Evaluating Snowflake as an Indistinguishable Censorship Circumvention Tool

MacMillan, Kyle; Holland, Jordan; Mittal, Prateek

doi:10.48550/arxiv.2008.03254

Cited by 3 publications

(3 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Censors can distinguish tunneled streams carrying covert traffic from those that do not using basic traffic analysis [40] or more sophisticated machine learning techniques [12] that can even operate at line speed directly on network switches [13]. Common problems are that mismatches between the use of a tunnel and its covert protocol enable identification [34], particularly during protocol initialization as in the case of attacks on obfs4 [79] and Snowflake [49]. Active probing may also be used to identify systems whose response (or lack thereof) is distinguishing [24,27,32].…”

Section: Related Workmentioning

confidence: 99%

On Precisely Detecting Censorship Circumvention in Real-World Networks

Wails,

Sullivan,

Sherr

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

The understanding of realistic censorship threats enables the development of more resilient censorship circumvention systems, which are vitally important for advancing human rights and fundamental freedoms. We argue that current stateof-the-art methods for detecting circumventing flows in Tor are unrealistic: they are overwhelmed with false positives (> 94%), even when considering conservatively high base rates (10 −3 ). In this paper, we present a new methodology for detecting censorship circumvention in which a deep-learning flow-based classifier is combined with a host-based detection strategy that incorporates information from multiple flows over time. Using over 60,000,000 real-world network flows to over 600,000 destinations, we demonstrate how our detection methods become more precise as they temporally accumulate information, allowing us to detect circumvention servers with perfect recall and no false positives. Our evaluation considers a range of circumventing flow base rates spanning six orders of magnitude and real-world protocol distributions. Our findings suggest that future circumvention system designs need to more carefully consider host-based detection strategies, and we offer suggestions for designs that are more resistant to these attacks.

show abstract

Section: Related Workmentioning

confidence: 99%

On Precisely Detecting Censorship Circumvention in Real-World Networks

Wails,

Sullivan,

Sherr

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…In order to compare and determine the effectiveness of the method for identifying Snowflake traffic based on DTLS handshake fingerprinting features, we combined DTLS handshake traffic from other WebRTC applications collected during the study of Snowflake indistinguishable by K. MacMillan et al [36] with randomly selected flows from the Snowflake traffic we collected, formed a new WebRTC DTLS handshake fingerprint dataset. The effective traffic flow of the dataset is shown in Table 3.…”

Section: Measures Flowsmentioning

confidence: 99%

F-ACCUMUL: A Protocol Fingerprint and Accumulative Payload Length Sample-Based Tor-Snowflake Traffic-Identifying Framework

2023

View full text Add to dashboard Cite

Tor is widely used to protect users’ privacy, which is the most popular anonymous tool. Tor introduces multiple pluggable transports (PT) to help users avoid censorship. A number of traffic analysis methods have been devoted to de-anonymize these PT. Snowflake is the latest PT based on the WebRTC protocol and DTLS encryption protocol for peer-to-peer communication, differing from other PT, which defeat these traffic analysis methods. In this paper, we propose a Snowflake traffic identification framework, which can identify whether the user is accessing Tor and which hidden service he is visiting. Rule matching and DTLS handshake fingerprint features are utilized to classify Snowflake traffic. The linear interpolation of the accumulative payload length of the first n messages in the DTLS data transmission phase as additional features are extracted to identify the hidden service. The experimental results show that our identification framework F-ACCUMUL can effectively identify Tor-Snowflake traffic and Tor-Snowflake hidden service traffic.

show abstract

“…We leverage the Snowflake Fingerprintability dataset [48] to walkthrough pcapML. The dataset contains over 6,500 DTLS handshakes collected to evaluate the indistinguishability of Snowflake, a pluggable-transport for Tor that leverages WebRTC, with handshakes from other WebRTC applications: Facebook messenger, Google Hangouts, and Discord.…”

Section: Design and Usagementioning

confidence: 99%

Towards Reproducible Network Traffic Analysis

Holland¹,

Schmitt²,

Mittal³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

Analysis techniques are critical for gaining insight into network traffic given both the higher proportion of encrypted traffic and increasing data rates. Unfortunately, the domain of network traffic analysis suffers from a lack of standardization, leading to incomparable results and barriers to reproducibility. Unlike other disciplines, no standard dataset format exists, forcing researchers and practitioners to create bespoke analysis pipelines for each individual task. Without standardization researchers cannot compare "applesto-apples," preventing us from knowing with certainty if a new technique represents a methodological advancement or if it simply benefits from a different interpretation of a given dataset.In this work, we examine irreproducibility that arises from the lack of standardization in network traffic analysis. First, we study the literature, highlighting evidence of irreproducible research based on different interpretations of popular public datasets. Next, we investigate the underlying issues that have lead to the status quo and prevent reproducible research. Third, we outline the standardization requirements that any solution aiming to fix reproducibility issues must address. We then introduce pcapML, an open source system which increases reproducibility of network traffic analysis research by enabling metadata information to be directly encoded into raw traffic captures in a generic manner. Finally, we use the standardization pcapML provides to create the pcapML benchmarks, an open source leaderboard website and repository built to track the progress of network traffic analysis methods.

show abstract

Evaluating Snowflake as an Indistinguishable Censorship Circumvention Tool

Cited by 3 publications

References 4 publications

On Precisely Detecting Censorship Circumvention in Real-World Networks

On Precisely Detecting Censorship Circumvention in Real-World Networks

F-ACCUMUL: A Protocol Fingerprint and Accumulative Payload Length Sample-Based Tor-Snowflake Traffic-Identifying Framework

Towards Reproducible Network Traffic Analysis

Contact Info

Product

Resources

About