Notes on papers in traffic.bib, with an eye to enumerating all the attacks,
figuring out how they work, and figuring out what we don't yet know.
Hey, authors!
If you happen to be reading this and I call some aspect of your paper 'vague'
or 'unclear', that means that I don't understand it yet. My problem, not
yours--but feel free to clarify for my benefit. ;)
======================================================================
"Traffic analysis of Continuous-time mixes"
Danezis, PET 2004, pp. 35-50
ATTACK #1: mathy.
Uses known delay characteristics of mixes (expressed as time-invariant
probability distribution for delay) to compute probability distributions for
how an input signal will look as it leaves a mix. Compute maximum likelihood
for output signals, given input. Compare.
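Added worked example (not from the paper or these notes): the maximum-likelihood step above, for one assumed delay model. The mix delay is taken to be exponential with rate mu, the expected output signal is the input timestamp train convolved with that delay density, and each candidate output stream is scored as an inhomogeneous Poisson process under that expected rate plus a small constant background rate. The background term, the exponential model and all timestamps are constructed here; the note above records that the paper itself makes no attempt to model the noise.

```python
import math
import random
from typing import Dict, List, Tuple

def delay_pdf(d: float, mu: float) -> float:
    """Assumed time-invariant mix delay model: exponential, rate mu (mean 1/mu)."""
    return mu * math.exp(-mu * d) if d >= 0.0 else 0.0

def output_intensity(t: float, input_times: List[float], mu: float) -> float:
    """Expected rate of the target's packets leaving the mix at time t:
    the input signal (a train of arrival times) convolved with the delay pdf."""
    return sum(delay_pdf(t - a, mu) for a in input_times)

def expected_count(input_times: List[float], mu: float, horizon: float) -> float:
    """Integral of output_intensity over [0, horizon]: each input packet
    contributes the probability that its delay ends before the horizon."""
    return sum(1.0 - math.exp(-mu * (horizon - a)) for a in input_times if a <= horizon)

def log_likelihood(output_times: List[float], input_times: List[float],
                   mu: float, horizon: float, background: float) -> float:
    """Log-likelihood that output_times is the delayed input, treating the
    output as an inhomogeneous Poisson process with intensity
    output_intensity(t) + background. The constant background rate is an
    assumption of this example, not part of the paper's model."""
    if any(t < 0.0 or t > horizon for t in output_times):
        raise ValueError("output timestamps must lie within [0, horizon]")
    point_terms = sum(math.log(output_intensity(t, input_times, mu) + background)
                      for t in output_times)
    volume = expected_count(input_times, mu, horizon) + background * horizon
    return point_terms - volume

def most_likely_output(candidates: Dict[str, List[float]], input_times: List[float],
                       mu: float, horizon: float, background: float = 0.05
                       ) -> Tuple[str, Dict[str, float]]:
    """Score every candidate output stream and return the best one plus all scores.
    The volume term is the same for every candidate, so only the point terms decide."""
    scores = {name: log_likelihood(times, input_times, mu, horizon, background)
              for name, times in candidates.items()}
    return max(scores, key=scores.get), scores

# Constructed sample: a burst of five packets entering the mix, one candidate
# output built from that burst plus seeded exponential delays, and one
# unrelated candidate taken from elsewhere in the observation window.
INPUT_TIMES = [1.0, 1.4, 2.1, 2.9, 3.5]
MU = 2.0            # assumed mean mix delay of 0.5 s
HORIZON = 20.0
_rng = random.Random(7)
CANDIDATES = {
    "O1": sorted(a + _rng.expovariate(MU) for a in INPUT_TIMES),
    "O2": [12.3, 13.1, 14.7, 15.2, 16.9],
}

if __name__ == "__main__":
    best, scores = most_likely_output(CANDIDATES, INPUT_TIMES, MU, HORIZON)
    for name, score in scores.items():
        print(f"{name}: log-likelihood {score:.2f}")
    print("most likely output:", best)
```

The same scoring works for the "second-to-last view" idea below: feed the expected output of mix k as the input signal of mix k+1 and score each candidate input of O1 and O2 against it.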
ATTACK #2: In simulation: Uses click-based simulator, a confusing background
("noise") function, and a vague source "400 packets over 10000 ticks", and an
unclear comparison metric. "No attempt to model the noise."
Neat idea: If we have full network view and we don't know if O1 or O2 is the
output, see if any of their inputs looks like the expected 2nd-to-last view
of the signal.
Email George to see if he still has the code here.
There doesn't seem to be a numerical indication of results or level of
success?
Target system seems to be SG-like.
======================================================================
"On Flow Correlation Attacks and Countermeasures in Mix Networks"
- Zhu, Fu, Graham, Bettati, and Zhao.
PET 2004, pp. 207-225.
Attack: against a mix (batch or timed). Pool mixes are mentioned but not
investigated. Transform in/out streams into rates, in buckets, with each
in/out pair corresponding to a mix firing. Compute similarity based on
estimated mutual information OR on an FFT/Wavelet transform plus a "Matched
Filter Detector."
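Added worked example (mine, not the paper's code): the rate-bucketing step plus the two detectors named above, with one bucket per mix firing. Mutual information is the plug-in histogram estimate on rates quantized to three levels; the "matched filter" here is a plain zero-lag normalized cross-correlation of the two rate series, a simplification that stands in for the paper's FFT/wavelet front end. All packet timestamps are constructed.

```python
import math
from collections import Counter
from typing import Dict, List, Sequence

def bucket_rates(times: Sequence[float], bucket: float, n_buckets: int) -> List[int]:
    """Turn packet timestamps into a per-bucket packet count (a rate series)."""
    counts = [0] * n_buckets
    for t in times:
        i = int(t // bucket)
        if 0 <= i < n_buckets:
            counts[i] += 1
    return counts

def quantize(rates: Sequence[int], thresholds=(1, 3)) -> List[int]:
    """Map each rate onto a small alphabet so the histogram estimate has enough
    samples per cell: level = number of thresholds the rate reaches."""
    return [sum(1 for thr in thresholds if r >= thr) for r in rates]

def mutual_information(x: Sequence[int], y: Sequence[int]) -> float:
    """Plug-in (histogram) estimate of I(X;Y) in bits from paired samples."""
    if len(x) != len(y) or not x:
        raise ValueError("need two equal-length, non-empty series")
    n = len(x)
    px, py, pxy = Counter(x), Counter(y), Counter(zip(x, y))
    return sum((c / n) * math.log2((c / n) / ((px[a] / n) * (py[b] / n)))
               for (a, b), c in pxy.items())

def normalized_correlation(x: Sequence[int], y: Sequence[int]) -> float:
    """Zero-lag normalized cross-correlation of two rate series: a time-domain
    stand-in for the paper's transform + matched-filter detector."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    num = sum((a - mx) * (b - my) for a, b in zip(x, y))
    den = math.sqrt(sum((a - mx) ** 2 for a in x) * sum((b - my) ** 2 for b in y))
    return num / den if den > 0 else 0.0

def rank_candidates(in_times: Sequence[float], candidates: Dict[str, Sequence[float]],
                    bucket: float, n_buckets: int, thresholds=(1, 3)) -> Dict[str, Dict[str, float]]:
    """Score every candidate output stream against the input stream with both
    detectors; higher means more likely to be the same flow."""
    x = bucket_rates(in_times, bucket, n_buckets)
    qx = quantize(x, thresholds)
    results = {}
    for name, times in candidates.items():
        y = bucket_rates(times, bucket, n_buckets)
        results[name] = {
            "mutual_information": mutual_information(qx, quantize(y, thresholds)),
            "matched_filter": normalized_correlation(x, y),
        }
    return results

def times_from_counts(counts: Sequence[int], bucket: float = 1.0) -> List[float]:
    """Constructed helper: spread counts[i] packets evenly inside bucket i."""
    return [bucket * (i + (k + 1) / (c + 1)) for i, c in enumerate(counts) for k in range(c)]

# Constructed sample: one bucket per firing. O1 carries the input's bursty
# pattern with two buckets perturbed by other traffic; O2 is a steady unrelated flow.
IN_COUNTS = [3, 0, 2, 0, 3, 1, 0, 2, 3, 0, 1, 2]
O1_COUNTS = [3, 0, 2, 1, 3, 1, 0, 2, 2, 0, 1, 2]
O2_COUNTS = [1, 1, 1, 2, 1, 1, 1, 1, 2, 1, 1, 1]
BUCKET, N_BUCKETS = 1.0, 12
IN_TIMES = times_from_counts(IN_COUNTS)
CANDIDATES = {"O1": times_from_counts(O1_COUNTS), "O2": times_from_counts(O2_COUNTS)}

if __name__ == "__main__":
    for name, res in rank_candidates(IN_TIMES, CANDIDATES, BUCKET, N_BUCKETS).items():
        print(name, {k: round(v, 3) for k, v in res.items()})
```

With twelve buckets the histogram MI estimate is coarse (which is why the rates are quantized first); the paper's simulation uses far longer traces, and the overhead question for the dummy-traffic defense is not touched here.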
Simulation: Separate one FTP stream from one (not specified AFAICT) noise
generator. Done at packet level with TCP; not totally realistic.
Matched filter seems to work better.
Proposed defense: output traffic control: dummy traffic triggered by QOS
issues. Doesn't seem to examine overhead.
Most crucial details are described in TR2003-8-9, which doesn't seem to be
online. Asked Riccardo for a copy on 6 Dec; no link received yet.
======================================================================
"Inter-Packet Delay Based Correlation for Tracing Encrypted Connections
through Stepping Stones"
- Xinyuan Wang and Douglas S. Reeves and S. Felix Wu
ESORICS 2002, pp. 244-263
Attack: Against an ersatz low-latency anonymity network built by an attacker
using chained SSH tunnels or something similar. Transform in/out streams to
a correlation metric using a "metric function"; use a "correlation value
function" to compare metrics.
Uses inter-packet delay as observations of streams; assumes one-to-one
correspondence with incoming and outgoing packets.
Examines multiple functions to assess correlation: Min/max sum ratio (take
ratio of sum of larger elements pairwise to sum of smaller elements pairwise
between streams). Statistical correlation: take correlation of
IPDs. Normalized dot product 1: X dot Y / MAX(X^2, Y^2). Normalized dot
product 2: X dot Y / MAX(x_i,y_i)^2. Correlation value function: a little
complex.
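Added worked example (mine, not the authors' code): the four correlation metrics as described above, computed on inter-packet delays of an upstream and several downstream streams, with the one-to-one packet correspondence assumed by truncating both IPD sequences to the shorter one. "Normalized dot product 2" is implemented as X dot Y over the sum of max(x_i, y_i)^2, which is my reading of the note; the full "correlation value function" is not reproduced. Timestamps (seconds) are constructed: Y1 is X shifted by a tunnel delay with millisecond jitter, Y2 is an unrelated steady stream.

```python
import math
from typing import Callable, Dict, List, Sequence

def ipds(timestamps: Sequence[float]) -> List[float]:
    """Inter-packet delays of one stream (timestamps in seconds, sorted)."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]

def min_max_sum_ratio(x: Sequence[float], y: Sequence[float]) -> float:
    """Sum of the pairwise larger IPDs over the sum of the pairwise smaller ones:
    1.0 means identical streams, larger values mean a worse match."""
    smaller = sum(min(a, b) for a, b in zip(x, y))
    larger = sum(max(a, b) for a, b in zip(x, y))
    return larger / smaller if smaller > 0 else math.inf

def statistical_correlation(x: Sequence[float], y: Sequence[float]) -> float:
    """Pearson correlation coefficient of the two IPD sequences."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    num = sum((a - mx) * (b - my) for a, b in zip(x, y))
    den = math.sqrt(sum((a - mx) ** 2 for a in x) * sum((b - my) ** 2 for b in y))
    return num / den if den > 0 else 0.0

def normalized_dot_product_1(x: Sequence[float], y: Sequence[float]) -> float:
    """X dot Y / MAX(|X|^2, |Y|^2)."""
    dot = sum(a * b for a, b in zip(x, y))
    return dot / max(sum(a * a for a in x), sum(b * b for b in y))

def normalized_dot_product_2(x: Sequence[float], y: Sequence[float]) -> float:
    """X dot Y / sum_i max(x_i, y_i)^2 (this example's reading of the note)."""
    dot = sum(a * b for a, b in zip(x, y))
    return dot / sum(max(a, b) ** 2 for a, b in zip(x, y))

METRICS: Dict[str, Callable[[Sequence[float], Sequence[float]], float]] = {
    "min_max_sum_ratio": min_max_sum_ratio,
    "statistical_correlation": statistical_correlation,
    "normalized_dot_product_1": normalized_dot_product_1,
    "normalized_dot_product_2": normalized_dot_product_2,
}

def score(x_ts: Sequence[float], y_ts: Sequence[float]) -> Dict[str, float]:
    """All metrics for one candidate pair, on IPDs truncated to a common length
    (the one-to-one packet correspondence assumption)."""
    x, y = ipds(x_ts), ipds(y_ts)
    n = min(len(x), len(y))
    if n < 2:
        raise ValueError("need at least three packets per stream")
    x, y = x[:n], y[:n]
    return {name: fn(x, y) for name, fn in METRICS.items()}

def best_match(x_ts: Sequence[float], candidates: Dict[str, Sequence[float]]) -> Dict[str, str]:
    """For each metric, name the candidate stream that best matches x_ts.
    The min/max ratio is best when closest to 1.0; the others when largest."""
    scores = {name: score(x_ts, ts) for name, ts in candidates.items()}
    best = {}
    for metric in METRICS:
        if metric == "min_max_sum_ratio":
            best[metric] = min(scores, key=lambda c: abs(scores[c][metric] - 1.0))
        else:
            best[metric] = max(scores, key=lambda c: scores[c][metric])
    return best

def _cumulative(start: float, gaps: Sequence[float]) -> List[float]:
    """Constructed helper: timestamps from a start time and a list of IPDs."""
    ts = [start]
    for g in gaps:
        ts.append(ts[-1] + g)
    return ts

# Constructed sample streams (seconds).
X_TS = _cumulative(0.000000, [0.120, 0.035, 0.210, 0.050, 0.300, 0.045, 0.090])
CANDIDATES = {
    "Y1": _cumulative(0.250000, [0.123, 0.033, 0.214, 0.052, 0.296, 0.047, 0.088]),
    "Y2": _cumulative(0.100000, [0.080, 0.080, 0.085, 0.079, 0.081, 0.082, 0.080]),
}

if __name__ == "__main__":
    for name, ts in CANDIDATES.items():
        print(name, {k: round(v, 4) for k, v in score(X_TS, ts).items()})
    print("best per metric:", best_match(X_TS, CANDIDATES))
```

Real traces first need the filtering the experiment below describes (duplicate, retransmitted and ack-only packets dropped), otherwise the one-to-one correspondence the IPD comparison relies on breaks down.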
Experiment: Build a telnet/ssh/telnet/ssh tunnel, capture traces (how many?)
with timestamp resolution of 1 usec. Filter out duplicate, retransmitted,
and ack-only packets.
Experiment: take multiple sets of flows; try to match them with different
methods.
Favors min/max sum.
======================================================================