
Peek-a-Boo, I Still See You: Why Efficient Traffic Analysis Countermeasures Fail



  1. Peek-a-Boo, I Still See You: Why Efficient Traffic Analysis Countermeasures Fail. Kevin P Dyer, Portland State University. Joint work with: Scott Coull, RedJack LLC; Thomas Ristenpart, University of Wisconsin-Madison; Thomas Shrimpton, Portland State University. 1 Wednesday, May 23, 12

  2. Peek-a-Boo, I Still See You: Why Efficient Traffic Analysis Countermeasures Fail ... to prevent website fingerprinting.

  3. The client makes a single request for a webpage over an encrypted link (diagram: Client, Proxy). Attacker’s goal is to identify the webpage requested. Security intuition: only the proxy’s IP address is revealed; encryption hides everything else.

  4. But [Sun et al. ’02], [Lu et al. ’10], [Bissias et al. ’05], [Chen et al. ’10], [Liberatore and Levine ’06], [Luo et al. ’11], [Herrmann et al. ’09], [Panchenko et al. ’11], [Wright et al. ’09] show otherwise (diagram: Client, Proxy). Attacker learns: • packet timings • packet lengths • packet directions. This enables traffic analysis attacks.

  5. [Liberatore and Levine ’06] Attack Scenario. SSH-protected link between Client and Proxy. (1) Attacker knows what client software is used. (2) Attacker knows the finite universe of webpages. (3) Attacker has labeled training data. Adversary knows the universe of sites.

  6. [Liberatore and Levine ’06] Attack. SSH-protected link between Client and Proxy. k=1000 webpages. Classifier: naive Bayes over (packet direction, packet length) counts. Attacker can identify a randomly chosen webpage with 68% accuracy! Packet lengths are a damaging side-channel.

  7. Countermeasure (diagram: Client, Proxy). Example countermeasures: • Pad to MTU • Pad to random-length • “Mice-elephants” padding • Traffic Morphing [Wright et al. ’09] • SSL RFC-compliant padding [SSL 3.0 RFC ’99] • ...

  8. Countermeasure (diagram: Client, Proxy). Example countermeasures: • Pad to MTU • Pad to random-length • “Mice-elephants” padding • Traffic Morphing [Wright et al. ’09] • SSL RFC-compliant padding [SSL 3.0 RFC ’99] • ... Do these countermeasures prevent TA attacks?

  9. Prior work does not provide a clear answer. Reported accuracy by # of webpages k (axis from k=2 to k=1000), No Countermeasure / Pad to MTU: k=1000: 68% [LL] / 8% [LL].

  10. Prior work does not provide a clear answer. Reported accuracy by # of webpages k, No Countermeasure / Pad to MTU: k=1000: 68% [LL] / 8% [LL]; k=2: 98% [W] / 86% [W].

  11. Prior work does not provide a clear answer. Reported accuracy by # of webpages k, No Countermeasure / Pad to MTU: k=1000: 68% [LL] / 8% [LL]; k=775: 98% [H]; k=2: 98% [W] / 86% [W].

  12. Prior work does not provide a clear answer. Reported accuracy by # of webpages k, No Countermeasure / Pad to MTU: k=1000: 68% [LL] / 8% [LL]; k=775: 98% [H]; k=2: 98% [W] / 86% [W]. What about other values of k?

  13. Prior work does not provide a clear answer. Reported accuracy by # of webpages k, No Countermeasure / Pad to MTU: k=1000: 68% [LL] / 8% [LL]; k=775: 98% [H]; k=2: 98% [W] / 86% [W]. What about other values of k? Does the data set used impact efficacy?

  14. Prior work does not provide a clear answer. Reported accuracy by # of webpages k, No Countermeasure / Pad to MTU: k=1000: 68% [LL] / 8% [LL]; k=775: 98% [H]; k=2: 98% [W] / 86% [W]. What about other values of k? What about other classification strategies? Does the data set used impact efficacy?

  15. Prior work does not provide a clear answer. Reported accuracy by # of webpages k, No Countermeasure / Pad to MTU: k=1000: 68% [LL] / 8% [LL]; k=775: 98% [H]; k=2: 98% [W] / 86% [W]. What about other countermeasures? What about other values of k? What about other classification strategies? Does the data set used impact efficacy?

  16. Our work. (1) Comprehensive evaluation of traffic analysis countermeasures: no countermeasure works in the LL setting. (2) In-depth analysis of traffic features: coarse features (e.g., time, bandwidth) enable high-accuracy attacks despite countermeasures.

  17. Our work. (1) Comprehensive evaluation of traffic analysis countermeasures: no countermeasure works in the LL setting. (2) In-depth analysis of traffic features: coarse features (e.g., time, bandwidth) enable high-accuracy attacks despite countermeasures. Pessimistic conclusion: efficient countermeasures can’t hide “coarse” features.

  18. Our Comprehensive Analysis. 9 countermeasures: 5 padding schemes, 2 TLS/SSH “inspired” padding schemes, 2 versions of traffic morphing. 6 classifiers: [Liberatore and Levine] naive Bayes, Jaccard; [Wright et al.] naive Bayes; [Lu et al.] edit distance; [Herrmann et al.] multinomial naive-Bayes; [Panchenko et al.] support vector machine. 10 “universe” sizes: k=2,4,8,16,32,64,128,256,512,775. 2 data sets: Liberatore and Levine (2000 websites); Herrmann et al. (775 websites).

  19. The countermeasures: • Session Random 255 • Packet Random 255 • Linear Padding • Exponential Padding • Mice-Elephants Padding • Pad to MTU • Packet Random MTU • Traffic Morphing • Direct Target Sampling

  20. The countermeasures: • Session Random 255 • Packet Random 255 • Linear Padding • Exponential Padding • Mice-Elephants Padding • Pad to MTU • Packet Random MTU • Traffic Morphing • Direct Target Sampling. Callout: Every packet on the wire is padded to a fixed length.

  21. The countermeasures: • Session Random 255 • Packet Random 255 • Linear Padding • Exponential Padding • Mice-Elephants Padding • Pad to MTU • Packet Random MTU • Traffic Morphing • Direct Target Sampling. Callout: Every packet on the wire is padded to a fixed length. Callout [Wright et al. ’09]: pads packets; chops packets; sends dummy packets; mimics packet-length distributions.

  22. Some representative results. Classifier accuracy at k=512 (None / Pad to MTU / Traffic Morphing): Herrmann et al. 99% / 2% / 3%; Liberatore and Levine 97% / 41% / 17%; Panchenko et al. 96% / 82% / 81%.

  23. Some representative results. Classifier accuracy at k=512 (None / Pad to MTU / Traffic Morphing): Herrmann et al. 99% / 2% / 3%; Liberatore and Levine 97% / 41% / 17%; Panchenko et al. 96% / 82% / 81%. Callout: Best performer with no countermeasure applied.

  24. Some representative results. Classifier accuracy at k=512 (None / Pad to MTU / Traffic Morphing): Herrmann et al. 99% / 2% / 3%; Liberatore and Levine 97% / 41% / 17%; Panchenko et al. 96% / 82% / 81%. Callouts: Best performer with no countermeasure applied. Best performer with countermeasures applied.

  25. Under the hood of the [Panchenko ’11] classifier. Pad to MTU: 82% at k=512. Traffic Morphing: 81% at k=512.

  26. Under the hood of the [Panchenko ’11] classifier. Pad to MTU: 82% at k=512. Traffic Morphing: 81% at k=512. WHY? Support vector machine. Features used: • Packet lengths upstream • Packet lengths downstream • Burst bandwidth upstream • Burst bandwidth downstream • HTML marker downstream • Number markers upstream • Number markers downstream • Total bytes transmitted upstream • Total bytes transmitted downstream • Percentage of downstream packets • Total number of packets upstream • Total number of packets downstream • Occurring packet lengths downstream • Occurring packet lengths upstream

  27. Under the hood of the [Panchenko ’11] classifier. Pad to MTU: 82% at k=512. Traffic Morphing: 81% at k=512. WHY? Support vector machine. Features used: • Packet lengths upstream • Packet lengths downstream • Burst bandwidth upstream • Burst bandwidth downstream • HTML marker downstream • Number markers upstream • Number markers downstream • Total bytes transmitted upstream • Total bytes transmitted downstream • Percentage of downstream packets • Total number of packets upstream • Total number of packets downstream • Occurring packet lengths downstream • Occurring packet lengths upstream (slide overlay marks on the feature list: “X”, “?”)


  29. Digging deeper: Understanding the features. (1) Identify “coarse” feature: Time, Bandwidth, Burst Bandwidth. (2) Implement a feature-specific classifier. (3) Run classifier against all countermeasures.

  30. “Coarse” Traffic Features with Pad to MTU (None / Pad to MTU). First example: time 2.8s / 2.8s; bandwidth 277KB / 347KB; bursts 13 / 13. Second example: time 5.2s / 5.2s; bandwidth 1794KB / 2560KB; bursts 107 / 107.

  31. Feature: Time Elapsed. Useful for small values of k. “Pad to MTU”: 5% at k=512.

  32. Feature: Bandwidth. More robust to large values of k than the time classifier. Still a “coarse” measurement. “Pad to MTU”: 42% at k=512.
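
The comparison on slides 30 to 32, as an added example (not code from the talk or the paper): Pad to MTU applied to two constructed traces, showing that elapsed time and burst count are unchanged and that total bytes still separates the pages. The MTU value, the trace generator, the page names and the simplified burst definition are assumptions made for this sketch.

```python
from collections import namedtuple

MTU = 1500  # assumed link MTU in bytes
Packet = namedtuple("Packet", "time direction length")  # direction: "up" / "down"

def pad_to_mtu(trace):
    """Pad to MTU: every packet becomes MTU bytes; timing and direction are untouched."""
    return [p._replace(length=MTU) for p in trace]

def coarse_features(trace):
    """Return (elapsed seconds, total bytes, burst count) for one page load.
    Assumption: a burst is a maximal run of consecutive same-direction packets."""
    elapsed = trace[-1].time - trace[0].time
    total_bytes = sum(p.length for p in trace)
    bursts = 1 + sum(a.direction != b.direction for a, b in zip(trace, trace[1:]))
    return elapsed, total_bytes, bursts

def synth_trace(requests, responses_per_request, response_len):
    """Constructed sample data: each request is answered by a run of response packets."""
    trace, t = [], 0.0
    for _ in range(requests):
        trace.append(Packet(t, "up", 120))
        t += 0.05
        for _ in range(responses_per_request):
            trace.append(Packet(t, "down", response_len))
            t += 0.01
    return trace

def padded_profiles(pages):
    """Per-page coarse features as they look on the wire with the countermeasure on."""
    return {name: coarse_features(pad_to_mtu(tr)) for name, tr in pages.items()}

def closest_page(features, profiles):
    """Nearest profile using total bytes only, i.e. a bandwidth-only comparison."""
    return min(profiles, key=lambda name: abs(profiles[name][1] - features[1]))

PAGES = {"small_page": synth_trace(3, 4, 900), "large_page": synth_trace(20, 10, 1400)}

if __name__ == "__main__":
    profiles = padded_profiles(PAGES)
    for name, tr in PAGES.items():
        print(name, "unpadded:", coarse_features(tr), "padded:", profiles[name])
    # A later, slightly different load of each page, observed after padding.
    for visit in (synth_trace(3, 5, 700), synth_trace(18, 10, 1000)):
        print("observed load matches", closest_page(coarse_features(pad_to_mtu(visit)), profiles))
```

Padding changes the byte totals, but the gap between the two pages stays far larger than the padding overhead, which is why a bandwidth-only comparison still works.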
