Countering Statistical Disclosure with Receiver-Bound Cover Traffic

Anonymous communications provides an important privacy service by keeping passive eavesdroppers from linking communicating parties. However, using long-term statistical analysis of traffic sent to and from such a system, it is possible to link senders with their receivers. Cover traffic is an effective, but somewhat limited, counter strategy against this attack. Earlier work in this area proposes that privacy-sensitive users generate and send cover traffic to the system. However, users are not online all the time and cannot be expected to send consistent levels of cover traffic, drastically reducing the impact of cover traffic. We propose that the mix generate cover traffic that mimics the sending patterns of users in the system. This receiver-bound cover helps to make up for users that aren't there, confusing the attacker. We show through simulation how this makes it difficult for an attacker to discern cover from real traffic and perform attacks based on statistical analysis. Our results show that receiver-bound cover substantially increases the time required for these attacks to succeed. When our approach is used in combination with user-generated cover traffic, the attack takes a very long time to succeed.

[1]  David Chaum,et al.  Untraceable electronic mail, return addresses, and digital pseudonyms , 1981, CACM.

[2]  George Danezis,et al.  Statistical Disclosure Attacks , 2003, SEC.

[3]  Philip R. Zimmermann,et al.  The official PGP user's guide , 1996 .

[4]  Georgios Paliouras,et al.  An evaluation of Naive Bayesian anti-spam filtering , 2000, ArXiv.

[5]  Paul E. Hoffman,et al.  S/MIME Version 2 Message Specification , 1998, RFC.

[6]  Nick Mathewson,et al.  Tor: The Second-Generation Onion Router , 2004, USENIX Security Symposium.

[7]  Albert,et al.  Emergence of scaling in random networks , 1999, Science.

[8]  Hannes Federrath Designing Privacy Enhancing Technologies , 2001, Lecture Notes in Computer Science.

[9]  Stefano Bistarelli,et al.  Representing Biological Systems with Multiset Rewriting , 2003 .

[10]  Tony A. Meyer,et al.  SpamBayes: Effective open-source, Bayesian based, email classification system , 2004, CEAS.

[11]  B. Bhattacharjee,et al.  A Protocol for Scalable Anonymous Communication , 1999 .

[12]  Blake Ramsdell,et al.  S/MIME Version 3 Message Specification , 1999, RFC.

[13]  Lauren Weinstein Spam wars , 2003, CACM.

[14]  Roger Dingledine,et al.  On the Economics of Anonymity , 2003, Financial Cryptography.

[15]  Dakshi Agrawal,et al.  Limits of Anonymity in Open Environments , 2002, Information Hiding.

[16]  Vitaly Shmatikov,et al.  Timing Analysis in Low-Latency Mix Networks: Attacks and Defenses , 2006, ESORICS.

[17]  Dieter Gollmann,et al.  Computer Security - ESORICS 2006, 11th European Symposium on Research in Computer Security, Hamburg, Germany, September 18-20, 2006, Proceedings , 2006, ESORICS.

[18]  Claudia Díaz,et al.  Generalising Mixes , 2003, International Symposium on Privacy Enhancing Technologies.

[19]  Oliver Berthold,et al.  Dummy Traffic against Long Term Intersection Attacks , 2002, Privacy Enhancing Technologies.

[20]  Aravind Srinivasan,et al.  P/sup 5/ : a protocol for scalable anonymous communication , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[21]  Nick Mathewson,et al.  Practical Traffic Analysis: Extending and Resisting Statistical Disclosure , 2004, Privacy Enhancing Technologies.

[22]  George Danezis,et al.  Mixminion: design of a type III anonymous remailer protocol , 2003, 2003 Symposium on Security and Privacy, 2003..

[23]  Brian Neil Levine,et al.  Responder anonymity and anonymous peer-to-peer file sharing , 2001, Proceedings Ninth International Conference on Network Protocols. ICNP 2001.

[24]  G Danezis,et al.  Statistical disclosure attacks: Traffic confirmation in open environments , 2003 .