On traffic analysis in anonymous communication networks

Zhu, Ye

02 June 2009

In this dissertation, we address issues related to traffic analysis attacks and the engineering in anonymous communication networks. Mixes have been used in many anonymous communication systems and are supposed to provide countermeasures that can defeat various traffic analysis attacks. In this dissertation, we first focus on a particular class of traffic analysis attack, flow correlation attacks, by which an adversary attempts to analyze the network traffic and correlate the traffic of a flow over an input link at a mix with that over an output link of the same mix. Two classes of correlation methods are considered, namely time-domain methods and frequency-domain methods. We find that a mix with any known batching strategy may fail against flow correlation attacks in the sense that, for a given flow over an input link, the adversary can correctly determine which output link is used by the same flow. We theoretically analyze the effectiveness of a mix network under flow correlation attacks. We extend flow correlation attack to perform flow separation: The flow separation attack separates flow aggregates into either smaller aggregates or individual flows. We apply blind source separation techniques from statistical signal processing to separate the traffic in a mix network. Our experiments show that this attack is effective and scalable. By combining flow separation and frequency spectrum matching method, a passive attacker can get the traffic map of the mix network. We use a non-trivial network to show that the combined attack works. The second part of the dissertation focuses on engineering anonymous communication networks. Measures for anonymity in systems must be on one hand simple and concise, and on the other hand reflect the realities of real systems. We propose a new measure for the anonymity degree, which takes into account possible heterogeneity. We model the effectiveness of single mixes or of mix networks in terms of information leakage and measure it in terms of covert channel capacity. The relationship between the anonymity degree and information leakage is described, and an example is shown.

traffic analysis

anonymity

On traffic analysis attacks and countermeasures

Fu, Xinwen

25 April 2007

Security and privacy have gained more and more attention with the rapid growth and public acceptance of the Internet as a means of communication and information dissemination. Security and privacy of a computing or network system may be compromised by a variety of well-crafted attacks. In this dissertation, we address issues related to security and privacy in computer network systems. Specifically, we model and analyze a special group of network attacks, known as traffic analysis attacks, and develop and evaluate their countermeasures. Traffic analysis attacks aim to derive critical information by analyzing traffic over a network. We focus our study on two classes of traffic analysis attacks: link-load analysis attacks and flow-connectivity analysis attacks. Our research has made the following conclusions: 1. We have found that an adversary may effectively discover link load by passively analyzing selected statistics of packet inter-arrival times of traffic flows on a network link. This is true even if some commonly used countermeasures (e.g., link padding) have been deployed. We proposed an alternative effective countermeasure to counter this passive traffic analysis attack. Our extensive experimental results indicated this to be an effective approach. 2. Our newly proposed countermeasure may not be effective against active traffic analysis attacks, which an adversary may also use to discover the link load. We developed methodologies in countering these kinds of active attacks. 3. To detect the connectivity of a flow, an adversary may embed a recognizable pattern of marks into traffic flows by interference. We have proposed new countermeasures based on the digital filtering technology. Experimental results have demonstrated the effectiveness of our method. From our research, it is obvious that traffic analysis attacks present a serious challenge to the design of a secured computer network system. It is the objective of this study to develop robust but cost-effective solutions to counter link-load analysis attacks and flow-connectivity analysis attacks. It is our belief that our methodology can provide a solid foundation for studying the entire spectrum of traffic analysis attacks and their countermeasures.

Traffic Analysis

Attacks

Analysis and visualization of historical traffic data collected on the Stockholm highway system

Reim, Erich

January 2013

The congestion due to traffic is a worldwide occurrence in major cities, where also the biggest part of the human population lives. To be able to control and oversee the ongoing traffic development in cities, traffic operators use different methods to observe the current trend. This is done by collecting data from stationary sensors to mobile sensors like floating car data. The data collected from stationary sensors is stored in a central database. This historical traffic data is used for analysis of traffic behavior along the main roadway network in Stockholm. Areas which are highly congested can be located as well as areas where traffic flows without problems. This thesis deals with methods to analyze and visualize the traffic behavior based on historical traffic data, measured in the city of Stockholm. Therefore a toolbox is implemented which is used to figure out bottlenecks and typical speed and flow patterns along the Stockholm highway system. Based on the typical speed and flow patterns, it is possible to calculate areas that are affected of congestion and also to determine whether congestion appears due to an incident or a bottleneck.

MATLAB

Toolbox

Traffic analysis

Visualization

On Traffic Analysis Attacks To Encrypted VoIP Calls

Lu, Yuanchao

10 December 2009

No description available.

VOIP

detection rate

speaker detection

traffic analysis

Detecting Hidden Wireless Cameras through Network Traffic Analysis

Cowan, KC Kaye

02 October 2020

Wireless cameras dominate the home surveillance market, providing an additional layer of security for homeowners. Cameras are not limited to private residences; retail stores, public bathrooms, and public beaches represent only some of the possible locations where wireless cameras may be monitoring people's movements. When cameras are deployed into an environment, one would typically expect the user to disclose the presence of the camera as well as its location, which should be outside of a private area. However, adversarial camera users may withhold information and prevent others from discovering the camera, forcing others to determine if they are being recorded on their own. To uncover hidden cameras, a wireless camera detection system must be developed that will recognize the camera's network traffic characteristics. We monitor the network traffic within the immediate area using a separately developed packet sniffer, a program that observes and collects information about network packets. We analyze and classify these packets based on how well their patterns and features match those expected of a wireless camera. We used a Support Vector Machine classifier and a secondary-level of classification to reduce false positives to design and implement a system that uncovers the presence of hidden wireless cameras within an area. / Master of Science / Wireless cameras may be found almost anywhere, whether they are used to monitor city traffic and report on travel conditions or to act as home surveillance when residents are away. Regardless of their purpose, wireless cameras may observe people wherever they are, as long as a power source and Wi-Fi connection are available. While most wireless camera users install such devices for peace of mind, there are some who take advantage of cameras to record others without their permission, sometimes in compromising positions or places. Because of this, systems are needed that may detect hidden wireless cameras. We develop a system that monitors network traffic packets, specifically based on their packet lengths and direction, and determines if the properties of the packets mimic those of a wireless camera stream. A double-layered classification technique is used to uncover hidden wireless cameras and filter out non-wireless camera devices.

wireless cameras

network traffic analysis

privacy

detection

Capturing and Analyzing Network Traffic from Common Mobile Devices for Security and Privacy

Overton, Billy

01 May 2014

Mobile devices such as tablets and smartphones are becoming more common, and they are holding more information. This includes private information such as contacts, financial data, and passwords. At the same time these devices have network capability with access to the Internet being a prime feature. Little research has been done in observing the network traffic produced by these mobile devices. To determine if private information was being transmitted without user knowledge, the mobile capture lab and a set of procedures have been created to observe, capture and analyze the network traffic produced by mobile devices. The effectiveness of the lab and procedures has been evaluated with the analysis of four common mobile devices. The data analyzed from the case studies indicates that, contrary to popular opinion, very little private information is transmitted in clear text by mobile devices without the user’s knowledge.

security

mobile

traffic analysis

traffic capture

Information Security

Systems Architecture

Demand analysis and privacy of floating car data

Camilo, Giancarlo

13 September 2019

This thesis investigates two research problems in analyzing floating car data (FCD): automated segmentation and privacy. For the former, we design an automated segmentation method based on the social functions of an area to enhance existing traffic demand analysis. This segmentation is used to create an extension of the traditional origin-destination matrix that can represent origins of traffic demand. The methods are then combined for interactive visualization of traffic demand, using a floating car dataset from a ride-hailing application. For the latter, we investigate the properties in FCD that may lead to privacy leaks. We present an attack on a real-world taxi dataset, showing that FCD, even though anonymized, can potentially leak privacy. / Graduate

floating car data

privacy

traffic demand

traffic analysis

area segmentation

Using Network Traffic to Infer CPU and Memory Utilization for Cluster Grid Computing Applications

Watkins, Lanier A.

05 January 2010

In this body of work, we present the details of a novel method for passive resource discovery in cluster grid environments where resources constantly utilize inter-node communication. Our method offers the ability to non-intrusively identify resources that have available memory or CPU cycles; this is critical for lowering queue wait times in large cluster grid networks, and for memory-intensive cluster grid applica-tions such as Gaussian (computational chemistry package) and the Weather Research and Forecasting (WRF) modeling package. The benefits include: (1) low message complexity, (2) scalability, (3) load bal-ancing support, and (4) low maintainability. Using several test-beds (i.e., a small local test-bed and a 50-node Deterlab test-bed), we demonstrate the feasibility of our method with experiments utilizing TCP, UDP and ICMP network traffic. Using this technique, we observed a correlation between memory or CPU load and the timely response of network traffic. In such situations, we have observed that in highly utilized (due to multi-programming) nodes there will be numerous, active processes which require context switching or paging. The latency associated with numerous context switches or paging manifests as a de-lay signature within the packet transmission process. Our method detects this delay signature to determine the utilization of network resources. The aforementioned delay signature is the keystone that provides a correlation between network traffic and the internal state of the source node. We characterize this delay signature due to CPU utilization by (1) identifying the different types of assembly language instructions that source this delay and (2) describing how performance-enhancing techniques (e.g., instruction pipelin-ing, caching) impact this delay signature by using the LEON3, implemented as a 40 MHz development board. At the software level, results for medium sized networks show that our method can consistently and accurately identify nodes with available memory or CPU cycles (< 70% availability). At the hardware level, our results show that excessive context switching in active applications increases the average mem-ory access time, thus adding additional delay to the execution of LD instructions. Additionally, internal use of these instructions in heavily utilized situations to send network packets induces the delay signature into network traffic.

Grid-Computing

Passive Resource Discovery

Traffic Analysis

Computer Sciences

Using Secure Real-time Padding Protocol to Secure Voice-over-IP from Traffic Analysis Attacks

Mohanty, Saswat

2011 May 1900

Voice Over IP (VoIP) systems and transmission technologies have now become the norm for many communications applications. However, whether they are used for personal communication or priority business conferences and talks, privacy and confidentiality of the communication is of utmost priority. The present industry standard is to encrypt VoIP calls using Secure Real-time Transport Protocol (SRTP), aided by ZRTP, but this methodology remains vulnerable to traffic analysis attacks, some of which utilize the length of the encrypted packets to infer the language and spoken phrases of the conversation. Secure Real-time Padding Protocol (SRPP) is a new RTP profile which pads all VoIP sessions in a unique way to thwart traffic analysis attacks on encrypted calls. It pads every RTP or SRTP packet to a predefined packet size, adds dummy packets at the end of every burst in a controllable way, adds dummy bursts to hide silence spurts, and hides information about the packet inter-arrival timings. This thesis discusses a few practical approaches and a theoretical optimization approach to packet size padding. SRPP has been implemented in the form of a library, libSRPP, for VoIP application developers and as an application, SQRKal, for regular users. SQRKal also serves as an extensive platform for implementation and verification of new packet padding techniques.

Traffic Analysis

Padding

SRPP

VoIP

Security

Privacy and Anonymity

Detecting Remote Attacks

Han, Wang-tzu

30 July 2004

With the advanced technology, our life has improved, however, it also brings the new model of crime events. Because the intrusion technique and intrusion tools are developed day by day, many computer crimes such as overstep system authority, intrusion events, computer crime, and network attack incidents are happening everywhere and everyday. In fact, those kinds of animus attack behaviors are troublesome problems. Staffs of network management may have to read security advisory, which is sent out by security organization. For example, they have to subscribe advisories for Computer Emergency Response Team or security mail list to continuously accumulate their security information. In addition, in the security protect system, they may need to spend huge fund to purchase firewall system, intrusion detection system, antivirus system and other related security protect systems. These attack behaviors have been evolved from one computer attacked to heavy attack by new intrusion model such as worm to proceed large scale spread attacking recently. Furthermore, each attack use different communication protocol and port, which is aimed at the system vulnerability, it is not easy to detect these attacks. If we can observe the variation of network traffic to detect the unusual hosts, for controlling the usage of network or occurring extraordinary phenomenon, it could help network managers to discover and solve network attack problems in time. Lately, many intrusion events have been happened increasingly, and the denial-of-service has become the most serious network event of the Computer Crime and Security Survey of FBI/CSI in 2003. Therefore, in various attacking types, we choose vulnerability scan and denial-of-service as our research direction. This research extend to develop IPAudit[16], a network traffic monitor system, which is to detect hosts flows traffic of the local area network. We establish network attack rules by using data miningclassification (C4.5) to analyze attack data, and we estimate the correctness percentage of classification. This study also uses different attack applications for the same attack type to process the cross experiment. The result has shown that the technology of data mining classification (C4.5) can help us to forecast efficiently the same attack type events.

Data mining

classification

network traffic analysis

vulnerability scan

Denial-of-service