, disturbance-resistant analysis methods can effectively identify those adversarial behaviors while knowing how the traffic is modified. However, in real scenarios, it is unrealistic to distinguish between disturbed and nondisturbed anonymous traffic, let alone to have a clear grasp of the disturbing strategy. In this paper, we propose a blind anonymous traffic analysis method called Blind Analyzer based on pattern reconstruction skills in a "masking-generation" manner. Specifically, Blind Analyzer extracts the pattern knowledge from non-disturbed traffic samples by masking and reconstructing them. During the method application, disturbed anonymous traces are processed following the same way, aiming at removing the incremental noise at the masking stage and restoring the original shape at the reconstruction stage. Besides, a conditional discriminator is designed to determine whether the generated sample has obvious class characteristics. Benefited from the proposed method, we can improve the effectiveness of the anonymous network behavior analysis since the disturbed traffic can be restored as normal ones accurately enough. Experiment results on three datasets show that reconstructed traffic samples output by Blind Analyzer are more useful for base analysis models, which improve the corresponding metric values by 11.23% and 6.61% in max for flow fingerprinting and correlation tasks, respectively.

Yaodan Hu,Xuanheng Li,Jianqing Liu,Haichuan Ding,Yanmin Gong,Yuguang Fang

DOI: https://doi.org/10.1109/ICC.2018.8422190

2018-01-01

Abstract:With the growth of smartphone sales and app usage, fingerprinting and identification of smartphone apps have become a considerable threat to user security and privacy. Traffic analysis is one of the most common methods for identifying apps. Traditional countermeasures towards traffic analysis includes traffic morphing and multipath routing. The basic idea of multipath routing is to increase the difficulty for adversary to eavesdrop all traffic by splitting traffic into several subflows and transmitting them through different routes. Previous works in multipath routing mainly focus on Wireless Sensor Networks (WSNs) or Mobile Ad Hoc Networks (MANETs). In this paper, we propose a multipath routing scheme for smartphones with edge network assistance to mitigate traffic analysis attack. We consider an adversary with limited capability, that is, he can only intercept the traffic of one node following certain attack probability, and try to minimize the traffic an adversary can intercept. We formulate our design as a flow routing optimization problem. Then a heuristic algorithm is proposed to solve the problem. Finally, we present the simulation results for our scheme and justify that our scheme can effectively protect smartphones from traffic analysis attack.

Jiangtao Zhai,Kaijie Zhang,Xiaolong Zeng,Yufei Meng,Guangjie Liu

DOI: https://doi.org/10.1155/2024/8823511

IF: 8.993

2024-10-31

International Journal of Intelligent Systems

Abstract:Anonymous network tracing is a significant research subject in the field of network security, and flow correlation technology serves as a fundamental technique for deanonymizing network traffic. Existing flow correlation techniques are considered ineffective and unreliable when applied on a large scale because they exhibit high false‐positive rates or require impractically long periods of traffic observation to achieve reliable correlations. To address this issue, this paper proposed an innovative flow correlation approach for the typical and most widely used Tor anonymous network by combining graph convolutional neural networks with triplet networks. Our proposed method involves extracting features such as packet intervals, packet lengths, and directions from Tor network traffic and encoding each flow into a graph representation. The integration of triplet networks enhances the internode relationships, which can effectively fuse flow representations with node associations. The graph convolutional neural network extracts features from the input graph topology, mapping them to distinct representations in the embedding space, thus effectively distinguishing different Tor flows. Experimental results demonstrate that with a false‐positive rate as low as 0.1%, the correlation accuracy reaches 86.4%, showcasing a 5.1% accuracy improvement compared to the existing state‐of‐the‐art methods.

computer science, artificial intelligence

Haoyao Xie,Liangmin Wang,Shangnan Yin,Hui Zhao,Hao Shentu

DOI: https://doi.org/10.1109/nana51271.2020.00025

2020-01-01

Abstract:With the rapid increase in the demand of users for communication security, Tor is widely used as the most reliable anonymous communication system. Meek is used as a pluggable transport for Tor, which protects Tor users from traffic analysis by disguising the traffic to the Tor network as the traffic to the cloud server. However, in the face of machine-learning attacks that use side-channel information of traffic, Meek still exposes its lack of obfuscation ability. In this research, we propose an adaptive Meek technology (AM) that resists statistical analysis of traffic to disguise Tor-based Meek traffic as the target traffic to meet the minimum cost of improving indistinguishability. First, this technology selects the target traffic, which can be constantly updated to minimize the overhead of obfuscation. Then, it provides a reliable obfuscation solution to maximize the mimicry effect by focusing on side-channel information. Throughout the obfuscation process, our technology can make obfuscation of Meek traffic achieve dynamics and diversity. We use the traffic dataset of the real scenario, then conduct an experimental evaluation through our well-trained classifiers. After our defense, the effect of the classifier was successfully reduced while the overhead is within an acceptable range.

Yujia Liu,Changqing An

DOI: https://doi.org/10.1109/ipccc47392.2019.8958758

2019-01-01

Abstract:Distributed network measurement is critical for various service. Researchers always would like to achieve measurement goals while minimizing the total overhead/cost of measurements. Therefore, the strategy of measurement, such as the selection of probes and their probing rates, is very important. In this paper, we focus on the measurement task of monitoring routing changes to destinations under study with measurement cost in consideration. We propose a decision algorithm to adaptively select vantage points and adjust detection frequency of each selected path. The decision is made based on a learning process aiming to characterize path characteristics and predict path changes. We further develop a tracking system, and the system allows researchers to specify their tradeoff preference between measurement efficiency and cost. We measured 100 paths under different scenarios. The results show that our system can allocate the detection resources more efficiently and detect the same number of path changes as the traditional system by using about 57% of the detection resources.