Seeing through Network-Protocol Obfuscation

Censorship-circumvention systems are designed to help users bypass Internet censorship. As more sophisticated deep-packet-inspection (DPI) mechanisms have been deployed by censors to detect circumvention tools, activists and researchers have responded by developing network-protocol obfuscation tools. These have proved effective in practice against existing DPI and are now distributed with systems such as Tor. In this work, we provide the first in-depth investigation of the detectability of in-use protocol obfuscators by DPI. We build an evaluation framework that uses real network traffic captures to measure detectability, based on metrics such as the false-positive rate against background (i.e., non-obfuscated) traffic. We first exercise our framework to show that some previously proposed attacks from the literature are not as effective as a censor might like. We go on to develop new attacks against five obfuscation tools as they are configured in Tor: two variants of obfsproxy, FTE, and two variants of meek. We conclude by using our framework to show that all of these obfuscation mechanisms could be reliably detected by a determined censor, with false-positive rates low enough for use in many censorship settings.
