Re3 : Relay Reliability Reputation for Anonymity Systems Anupam Das (UIUC), Nikita Borisov (UIUC), Prateek Mittal (Princeton University) Matthew Caesar (UIUC) 1 November 21, 2018November 21, 2018

Anonymity System Hides user identity and defends users against internet surveillance and traffic analysis. Tor is a system that provides online anonymity. ~5000 Tor Relays ~300,000 Users daily https://metrics.torproject.org 2 November 21, 2018November 21, 2018

How Tor Works? M M M M Exit Tor Relay Encrypted link Unencrypted link Guard Middle Guards: Defend from the predecessor attack By default 3 guards per user Tor circuit /tunnel is built incrementally one hop by one hop Layered encryption is used Each router knows only its predecessor and successor 3 November 21, 2018November 21, 2018

End-to-end Timing Attack in Tor Tor relays are run by volunteers. So relays can be malicious. Timing Correlation Assuming c fraction of the total bandwidth is controlled by an adversary and g fraction of the guards (per user) are compromised, Probability of circuits being compromised: 4 November 21, 2018November 21, 2018

Attack Amplification via Selective DoS New Circuit Dropped Not Dropped C- Compromised H- Honest Relay Guard Middle Exit H C Guard Middle Exit C H Dropped 5 November 21, 2018November 21, 2018

Impact of Selective DoS Under Normal Condition: Under Selective DoS: Guard Middle Exit C H For any given value of g,c>0 we have, 6 November 21, 2018November 21, 2018

Recent Attacks on Tor Some law-enforcement officers and researchers say the shakiness of the network itself, which relies on volunteers, presents opportunities for authorities to trace users It would allow Dutch police to use exploits and malware against privacy systems like the Tor network In his e-mail, Snowden wrote that he personally ran one of the “major Tor exits”–a 2 gbps server named “TheSignal”–and was trying to persuade some unnamed coworkers at his office to set up additional servers. 7 November 21, 2018November 21, 2018

Our Goals Capture circuit dropping characteristics of relays using a localized reputation framework. Adaptively penalize relays exhibiting frequent behavioral oscillation. Filter potentially compromised/unreliable relays. Threat Model: Small fraction (~20%) of relays are compromised. Compromised relays strategically drop circuits. 8 November 21, 2018November 21, 2018

Adaptive Reputation Metric Goals: Effectively summarize historical behavior Use an Exponentially Weighted Moving Average Discourage behavioral oscillation Dynamically adjust the weight of the EWMA (Impact of sudden drop > Impact of sudden rise) X Y Z Node Rep New Exp X Rx Fx Y Ry Fy Z Rz Fz Node NewError Acc Error X δx εx Y δy εy Z δz εz Node Rep X Rx Y Ry Z Rz Node Rep X EWMA(Rx, Fx)=Rx Y EWMA(Ry, Fy)=Ry Z EWMA(Rz, Fz)=Rz New Feedback Update weight of the EWMA Computer Errors 9 November 21, 2018November 21, 2018

Closer Look at Reputation Metric Reaction to random network failures or strategic oscillating behavior- 50% random drop 50% oscillating behavior Circuit dropping results in lowering reputation. Strategic oscillating behavior is punished more severely and this is evident from the lower reputation score for the same drop rate. 10 November 21, 2018November 21, 2018

Confidence Factor To hinder whitewashing attack we associate a confidence factor to each relay’s reputation score. 𝐶𝑜𝑓 𝑛 (𝑥)= β 1/𝑛 where, 0< β <1 Monotonically increasing function of the number of interactions with a given relay Final Ranking Score for a relay: 𝑅𝑎𝑛𝑘 𝑛 𝑥 = 𝑅𝑒𝑝 𝑛 𝑥 · 𝐶𝑜𝑓 𝑛 (𝑥) 11 November 21, 2018November 21, 2018

Relays sorted in descending order of ranking score Filtering Protocol Relays sorted in descending order of ranking score 1-γ γ Consider only top (1-γ) fraction of the relays Top (1-γ) ranked relays Compute : Mean (μ) , Standard Deviation (σ) Filter Relays with |Rank-μ| > k·σ If compromised guards >1, compromised exits obtain higher reputation score so consider filtering on both sides + k·σ μ - k·σ For guards we investigate the following two strategies: Strategy 1: Consider all guards that are not outliers. Strategy 2: Consider only the highest ranked guard. 12 November 21, 2018November 21, 2018

Attack Scenarios We probabilistically analysis the following attack scenarios: Attack Description Example [Guard-Middle-Exit] Allowed Dropped Selective DoS Drop all non-compromised circuits C - H - C H - C - H Random Dropping Randomly drop a non-compromised circuit (with various drop rate) [H - C - H] H - C – H Targeted Attack Drop circuit if a target relay lies on the circuit H - C - T Creeping Death Drop circuit if majority of the relays are honest H - C - C C : compromised relay, H: honest relay, T: targeted relay 13 November 21, 2018November 21, 2018

Evaluation Simulation setup: We perform both simulations and real world experiments. Simulation setup: Gather live Tor relay information (IP, Bandwidth, Selection probabilities) from https://compass.torproject.org/ Randomly assigned 20% bandwidth to be compromised. Parameter Description Value/Range Computational 𝐾 𝑝 Proportional gain 0.5 μ Rewarding factor 2 ν Punishment factor 1 β Confidence Co-efficient Environmental g Fraction of malicious guard {0,1/3,2/3,1} d Drop rate by malicious relays [0,1] f Transient Network failure 0.21 To approximate the failure rate present in the current Tor network we use TorFlow project https://gitweb.torproject.org/torflow.git We generate 10,000 Tor circuits and record their failure rate. Average failure rate after 10 run was found to be approximately 21%. Parameters are set after performing parameter sensitivity Transient network failure computed using TorFlow project https://gitweb.torproject.org/torflow.git 14 November 21, 2018November 21, 2018

Filtering Malicious Relays With g=1/3 we can filter malicious relays efficiently. Even with g=2/3 we can filter significant portion of the malicious relays. Majority of the relays are honest (~80%) So μ and σ are more influenced by honest relays 15 November 21, 2018November 21, 2018

False Errors False Negative (FN)= Fraction of compromised relays accepted False Positive (FP)= Fraction of honest relays discarded Ideally we want both FN and FP as small as possible. As nodes start misbehaving more, FP and FN rates fall 16 November 21, 2018November 21, 2018

Selecting Compromised Circuits Probability of selecting a compromised circuit after filtering: Pr⁡(𝐶𝑋𝐶)= 𝑔 𝑓∙ 𝑐 𝑓 𝑔 𝑓∙ 𝑐 𝑓 + 1− 𝑔 𝑓 1− 𝑐 𝑓 2 + 1−𝑑 [1− 𝑔 𝑓∙ 𝑐 𝑓 − 1− 𝑔 𝑓 1− 𝑐 𝑓 2 ] In our approach for g<1, the attacker has best results with no drops 17 November 21, 2018November 21, 2018

Strategic Dropping The adversary adopts the following strategy- “Drop circuit only if its reputation is above a chosen threshold” To obtain a positive reputation score the adversary cannot afford to drop too many circuits. The probability of constructing a compromised circuit (Pr(CXC)) reaches to a stable value as drop rate declines to zero. 18 November 21, 2018November 21, 2018

Real World Experiments We use Emulab and PlanetLab machines for our experimental setup. Tor Network Destinations Our Traffic Analyzing Server Our relays Timing info sent to server PlanetLab Clients 11 Emulab machines= 10 run Tor protocol (20Kbps)+1 acted as server (gathering timing info from the other 10 machines) [Bauer et al. WPES 07] Used 39 regular Tor node and added our 10 compromised nodes (c≈20%). 19 November 21, 2018November 21, 2018

Results From Live Tor Network We use PlanetLab machines to emulate users from five different continents. User traffic is emulated by retrieving a random web file of 300 KB in size. Similar to our simulations we see that as the number of compromised guards increases, FN also increases 20 November 21, 2018November 21, 2018

Measuring Relay Reliability We look at network-level (probing Tor ORport using nmap) and application-level (creating Tor circuits) reliability. Significant deviation in application and network level reliability. Certain fraction of the Tor relays drop circuits more often than others even though they are reachable. 21 November 21, 2018November 21, 2018

Predicting Relay Reliability The correlation between the advertised bandwidth and reliability < 10-8. So, bandwidth is not an indicator of reliability in Tor network. We also verified that past performance is an indication of future results. We found the “Pearson Correlation” to be 0.72 Testing Reliability on the live Tor network 22 November 21, 2018November 21, 2018

With 1000 interactions we can profile ~600 relays Deployment Strategies We propose 2 ways to deploying Re3 into the Tor network: Localized: Individual Tor clients run Re3 Centralized: Re3 is run by Directory Authorities (DA) With 1000 interactions we can profile ~600 relays 23 November 21, 2018November 21, 2018

Conclusion Our work shows: You can profile the reliability of Tor relays through a reputation framework. Reliability reputation coupled with a filtering protocol can successfully filter compromised/unreliable relays. In the absence of attacks profiling relay reliability can significantly improve the reliability of Tor circuit construction. 24 November 21, 2018November 21, 2018

End 25 November 21, 2018November 21, 2018