Notes on papers in traffic.bib, with an eye to enumerating all the attacks, figuring out how they work, and figuring out what we don't yet know.

Hey, authors! If you happen to be reading this and I call some aspect of your paper 'vague' or 'unclear', that means that I don't understand it yet. My problem, not yours--but feel free to clarify for my benefit. ;)

======================================================================

"Traffic analysis of Continuous-time mixes"
Danezis, PET 2004, pp. 35-50

ATTACK #1: mathy. Uses known delay characteristics of mixes (expressed as a time-invariant probability distribution for delay) to compute probability distributions for how an input signal will look as it leaves a mix. Compute the maximum likelihood for output signals, given the input. Compare.

ATTACK #2: In simulation: uses a click-based simulator, a confusing background ("noise") function, a vaguely described source ("400 packets over 10000 ticks"), and an unclear comparison metric. "No attempt to model the noise."

Neat idea: If we have a full network view and we don't know whether O1 or O2 is the output, see if any of their inputs looks like the expected 2nd-to-last view of the signal.

Email George to see if he still has the code here.

There doesn't seem to be a numerical indication of results or level of success?

Target system seems to be SG-like.

======================================================================

"On Flow Correlation Attacks and Countermeasures in Mix Networks"
Zhu, Fu, Graham, Bettati, and Zhao. PET 2004, pp. 207-225.

Attack: against a mix (batch or timed). Pool mixes are mentioned but not investigated. Transform in/out streams into rates, in buckets, with each in/out pair corresponding to a mix firing. Compute similarity based on estimated mutual information OR on an FFT/wavelet transform plus a "Matched Filter Detector."

Simulation: Separate one FTP stream from one (not specified AFAICT) noise generator. Done at packet level with TCP; not totally realistic. Matched filter seems to work better.

Proposed defense: output traffic control: dummy traffic triggered by QoS issues. Doesn't seem to examine overhead.

Most crucial details are described in TR2003-8-9, which doesn't seem to be online. Asked Riccardo for a copy on 6 Dec; no link received yet.

======================================================================

"Inter-Packet Delay Based Correlation for Tracing Encrypted Connections through Stepping Stones"
Xinyuan Wang, Douglas S. Reeves, and S. Felix Wu. ESORICS 2002, pp. 244-263.

Attack: Against an ersatz low-latency anonymity network built by an attacker using chained SSH tunnels or something similar. Transform in/out streams to a correlation metric using a "metric function"; use a "correlation value function" to compare metrics. Uses inter-packet delay (IPD) as observations of streams; assumes a one-to-one correspondence between incoming and outgoing packets.

Examines multiple functions to assess correlation:
  Min/max sum ratio: take the ratio of the sum of the larger elements pairwise to the sum of the smaller elements pairwise between streams.
  Statistical correlation: take the correlation of the IPDs.
  Normalized dot product 1: X dot Y / MAX(X^2, Y^2).
  Normalized dot product 2: X dot Y / MAX(x_i,y_i)^2.
Correlation value function: a little complex.

Experiment: Build a telnet/ssh/telnet/ssh tunnel, capture traces (how many?) with a timestamp resolution of 1 usec. Filter out duplicate, retransmitted, and ack-only packets. The experiment takes multiple sets of flows and tries to match them with the different methods. Favors min/max sum.

======================================================================
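The four comparison functions listed for the Wang/Reeves/Wu paper, run over constructed IPD sequences so the numbers can be seen side by side. This is an added example written for these notes, not code from the paper; the orientation of the min/max sum (larger over smaller, as worded above) and the reading of "MAX(x_i,y_i)^2" as a per-element sum are my assumptions, and the timestamps are made up rather than captured.

```python
import math

def ipds(timestamps):
    """Inter-packet delays from a sorted list of packet timestamps."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]

def minmax_sum_ratio(x, y):
    """Sum of the pairwise larger IPDs over sum of the pairwise smaller
    ones, as the notes phrase it: 1.0 = identical, larger = less alike."""
    larger = sum(max(a, b) for a, b in zip(x, y))
    smaller = sum(min(a, b) for a, b in zip(x, y))
    return larger / smaller

def pearson(x, y):
    """Statistical (Pearson) correlation of the two IPD sequences."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = math.sqrt(sum((a - mx) ** 2 for a in x))
    sy = math.sqrt(sum((b - my) ** 2 for b in y))
    return cov / (sx * sy)

def ndp1(x, y):
    """Normalized dot product 1: X.Y / max(X.X, Y.Y)."""
    dot = sum(a * b for a, b in zip(x, y))
    return dot / max(sum(a * a for a in x), sum(b * b for b in y))

def ndp2(x, y):
    """Normalized dot product 2, read (assumption) as
    X.Y / sum over i of max(x_i, y_i)^2."""
    dot = sum(a * b for a, b in zip(x, y))
    return dot / sum(max(a, b) ** 2 for a, b in zip(x, y))

def all_metrics(x, y):
    return {"minmax": minmax_sum_ratio(x, y), "pearson": pearson(x, y),
            "ndp1": ndp1(x, y), "ndp2": ndp2(x, y)}

# Constructed packet timestamps (seconds), not captured traces.  DOWNSTREAM
# is UPSTREAM after one hop adding ~50 ms transit delay plus a few ms of
# jitter; UNRELATED is an independent connection with the same packet count.
UPSTREAM = [0.000, 0.100, 0.350, 0.400, 0.800, 0.950]
DOWNSTREAM = [0.050, 0.152, 0.398, 0.453, 0.849, 1.002]
UNRELATED = [0.000, 0.400, 0.420, 0.700, 0.720, 1.100]

if __name__ == "__main__":
    for name, other in (("downstream", DOWNSTREAM), ("unrelated", UNRELATED)):
        print(name, all_metrics(ipds(UPSTREAM), ipds(other)))
```

On these inputs every metric ranks the jittered copy of the flow as closer to UPSTREAM than the unrelated flow, which is the whole basis of the stepping-stone attack and equally of detecting it from a defender's vantage point.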