Presentation is loading. Please wait.

Presentation is loading. Please wait.

Inside Job: Applying Traffic Analysis to Measure Tor from Within

Published byJemimah Higgins Modified over 5 years ago

Similar presentations

Presentation on theme: "Inside Job: Applying Traffic Analysis to Measure Tor from Within"— Presentation transcript:

1 Inside Job: Applying Traffic Analysis to Measure Tor from Within
*Rob Jansen, U.S. Naval Research Laboratory *Marc Juarez, imec-COSIC KU Leuven Rafael Gálvez, imec-COSIC KU Leuven Tariq Elahi, imec-COSIC KU Leuven Claudia Diaz, imec-COSIC KU Leuven *equally credited authors Rob Jansen Center for High Assurance Computer Systems U.S. Naval Research Laboratory 25th Symposium on Network and Distributed System Security San Diego, CA February 21st, 2018

2 Tor Website Fingerprinting
Adversary’s goal: use website fingerprinting to deanonymize client (link client to destination) Use traffic patterns to guess specific webpage accessed U.S. Naval Research Laboratory

3 Onion Service Fingerprinting
Tor website fingerprinting on onion services Destination also runs Tor software Use traffic patterns to guess specific webpage accessed U.S. Naval Research Laboratory

4 Onion Service Fingerprinting
All prior work considers adversary in an entry position U.S. Naval Research Laboratory

5 Onion Service Fingerprinting
All prior work considers adversary in an entry position Limitations of the entry Client-to-entry path is an unrealistic privileged position for most Entry guard relays must be stable and have high up-time Clients choose and pin 1 entry guard for 2-3 months before switching It takes entry guards 3 months to reach steady state and be fully utilized by the network U.S. Naval Research Laboratory

6 This work: fingerprinting from middle relays
Onion service fingerprinting from an internal, middle relay position U.S. Naval Research Laboratory

7 This work: fingerprinting from middle relays
Onion service fingerprinting from an internal, middle relay position Advantages of the middle Clients choose a new middle for every circuit (choice is weighted by bandwidth) No special relay requirements Fully utilized almost immediately Statistical sampling of all clients U.S. Naval Research Laboratory

8 This work: fingerprinting from middle relays
Onion service fingerprinting from an internal, middle relay position Middles will observe a client two orders of magnitude more quickly than guards Advantages of the middle Clients choose a new middle for every circuit (choice is weighted by bandwidth) No special relay requirements Fully utilized almost immediately Statistical sampling of all clients U.S. Naval Research Laboratory

9 This work: fingerprinting from middle relays
The middle identifies the destination… and then what? Onion service popularity measurement [this work] Client geolocation attack using latency [Hopper et al. 2007,2010] Fingerprint protocols instead of websites [future work] Targeted attacks on guards that are used to access websites of interest [Jaggard and Syverson, 2017] U.S. Naval Research Laboratory

10 Outline Background, Motivation: Why the middle relay?
Circuit fingerprinting Onion Service Fingerprinting Onion Service Popularity Measurement Conclusion / Questions U.S. Naval Research Laboratory

11 Circuit Fingerprinting
Collect circuit traces, extract features, train classifiers Identify circuit purpose and position

12 Circuit Fingerprinting
Predict circuit type and relay position Binary classification Circuit purpose: rendezvous (onion service) Circuit position: middle (adj. to guard) U.S. Naval Research Laboratory

13 Data Set, Features, and Training
Generate samples using Shadow Use the Shadow Tor simulator to generate 1.85 million circuits Label circuits with purpose and position Extract features and train random- forest classifiers Use as features: Previous/next node type Counts of cell type/relay command (recv/sent inside/outside) U.S. Naval Research Laboratory

14 Circuit fingerprinting results
U.S. Naval Research Laboratory

15 Onion Service Fingerprinting
Collect webpage traces, train and evaluate classifiers Identify onion service

16 Onion Service Fingerprinting
Given a rendezvous circuit, can we identify the destination? Run modified Tor to identify circuits that we originate! Crawl known and online onion sites Capture TCP trace with tshark 2,500 onion sites, 80 crawls per front page Capture cell trace with onionperf U.S. Naval Research Laboratory

17 Closed World Onion Site Fingerprinting Results
True Positive Rates Entry model Classify using client-to-guard packet traces Middle relay model Classify using middle relay cell traces U.S. Naval Research Laboratory

18 Open World Onion Site Fingerprinting Results
One-class classification problem Site is the monitored site or other We used a popular social networking site ( ) as the monitored site Projection shows boundary that minimizes false positives 80% of all errors were from 12 sites U.S. Naval Research Laboratory

19 Open World Onion Site Fingerprinting Results
Base Rate Performance Precision is 50% at a base rate of 1% Precision decreases exponentially with the base rate U.S. Naval Research Laboratory

20 Onion Service Popularity Measurement
Train classifiers on a social networking site front-page Apply trained classifiers to measure onion service popularity using privacy-preserving Tor measurement tool (PrivCount)

21 Classifying Circuits and Sites in Tor
Measured popular social network site that runs a single onion service Enhanced PrivCount to classify circuit purpose, relay position, and site Three measurements: Classify circuits from real Tor users Classify circuits from ground truth crawler Measure direct accesses to the ASN of (in the cases that we are the 3rd hop) facebookcorewwwi.onion U.S. Naval Research Laboratory

22 Classifying Circuits and Sites in Tor
Measured popular social network site that runs a single onion service Enhanced PrivCount to classify circuit purpose, relay position, and site Three measurements: Classify circuits from real Tor users Classify circuits from ground truth crawler Measure direct accesses to the ASN of (in the cases that we are the 3rd hop) Ethical research: PrivCount provides differential privacy and secure aggregation of results No information is stored on disk Circuit-specific information is stored only for the life of the circuit (10 minutes) Consulted with Tor Research Safety Board to get feedback on methodology facebookcorewwwi.onion U.S. Naval Research Laboratory

23 Classification Results
Classifier True Positives False Negatives Purpose 100% 0% Position 96.5% 3.4% Site 60.0% 40.0% Crawler results (ground truth) Popularity Direct Classified Purpose (onion service) 1.28% 4.48% Site 0.52% 0.02% Measurement pipeline results Results include noise! U.S. Naval Research Laboratory

24 Conclusion Circuit and website fingerprinting is at least as accurate from middle relays as it is from the entry position The number of Facebook onion site visits was indistinguishable from noise More work needed to better understand middle relay threats All code is open-source: github.com/onionpop github.com/privcount github.com/shadow Contact: Rob Jansen U.S. Naval Research Laboratory U.S. Naval Research Laboratory

25 Onion Service Fingerprinting Classifiers
Train and test well known classifiers using packet and cell traces k Nearest Neighbors (kNN) [Wang et al., 2014] Averages over k closest instances according to Euclidean distance CUMUL [Panchenko et al., 2016] Support vector machine (SVM) with radial basis function k-Fingerprinting (KFP) [Hayes and Danezis, 2016] Random forest + kNN (with Hamming distance) U.S. Naval Research Laboratory

Download ppt "Inside Job: Applying Traffic Analysis to Measure Tor from Within"

Similar presentations

LASTor: A Low-Latency AS-Aware Tor Client

LASTor: A Low-Latency AS-Aware Tor Client
Data Mining Classification: Alternative Techniques

Data Mining Classification: Alternative Techniques
1 Advancing Supercomputer Performance Through Interconnection Topology Synthesis Yi Zhu, Michael Taylor, Scott B. Baden and Chung-Kuan Cheng Department.

1 Advancing Supercomputer Performance Through Interconnection Topology Synthesis Yi Zhu, Michael Taylor, Scott B. Baden and Chung-Kuan Cheng Department.
The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network Rob Jansen et. al NDSS 2014 Presenter: Yue Li Part of slides adapted from R.

The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network Rob Jansen et. al NDSS 2014 Presenter: Yue Li Part of slides adapted from R.
Predicting Tor Path Compromise by Exit Port IEEE WIDA 2009December 16, 2009 Kevin Bauer, Dirk Grunwald, and Douglas Sicker University of Colorado Client.

Predicting Tor Path Compromise by Exit Port IEEE WIDA 2009December 16, 2009 Kevin Bauer, Dirk Grunwald, and Douglas Sicker University of Colorado Client.
Memory-based DoS and Deanonymization Attacks on Tor DCAPS Seminar October 11 th, 2013 Rob Jansen U.S. Naval Research Laboratory

Memory-based DoS and Deanonymization Attacks on Tor DCAPS Seminar October 11 th, 2013 Rob Jansen U.S. Naval Research Laboratory
Security and Privacy Issues in Wireless Communication By: Michael Glus, MSEE EEL 6788 11.

Security and Privacy Issues in Wireless Communication By: Michael Glus, MSEE EEL
Lecture 3 Nonparametric density estimation and classification

Lecture 3 Nonparametric density estimation and classification
Onion Routing Security Analysis Aaron Johnson U.S. Naval Research Laboratory DC-Area Anonymity, Privacy, and Security Seminar.

Onion Routing Security Analysis Aaron Johnson U.S. Naval Research Laboratory DC-Area Anonymity, Privacy, and Security Seminar.
Software Quality Ranking: Bringing Order to Software Modules in Testing Fei Xing Michael R. Lyu Ping Guo.

Software Quality Ranking: Bringing Order to Software Modules in Testing Fei Xing Michael R. Lyu Ping Guo.
On Traffic Analysis in Tor Guest Lecture, ELE 574 Communications Security and Privacy Princeton University April 3 rd, 2014 Dr. Rob Jansen U.S. Naval Research.

On Traffic Analysis in Tor Guest Lecture, ELE 574 Communications Security and Privacy Princeton University April 3 rd, 2014 Dr. Rob Jansen U.S. Naval Research.
Determining applications and characteristics of encrypted wireless traffic. Chris Hanks CMPE 257 3/17/2011.

Determining applications and characteristics of encrypted wireless traffic. Chris Hanks CMPE 257 3/17/2011.
Location-Aware Onion Routing Aaron Johnson U.S. Naval Research Laboratory IEEE Symposium on Security and Privacy May 19, 2015.

Location-Aware Onion Routing Aaron Johnson U.S. Naval Research Laboratory IEEE Symposium on Security and Privacy May 19, 2015.
K nearest neighbor and Rocchio algorithm

K nearest neighbor and Rocchio algorithm
Failure Prediction in Hardware Systems Douglas Turnbull Neil Alldrin CSE 221: Operating System Final Project Fall 2003 1.

Failure Prediction in Hardware Systems Douglas Turnbull Neil Alldrin CSE 221: Operating System Final Project Fall
Generic Object Detection using Feature Maps Oscar Danielsson Stefan Carlsson

Generic Object Detection using Feature Maps Oscar Danielsson Stefan Carlsson
Automated malware classification based on network behavior

Automated malware classification based on network behavior
Combining Supervised and Unsupervised Learning for Zero-Day Malware Detection © 2013 Narus, Inc. Prakash Comar 1 Lei Liu 1 Sabyasachi (Saby) Saha 2 Pang-Ning.

Combining Supervised and Unsupervised Learning for Zero-Day Malware Detection © 2013 Narus, Inc. Prakash Comar 1 Lei Liu 1 Sabyasachi (Saby) Saha 2 Pang-Ning.
Signatures As Threats to Privacy Brian Neil Levine Assistant Professor Dept. of Computer Science UMass Amherst.

Signatures As Threats to Privacy Brian Neil Levine Assistant Professor Dept. of Computer Science UMass Amherst.
Jay Stokes, Microsoft Research John Platt, Microsoft Research Joseph Kravis, Microsoft Network Security Michael Shilman, ChatterPop, Inc. ALADIN: Active.

Jay Stokes, Microsoft Research John Platt, Microsoft Research Joseph Kravis, Microsoft Network Security Michael Shilman, ChatterPop, Inc. ALADIN: Active.

Similar presentations

Ads by Google