Towards Measuring Resilience in Anonymous Communication Networks
Proceedings of the 14th ACM Workshop on Privacy in the Electronic Society - WPES '15
Most prior work on anonymous communications has focused, to a large extent, on achieving, measuring, and attacking anonymity properties. There are, however, several other properties of importance in anonymous communication networks, such as their performance and their robustness to denial of service attacks, that have received less scrutiny. To our knowledge, no practical measure of the resilience of an anonymous communication network against active attackers has yet been proposed. In this work
... we propose a metric for quantifying the resilience of anonymous communication networks towards active adversaries with the power to disable selected nodes. differ from standard communication networks in several respects, notably a different network topology, randomized routing policies, and, typically, higher latency and lower overall bandwidth. Thus a new metric is needed. Existing anonymity metrics [7, 8] are of limited practical use for low-latency anonymous communication networks, as their security is typically evaluated towards nonglobal adversaries  . Anonymity is however not the focus of this work; see  for an overview. This paper introduces a new, practical metric for measuring the resilience of anonymous communication networks to active attacks. Our metric takes into account the different features and constraints of anonymous routing policies. Because of the randomization involved in routing policies, it makes sense to measure resilience in terms of the expected quality of communications. We are specifically concerned with measuring resilience against active adversaries aiming to degrade as much as possible the expected quality of service. We model this by considering an adversary that has the capability to take down a set of nodes of his choosing. We conceive three attack strategies. The first strategy (naive approach) is simply to target nodes with the highest bandwidth. Because the criticality of a node depends not only on its bandwidth but also on routing policy constraints, this strategy is not necessarily optimal. We consider two further strategies (greedy approach and optimal approach), which require more computational effort but optimize the attack taking into account the routing policy. Although we ignore the effects of natural network failures, they could easily be encompassed in our metric. The paper is organized as follows. In Section 2 we describe the workings of anonymous communication networks and discuss existing metrics for measuring resilience. In Section 3 we introduce our notion of resilience for anonymous communication networks. Section 4 details the methodology followed to experimentally measure the resilience of a sample node set from the Tor network.