Journal Home > Volume 22 , Issue 6


An Active De-anonymizing Attack Against Tor Web Traffic

Ming Yang, Xiaodan Gu, Zhen Ling, Changxin Yin, Junzhou Luo
School of Computer Science and Engineering, Southeast University, Nanjing 211189, China.

Abstract

Tor is pervasively used to conceal the websites that users are visiting. A de-anonymization technique against Tor, referred to as the website fingerprinting attack, aims to infer the websites accessed by Tor clients by passively analyzing the patterns of encrypted traffic at the Tor client side. However, HTTP pipelining and Tor circuit multiplexing can reduce the accuracy of the attack by mixing the traffic that carries different web objects in a single TCP connection. In this paper, we propose a novel active website fingerprinting attack that identifies and delays HTTP requests at the first-hop Tor node. This separates the traffic that carries distinct web objects and yields a more distinguishable traffic pattern. To this end, two algorithms, based on statistical analysis and objective function optimization, are proposed to construct a general packet delay scheme. We evaluate our active attack against Tor in empirical experiments and obtain a highest accuracy of 98.64%, compared with 85.95% for the passive attack. We also perform experiments in the open-world scenario. When the parameter k of the k-NN classifier is set to 5, we obtain a true positive rate of 90.96% with a false positive rate of 3.9%.

Keywords: traffic analysis, active website fingerprinting, anonymous communication, Tor


Publication history

Received: 17 July 2017
Accepted: 26 July 2017
Published: 14 December 2017
Issue date: December 2017

Copyright

© The author(s) 2017

Acknowledgements

This work was partially supported by the National Key R&D Program of China (No. 2017YFB1003000); the National Natural Science Foundation of China (Nos. 61572130, 61320106007, 61632008, 61502100, 61532013, and 61402104); the Jiangsu Provincial Natural Science Foundation (No. BK20150637); the Jiangsu Provincial Key Technology R&D Program (No. BE2014603); the Qing Lan Project of Jiangsu Province; the Jiangsu Provincial Key Laboratory of Network and Information Security (No. BM2003201); and the Key Laboratory of Computer Network and Information Integration of the Ministry of Education of China (No. 93K-9).
