Compromising anonymous communication systems using blind source separation

Ye Zhu, Riccardo Bettati
2009 ACM Transactions on Privacy and Security  
We propose a class of anonymity attacks on both wired and wireless anonymity networks. These attacks are based on the blind source separation algorithms widely used in statistical signal processing to recover individual signals from mixtures of signals. Since the philosophy behind the design of current anonymity networks is to mix traffic or to hide in crowds, the proposed anonymity attacks are very effective. The flow separation attack proposed for wired anonymity networks can separate the traffic in a mix network. Our experiments show that this attack is effective and scalable. By combining the flow separation method with frequency spectrum matching, a passive attacker can derive the traffic map of the mix network. We use a non-trivial network to show that the combined attack works. The proposed anonymity attacks for wireless networks can identify nodes in fully anonymized wireless networks using collections of very simple sensors. Based on time series of counts of anonymous packets provided by the sensors, we estimate the number of nodes using Principal Component Analysis. We then proceed to separate the collected packet data into traffic flows that, with the help of the spatial diversity in the available sensors, can be used to estimate the location of the wireless nodes. Our simulation experiments indicate that the estimators show high accuracy and high confidence for anonymized TCP traffic. Additional experiments indicate that the estimators perform very well in anonymous wireless networks that use traffic padding.

We analyze the effect of multicast/broadcast traffic on the flow separation attack. Contrary to intuition, our analysis and experiments show that the presence of multicast/broadcast traffic significantly helps the attacker to separate the flows more precisely. We discuss the possible use of flow separation attacks in other anonymity network settings and the pros and cons of countermeasures.

Location Privacy Attack on Wireless Anonymous Communication Networks

With the increasing popularity of 802.11-style wireless networks (WLANs), both in infrastructure and in ad-hoc mode, location privacy issues in such networks, and in ubiquitous computing environments in general, have received great attention. Much recent work has focused on the identification of location privacy risks associated with the use of WLANs and on the implications of weak location privacy (e.g., [Cuellar et al. 2004]).
Locating a node in a wireless network typically requires first identifying the node (associating some identifier with the node, without necessarily disclosing the identity of the node's user) before proceeding to the geographic location proper. In densely populated networks, node location is difficult without prior identification, since it is impossible to properly attribute traffic to nodes and so to keep the nodes apart. In sparsely populated networks, the identification step is trivial and can be skipped altogether. A number of schemes exist to prevent simple node identification at the MAC layer or above through appropriate encryption and the use of one-time MAC addresses [Gruteser and Grunwald 2003] or broadcast-only communication [Kong and Hong 2003]. More sophisticated node identification approaches rely on interactions with services and access points [Beresford and Stajano 2003] and may be countered by schemes such as path perturbation [Hoh and Gruteser 2005], in which nodes report appropriately modified locations whenever they are close to other nodes, with the goal of confusing the location tracker. Once nodes have been identified, the location proper can be performed with the help of propagation analysis [Castro et al. 2001], directional information [Malhotra et al. 2005], or signal strength analysis [Bahl and Padmanabhan 2000]. A system that counters signal-strength-based location through manipulation of the sender's signal strength is described in [Cai et al. 2005]. Appropriate pre-conditioning of collected traffic data using flow separation allows an attacker to compromise location privacy in a densely populated, perfectly anonymized wireless network.
The traffic data could be collected by very simple sensors, which only need to monitor packets at the MAC level or above, do not require directional capabilities, do not need to distinguish packets or relate network packets to senders or receivers, only require coarse time synchronization support, and require only low-bandwidth links for inter-sensor communication. (We do not need support for signal-strength measurement on the sensors either.) Such collections of sensors could be realized by a number of WLAN users that collude and exchange information, or by a separate infrastructure of sensor nodes, such as a sensor network. Given these limited capabilities, we use the sensors to count packets over intervals of a given length and to forward the resulting time series of packet counts to a central location for analysis. No information is available about how many nodes are present and sending in the area, and the anonymity measures in the WLAN prevent the sensors from distinguishing packets sent from different nodes. Our experimental evaluations using a widely accepted packet-level network sim-
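The node-count estimation step described above (sensors count anonymous packets per interval; Principal Component Analysis on the covariance of the sensor time series gives the number of active senders), as an added example that is not the authors' code: the five-sensor/three-node coverage layout, the per-node packet rates and the 2% per-sensor packet-loss rate are constructed, and the eigen-solver is a plain Jacobi routine so the block needs no NumPy. It shows why anonymizing packet contents and addresses alone does not hide how many nodes are transmitting.

```python
import math
import random

# Sensor s hears node k when COVERAGE[s][k] == 1 (constructed 5-sensor, 3-node layout).
COVERAGE = [[1, 0, 0], [0, 1, 0], [0, 0, 1], [1, 1, 0], [0, 1, 1]]

def simulate_sensor_counts(n_intervals=300, loss=0.02, seed=7):
    # Constructed data: each node emits gauss(mean, std) packets per interval; a sensor
    # counts the packets of every node it covers, independently missing a fraction `loss`.
    rng = random.Random(seed)
    rates = [(60, 10), (80, 14), (100, 18)]  # (mean, std) packets per interval, per node
    nodes = [[max(0, round(rng.gauss(m, s))) for _ in range(n_intervals)] for m, s in rates]
    def heard(count):  # packets a sensor actually logs out of `count` sent
        return sum(1 for _ in range(count) if rng.random() >= loss)
    return [[sum(heard(nodes[k][t]) for k in range(len(rates)) if cov[k])
             for t in range(n_intervals)] for cov in COVERAGE]

def covariance(series):
    # Sample covariance of the sensor time series (one row per sensor).
    n, m = len(series[0]), len(series)
    mean = [sum(r) / n for r in series]
    return [[sum((series[i][t] - mean[i]) * (series[j][t] - mean[j]) for t in range(n)) / (n - 1)
             for j in range(m)] for i in range(m)]

def sym_eigenvalues(mat, sweeps=30):
    # Eigenvalues of a small symmetric matrix via cyclic Jacobi rotations (pure Python,
    # so no NumPy dependency); 30 sweeps is ample for a handful of sensors.
    a = [row[:] for row in mat]
    n = len(a)
    for _ in range(sweeps):
        for p in range(n - 1):
            for q in range(p + 1, n):
                if a[p][q] == 0.0:
                    continue
                theta = (a[q][q] - a[p][p]) / (2 * a[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.hypot(theta, 1.0))
                c = 1 / math.hypot(t, 1.0)
                s = t * c
                for k in range(n):  # A <- A J (rotate columns p, q)
                    a[k][p], a[k][q] = c * a[k][p] - s * a[k][q], s * a[k][p] + c * a[k][q]
                for k in range(n):  # A <- J^T A (rotate rows p, q)
                    a[p][k], a[q][k] = c * a[p][k] - s * a[q][k], s * a[p][k] + c * a[q][k]
    return sorted((a[i][i] for i in range(n)), reverse=True)

def estimate_node_count(sensor_series, rel_threshold=0.05):
    # PCA step from the paper: eigenvalues of the sensor covariance well above the noise
    # floor (here > 5% of the largest) each correspond to one independent sender.
    eig = sym_eigenvalues(covariance(sensor_series))
    return sum(1 for e in eig if e > rel_threshold * eig[0])

if __name__ == "__main__":
    print("estimated active nodes:", estimate_node_count(simulate_sensor_counts()))
```

With more sensors than nodes, the covariance has exactly as many large eigenvalues as there are independent senders; the remaining eigenvalues only carry the per-sensor loss noise.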
doi:10.1145/1609956.1609964