DeepCorr: Strong Flow Correlation Attacks on Tor Using Deep Learning

Flow correlation is the core technique behind many deanonymization attacks on Tor. Despite its importance, existing flow correlation techniques are considered ineffective and unreliable for linking Tor flows at large scale: they suffer from high false positive rates or require impractically long flow observations to make reliable correlations. In this paper, we show that, unfortunately, flow correlation attacks can be conducted on Tor traffic with drastically higher accuracy than before by leveraging emerging learning mechanisms. In particular, we design a system, called DeepCorr, that outperforms the state of the art by significant margins in correlating Tor connections. DeepCorr leverages an advanced deep learning architecture to learn a flow correlation function tailored to Tor's complex network; this is in contrast to previous works' use of generic statistical correlation metrics to correlate Tor flows. We show that with moderate learning, DeepCorr can correlate Tor connections (and therefore break Tor's anonymity) with accuracy significantly higher than that of existing algorithms, while using substantially shorter flow observations. For instance, by collecting only about 900 packets of each target Tor flow (roughly 900KB of Tor data), DeepCorr provides a flow correlation accuracy of 96%, compared to 4% for the state-of-the-art system RAPTOR in the exact same setting. We hope that our work demonstrates the escalating threat of flow correlation attacks on Tor given recent advances in learning algorithms, calling for the timely deployment of effective countermeasures by the Tor community.
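To make the contrast with "generic statistical correlation metrics" concrete, the following is a minimal sketch of that baseline style of attack, not of DeepCorr itself and not of any specific prior system. It assumes Pearson correlation over inter-packet delays as the metric; the function names (`pearson`, `inter_packet_delays`, `best_match`, `demo`) and the synthetic traffic parameters are hypothetical and chosen only for illustration.

```python
import math
import random
from itertools import accumulate


def pearson(xs, ys):
    """Pearson correlation of two sequences, truncated to the shorter length."""
    n = min(len(xs), len(ys))
    xs, ys = xs[:n], ys[:n]
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    cov = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    var_x = sum((x - mean_x) ** 2 for x in xs)
    var_y = sum((y - mean_y) ** 2 for y in ys)
    if var_x == 0 or var_y == 0:
        return 0.0  # a constant sequence carries no timing signal
    return cov / math.sqrt(var_x * var_y)


def inter_packet_delays(timestamps):
    """Differences between consecutive packet timestamps."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def best_match(ingress_ts, egress_flows):
    """Index of the egress flow whose delays correlate most with the ingress flow."""
    ingress_ipd = inter_packet_delays(ingress_ts)
    scores = [pearson(ingress_ipd, inter_packet_delays(ts)) for ts in egress_flows]
    return max(range(len(scores)), key=scores.__getitem__)


def demo(num_packets=300, seed=0):
    """Synthetic example (assumed parameters): one true pair plus unrelated flows."""
    rng = random.Random(seed)
    delays = [rng.expovariate(20.0) for _ in range(num_packets)]
    ingress = list(accumulate(delays))
    # The matching egress flow sees the same delays plus small network jitter.
    jittered = [max(0.0, d + rng.uniform(-0.005, 0.005)) for d in delays]
    egress_true = list(accumulate(jittered))
    # Unrelated flows have independent timing.
    unrelated = [
        list(accumulate(rng.expovariate(20.0) for _ in range(num_packets)))
        for _ in range(3)
    ]
    return best_match(ingress, [egress_true] + unrelated)
```

In this toy setting the jitter is tiny and independent, so a fixed metric is enough. The abstract's argument is that Tor's real network perturbations are too complex for such fixed metrics, which motivates learning the correlation function instead.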
