DPSelect: A Differential Privacy Based Guard Relay Selection Algorithm for Tor

Abstract. Recent work has shown that Tor is vulnerable to attacks that manipulate inter-domain routing to compromise user privacy. Proposed solutions such as Counter-RAPTOR [29] attempt to ameliorate this issue by favoring Tor entry relays that have high resilience to these attacks. However, because these defenses bias Tor path selection on the identity of the client, they invariably leak probabilistic information about client identities. In this work, we make the following contributions. First, we identify a novel means to quantify privacy leakage in guard selection algorithms using the metric of Max-Divergence. Max-Divergence ensures that probabilistic privacy loss is within strict bounds while also providing composability over time. Second, we utilize Max-Divergence and multiple notions of entropy to understand worst-case privacy loss for Counter-RAPTOR. Our worst-case analysis provides a fresh perspective to the field, as prior work such as Counter-RAPTOR only analyzed average-case privacy loss. Third, we propose modifications to Counter-RAPTOR that incorporate worst-case Max-Divergence in its design. Specifically, we utilize the exponential mechanism (a mechanism for differential privacy) to guarantee a worst-case bound on Max-Divergence, i.e., on privacy loss. For the quality function used in the exponential mechanism, we show that a Monte-Carlo sampling-based method for stochastic optimization can be used to improve multi-dimensional trade-offs between security, privacy, and performance. Finally, we demonstrate that compared to Counter-RAPTOR, our approach achieves an 83% decrease in Max-Divergence after one guard selection and a 245% increase in worst-case Shannon entropy after 5 guard selections. Notably, experimental evaluations using the Shadow emulator show that our approach provides these privacy benefits with minimal impact on system performance.
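The following is an added illustration, not code from the paper, of the two ideas the abstract combines: guard selection via the exponential mechanism with a resilience quality function, and Max-Divergence as the worst-case privacy-loss metric, including how it composes over repeated selections. The resilience values, client names and the resilience-proportional baseline are constructed for the example and are not Counter-RAPTOR's actual weighting.

```python
import itertools
import math
import random

# Constructed sample data (not real Tor measurements): per-client resilience of
# each candidate guard, in [0, 1]. Client Y sees guardA as fully non-resilient.
RESILIENCE = {
    "clientX": {"guardA": 0.95, "guardB": 0.40, "guardC": 0.10, "guardD": 0.70},
    "clientY": {"guardA": 0.00, "guardB": 0.60, "guardC": 0.90, "guardD": 0.30},
}

def exp_mech_distribution(quality, epsilon, sensitivity=1.0):
    """Exponential mechanism: P(g) proportional to exp(eps * q(g) / (2 * delta_q)).
    Resilience lives in [0, 1], so the quality function's sensitivity is 1."""
    weights = {g: math.exp(epsilon * q / (2.0 * sensitivity)) for g, q in quality.items()}
    total = sum(weights.values())
    return {g: w / total for g, w in weights.items()}

def proportional_distribution(quality):
    """Simplified baseline (hypothetical, not Counter-RAPTOR's formula): choose a
    guard with probability proportional to its resilience alone."""
    total = sum(quality.values())
    return {g: q / total for g, q in quality.items()}

def max_divergence(p, q):
    """D_inf(P || Q) = max over outcomes x of ln(P(x) / Q(x)): the worst-case
    privacy loss between two clients from one observed selection."""
    return max(math.log(p[x] / q[x]) if q[x] > 0 else math.inf for x in p if p[x] > 0)

def k_fold(dist, k):
    """Product distribution over k independent selections (composition over time)."""
    return {t: math.prod(dist[g] for g in t) for t in itertools.product(dist, repeat=k)}

def worst_case_max_divergence(make_dist, k=1):
    """Largest D_inf between any two clients' k-selection distributions."""
    dists = {c: k_fold(make_dist(q), k) for c, q in RESILIENCE.items()}
    return max(max_divergence(dists[a], dists[b])
               for a, b in itertools.permutations(dists, 2))

def select_guard(client, epsilon, rng=random):
    """Draw one guard for `client` from the exponential-mechanism distribution."""
    dist = exp_mech_distribution(RESILIENCE[client], epsilon)
    return rng.choices(list(dist), weights=list(dist.values()), k=1)[0]

if __name__ == "__main__":
    for eps in (0.1, 1.0):
        d = worst_case_max_divergence(lambda q: exp_mech_distribution(q, eps))
        print(f"eps={eps}: one-selection D_inf={d:.3f} (guaranteed <= {eps})")
    print("resilience-proportional baseline D_inf:",
          worst_case_max_divergence(proportional_distribution))
```

With the exponential mechanism the worst-case Max-Divergence stays at or below epsilon and grows linearly with the number of selections, whereas the proportional baseline assigns one client zero probability of a guard and so leaks unboundedly.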

[1] Prateek Mittal et al. Information leaks in structured peer-to-peer anonymous communication systems, 2008, CCS.

[2] Cynthia Dwork et al. Differential Privacy: A Survey of Results, 2008, TAMC.

[3] R. Coifman et al. Entropy-based Algorithms for Best Basis Selection, 1992, IEEE Transactions on Information Theory.

[4] Nicholas Hopper et al. Shadow: Running Tor in a Box for Accurate and Efficient Experimentation, 2011, NDSS.

[5] Björn Scheuermann et al. The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network, 2014, NDSS.

[6] Rob Jansen et al. Safely Measuring Tor, 2016, CCS.

[7] Carmela Troncoso et al. You cannot hide for long: de-anonymization of real-world dynamic behaviour, 2013, WPES.

[8] Paul F. Syverson et al. AS-awareness in Tor path selection, 2009, CCS.

[9] Michael Schapira et al. Measuring and Mitigating AS-level Adversaries Against Tor, 2016, NDSS.

[10] Matthew Wright et al. DeNASA: Destination-Naive AS-Awareness in Anonymous Communications, 2016, Proc. Priv. Enhancing Technol.

[11] Harsha V. Madhyastha et al. LASTor: A Low-Latency AS-Aware Tor Client, 2012, IEEE/ACM Transactions on Networking.

[12] Alex Biryukov et al. Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization, 2013, IEEE Symposium on Security and Privacy.

[13] Nick Feamster et al. Counter-RAPTOR: Safeguarding Tor Against Active Routing Attacks, 2017, IEEE Symposium on Security and Privacy (SP).

[14] George Danezis et al. Guard Sets for Onion Routing, 2015, Proc. Priv. Enhancing Technol.

[15] George Danezis et al. Statistical Disclosure or Intersection Attacks on Anonymity Systems, 2004, Information Hiding.

[16] Nick Feamster et al. Location diversity in anonymity networks, 2004, WPES '04.

[17] Aaron Roth et al. The Algorithmic Foundations of Differential Privacy, 2014, Found. Trends Theor. Comput. Sci.

[18] Prateek Mittal et al. Tempest: Temporal Dynamics in Anonymity Systems, 2018, Proc. Priv. Enhancing Technol.

[19] Micah Sherr et al. Data-plane Defenses against Routing Attacks on Tor, 2016, Proc. Priv. Enhancing Technol.

[20] Steven J. Murdoch et al. Sampled Traffic Analysis by Internet-Exchange-Level Adversaries, 2007, Privacy Enhancing Technologies.

[21] Joan Feigenbaum et al. Avoiding The Man on the Wire: Improving Tor's Security with Trust-Aware Path Selection, 2015, NDSS.

[22] Ian Goodfellow et al. Deep Learning with Differential Privacy, 2016, CCS.

[23] Aniket Kate et al. (Nothing else) MATor(s): Monitoring the Anonymity of Tor's Path Selection, 2014, IACR Cryptol. ePrint Arch.

[24] Ian Goldberg et al. Changing of the guards: a framework for understanding and improving entry guard selection in Tor, 2012, WPES '12.

[25] Nick Mathewson et al. Tor: The Second-Generation Onion Router, 2004, USENIX Security Symposium.

[26] Micah Sherr et al. Users get routed: traffic correlation on Tor by realistic adversaries, 2013, CCS.

[27] Esfandiar Mohammadi et al. Tight on Budget?: Tight Bounds for r-Fold Approximate Differential Privacy, 2018, CCS.

[28] Prateek Mittal et al. RAPTOR: Routing Attacks on Privacy in Tor, 2015, USENIX Security Symposium.