TY - GEN
T1 - On the effectiveness of traffic analysis against anonymity networks using flow records
AU - Chakravarty, Sambuddho
AU - Barbera, Marco V.
AU - Portokalidis, Georgios
AU - Polychronakis, Michalis
AU - Keromytis, Angelos D.
PY - 2014
Y1 - 2014
N2 - We investigate the feasibility of mounting a de-anonymization attack against Tor and similar low-latency anonymous communication systems by using NetFlow records. Previous research has shown that adversaries with the ability to eavesdrop in real time at a few internet exchange points can effectively monitor a significant part of the network paths from Tor nodes to destination servers. However, the capacity of current networks makes packet-level monitoring at such a scale quite challenging. We hypothesize that adversaries could use less accurate but readily available monitoring facilities, such as Cisco's NetFlow, to mount large-scale traffic analysis attacks. In this paper, we assess the feasibility and effectiveness of traffic analysis attacks against Tor using NetFlow data. We present an active traffic analysis technique based on perturbing the characteristics of user traffic at the server side, and observing a similar perturbation at the client side through statistical correlation. We evaluate the accuracy of our method using both in-lab testing and data gathered from a public Tor relay serving hundreds of users. Our method revealed the actual sources of anonymous traffic with 100% accuracy for the in-lab tests, and achieved an overall accuracy of 81.6% for the real-world experiments with a false positive rate of 5.5%.
AB - We investigate the feasibility of mounting a de-anonymization attack against Tor and similar low-latency anonymous communication systems by using NetFlow records. Previous research has shown that adversaries with the ability to eavesdrop in real time at a few internet exchange points can effectively monitor a significant part of the network paths from Tor nodes to destination servers. However, the capacity of current networks makes packet-level monitoring at such a scale quite challenging. We hypothesize that adversaries could use less accurate but readily available monitoring facilities, such as Cisco's NetFlow, to mount large-scale traffic analysis attacks. In this paper, we assess the feasibility and effectiveness of traffic analysis attacks against Tor using NetFlow data. We present an active traffic analysis technique based on perturbing the characteristics of user traffic at the server side, and observing a similar perturbation at the client side through statistical correlation. We evaluate the accuracy of our method using both in-lab testing and data gathered from a public Tor relay serving hundreds of users. Our method revealed the actual sources of anonymous traffic with 100% accuracy for the in-lab tests, and achieved an overall accuracy of 81.6% for the real-world experiments with a false positive rate of 5.5%.
UR - http://www.scopus.com/inward/record.url?scp=84958543378&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84958543378&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-04918-2_24
DO - 10.1007/978-3-319-04918-2_24
M3 - Conference contribution
AN - SCOPUS:84958543378
SN - 9783319049175
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 247
EP - 257
BT - Passive and Active Measurement - 15th International Conference, PAM 2014, Proceedings
T2 - 15th International Conference on Passive and Active Measurement, PAM 2014
Y2 - 10 March 2014 through 11 March 2014
ER -