On Effectiveness of Traffic Analysis Against Anonymity Networks Using Netflow

Chakravarty, Sambuddho; Polychronakis, Michalis; Portokalidis, Georgios; Barbera, Marco V.; Keromytis, Angelos D.

Low-latency anonymity preserving networks, such as Tor, are geared towards preserving the anonymity of users of semi-interactive Internet applications such as web browsing and instant messaging. In an attempt to maintain users' quality of service, such systems preserve packet inter-arrival characteristics (such as inter-packet delay). Thus, an adversary having access to traffic patterns at various points of the Tor network can observe similarities in these patterns, and discover a relationship between otherwise apparently unrelated network connections. Such attacks are commonly known as traffic analysis attacks. In the past, various traffic analysis attacks against Tor have been explored. Most modern networking equipment has traffic monitoring subsystems built in, e.g. Cisco's NetFlow. An adversary could potentially utilize the network statistics derived from such subsystems to launch traffic analysis attacks. In the paper "Sampled Traffic Analysis by Internet-Exchange-Level Adversaries," Murdoch and Zielinski presented two novel contributions: 1) a case study showing that a very small number of Internet Exchanges (IXes) intercept, and could thus monitor, a significant fraction of network paths from Tor nodes to various popular Internet destinations, and 2) a mathematical model to classify and de-anonymize anonymous traffic. Our research complements their efforts. We focus on the possible "next step" of the problem, viz. evaluating the feasibility and effectiveness of practical traffic analysis, using NetFlow data, to determine the source of anonymous traffic. We present an active traffic analysis method that involves deliberately perturbing the characteristics of the traffic entering the Tor network, and observing a similar perturbation in the traffic leaving the network. Our method relies on statistical correlation to observe such perturbations.
We evaluate the accuracy of our method both in a controlled lab environment and using data gathered from a public Tor relay serving several hundred Tor users. In the in-lab tests, we achieved an accuracy of 100 percent in identifying the source of anonymous traffic. In the case of tests involving data from the public Tor relay, we achieved an overall accuracy of about 80 percent.
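The correlation step the abstract describes, as an added illustration that is not code from the paper: constructed NetFlow-style (timestamp, bytes) records are binned into per-interval byte counts and scored against a modulated on/off pattern, with a constant-rate padded series included to show why padding removes the signal the method depends on. Pearson correlation, the bin size, the pattern and all sample values are assumptions made for this example.

```python
"""Correlating binned NetFlow-style byte counts (constructed example)."""
import random
from math import sqrt

BIN_SECONDS = 5          # assumed aggregation interval for flow records
N_BINS = 24
# Constructed on/off modulation: 3 bins on, 3 bins off, repeated.
PATTERN = [1 if (i // 3) % 2 == 0 else 0 for i in range(N_BINS)]


def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series has no variance."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sqrt(sum((x - mx) ** 2 for x in xs))
    vy = sqrt(sum((y - my) ** 2 for y in ys))
    return 0.0 if vx == 0 or vy == 0 else cov / (vx * vy)


def make_flow_records(rng, pattern, scale, jitter, start=0.0):
    """Constructed (timestamp, bytes) records that follow `pattern` plus noise."""
    records = []
    for i, on in enumerate(pattern):
        nbytes = on * scale + rng.randint(0, jitter)
        if nbytes > 0:
            records.append((start + i * BIN_SECONDS + rng.uniform(0, BIN_SECONDS), nbytes))
    return records


def bin_records(records, start=0.0):
    """Aggregate flow records into per-interval byte counts."""
    series = [0] * N_BINS
    for ts, nbytes in records:
        idx = int((ts - start) // BIN_SECONDS)
        if 0 <= idx < N_BINS:
            series[idx] += nbytes
    return series


def rank_candidates(target, candidates):
    """Score each candidate series against the target; higher means more similar."""
    scores = {name: pearson(target, series) for name, series in candidates.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def demo():
    rng = random.Random(7)
    target = bin_records(make_flow_records(rng, PATTERN, 4000, 200))
    matching = bin_records(make_flow_records(rng, PATTERN, 3800, 300))  # same pattern, other vantage point
    unrelated = [i * 200 for i in range(N_BINS)]                        # constructed unrelated flow
    padded = [max(b, 4200) for b in matching]                            # constant-rate padding hides the modulation
    return rank_candidates(target, {"matching": matching, "unrelated": unrelated, "padded": padded})
```

Running `demo()` ranks the matching series first with a correlation near 1, the unrelated series well below it, and the padded series at exactly 0.0 because its variance is gone.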



Department of Computer Science, Columbia University
Columbia University Computer Science Technical Reports, CUCS-019-13
Published September 23, 2013