Tempest: Temporal Dynamics in Anonymity Systems

Wails, Ryan; Sun, Yixin; Johnson, Aaron M.; Chiang, Mung; Mittal, Prateek

doi:10.1515/popets-2018-0019

Cited by 15 publications

(7 citation statements)

References 44 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Even though a single AS could serve thousands of Tor clients, identification of a Tor client's AS can be dangerous. As noted by Wails et al [36], knowledge of a client's AS is problematic for three unique reasons: (1) The client AS can be tar-geted to divulge a user's real identity; (2) the diversity of a client's attributes (e.g. physical location) is much lower in a single AS and could be combined with auxiliary information to perform deanonymization; (3) the client AS can be used to link connections and profile Tor clients.…”

Section: Adversary Modelmentioning

confidence: 76%

“…However, this results in a decrease in guard relay randomness, which in turn leaks probabilistic information about client origin ASes. A major drawback of their approach is thus a significant decrease in the Shannon entropy of client source ASes over time, allowing client ASes to be statistically fingerprinted [26,36]. These fingerprinting attacks allow adversaries to link a client to her source AS.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

DPSelect: A Differential Privacy Based Guard Relay Selection Algorithm for Tor

Hanley

Sun

Wagh

et al. 2019

Proceedings on Privacy Enhancing Technologies

Self Cite

View full text Add to dashboard Cite

Recent work has shown that Tor is vulnerable to attacks that manipulate inter-domain routing to compromise user privacy. Proposed solutions such as Counter-RAPTOR [29] attempt to ameliorate this issue by favoring Tor entry relays that have high resilience to these attacks. However, because these defenses bias Tor path selection on the identity of the client, they invariably leak probabilistic information about client identities. In this work, we make the following contributions. First, we identify a novel means to quantify privacy leakage in guard selection algorithms using the metric of Max-Divergence. Max-Divergence ensures that probabilistic privacy loss is within strict bounds while also providing composability over time. Second, we utilize Max-Divergence and multiple notions of entropy to understand privacy loss in the worst-case for Counter-RAPTOR. Our worst-case analysis provides a fresh perspective to the field, as prior work such as Counter-RAPTOR only analyzed average case-privacy loss. Third, we propose modifications to Counter-RAPTOR that incorporate worst-case Max-Divergence in its design. Specifically, we utilize the exponential mechanism (a mechanism for differential privacy) to guarantee a worst-case bound on Max-Divergence/privacy loss. For the quality function used in the exponential mechanism, we show that a Monte-Carlo sampling-based method for stochastic optimization can be used to improve multi-dimensional trade-offs between security, privacy, and performance. Finally, we demonstrate that compared to Counter-RAPTOR, our approach achieves an 83% decrease in Max-Divergence after one guard selection and a 245% increase in worst-case Shannon entropy after 5 guard selections. Notably, experimental evaluations using the Shadow emulator shows that our approach provides these privacy benefits with minimal impact on system performance.

show abstract

Section: Adversary Modelmentioning

confidence: 76%

Section: Introductionmentioning

confidence: 99%

DPSelect: A Differential Privacy Based Guard Relay Selection Algorithm for Tor

Hanley

Sun

Wagh

et al. 2019

Proceedings on Privacy Enhancing Technologies

Self Cite

View full text Add to dashboard Cite

show abstract

“…In practice, many components of anonymous systems, such as network structures and communication components, change over time [79]. In particular, the communication performance of routing nodes in a network, such as bandwidth, communication delay, etc., will change over time.…”

Section: B Transmission Side: Lack Of Security Considerations For Himentioning

confidence: 99%

A Survey of Privacy Protection and Network Security in User On-Demand Anonymous Communication

et al. 2020

View full text Add to dashboard Cite

In an untrusted Internet environment, there is a large amount of user privacy information being vulnerable to various attacks, and it is an important security concern for users on how to protect their privacy, and to further provide the anonymity guarantee. Recently, most privacy-sensitive users prefer anonymous communication to protect their private information from eavesdropping by attackers. Each user has different privacy protection demands for anonymous communication. However, anonymous communication methods cannot meet the various anonymity needs of users. Hence, the user on-demand anonymous communication is proposed, which can dynamically adjust the anonymity level according to a user's anonymity needs. However, the defense capabilities against attacks are insufficient in the existing user on-demand anonymous communication. Some malicious users in the network employ anonymous communication to hide their identities and attack the Internet. Moreover, the existing user on-demand anonymous communication is weak against traffic classification attacks based on machine learning. Therefore, this paper investigates its progresses and defects in privacy protection and network security. User on-demand anonymous communication is mainly composed of the user side and the transmission side. We separately investigate privacy protection and network security of user on-demand anonymous communication from the user side and the transmission side. By surveying various identity anonymity of users on the user side and the hierarchical anonymous transmission on the transmission side, we find two kinds of serious attacks in user on-demand anonymous communication, i.e., abuse of anonymous communication and traffic classification attacks based on machine learning. To solve the above security issues, we suggest the balancing mechanism of anonymous communication and behavior tracking which is used to prevent anonymous abuse, and the secure defense mechanism which is used to resist traffic classification attacks. To inspire follow-up research, we identify some open problems and emphasize future trends concerning user on-demand anonymous communication. INDEX TERMS Privacy protection, network security, machine learning, traffic classification attacks, user on-demand anonymous communication.

show abstract

“…That is, if the adversary is located at the exit node (and hence knows the destination), the security properties of dPHI and PHI hold even if d is malicious. Recently, Wails et al [31] presented attacks against various anonymity protocols in case the source or destination moves within the network and the attacker located within the path between s and d is able to link sessions. While this is an interesting type of attack, it is not part of the threat model of dPHI.…”

Section: Original Threat Modelmentioning

confidence: 99%

dPHI: An improved high-speed network-layer anonymity protocol

Bajic

Becker

2020

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

The Internet infrastructure has not been built with security or privacy in mind. As a result, an adversary who has control over a single Autonomous System can set-up mass surveillance systems to gather meta data by passively collecting the headers of the messages they route. To solve this problem, lightweight anonymous routing protocols such as LAP, DOVETAIL and most recently PHI have been proposed which are efficient enough to be deployed in a large scale infrastructure such as the Internet. In this paper we take a closer look at PHI and introduce several de-anonymization attacks malicious nodes can perform to reduce the sender and receiver anonymity. As a direct consequence of this analysis we propose a new protocol called dependable PHI (dPHI). The security analysis of dPHI includes a detailed quantitative anonymity analysis that compares dPHI with PHI, LAP and HORNET. Together with the performance analysis, this allows for a good comparison of trade-offs for these anonymity protocols.

show abstract

Tempest: Temporal Dynamics in Anonymity Systems

Cited by 15 publications

References 44 publications

DPSelect: A Differential Privacy Based Guard Relay Selection Algorithm for Tor

DPSelect: A Differential Privacy Based Guard Relay Selection Algorithm for Tor

A Survey of Privacy Protection and Network Security in User On-Demand Anonymous Communication

dPHI: An improved high-speed network-layer anonymity protocol

Contact Info

Product

Resources

About