
Anti-misbehavior System for Tor Network

Xin Liu (Dept. of Comput. Sci. & Technol., East China Normal Univ., Shanghai, China), Neng Wang. Fifth International Joint Conference on INC, IMS and IDC (NCM '09), 25-27 Aug. 2009, pp. 257-261. DOI: 10.1109/NCM.2009.205.

ABSTRACT
Tor is the second-generation onion router, supporting the anonymous transport of TCP streams over the Internet. Tor has become the most successful public anonymity communication service on the Internet, and has more than one thousand relay nodes and thousands of users. In this paper, we investigate Tor's current exit policies and find some insufficiencies. Based on the investigation we propose an anti-misbehavior system. The system includes two blacklists, a global blacklist and a local blacklist, and three protocols: a reporting misbehavior protocol, a building global blacklist protocol and a blocking misbehavior users protocol. The reporting misbehavior protocol describes how to report misbehavior from the exit node to the entry node and how to build the local blacklist. The building global blacklist protocol describes how to build the global blacklist and how to distribute it to every Tor node. The blocking misbehavior users protocol describes how the entry node blocks misbehaving users. In addition we also present an evaluation of the system in terms of user experience, performance and anonymity. Through our evaluation, we think the anti-misbehavior system can provide a better user experience to both Tor users and Tor node administrators; better anti-misbehavior performance; the same transmission performance level as exit policies; and the same anonymity level as exit policies for legitimate Tor users.

Formalizing Anonymous Blacklisting Systems


R. Henry (Cheriton Sch. of Comput. Sci., Univ. of Waterloo, Waterloo, ON, Canada), I. Goldberg. 2011 IEEE Symposium on Security and Privacy (SP), 22-25 May 2011, pp. 81-95.

Anonymous communications networks, such as Tor, help to solve the real and important problem of enabling users to communicate privately over the Internet. However, in doing so, anonymous communications networks introduce an entirely new problem for the service providers (such as websites, IRC networks or mail servers) with which these users interact: in particular, since all anonymous users look alike, there is no way for the service providers to hold individual misbehaving anonymous users accountable for their actions. Recent research efforts have focused on using anonymous blacklisting systems (which are sometimes called anonymous revocation systems) to empower service providers with the ability to revoke access from abusive anonymous users. In contrast to revocable anonymity systems, which enable some trusted third party to deanonymize users, anonymous blacklisting systems provide users with a way to authenticate anonymously with a service provider, while enabling the service provider to revoke access from any users that misbehave, without revealing their identities. In this paper, we introduce the anonymous blacklisting problem and survey the literature on anonymous blacklisting systems, comparing and contrasting the architecture of various existing schemes, and discussing the tradeoffs inherent in each design. The literature on anonymous blacklisting systems lacks a unified set of definitions; each scheme operates under different trust assumptions and provides different security and privacy guarantees. Therefore, before we discuss the existing approaches in detail, we first propose a formal definition for anonymous blacklisting systems, and a set of security and privacy properties that these systems should possess. We also outline a set of new performance requirements that anonymous blacklisting systems should satisfy to maximize their potential for real-world adoption, and give formal definitions for several optional features already supported by some schemes in the literature.

Digging into Anonymous Traffic: A Deep Analysis of the Tor Anonymizing Network
A. Chaabane (INRIA Rhone-Alpes, Grenoble, France), P. Manils, M.A. Kaafar. 2010 4th International Conference on Network and System Security (NSS), 1-3 Sept. 2010, pp. 167-174.

Users' anonymity and privacy are among the major concerns of today's Internet. Anonymizing networks are thus poised to become an important service to support anonymity-driven Internet communications and consequently enhance users' privacy protection. Indeed, Tor, an example of an anonymizing network based on the onion routing concept, attracts more and more volunteers, and is now popular among tens of thousands of Internet users. Surprisingly, very little research has shed light on such an anonymizing network. Beyond providing global statistics on the typical usage of Tor in the wild, we show that Tor is actually being misused, as most of the observed traffic belongs to P2P applications. In particular, we quantify the BitTorrent traffic and show that the load of the latter on the Tor network is underestimated because of encrypted BitTorrent traffic (that can go unnoticed). Furthermore, this paper provides a deep analysis of both the HTTP and BitTorrent protocols, giving a complete overview of their usage. We do not only report such usage in terms of traffic size and number of connections but also depict how users behave on top of Tor. We also show that Tor usage is now diverted from the onion routing concept and that Tor exit nodes are frequently used as 1-hop SOCKS proxies, through a so-called tunneling technique. We provide an efficient method allowing an exit node to detect such abnormal usage. Finally, we report our experience in effectively crawling bridge nodes, supposedly revealed sparingly in Tor.

Anonymizing Social Network Using Bipartite Graph


Lihui Lan (Comput. Sci. Sch., JiangSu Univ., Zhenjiang, China), Shiguang Ju, Hua Jin. 2010 International Conference on Computational and Information Sciences (ICCIS), 17-19 Dec. 2010, pp. 993-996.

ABSTRACT
Social network applications have become popular for sharing information. Social network data usually contain users' private information, so privacy preservation technologies should be exercised to protect social networks against various privacy leakages and attacks. In this paper, we give an approach for anonymizing social networks which can be represented as bipartite graphs. We propose automorphism publication to protect against multiple structural attacks and develop a BKM algorithm. We perform experiments on bipartite graph data to study the utility and information loss measure.

De-Anonymizing Dynamic Social Networks


Xuan Ding, Lan Zhang, Zhiguo Wan, Ming Gu. 2011 IEEE Global Telecommunications Conference (GLOBECOM 2011), 2011, pp. 1-6. DOI: 10.1109/GLOCOM.2011.6133607.

Online social network data are increasingly made publicly available to third parties. Recent studies show that it is possible to recover sensitive information from the released data, and several anonymization techniques have been proposed to protect individual privacy. However, most of the existing defenses have focused on "one-time" releases and do not take into consideration the republication of dynamic social network data. Re-publishing data periodically is a natural result of social network evolution and an emerging requirement of dynamic social network analysis. In this paper, we show that by utilizing correlations between sequential releases, the adversary can achieve high precision in de-anonymization of the released data, suppressing the uncertainty of re-identifying each release separately and synthesizing the results afterwards. Besides, we combine structural knowledge with node attributes to compromise graph-modification-based defenses. With experiments on real data, this work is the first to demonstrate the feasibility of de-anonymizing dynamic social networks and should arouse concern for future work on privacy preservation in social network data publishing.

De-anonymizing Social Networks


A. Narayanan, V. Shmatikov. 2009 30th IEEE Symposium on Security and Privacy, 2009, pp. 173-187. DOI: 10.1109/SP.2009.22. Cited by: 12.

Operators of online social networks are increasingly sharing potentially sensitive information about users and their relationships with advertisers, application developers, and data-mining researchers. Privacy is typically protected by anonymization, i.e., removing names, addresses, etc. We present a framework for analyzing privacy and anonymity in social networks and develop a new re-identification algorithm targeting anonymized social-network graphs. To demonstrate its effectiveness on real-world networks, we show that a third of the users who can be verified to have accounts on both Twitter, a popular microblogging service, and Flickr, an online photo-sharing site, can be re-identified in the anonymous Twitter graph with only a 12% error rate. Our de-anonymization algorithm is based purely on the network topology, does not require creation of a large number of dummy "sybil" nodes, is robust to noise and all existing defenses, and works even when the overlap between the target network and the adversary's auxiliary information is small.

Anonymizing Network Addresses Based on Clustering Subnets


Yi Tang, Yuanyuan Wu. 2010 International Conference on Internet Technology and Applications, 2010, pp. 1-4. DOI: 10.1109/ITAPP.2010.5566245.

The network trace is a kind of fundamental data for networking research. To preserve the privacy hidden in those traces, they must be sanitized before publishing them publicly. Many of the sanitization efforts are focused on anonymizing internal network addresses. In this paper, we propose a subnet-clustering based method to anonymize addresses. We adopt different strategies to anonymize different parts of the address. The network part is anonymized by a prefix-preserving anonymization method, the subnet part is generalized by clustering based on a predefined set of port numbers, and the host address is randomized. We also propose a measure based on information entropy to measure the degree of privacy preserved in anonymized addresses and develop an entropy-guided algorithm to search the subnet clusters.

AASC: Anonymizing network addresses based on subnet clustering


Yi Tang, Yuanyuan Wu, Quan Zhou. 2010 IEEE International Conference on Wireless Communications, Networking and Information Security (WCNIS), 2010, pp. 672-676. DOI: 10.1109/WCINS.2010.5541864.

The network packet trace dataset plays an important role in networking research. Publishing those traces publicly raises the problem of how to protect the providers' sensitive privacy, especially the internal IP addresses. In this paper, we propose a subnet-clustering based method, AASC, to anonymize those internal addresses. According to AASC, the three parts of a whole IP address are anonymized by different methods. The network part is anonymized by a prefix-preserving anonymization method, the subnet part is generalized by clustering based on a predefined set of port numbers, and the host address is randomized. We also define two entropy-based metrics, the simple measure and the co-existence measure, to measure the degree of privacy preserved in anonymized addresses. The defined metrics can reflect some dependencies among trace records. We develop a local-search based, measure-guided algorithm to search for subnet clusters with more utility. We have conducted some experiments to validate our proposed method.

The Challenges of Effectively Anonymizing Network Data


S.E. Coull, F. Monrose, M.K. Reiter, M. Bailey. Cybersecurity Applications & Technology Conference for Homeland Security (CATCH '09), 2009, pp. 230-236. DOI: 10.1109/CATCH.2009.27. Cited by: 3.

The uncertainties that currently exist about the efficacy of network data anonymization, from both technical and policy perspectives, leave the research community in a vulnerable position. Even as the field marches forward, it does so with little understanding of the implications of publishing anonymized network data on the privacy of the networks being monitored and the utility to researchers. Without that understanding, data publishers are left to wonder what fields must be anonymized to avoid legal fallout, while researchers question the confidence of results gained from the data. However, the extensive work done on micro-data anonymity provides the network research community with several useful insights about how to effectively apply anonymization to published data. At the same time, prior wisdom cannot be applied directly without first overcoming several challenges, including the development of appropriate privacy and utility definitions for the more complex case of network data. Addressing these challenges is essential, in our view, to ensure the continued, yet responsible, availability of network trace data to support security research.

Anonymizing Path Nodes in Social Network


Wenlue Song, Yan Zhang, Wenyang Bai. 2010 2nd International Workshop on Database Technology and Applications (DBTA), 2010, pp. 1-4. DOI: 10.1109/DBTA.2010.5658931.

Recently, social network privacy has become a hot issue in the field of privacy. We are concerned with the path nodes in a social network. With knowledge of the two endpoints of a path, the adversary can attack the privacy of the nodes on this path. In this paper, we define the adversary's background knowledge, propose an anonymity model, and propose the PN-Anonymity algorithm to adjust paths. Experimental results show that our algorithms can make the path nodes anonymous, and that information loss can be well controlled to ensure the availability of information.

General-purpose Identity Hiding Schemes for Ad-hoc Networks


Shushan Zhao (Sch. of Comput. Sci., Univ. of Windsor, Windsor, ON, Canada), A. Aggarwal. 2009 International Symposium on Intelligent Ubiquitous Computing and Education, 15-16 May 2009, pp. 349-352.

ABSTRACT
Identity disclosure is a security and privacy concern in mobile ad-hoc networks. Previous proposals suggest using anonymous routing protocols. These solutions are limited to certain routing protocols, and cannot be applied to higher layers. In this paper, we propose the requirements of a general-purpose identity hiding scheme, and present schemes based on popular cryptosystems: AES, RSA, and ElGamal. These schemes can be applied in the network layer and above. These schemes also overcome the following drawbacks of previous anonymous routing protocols: pair-wise keys, and large numbers of pseudonyms. Hence, the proposed schemes are more efficient and applicable.

Waiting for Anonymity: Understanding Delays in the Tor Overlay


P. Dhungel (Polytech. Inst. of NYU, Brooklyn, NY, USA), M. Steiner, I. Rimac, V. Hilt, K.W. Ross. 2010 IEEE Tenth International Conference on Peer-to-Peer Computing (P2P), 25-27 Aug. 2010, pp. 1-4.

ABSTRACT
Although Tor is the most widely used overlay for providing anonymity services, its users often experience very high delays. Because much of Tor usage is for Web applications, which are sensitive to latency, it is critical to reduce delays in Tor. To take an important step in this direction, we seek an in-depth understanding of delays in Tor. By taking snapshots of the entire Tor network within a short time window, we are able to study the delay distribution of the entire router population. We also monitor delays introduced by individual Tor routers over extended periods of time. Our results indicate that apart from delays introduced by routers, overlay network latency also plays a significant role in delays in Tor. We have also observed that at any time, there exist huge differences in the delays introduced by different routers. Our results reveal key performance characteristics of Tor system behavior and provide valuable insights for improving Tor performance.

Tor Is Unfair: And What to Do about It


F. Tschorsch (Telematics Group, Univ. of Wurzburg, Wurzburg, Germany), B. Scheuermann. 2011 IEEE 36th Conference on Local Computer Networks (LCN), 4-7 Oct. 2011, pp. 432-440.

ABSTRACT
Tor is one of the most popular network anonymization services. With increasing popularity, however, Tor is also faced with increasing load. Mechanisms for handling congestion and fairness in anonymization networks, where user privacy is of greatest significance, are not yet well understood. Thus current designs leave a lot to be desired: gross unfairness and largely suboptimal performance can be observed. In this paper, we focus on fairness aspects in the Tor network. We first show that interactions of multiple scheduling mechanisms in the current Tor design cause heavily unfair resource allocations to users. Subsequently, we develop a fairness model based on max-min fairness that takes the specifics of Tor into account. This leads us to a re-design of Tor's scheduling. We implement the new design in conjunction with a congestion feedback mechanism named N23, which has recently been proposed for use in Tor. Our scheduling approach overcomes the unfairness problems exhibited by today's Tor implementation, and by Tor with N23 as well. It achieves global max-min fairness and thus a fair resource allocation despite selfish end-users.


LASTor: A Low-Latency AS-Aware Tor Client


Masoud Akhoondi, Curtis Yu, Harsha V. Madhyastha. 2012 IEEE Symposium on Security and Privacy (SP), 20-23 May 2012, pp. 476-490.

ABSTRACT
The widely used Tor anonymity network is designed to enable low-latency anonymous communication. However, in practice, interactive communication on Tor (which accounts for over 90% of connections in the Tor network [1]) incurs latencies over 5x greater than on the direct Internet path. In addition, since path selection to establish a circuit in Tor is oblivious to Internet routing, anonymity guarantees can break down in cases where an autonomous system (AS) can correlate traffic across the entry and exit segments of a circuit. In this paper, we show that both of these shortcomings in Tor can be addressed with only client-side modifications, i.e., without requiring a revamp of the entire Tor architecture. To this end, we design and implement a new Tor client, LASTor. First, we show that LASTor can deliver significant latency gains over the default Tor client by simply accounting for the inferred locations of Tor relays while choosing paths. Second, since the preference for low-latency paths reduces the entropy of path selection, we design LASTor's path selection algorithm to be tunable. A user can choose an appropriate tradeoff between latency and anonymity by specifying a value between 0 (lowest latency) and 1 (highest anonymity) for a single parameter. Lastly, we develop an efficient and accurate algorithm to identify paths on which an AS can correlate traffic between the entry and exit segments. This algorithm enables LASTor to avoid such paths and improve a user's anonymity, while the low runtime of the algorithm ensures that the impact on end-to-end latency of communication is low. By applying our techniques to measurements of real Internet paths and by using LASTor to visit the top 200 websites from several geographically distributed end-hosts, we show that, in comparison to the default Tor client, LASTor reduces median latencies by 25% while also reducing the false negative rate of not detecting a potential snooping AS from 57% to 11%.

Protecting TOR exit nodes from abuse


Stjepan Gros (Faculty of Electrical and Computing Engineering, University of Zagreb, Unska bb, 10000, Croatia), Marko Salkic, Ivan Sipka. MIPRO 2010, Proceedings of the 33rd International Convention, 24-28 May 2010, pp. 1246-1249.

ABSTRACT
TOR is a mechanism and a network that allows anonymous use of resources on the Internet. This is very useful in countries with restricted human rights, but also in all the cases where someone has concerns about being watched or otherwise tracked. The main building blocks of the TOR network are TOR nodes that relay traffic in such a way that each node knows only the previous and next nodes. A special case is the exit nodes, which finally deliver traffic to its intended destination but do not know from whom the traffic originates. All the TOR nodes are run by volunteers throughout the Internet. It turns out that the TOR network is heavily misused, and thus it is dangerous to run TOR exit nodes, as all the misuse of the network appears to be done from the exit nodes, which could bring trouble to their owners. In this paper we analyse misuse of TOR exit nodes and also propose mechanisms that could minimize, or even eliminate, misuse. More specifically, we analyse use of the Honeywall to protect a TOR exit node.

Extensive analysis and large-scale empirical evaluation of tor bridge discovery


Zhen Ling, Junzhou Luo, Wei Yu, Ming Yang, Xinwen Fu. INFOCOM 2012, Proceedings IEEE, 2012, pp. 2381-2389. DOI: 10.1109/INFCOM.2012.6195627.

Tor is a well-known low-latency anonymous communication system that is able to bypass Internet censorship. However, publicly announced Tor routers are being blocked by various parties. To counter the censorship blocking, Tor introduced non-public bridges as the first-hop relay into its core network. In this paper, we analyzed the effectiveness of two categories of bridge-discovery approaches: (i) enumerating bridges from bridge https and email servers, and (ii) inferring bridges by malicious Tor middle routers. Large-scale experiments were conducted and validated our theoretical findings. We discovered 2365 Tor bridges through the two enumeration approaches and 2369 bridges by only one Tor middle router in 14 days. Our study shows that bridge discovery based on malicious middle routers is simple, efficient and effective at discovering bridges with little overhead. We also discussed mechanisms to counter malicious bridge discovery.

Design Improvement for Tor against Low-Cost Traffic Attack and Low-Resource Routing Attack
Liu Xin, Wang Neng. WRI International Conference on Communications and Mobile Computing (CMC '09), 2009, vol. 3, pp. 549-554. DOI: 10.1109/CMC.2009.18.

Tor is the second-generation onion router, supporting the anonymous transport of TCP streams over the Internet. Its low latency makes it very suitable for common Internet communication applications, so Tor has become the most successful public anonymity communication service on the Internet. In this paper, we investigate Tor design weaknesses. An adversary can use these weaknesses to attack the Tor network, for example with the low-cost traffic attack, the low-resource routing attack and so on. Based on the investigation we propose tuning mechanisms to overcome the above-mentioned problems. The tuning mechanisms include establishing an evaluation system and optimizing the Tor node store and output mode. In addition we also present a theoretical analysis of the tuning mechanisms in terms of anonymity and performance. Through our theoretical analysis, we think that with our tuning mechanisms we can promote Tor network anonymity dramatically, and promote Tor network overall performance to some extent.

Identifying Proxy Nodes in a Tor Anonymization Circuit


S. Chakravarty, A. Stavrou, A.D. Keromytis. 2008 IEEE International Conference on Signal Image Technology and Internet Based Systems (SITIS '08), 2008, pp. 633-639. DOI: 10.1109/SITIS.2008.93. Cited by: 2.

We present a novel, practical, and effective mechanism that exposes the identity of Tor relays participating in a given circuit. Such an attack can be used by malicious or compromised nodes to identify the rest of the circuit, or as the first step in a follow-on trace-back attack. Our intuition is that by modulating the bandwidth of an anonymous connection (e.g. when the destination server, its router, or an entry point is under our control), we create observable fluctuations that propagate through the Tor network and the Internet to the end-user's host. To that end, we employ LinkWidth, a novel bandwidth-estimation technique. LinkWidth enables network edge-attached entities to estimate the available bandwidth on an arbitrary Internet link without a cooperating peer host, router, or ISP. Our approach also does not require compromise of any Tor nodes. In a series of experiments against the Tor network, we show that we can accurately identify the network location of most participating Tor relays.

Effective Attacks in the Tor Authentication Protocol


Yang Zhang. 2009 Third International Conference on Network and System Security (NSS '09), 2009, pp. 81-86. DOI: 10.1109/NSS.2009.94.

As an anonymous Internet communication system, Tor is popular and famous, being used by lots of users. The security of Tor is based on its authentication protocol. Although the Tor authentication protocol has been proved secure, this paper discovers a security vulnerability through its concurrency analysis, and shows that it cannot be securely executed by multiple concurrent sessions. A new session-key exchange protocol for Tor is proposed to dispose of the security vulnerability, where a modular method is adopted to design a secure key exchange protocol in the real world. Finally, the proposed protocol is proved secure in the UC (universally composable) model, which defines conditions for a protocol to securely compose with other protocols in a concurrent environment.

A New Cell-Counting-Based Attack Against Tor


Z. Ling, J. Luo, W. Yu, X. Fu, D. Xuan, W. Jia. IEEE/ACM Transactions on Networking, vol. PP, no. 99 (early access), 2012, p. 1. DOI: 10.1109/TNET.2011.2178036.

Various low-latency anonymous communication systems such as Tor and Anonymizer have been designed to provide anonymity services for users. In order to hide the communication of users, most of the anonymity systems pack the application data into equal-sized cells (e.g., 512 B for Tor, a known real-world, circuit-based, low-latency anonymous communication network). Via extensive experiments on Tor, we found that the size of IP packets in the Tor network can be very dynamic, because a cell is an application concept and the IP layer may repack cells. Based on this finding, we investigate a new cell-counting-based attack against Tor, which allows the attacker to confirm the anonymous communication relationship among users very quickly. In this attack, by marginally varying the number of cells in the target traffic at the malicious exit onion router, the attacker can embed a secret signal into the variation of the cell count of the target traffic. The embedded signal will be carried along with the target traffic and arrive at the malicious entry onion router. Then, an accomplice of the attacker at the malicious entry onion router will detect the embedded signal based on the received cells and confirm the communication relationship among users. We have implemented this attack against Tor, and our experimental data validate its feasibility and effectiveness. There are several unique features of this attack. First, this attack is highly efficient and can confirm very short communication sessions with only tens of cells. Second, this attack is effective, and its detection rate approaches 100% with a very low false positive rate. Third, it is possible to implement the attack in a way that appears to be very difficult for honest participants to detect (e.g., using our hopping-based signal embedding).

Equal-Sized Cells Mean Equal-Sized Packets in Tor?


Zhen Ling, Junzhou Luo, Wei Yu, Xinwen Fu. 2011 IEEE International Conference on Communications (ICC), 2011, pp. 1-6. DOI: 10.1109/icc.2011.5962653. Cited by: 1.

Tor is a well-known low-latency anonymous communication system. To prevent traffic analysis attacks, Tor packs application data into equal-sized cells. However, we found that equal-sized cells at the application layer do not necessarily produce equal-sized packets at the network layer. Therefore, we introduced a packet-size-based attack that compromises Tor's communication anonymity without needing to control Tor routers. An attacker can manipulate the size of packets between a web site and an exit onion router and embed a signal into the target traffic. An accomplice at the user side can sniff the traffic and recognize this signal. To cope with the signal distortion incurred by Tor and the Internet, we developed an effective signal recovery mechanism. Our real-world experiments validate the effectiveness of our attack against Tor. Our work demonstrates the need to re-consider the issue of padding anonymous communication data to equal sizes.

A novel flow multiplication attack against Tor

Xiaogang Wang; Junzhou Luo; Ming Yang; Zhen Ling Computer Supported Cooperative Work in Design, 2009. CSCWD 2009. 13th International Conference on Digital Object Identifier: 10.1109/CSCWD.2009.4968138 Publication Year: 2009 , Page(s): 686 - 691 IEEE CONFERENCE PUBLICATIONS

Tor has become one of the most popular overlay networks for anonymizing TCP traffic. A novel and effective flow multiplication attack against Tor is proposed in this paper, which exploits the fundamental vulnerability of anonymous Web browsing by using a man-in-the-middle attack on the client's HTTP flow. In the flow multiplication attack, whenever a malicious exit onion router detects a Web request to a target server, it responds with a malicious page embedded with a specified number of image tags, which will cause the browser to initiate a deterministic number of web connections on the same circuit to fetch those images. The entry onion router on the circuit can then find such a traffic pattern, and the communication relationship between the client and the Web server will be discovered. Even if all active content systems such as JavaScript in the browser are disabled, our attack can still compromise the anonymity of Tor while achieving invisibility by keeping the client's communication running continuously. The experiment results on Tor validate the feasibility and effectiveness of our attack.

An Improved Tor Circuit-Building Protocol

Xin Liu; Neng Wang Artificial Intelligence, 2009. JCAI '09. International Joint Conference on

Digital Object Identifier: 10.1109/JCAI.2009.27 Publication Year: 2009 , Page(s): 671 - 675 IEEE CONFERENCE PUBLICATIONS

Tor is the second generation onion router, supporting the anonymous transport of TCP streams over the Internet. Its low latency makes it very suitable for common Internet communication applications. So Tor has become the most successful public anonymity communication service in the Internet. In this paper, we investigate Tor's current circuit-building protocol. We found some performance and user experience deficiencies in this protocol. Based on the investigation we propose an improved circuit-building protocol. The protocol includes two phases: user-selectable relay node selection and circuit construction. In the new protocol, we propose three new algorithms: a user-selectable relay node selection algorithm, a fast circuit constructing algorithm and a backup circuit algorithm. In addition we also present an evaluation of the new protocol in terms of user experience, performance and anonymity. Through our evaluation, we think that with our improved circuit-building protocol we can provide better user experience, better performance and the same anonymity as the current circuit-building protocol to Tor users.

Predicting Tor path compromise by exit port

Bauer, K.; Grunwald, D.; Sicker, D. Performance Computing and Communications Conference (IPCCC), 2009 IEEE 28th International Digital Object Identifier: 10.1109/PCCC.2009.5403852 Publication Year: 2009 , Page(s): 384 - 387 IEEE CONFERENCE PUBLICATIONS

Tor is currently the most popular low latency anonymizing overlay network for TCP-based applications. However, it is well understood that Tor's path selection algorithm is vulnerable to end-to-end traffic correlation attacks since it chooses Tor routers in proportion to their perceived bandwidth capabilities. Prior work has shown that the fraction of malicious routers and the amount of adversary-controlled bandwidth are significant factors for predicting the number of paths that an adversary can compromise. We extend this prior work by identifying that the application-layer protocol being transported is also a significant factor in predicting path compromise. Through a simulation study driven by data obtained from the real Tor network, we show that ports commonly associated with peer-to-peer file sharing protocols and the simple mail transport protocol (SMTP) are significantly more vulnerable to this attack than other ports.

Toward Improving Path Selection in Tor

Fallon Chen; Pasquale, J. Global Telecommunications Conference (GLOBECOM 2010), 2010 IEEE Digital Object Identifier: 10.1109/GLOCOM.2010.5684020 Publication Year: 2010 , Page(s): 1 - 6 IEEE CONFERENCE PUBLICATIONS

Tor (The Onion Router) is a popular anonymity overlay network that seeks to provide anonymity without significant cost to performance. Tor's support for anonymity is indeed strong, but its network performance is a problem, and one that is widely recognized. While there are some studies that investigate changing the structure of the Tor network to improve performance, we focus on investigating different path selection strategies given the Tor network as is. Specifically, we explore varying the number of hops in a circuit, varying the performance flags in a circuit, and varying the geographic distance between routers in a circuit. We show how much improvement can be had by reducing the path length, which gives the user guidance on how to trade off anonymity for performance.

Improving Security and Performance in the Tor Network through Tunable Path Selection

Snader, R.; Borisov, N. Dependable and Secure Computing, IEEE Transactions on Volume: 8 , Issue: 5 Digital Object Identifier: 10.1109/TDSC.2010.40 Publication Year: 2011 , Page(s): 728 - 741 IEEE JOURNALS & MAGAZINES

The Tor anonymous communication network uses self-reported bandwidth values to select routers for building tunnels. Since tunnels are allocated in proportion to this bandwidth, this allows a malicious router operator to attract tunnels for compromise. Although Tor limits the self-reported bandwidth, it uses a high maximum value, effectively choosing performance over high anonymity for all users. We propose a router selection algorithm that allows users to control the trade-off between performance and anonymity. We also propose an opportunistic bandwidth measurement algorithm to replace self-reported values that is more sensitive to load and more responsive to changing network conditions. Our mechanism effectively blends the traffic from users of different preferences, making partitioning attacks difficult. We implemented the opportunistic measurement and tunable performance extensions and examined their performance both through simulation and in the real Tor network. Our results show that users can get dramatic increases in either performance or anonymity with little to no sacrifice in the other metric, or a more modest improvement in both. Our mechanisms are also invulnerable to the previously published low-resource attacks on Tor.

Tor Network Limits

Benmeziane, S.; Badache, N.; Bensimessaoud, S. Network Computing and Information Security (NCIS), 2011 International Conference on Volume: 1 Digital Object Identifier: 10.1109/NCIS.2011.48 Publication Year: 2011 , Page(s): 200 - 205 IEEE CONFERENCE PUBLICATIONS

Tor is a volunteer-run relay network designed for privacy, anonymity, and censorship resistance. Tor has become the most successful public anonymity communication service in the Internet because of its low latency. In this paper, we present a method to exploit the Tor limits in conjunction with the public profile of a user to reduce the degree of anonymity.

Low-cost traffic analysis of Tor

Murdoch, S.J.; Danezis, G. Security and Privacy, 2005 IEEE Symposium on Digital Object Identifier: 10.1109/SP.2005.12 Publication Year: 2005 , Page(s): 183 - 195 Cited by: 7 IEEE CONFERENCE PUBLICATIONS

Tor is the second generation onion router supporting the anonymous transport of TCP streams over the Internet. Its low latency makes it very suitable for common tasks, such as Web browsing, but insecure against traffic-analysis attacks by a global passive adversary. We present new traffic-analysis techniques that allow adversaries with only a partial view of the network to infer which nodes are being used to relay the anonymous streams and therefore greatly reduce the anonymity provided by Tor. Furthermore, we show that otherwise unrelated streams can be linked back to the same initiator. Our attack is feasible for the adversary anticipated by the Tor designers. Our theoretical attacks are backed up by experiments performed on the deployed, albeit experimental, Tor network. Our techniques should also be applicable to any low latency anonymous network. These attacks highlight the relationship between the field of traffic-analysis and more traditional computer security issues, such as covert channel analysis. Our research also highlights that the inability to directly observe network links does not prevent an attacker from performing traffic-analysis: the adversary can use the anonymising network as an oracle to infer the traffic load on remote nodes in order to perform traffic-analysis.

Random Walk-Based Tor Circuit Building Protocol

Xin Liu; Neng Wang Computational Intelligence and Security, 2009. CIS '09. International Conference on Volume: 2 Digital Object Identifier: 10.1109/CIS.2009.18 Publication Year: 2009 , Page(s): 335 - 340 IEEE CONFERENCE PUBLICATIONS

Tor is the second generation Onion Routing, supporting the anonymous transport of TCP streams over the Internet. Tor has become the most successful public anonymity communication service in the Internet, and has more than one thousand relay nodes and thousands of users. In this paper, we investigate Tor's current Circuit-Building Protocol. We propose the Random Walk-based Circuit Building Protocol (RWCBP), which is based on the random walk algorithm. RWCBP includes two phases: circuit construction and application message transmission. In the first phase, we propose a circuit construction protocol based on the random walk algorithm, and in the second phase, we propose an application message transmission algorithm. In addition we also present an evaluation of the protocol according to two categories of metrics: performance and anonymity. In the evaluation of anonymity, we introduce three types of anonymous communication properties and six degrees of anonymity, and give the evaluation result against a local eavesdropper, collaborating relay nodes and the receiver. We prove RWCBP provides better communication anonymity. In the evaluation of performance, we evaluate the circuit construction and application message transmission performance in terms of network latency, transmission loads and computational latency. Based on our analysis, RWCBP has a slight and imperceptible impact on the performance of circuit construction and application message transmission.

Breaking Tor Anonymity with Game Theory and Data Mining

Wagner, C.; Wagener, G.; State, R.; Engel, T.; Dulaunoy, A. Network and System Security (NSS), 2010 4th International Conference on Digital Object Identifier: 10.1109/NSS.2010.54 Publication Year: 2010 , Page(s): 47 - 54 IEEE CONFERENCE PUBLICATIONS

Attacking anonymous communication networks is very tempting and many attacks have already been observed. We consider the case of Tor, a widely-used anonymous overlay network. Despite the deployment of several protection mechanisms, we propose an attack originating from only one rogue exit node. Our attack is composed of two elements. The first is an active tag injection scheme. The malicious exit node injects image tags into all HTTP replies, which will be cached for upcoming requests and allows different users to be distinguished. The second element is an inference attack that leverages a semi-supervised learning algorithm to reconstruct browsing sessions. Captured traffic flows are clustered into sessions, such that one session is most probably associated with a specific user. The clustering algorithm uses HTTP headers and logical dependencies encountered in a browsing session. We have implemented a prototype and evaluated its performance on the Tor network. The article also describes several counter-measures and advanced attacks, modeled in a game-theoretical framework, and their relevancy is assessed with reference to the Nash equilibrium.

Fingerprinting Tor's hidden service log files using a timing channel

Elices, J.A.; Perez-Gonzalez, F.; Troncoso, C. Information Forensics and Security (WIFS), 2011 IEEE International Workshop on Digital Object Identifier: 10.1109/WIFS.2011.6123154 Publication Year: 2011 , Page(s): 1 - 6 IEEE CONFERENCE PUBLICATIONS

Hidden services are anonymously hosted services that can be accessed over Tor, an anonymity network. In this paper we present an attack that allows an entity to prove, once a machine suspected of hosting a hidden server has been confiscated, that such a machine has in fact hosted a particular content. Our solution is based on leaving a timing channel fingerprint in the confiscated machine's log file. In order to be able to fingerprint the log server through Tor we first study the noise sources: the delay introduced by Tor and the log entries due to other users. We then describe our fingerprint method, and analytically determine the detection probability and the rate of false positives. Finally, we empirically validate our results.

Performance Analysis of Anonymous Communication Channels Provided by Tor

Panchenko, A.; Pimenidis, L.; Renner, J. Availability, Reliability and Security, 2008. ARES 08. Third International Conference on Digital Object Identifier: 10.1109/ARES.2008.63 Publication Year: 2008 , Page(s): 221 - 228 Cited by: 3 IEEE CONFERENCE PUBLICATIONS

Providing anonymity for end-users on the Internet is a very challenging and difficult task. There are currently only a few systems that are of practical relevance for the provision of low-latency anonymity. One of the most important to mention is the Tor network, which is based on onion routing. Practical usage of the system often leads to delays which are not tolerated by the average end-user. This, in turn, discourages many of them from the use of such systems and hence indirectly lowers the protection of remaining users due to a smaller user base. In this paper we show to what extent overloaded nodes and links, as well as geographical diversity of nodes, have an influence on the general performance of Tor communication channels. After that, we propose new methods of path selection for performance-improved onion routing which are based on actively measured latencies and estimated available capacities using passive observations of link-wise throughput.

Traffic Identification of Tor and Web-Mix

Xuefeng Bai; Yong Zhang; Xiamu Niu Intelligent Systems Design and Applications, 2008. ISDA '08. Eighth International Conference on Volume: 1 Digital Object Identifier: 10.1109/ISDA.2008.209 Publication Year: 2008 , Page(s): 548 - 551 IEEE CONFERENCE PUBLICATIONS

With the wide use of anonymity tools, both blocking and anti-blocking of these tools have become hot topics. And the traffic identification of the corresponding tools is a key issue of both blocking and anti-blocking. In this paper, we address identifying Tor and Web-Mix traffic, which are two of the most famous anonymity tools. Taking advantage of the typical methods for traffic identification, we propose a traffic identification scheme based on traffic fingerprint extraction and matching. The fingerprints comprise the specific strings, packet length and frequency of the packets' sending time. The details of design and implementation of such a traffic identification scheme for both Tor and Web-Mix are presented. The feasibility of the proposed scheme is shown by the simulation experiment results.

Application-level attack against Tor's hidden service

Lu Zhang; Junzhou Luo; Ming Yang; Gaofeng He Pervasive Computing and Applications (ICPCA), 2011 6th International Conference on Digital Object Identifier: 10.1109/ICPCA.2011.6106555 Publication Year: 2011 , Page(s): 509 - 516 IEEE CONFERENCE PUBLICATIONS

Tor has become one of the most popular overlay networks for anonymizing TCP traffic. The hidden service provided by Tor allows users to run a TCP server under a pseudonym, and its resources can be accessed without the operator's real identity being revealed. In this paper, we propose a novel HTTP-based application-level attack against Tor's hidden web service. Under the assumption that the entry of the suspected hidden server's circuit is occupied, we evaluate the time correlation between the web accessing and the generated traffic in the malicious onion router. Furthermore, we analyze the probability that the malicious onion routers occupy the entry of the hidden server's circuit when advertising high bandwidth, which is the foundation of our attack. We conducted real-world experiments to evaluate our attack method. The empirical results demonstrate that the hidden service can be effectively and efficiently located.

Practical anonymous communication on the mobile internet using Tor

Andersson, Christer; Panchenko, Andriy Security and Privacy in Communications Networks and the Workshops, 2007. SecureComm 2007. Third International Conference on Digital Object Identifier: 10.1109/SECCOM.2007.4550305 Publication Year: 2007 , Page(s): 39 - 48 IEEE CONFERENCE PUBLICATIONS

This paper proposes and evaluates several architectural designs for enabling anonymous browsing on the mobile Internet. These architectural designs make use of the Tor network in a mobile setting for the provisioning of anonymity to mobile devices. We compare several architectural designs with respect to their anonymity and performance properties. In particular, we are interested in finding a trade-off between anonymity and performance. We also evaluate the architectural designs against other criteria such as practicality, usability, availability, and trust. We show that the most preferable option - given a powerful mobile device and some optimizations in the Tor protocol - is the option where the Tor client is run directly on the mobile device.

Performance Measurements and Statistics of Tor Hidden Services

Loesing, K.; Sandmann, W.; Wilms, C.; Wirtz, G. Applications and the Internet, 2008. SAINT 2008. International Symposium on Digital Object Identifier: 10.1109/SAINT.2008.69 Publication Year: 2008 , Page(s): 1 - 7 Cited by: 3 IEEE CONFERENCE PUBLICATIONS

Tor (the onion routing) provides a secure mechanism for offering TCP-based services while concealing the hidden server's IP address. In general the acceptance of a service strongly relies on its QoS properties. For potential Tor users, provided the anonymity is secured, probably the most important QoS parameter is the time until they finally get a response from such a hidden service. Internally, overall response times are constituted by several steps invisible to the user. We provide comprehensive measurements of all relevant latencies and a detailed statistical analysis with special focus on the overall response times. Thereby, we gain valuable insights that enable us to give certain statistical assertions and to suggest improvements in the hidden service protocol and its implementation.

A phishing sites blacklist generator

Sharifi, M.; Siadati, S.H. Computer Systems and Applications, 2008. AICCSA 2008. IEEE/ACS International Conference on Digital Object Identifier: 10.1109/AICCSA.2008.4493625 Publication Year: 2008 , Page(s): 840 - 843 Cited by: 1 IEEE CONFERENCE PUBLICATIONS

Phishing is an increasing web attack both in volume and in sophistication of techniques. Blacklists are used to resist this type of attack, but fail to keep their lists up-to-date. This paper proposes a new technique and architecture for a blacklist generator that maintains an up-to-date blacklist of phishing sites. When a page claims that it belongs to a given company, the company's name is searched in a powerful search engine like Google. The domain of the page is then compared with the domain of each of Google's top-10 search results. If a matching domain is found, the page is considered a legitimate page, and otherwise a phishing site. Preliminary evaluation of our technique has shown an accuracy of 91% in detecting legitimate pages and 100% in detecting phishing sites.

PhishNet: Predictive Blacklisting to Detect Phishing Attacks

Prakash, P.; Kumar, M.; Kompella, R.R.; Gupta, M. INFOCOM, 2010 Proceedings IEEE Digital Object Identifier: 10.1109/INFCOM.2010.5462216 Publication Year: 2010 , Page(s): 1 - 5 Cited by: 5 IEEE CONFERENCE PUBLICATIONS

Phishing has been an easy and effective way for trickery and deception on the Internet. While solutions such as URL blacklisting have been effective to some degree, their reliance on an exact match with the blacklisted entries makes it easy for attackers to evade. We start with the observation that attackers often employ simple modifications (e.g., changing the top level domain) to URLs. Our system, PhishNet, exploits this observation using two components. In the first component, we propose five heuristics to enumerate simple combinations of known phishing sites to discover new phishing URLs. The second component consists of an approximate matching algorithm that dissects a URL into multiple components that are matched individually against entries in the blacklist. In our evaluation with real-time blacklist feeds, we discovered around 18,000 new phishing URLs from a set of 6,000 new blacklist entries. We also show that our approximate matching algorithm leads to very few false positives (3%) and negatives (5%).

Benchmarking IP blacklists for financial botnet detection

Oro, D.; Luna, J.; Felguera, T.; Vilanova, M.; Serna, J. Information Assurance and Security (IAS), 2010 Sixth International Conference on Digital Object Identifier: 10.1109/ISIAS.2010.5604040 Publication Year: 2010 , Page(s): 62 - 67 IEEE CONFERENCE PUBLICATIONS

Every day, hundreds or even thousands of computers are infected with financial malware (i.e. Zeus) that forces them to become zombies or drones, capable of joining massive financial botnets that can be hired by well-organized cyber-criminals in order to steal online banking customers' credentials. Despite the fact that detection and mitigation mechanisms for spam and DDoS-related botnets have been widely researched and developed, it is true that the passive nature (i.e. low network traffic, fewer connections) of financial botnets greatly hinders their countermeasures. Therefore, cybercriminals are still obtaining high economic profits at relatively low risk with financial botnets. In this paper we propose the use of publicly available IP blacklists to detect both drones and Command & Control nodes that are part of financial botnets. To prove this hypothesis we have developed a formal framework capable of evaluating the quality of a blacklist by comparing it against a baseline and taking into account different metrics. The contributed framework has been tested with approximately 500 million IP addresses, retrieved during a one-month period from seven different well-known blacklist providers. Our experimental results showed that these IP blacklists are able to detect both drones and C&C related to the Zeus botnet and, most importantly, that it is possible to assign different quality scores to each blacklist based on our metrics. Finally, we introduce the basics of a high-performance IP reputation system that uses the previously obtained blacklists' quality scores, in order to reply almost in real-time whether a certain IP is a member of a financial botnet or not. Our belief is that such a system can be easily integrated into e-banking anti-fraud systems.

Proactive Blacklisting for Malicious Web Sites by Reputation Evaluation Based on Domain and IP Address Registration

Fukushima, Y.; Hori, Y.; Sakurai, K. Trust, Security and Privacy in Computing and Communications (TrustCom), 2011 IEEE 10th International Conference on Digital Object Identifier: 10.1109/TrustCom.2011.46 Publication Year: 2011 , Page(s): 352 - 361 IEEE CONFERENCE PUBLICATIONS

The objective of creating malicious software (i.e., malware), intruding into computers and conducting malicious activities has shifted from showing off the attacker's computer skills to earning money. Thus, recent attackers take more sophisticated and effective malware infection ways such as malware infection via malicious Web sites as well as the traditional exploitations like worm propagation. The malicious Web sites attempt to compromise machines by a drive-by-download attack which redirects users to exploiting sites and installs malware compulsorily in their machines by exploiting vulnerabilities of their Web browser or plugins. As a countermeasure for these malicious Web sites, blacklisting their URLs or domains is significant. However, attackers tend to change the URLs or domains in a short period to avoid the blacklist. Thus, a blacklisting scheme which can filter even unknown malicious Web sites is critical. In this paper, we first analyze characteristics of malicious Web sites by their domain information such as AS (Autonomous System), IP address block, IP address, domain, and registrar. Second, we evaluate reputations of IP address blocks and registrars used by attackers. Then, we propose a blacklisting scheme constructed of the combination of IP address block and registrars with low reputation, that is, intensively used by attackers. From our experimental results, the Web sites with the same combination with low reputation appeared over a long period, which indicates that our proposed blacklist has a certain capability of filtering unknown malicious Web sites.

Method of countering unsolicited IP applications using lists

So Young Park; Sung Hei Kim; Shin Gak Kang Advanced Communication Technology, 2009. ICACT 2009. 11th International Conference on Volume: 02 Publication Year: 2009 , Page(s): 1047 - 1049 IEEE CONFERENCE PUBLICATIONS

A method of countering IP application spam using lists, namely a blacklist and a whitelist, is introduced in this paper. This function of an application server provides a two-phase anti-spam technique using two kinds of lists. The first uses the blacklist and whitelist of the IP application recipient, and the second uses the unified lists of other users. When an IP application cannot be identified as spam or not with the lists of the recipient, the anti-spam system uses the unified list of other users. For the spam identification and treatment of an IP application, this method also uses other functions such as a spam score management function and a spam reporting function.

Filtering sources of unwanted traffic

Soldo, F.; El Defrawy, K.; Markopoulou, A.; Krishnamurthy, B.; van der Merwe, J. Information Theory and Applications Workshop, 2008 Digital Object Identifier: 10.1109/ITA.2008.4601049 Publication Year: 2008 , Page(s): 199 - 208 Cited by: 1 IEEE CONFERENCE PUBLICATIONS

There is a large and increasing amount of unwanted traffic on the Internet today, including phishing, spam, and distributed denial-of-service attacks. One way to deal with this problem is to filter unwanted traffic at the routers based on source IP addresses. Because of the limited number of available filters in the routers today, aggregation is used in practice: a single filter describes and blocks an entire range of IP addresses. This results in blocking of all (unwanted and wanted) traffic generated from hosts with IP addresses in that range. In this paper, we develop a family of algorithms that, given a blacklist containing the source IP addresses of unwanted traffic and a constraint on the number of filters, construct a set of filtering rules that optimize the tradeoff between the unwanted and legitimate traffic that is blocked. We show that our algorithms are optimal and also computationally efficient. Furthermore, we demonstrate that they are particularly beneficial when applied to realistic distributions of sources of unwanted traffic, which are known to exhibit spatial and temporal clustering.

A Survey on Web Application Vulnerabilities (SQLIA, XSS) Exploitation and Security Engine for SQL Injection

Johari, R.; Sharma, P. Communication Systems and Network Technologies (CSNT), 2012 International Conference on Digital Object Identifier: 10.1109/CSNT.2012.104 Publication Year: 2012 , Page(s): 453 - 458 IEEE CONFERENCE PUBLICATIONS

Today almost all organizations have improved their performance by allowing more information exchange within their organization as well as between their distributors, suppliers, and customers using web support. Databases are central to modern websites as they provide necessary data as well as store critical information such as user credentials, financial and payment information, company statistics etc. These websites have been continuously targeted by highly motivated malicious users to acquire monetary gain. Structured Query Language (SQL) injection and Cross Site Scripting Attack (XSS) are perhaps the most common application-layer attack techniques used by attackers to deface the website, and manipulate or delete the content, through inputting unwanted command strings. Structured Query Language Injection Attacks (SQLIA) are ranked 1st in the Open Web Application Security Project (OWASP) [1] top 10 vulnerability list and have resulted in massive attacks on a number of websites in the past few years. In this paper, we present a detailed review of various types of Structured Query Language Injection attacks, Cross Site Scripting Attack, vulnerabilities, and prevention techniques. Besides presenting our findings from the survey, we also propose future expectations and possible development of countermeasures against Structured Query Language Injection attacks.

Towards cellular IP address assignment in wireless heterogeneous sensor networks

Khair, M.G.; Kantarci, B.; Mouftah, H.T. Computers and Communications (ISCC), 2011 IEEE Symposium on Digital Object Identifier: 10.1109/ISCC.2011.5983906 Publication Year: 2011 , Page(s): 615 - 619 IEEE CONFERENCE PUBLICATIONS

In this paper, we have proposed a dynamic IP address assignment architecture for wireless heterogeneous sensor networks. The assignment scheme and the architecture guarantee that communication channels can be assigned only between the registered devices, ensuring security. The dynamic IP address assignment scheme is based on the advertisement of the IP address utilization status at the base stations. Thus, each base station advertises its IP address utilization database when the ratio of the negative acknowledgement messages received from the DNS exceeds a certain threshold. By simulations, we have shown that the proposed assignment scheme introduces significant enhancement in terms of blocking probability when compared to an approach where each base station has its own IP address pool. Furthermore, we have defined three types of blocking: the real blocking, the unjustified acceptance and the unjustified rejections. We have seen that the proposed scheme can lead to lower blocking probability compared to the uniform IP assignment as long as the update threshold is kept below 1.5%.

Reducing the Effect of Distributed Directory Harvest Attack and Load of Mail Server

Das, S.; Singh, R.; Joshi, R.C.; Toshiwal, D. Industrial and Information Systems, 2008. ICIIS 2008. IEEE Region 10 and the Third international Conference on Digital Object Identifier: 10.1109/ICIINFS.2008.4798387 Publication Year: 2008 , Page(s): 1 - 6 IEEE CONFERENCE PUBLICATIONS

A Directory Harvest Attack or DHA is a technique used by spammers in an attempt to determine the valid e-mail addresses associated with an e-mail server so that they can be added to a spam database. Directory Harvest Attackers send blank mail to the server to collect the valid user-ids. They do this by observing the server's reply. Traditionally attackers use a single IP address to send mails. Recently attackers use different IP addresses to send mail and from one IP address, they send 1-2 mails. Therefore, only blocking the IP address is not sufficient to reduce the effect of DHA. The Directory Harvest Attackers not only collect the valid user-ids but also increase the load of the mail server. In this paper, we propose a framework that reduces the distributed attack and the load of the mail server. Along with the IP address, the user-id is also blocked in this framework. Due to this, the attacker cannot send mails by using the same user-id and different IP addresses. The framework consists of distributed servers that maintain two databases to block the source, one for IP addresses, and another for user-ids. All the distributed servers share their database information with each other. Another module in the model, named the front-end filter, acts as the main gateway in the domain. Mail servers decide the blacklisted sources and pass this information to the front-end filter. The filter checks the incoming source address against its blacklist information. If the address is in the blacklist then it sends all the mail coming from the attacker to the reply generator. The reply generator is another module in the framework that gives only an 'invalid recipient address' reply to the source. Therefore, the front-end filter and the distributed method reduce the DHA and the load of the server.

Preserving security and privacy


Stone, A. Internet Computing, IEEE Volume: 8 , Issue: 4 Digital Object Identifier: 10.1109/MIC.2004.23 Publication Year: 2004 , Page(s): 10 - 11 IEEE JOURNALS & MAGAZINES

At the "Computers, Freedom, and Privacy" (CFP) Conference held in Berkeley, California, the spotlight was on the twin weights of national security and personal liberty - with technology the fulcrum on which all turns. Its highlights included sessions devoted to the new international cybercrime treaty, a global crusade to spread technology to underdeveloped nations, laws meant to block illegal sites at the IP-address level, and wiretapping voice-over-IP (VoIP) communications.

A mitigation model for TCP SYN flooding with IP spoofing


Kavisankar, L.; Chellappan, C. Recent Trends in Information Technology (ICRTIT), 2011 International Conference on Digital Object Identifier: 10.1109/ICRTIT.2011.5972435 Publication Year: 2011 , Page(s): 251 - 256 IEEE CONFERENCE PUBLICATIONS

DDoS attack is considered to be a major threat among security problems in today's Internet. These kinds of attacks are potentially severe. They bring down the business of a company drastically. A DDoS attack can easily exhaust the computing and communication resources of its victim within a short period of time. There are attacks exploiting some vulnerability or implementation bug in the software implementation of a service, to bring the server down. Some attacks will use all the available resources at the target machine. This paper deals with attacks that consume all the bandwidth available to the victim machine. Among bandwidth attacks the TCP SYN flood is the more prominent attack. The TCP/IP protocol suite is the most widely used protocol suite for data communication. The TCP SYN flood works by exhausting the TCP connection queue of the host and thus denying legitimate connection requests. There are various methods used to detect and prevent this attack, one of which is to block the packet based on the SYN flag count from the same IP address. This kind of prevention method becomes unsuitable when the attackers use spoofed IP addresses. For the prevention of this kind of attack, TCP-specific probing is used in the proposed scheme, where the client is requested to change the window size / cause packet retransmission while sending the ACK in the three-way handshake. This is very useful to find the spoofed IP packets / TCP SYN flood and prevent them.

Binary Search on Prefix Covered Levels for IP Address Lookup


This paper appears in: Wireless Communications, Networking and Mobile Computing, 2009. WiCom '09. 5th International Conference on Date of Conference: 24-26 Sept. 2009 Author(s): Guosheng Zhu Comput. Dept., Huazhong Univ. of Sci. & Technol., Wuhan, China Shaohua Yu ; Jinyou Dai Page(s): 1 - 4 Product Type: Conference Publications

ABSTRACT
IP address lookup is a challenging problem because of increasing forwarding table size, increasing Internet traffic, higher link speed, frequent prefix updates, migration to 128 bit IPv6 addresses and higher power consumption. IP address lookup needs to do a two-dimensional match to find the longest matching prefix. Traditional schemes implement IP address lookup using linear or binary search on prefix lengths or prefix values at the cost of slow lookup speed, complex pre-computation or high power consumption. A novel binary search algorithm based on prefix covered levels is proposed in this paper. At each level we use TCAMs to determine whether there is a match. TCAM entries need not be sorted because prefixes at each level are disjoint. Precomputation is no longer needed and incremental updates are supported. IP address lookup can be done in O(log2 max_level + 1) TCAM clock cycles in the worst case, where max_level is the max number of overlapping prefixes. The current max_level is 7 for IPv4 and 2 for IPv6. With a single TCAM chip having several blocks and keeping one block working and the other blocks powered off, or with several independent TCAM chips arranged in a pipeline architecture, we can support 40 Gbps line speed forwarding and reduce the power consumption by about 50%. Complexity comparison and performance evaluation show the proposed scheme has better performance over other schemes.

Trust Evaluation for P2P Systems

This paper appears in: Wireless Communications, Networking and Mobile Computing, 2008. WiCOM '08. 4th International Conference on Date of Conference: 12-14 Oct. 2008 Author(s): Wang Liang Dept. of Comput. Sci., HuaZhong Normal Univ., Wuhan Guo Yajun Page(s): 1 - 4 Product Type: Conference Publications

ABSTRACT
As online interactions often occur among peers with no prior knowledge of each other in P2P systems, the problem of security is attracting more and more attention. Hence, how to construct an effective trust mechanism to help build trust among peers is an important issue for the research of P2P technology nowadays. This paper proposes a novel reputation-based trust evaluation mechanism for P2P systems. This mechanism takes into account the comprehensive factors affecting trust level, improves the calculation methods of local reputation and global reputation, reduces the computing load of trust level, and introduces the blacklist mechanism into P2P systems. The experiment result shows that this proposed mechanism can effectively evaluate the trust level of peer and detect and separate malicious peers from P2P systems to improve the successful downloading rate, and can be effectively applied to P2P systems.

Key-Insulated Group Signature Scheme with Verifier-Local Revocation


This paper appears in: Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing, 2007. SNPD 2007. Eighth ACIS International Conference on Date of Conference: July 30 2007-Aug. 1 2007 Author(s): Rupeng Li Shandong Univ., Jinan Jia Yu ; Jin Wang ; Guowen Li ; Daxing Li Volume: 3 Page(s): 273 - 278 Product Type: Conference Publications

ABSTRACT
In group signature schemes, the user's group secret key is often stored on insecure devices, e.g. mobile phones, that are likely to be compromised by an adversary. To mitigate the damage of key exposure in group signature schemes, we propose a key-insulated group signature scheme. The group secret key stored on an insecure device is refreshed at discrete time periods via interaction with a physically-secure device that stores a "master key". Our scheme has secure and random-access key updates. The exposure of up to t of the T time periods, chosen adaptively by the adversary, still keeps any period that was not exposed secure. Our scheme also adopts the method of verifier-local revocation (VLR) and supports backward unlinkability, i.e. previously signed signatures remain valid, anonymous and unlinkable even after the signer is revoked.

IP traceback: a new denial-of-service deterrent?


This paper appears in: Security & Privacy, IEEE Date of Publication: May-June 2003 Author(s): Aljifri, H. Miami Univ., Coral Gables, FL, USA Volume: 1 , Issue: 3 Page(s): 24 - 31 Product Type: Journals & Magazines

ABSTRACT
The increasing frequency of malicious computer attacks on government agencies and Internet businesses has caused severe economic waste and unique social threats. IP traceback, the ability to trace IP packets to their origins, is a significant step toward identifying, and thus stopping, attackers.

Location privacy in mobile IP


This paper appears in: Networks, 2005. Jointly held with the 2005 IEEE 7th Malaysia International Conference on Communication., 2005 13th IEEE International Conference on Date of Conference: 16-18 Nov. 2005 Author(s): Wiangsripanawan, R. Centre for Inf. Security, Wollongong Univ., NSW, Australia Safavi-Naini, R. ; Susilo, W. Volume: 2

ABSTRACT
Several security issues arise due to the design of mobile IP and its deployment in conjunction with other network protocols. Most of the work on the security of mobile IP has focused on authentication of the control packets and the confidentiality of the content in the protocol, and there are not many proposals in the area of location privacy. In this paper, we propose a method to provide location privacy for mobile IP users. We present two protocols that use an overlay network approach, and are designed particularly for mobile IP. We employ universal re-encryption and extend it to n-out-of-n universal re-encryption to achieve our goal. In contrast to other overlay network approaches, where at least n public key encryption operations are required, our scheme requires only 2 public key encryption operations. Therefore, it is applicable to mobile IP systems, where in most cases the mobile nodes are small devices and have computational limitations.

Large-Scale IP Traceback in High-Speed Internet: Practical Techniques and Theoretical Foundation


Berkeley, California May 09-May 12 ISBN: 0-7695-2136-3

Jun Li, Georgia Institute of Technology Minho Sung, Georgia Institute of Technology Jun (Jim) Xu, Georgia Institute of Technology Li (Erran) Li, Lucent Technologies

ABSTRACT
Tracing attack packets to their sources, known as IP traceback, is an important step to counter distributed denial-of-service (DDoS) attacks. In this paper, we propose a novel packet logging based (i.e., hash-based) traceback scheme that requires an order of magnitude smaller processing and storage cost than the hash-based scheme proposed by Snoeren et al. [Hash-based IP traceback, in Proc. ACM SIGCOMM], thereby being able to scale to much higher link speed (e.g., OC-768). The baseline idea of our approach is to sample and log a small percentage (e.g., 3.3%) of packets. The challenge of this low sampling rate is that much more sophisticated techniques need to be used for traceback. Our solution is to construct the attack tree using the correlation between the attack packets sampled by neighboring routers. The scheme using naive independent random sampling does not perform well due to the low correlation between the packets sampled by neighboring routers. We invent a sampling scheme that improves this correlation and the overall efficiency significantly. Another major contribution of this work is that we introduce a novel information-theoretic framework for our traceback scheme to answer important questions on system parameter tuning and the fundamental trade-off between the resource used for traceback and the traceback accuracy. Simulation results based on real-world network topologies (e.g. Skitter) match very well with results from the information-theoretic analysis. The simulation results also demonstrate that our traceback scheme can achieve high accuracy, and scale very well to a large number of attackers (e.g., 5000+).

A Privacy Service for Locator/Identifier-Split Architectures Based on Mobile IP Mechanisms


Venice, Italy July 18-July 25

ISBN: 978-0-7695-4091-7

Oliver Hanka
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/AFIN.2010.9

ABSTRACT
Concepts for a next generation Internet architecture quite often propose to decouple identifiers from locators. The so-called locator/identifier-split solves several problematic issues of today's Internet architecture. At the same time, however, a user's location is exposed within the whole network and any participant can be traced. Privacy considerations, therefore, need to be a key design element for any locator/identifier-split architecture. In this paper, we introduce a novel privacy service for locator/identifier-split architectures. The service is following Mobile IP's proxy idea and introduces mechanisms to overcome the unwanted side effects of such an approach. The concept decouples the privacy service from the network and leaves it open to the customer whether he wants to subscribe or not.

SybilGuard: Defending Against Sybil Attacks via Social Networks


This paper appears in: Networking, IEEE/ACM Transactions on Date of Publication: June 2008 Author(s): Haifeng Yu Comput. Sci. Dept., Nat. Univ. of Singapore, Singapore Kaminsky, M. ; Gibbons, P.B. ; Flaxman, A.D. Volume: 16 , Issue: 3 Page(s): 576 - 589 Product Type: Journals & Magazines

ABSTRACT
Peer-to-peer and other decentralized, distributed systems are known to be particularly vulnerable to sybil attacks. In a sybil attack, a malicious user obtains multiple fake identities and pretends to be multiple, distinct nodes in the system. By controlling a large fraction of the nodes in the system, the malicious user is able to "out vote" the honest users in collaborative tasks such as Byzantine failure defenses. This paper presents SybilGuard, a novel protocol for limiting the corruptive influences of sybil attacks. Our protocol is based on the "social network" among user identities, where an edge between two identities indicates a human-established trust relationship. Malicious users can create many identities but few trust relationships. Thus, there is a disproportionately small "cut" in the graph between the sybil nodes and the honest nodes. SybilGuard exploits this property to bound the number of identities a malicious user can create. We show the effectiveness of SybilGuard both analytically and experimentally.

The Sybil attack in sensor networks: analysis & defenses

This paper appears in: Information Processing in Sensor Networks, 2004. IPSN 2004. Third International Symposium on Date of Conference: 26-27 April 2004 Author(s): Newsome, J. Carnegie Mellon Univ., Pittsburgh, PA, USA Shi, E. ; Song, D. ; Perrig, A. Page(s): 259 - 268 Product Type: Conference Publications

ABSTRACT
Security is important for many sensor network applications. A particularly harmful attack against sensor and ad hoc networks is known as the Sybil attack based on J.R. Douceur (2002), where a node illegitimately claims multiple identities. This paper systematically analyzes the threat posed by the Sybil attack to wireless sensor networks. We demonstrate that the attack can be exceedingly detrimental to many important functions of the sensor network such as routing, resource allocation, misbehavior detection, etc. We establish a classification of different types of the Sybil attack, which enables us to better understand the threats posed by each type, and better design countermeasures against each type. We then propose several novel techniques to defend against the Sybil attack, and analyze their effectiveness quantitatively.

Limiting Sybil Attacks in Structured P2P Networks


This paper appears in: INFOCOM 2007. 26th IEEE International Conference on Computer Communications. IEEE Date of Conference: 6-12 May 2007 Author(s): Rowaihy, H. Pennsylvania State Univ., University Park Enck, W. ; McDaniel, P. ; La Porta, T. Page(s): 2596 - 2600 Product Type: Conference Publications

ABSTRACT
One practical limitation of structured peer-to-peer (P2P) networks is that they are frequently subject to Sybil attacks: malicious parties can compromise the network by generating and controlling large numbers of shadow identities. In this paper, we propose an admission control system that mitigates Sybil attacks by adaptively constructing a hierarchy of cooperative peers. The admission control system vets joining nodes via client puzzles. A node wishing to join the network is serially challenged by the nodes from a leaf to the root of the hierarchy. Nodes completing the puzzles of all nodes in the chain are provided a cryptographic proof of the vetted identity. We evaluate our solution and show that an adversary must perform days or weeks of effort to obtain even a small percentage of nodes in small P2P networks, and that this effort increases linearly with the size of the network. We further show that we can place a ceiling on the number of IDs any adversary may obtain by requiring periodic reassertion of the IDs' continued validity.

Modelling of Pseudonymity under Probabilistic Linkability Attacks


This paper appears in: Computational Science and Engineering, 2009. CSE '09. International Conference on Date of Conference: 29-31 Aug. 2009 Author(s): Neubauer, M. Inst. of Commun. Networks & Comput. Eng. (IKR), Univ. Stuttgart, Stuttgart, Germany Volume: 3 Page(s): 160 - 167 Product Type: Conference Publications

ABSTRACT
This paper contributes to the field of measuring (un)linkability in communication systems; a subproblem of privacy protection. We propose an attacker state model for attacks on unlinkability of partial identities named linkability graph. It covers probabilistic linkability attacks based on heterogeneous and time-variant characteristics. From our model, we derive linkability measures and argue prospects for safeguard design. Our model reduces space and time complexity compared to other contributions in the literature. This enables simulative privacy analysis of complex context-aware systems that employ multiple partial identities per user.

GDH group-based signature scheme with linkability


This paper appears in: Communications, IEE Proceedings Date of Publication: Oct. 2006 Author(s): Zheng, D. Dept. of Comput. Sci. & Eng., Shanghai Jiaotong Univ. Wei, V.K. ; Chen, K.F. Volume: 153 , Issue: 5 Page(s): 639 - 644 Product Type: Journals & Magazines

ABSTRACT
Recently, a linkable ring signature scheme (called the LWW signature scheme), exhibiting the properties of anonymity, linkability and spontaneity, was presented. Its security is based on the decision Diffie-Hellman (DDH) problem. The distinguishing feature of the LWW signature scheme that differentiates it from other ring signature schemes is linkability, i.e. two signatures by the same signer can be linked. The LWW scheme can be used to construct new efficient e-voting systems. The drawback of the LWW scheme is that it works well on a group where the DDH problem is hard, but does not work on a GDH group where the DDH problem is easy and the computational Diffie-Hellman (CDH) problem is hard. In this paper, a linkable ring signature scheme is presented, based on a GDH group with anonymity, linkability and spontaneity. The security of the scheme is reduced to the discrete logarithm and a new intractability assumption (called the DPDH problem) under the random oracle model.

Implementing digital signature with RSA encryption algorithm to enhance the Data Security of cloud in Cloud Computing

This paper appears in: Parallel Distributed and Grid Computing (PDGC), 2010 1st International Conference on Date of Conference: 28-30 Oct. 2010 Author(s): Somani, U. Lakhani, K. ; Mundra, M. Page(s): 211 - 216 Product Type: Conference Publications

ABSTRACT
The cloud is a next generation platform that provides dynamic resource pools, virtualization, and high availability. Today, we have the ability to utilize scalable, distributed computing environments within the confines of the Internet, a practice known as cloud computing. Cloud computing is the Concept Implemented to decipher the Daily Computing Problems, likes of Hardware Software and Resource Availability unhurried by Computer users. The cloud Computing provides an undemanding and Non ineffectual Solution for Daily Computing. The prevalent Problem Associated with Cloud Computing is the Cloud security and the appropriate Implementation of Cloud over the Network. In this Research Paper, we have tried to assess Cloud Storage Methodology and Data Security in cloud by the Implementation of digital signature with RSA algorithm.

Benchmarking IP blacklists for financial botnet detection


Oro, D.; Luna, J.; Felguera, T.; Vilanova, M.; Serna, J. Information Assurance and Security (IAS), 2010 Sixth International Conference on Digital Object Identifier: 10.1109/ISIAS.2010.5604040 Publication Year: 2010 , Page(s): 62 - 67 IEEE CONFERENCE PUBLICATIONS

Every day, hundreds or even thousands of computers are infected with financial malware (i.e. Zeus) that forces them to become zombies or drones, capable of joining massive financial botnets that can be hired by well-organized cyber-criminals in order to steal online banking customers' credentials. Despite the fact that detection and mitigation mechanisms for spam and DDoS-related botnets have been widely researched and developed, it is true that the passive nature (i.e. low network traffic, fewer connections) of financial botnets greatly hinders their countermeasures. Therefore, cybercriminals are still obtaining high economical profits at relatively low risk with financial botnets. In this paper we propose the use of publicly available IP blacklists to detect both drones and Command & Control nodes that are part of financial botnets. To prove this hypothesis we have developed a formal framework capable of evaluating the quality of a blacklist by comparing it versus a baseline and taking into account different metrics. The contributed framework has been tested with approximately 500 million IP addresses, retrieved during a one-month period from seven different well-known blacklist providers. Our experimental results showed that these IP blacklists are able to detect both drones and C&C related with the Zeus botnet and, most importantly, that it is possible to assign different quality scores to each blacklist based on our metrics. Finally, we introduce the basics of a high-performance IP reputation system that uses the previously obtained blacklists' quality scores, in order to reply almost in real-time whether a certain IP is a member of a financial botnet or not. Our belief is that such a system can be easily integrated into e-banking anti-fraud systems.

TLS specification changes


Gadanayak, S. Personal Wireless Communications, 2005. ICPWC 2005. 2005 IEEE International Conference on Digital Object Identifier: 10.1109/ICPWC.2005.1431374 Publication Year: 2005 , Page(s): 399 - 402 IEEE CONFERENCE PUBLICATIONS

The transport layer security (TLS) protocol specification provides privacy and data integrity between two communicating applications. The protocol is composed of two layers: the TLS record protocol and the TLS handshake protocol. The TLS record protocol provides connection security, which is private and reliable. The goals of the TLS protocol are: cryptographic security - TLS should be used to establish a secure connection between two parties; interoperability - independent programmers should be able to develop applications utilizing TLS that will be able to successfully exchange cryptographic parameters without knowledge of one another's code; extensibility - TLS seeks to provide a framework into which new public key and bulk encryption methods can be incorporated as necessary; this will also accomplish two sub-goals: to prevent the need to create a new protocol (and risking the introduction of possible new weaknesses) and to avoid the need to implement an entire new security library; relative efficiency - cryptographic operations, in particular public key related operations, tend to be highly processor intensive. For this reason, the TLS protocol has incorporated an optional session caching scheme to reduce the number of connections that need to be established from scratch, which in turn reduces the network traffic.

TLS Tandem
Badra, M.; Urien, P. New Technologies, Mobility and Security, 2008. NTMS '08. Digital Object Identifier: 10.1109/NTMS.2008.ECP.99 Publication Year: 2008 , Page(s): 1 - 5 IEEE CONFERENCE PUBLICATIONS

Nowadays, the TLS protocol (transport layer security) is the de facto standard for securing transactions across the Internet. It provides end-to-end secure communications with one-way or mutual authentication between two network nodes. However, this protocol suffers from serious vulnerabilities because classical software implementations are not trusted and allow the use of falsified credentials (e.g. revoked and false certificates) and provide unsecured storage of credentials (private keys, passwords, etc.). In this paper, we introduce the TLS smart card to prevent those issues and we describe the TLS Tandem protocol, a TLS extension cohabiting between two TLS software stacks installed in both a docking host and a smart card. The card of our architecture, after the TLS authentication is successfully performed, derives secret keys from the master secret key, and transmits these values to the TLS software installed in the docking host. We discuss the performance and the efficiency of TLS Tandem. The implementation and performance analysis are performed using smart cards and Java Card libraries.

Nymble: Blocking Misbehaving Users in Anonymizing Networks


This paper appears in: Dependable and Secure Computing, IEEE Transactions on Date of Publication: March-April 2011 Author(s): Tsang, P.P. Dept. of Comput. Sci., Dartmouth Coll., Hanover, NH, USA Kapadia, A. ; Cornelius, C. ; Smith, S.W. Volume: 8 , Issue: 2 Page(s): 256 - 269 Product Type: Journals & Magazines

ABSTRACT
Anonymizing networks such as Tor allow users to access Internet services privately by using a series of routers to hide the client's IP address from the server. The success of such networks, however, has been limited by users employing this anonymity for abusive purposes such as defacing popular Web sites. Web site administrators routinely rely on IP address blocking for disabling access to misbehaving users, but blocking IP addresses is not practical if the abuser routes through an anonymizing network. As a result, administrators block all known exit nodes of anonymizing networks, denying anonymous access to misbehaving and behaving users alike. To address this problem, we present Nymble, a system in which servers can blacklist misbehaving users, thereby blocking users without compromising their anonymity. Our system is thus agnostic to different servers' definitions of misbehavior: servers can blacklist users for whatever reason, and the privacy of blacklisted users is maintained.

Extending Nymble-like Systems


This paper appears in: Security and Privacy (SP), 2011 IEEE Symposium on Date of Conference: 22-25 May 2011 Author(s): Henry, R. Cheriton Sch. of Comput. Sci., Univ. of Waterloo, Waterloo, ON, Canada Goldberg, I. Page(s): 523 - 537 Product Type: Conference Publications

ABSTRACT
We present several extensions to the Nymble framework for anonymous blacklisting systems. First, we show how to distribute the Verinym Issuer as a threshold entity. This provides liveness against a threshold Byzantine adversary and protects against denial-of-service attacks. Second, we describe how to revoke a user for a period spanning multiple linkability windows. This gives service providers more flexibility in deciding how long to block individual users. We also point out how our solution enables efficient blacklist transferability among service providers. Third, we augment the Verinym Acquisition Protocol for Tor-aware systems (that utilize IP addresses as a unique identifier) to handle two additional cases: 1) the operator of a Tor exit node wishes to access services protected by the system, and 2) a user's access to the Verinym Issuer (and the Tor network) is blocked by a firewall. Finally, we revisit the objective blacklisting mechanism used in Jack, and generalize this idea to enable objective blacklisting in other Nymble-like systems. We illustrate the approach by showing how to implement it in Nymble and Nymbler.

BLACR: TTP-Free Blacklistable Anonymous Credentials with Reputation


Abstract
Anonymous authentication can give users the license to misbehave since there is no fear of retribution. As a deterrent, or means to revocation, various schemes for accountable anonymity feature some kind of (possibly distributed) trusted third party (TTP) with the power to identify or link misbehaving users. Recently, schemes such as BLAC and PEREA showed how anonymous revocation can be achieved without such TTPs: anonymous users can be revoked if they misbehave, and yet nobody can identify or link such users cryptographically. Despite being the state of the art in anonymous revocation, these schemes allow only a basic form of revocation amounting to "revoke anybody with d or more misbehaviors" or "revoke anybody whose combined misbehavior score is too high" (where misbehaviors are assigned a severity score). We present BLACR, which significantly advances anonymous revocation in three ways: 1) It constitutes a first attempt to generalize reputation-based anonymous revocation, where negative or positive scores can be assigned to anonymous sessions across multiple categories. Servers can block users based on policies, which specify a Boolean combination of reputations in these categories; 2) We present a weighted extension, which allows the total severity score to ramp up for multiple misbehaviors by the same user; and, 3) We make a significant improvement in authentication times through a technique we call express lane authentication, which makes reputation-based anonymous revocation practical.

PEREA: Towards Practical TTP-Free Revocation in Anonymous Authentication


ABSTRACT
Several anonymous authentication schemes allow servers to revoke a misbehaving user's ability to make future accesses. Traditionally, these schemes have relied on powerful TTPs capable of deanonymizing (or linking) users' connections. Recent schemes such as Blacklistable Anonymous Credentials (BLAC) and Enhanced Privacy ID (EPID) support privacy-enhanced revocation: servers can revoke misbehaving users without a TTP's involvement, and without learning the revoked users' identities. In BLAC and EPID, however, the computation required for authentication at the server is linear in the size (L) of the revocation list. We propose PEREA, a new anonymous authentication scheme for which this bottleneck computation is independent of the size of the revocation list. Instead, the time complexity of authentication is linear in the size (K ≪ L) of a revocation window, the number of subsequent authentications before which a user's misbehavior must be recognized if the user is to be revoked. We prove the security of our construction, and have developed a prototype implementation of PEREA to validate its efficiency experimentally.

How China Is Blocking Tor


Abstract. Not only the free web is a victim of China's excessive censorship, but also the Tor anonymity network: the Great Firewall of China prevents thousands of potential Tor users from accessing the network. In this paper, we investigate how the blocking mechanism is implemented, we conjecture how China's Tor blocking infrastructure is designed, and we propose countermeasures. Our work bolsters the understanding of China's censorship capabilities and thus paves the way towards more effective evasion techniques.

Detecting Denial of Service Attacks in Tor


Abstract. Tor is currently one of the more popular systems for anonymizing near-real-time communications on the Internet. Recently, Borisov et al. proposed a denial-of-service-based attack on Tor (and related systems) that significantly increases the probability of compromising the anonymity it provides. In this paper, we propose an algorithm for detecting such attacks and examine the effectiveness of the obvious approach to evading such detection. We implement a simplified version of the detection algorithm and study whether the attack may be in progress on the current Tor network. Our preliminary measurements indicate that the attack was probably not implemented during the period in which we observed the network.

Securing Tor Tunnels under Selective-DoS Attack


Abstract. Low-latency anonymity networks like Tor are subject to selective denial-of-service (DoS) attacks. A selective-DoS attack lowers anonymity because it forces paths to be rebuilt multiple times to ensure delivery, which increases the opportunity for further attack. In this paper we present a detection algorithm which filters out compromised tunnels from a set of Tor tunnels to ensure better anonymity. Our detection algorithm uses two levels of probing to filter out potentially compromised tunnels. We perform probabilistic analysis and extensive simulation to show the robustness of our detection algorithm. We also analyze the cost of our algorithm and show a tradeoff between security and communication overhead. Real-world experiments reveal that our detection algorithm provides a good defense against selective-DoS attacks.

STor: Social Network based Anonymous Communication in Tor


Anonymity networks hide user identities with the help of relayed anonymity routers. However, the state-of-the-art anonymity networks do not provide an effective trust model. As a result, users cannot circumvent malicious or vulnerable routers, thus making them susceptible to malicious-router-based attacks (e.g., correlation attacks). In this paper, we propose a novel social-network-based trust model to help anonymity networks circumvent malicious routers and obtain secure anonymity. In particular, we design an input-independent fuzzy model to determine trust relationships between friends based on qualitative and quantitative social attributes, both of which can be readily obtained from existing social networks. Moreover, we design an algorithm for propagating trust over an anonymity network. We integrate these two components in STor, a novel social-network-based Tor. We have implemented STor by modifying Tor's source code and conducted experiments on PlanetLab to evaluate the effectiveness of STor. Both simulation and PlanetLab experiment results have demonstrated that STor can achieve secure anonymity by establishing trust-based circuits in a distributed fashion. Although the design of STor is based on the Tor network, the social-network-based trust model can be adopted by other anonymity networks.

One Bad Apple Spoils the Bunch: Exploiting P2P Applications to Trace and Profile Tor Users


Abstract
Tor is a popular low-latency anonymity network. However, Tor does not protect against the exploitation of an insecure application to reveal the IP address of, or trace, a TCP stream. In addition, because of the linkability of Tor streams sent together over a single circuit, tracing one stream sent over a circuit traces them all. Surprisingly, it is unknown whether this linkability allows, in practice, tracing a significant number of streams originating from secure (i.e., proxied) applications. In this paper, we show that linkability allows us to trace 193% of additional streams, including 27% of HTTP streams possibly originating from secure browsers. In particular, we traced 9% of all Tor streams carried by our instrumented exit nodes. Using BitTorrent as the insecure application, we design two attacks tracing BitTorrent users on Tor. We run these attacks in the wild for 23 days and reveal 10,000 IP addresses of Tor users. Using these IP addresses, we then profile not only the BitTorrent downloads but also the websites visited per country of origin of Tor users. We show that BitTorrent users on Tor are over-represented in some countries as compared to BitTorrent users outside of Tor. By analyzing the type of content downloaded, we then explain the observed behaviors by the higher concentration of pornographic content downloaded at the scale of a country. Finally, we present results suggesting the existence of an underground BitTorrent ecosystem on Tor.

Compromising Tor Anonymity Exploiting P2P Information Leakage


ABSTRACT
Privacy of users in P2P networks goes far beyond their current usage and is a fundamental requirement for the adoption of P2P protocols for legal usage. In a climate of cold war between these users and anti-piracy groups, more and more users are moving to anonymizing networks in an attempt to hide their identity. However, when not designed to protect users' information, a P2P protocol may leak information that compromises the identity of its users. In this paper, we first present three attacks targeting BitTorrent users on top of Tor that reveal their real IP addresses. In a second step, we analyze the Tor usage of BitTorrent users and compare it to their usage outside of Tor. Finally, we depict the risks induced by this de-anonymization and show that the users' privacy violation goes beyond BitTorrent traffic and contaminates other protocols such as HTTP.

Towards a Theory of Anonymous Networking


Abstract. The problem of anonymous networking when an eavesdropper observes packet timings in a communication network is considered. The goal is to hide the identities of source-destination nodes, and paths of information flow in the network. One way to achieve such anonymity is to use Mixes. Mixes are nodes that receive packets from multiple sources and change the timing of packets, by mixing packets at the output links, to prevent the eavesdropper from finding the sources of outgoing packets. In this paper, we consider two simple but fundamental scenarios: a double input-single output Mix and a double input-double output Mix. For the first case, we use the information-theoretic definition of anonymity, based on average entropy per packet, and find an optimal mixing strategy under a strict latency constraint. For the second case, perfect anonymity is considered, and maximal-throughput strategies with perfect anonymity are found under a strict latency constraint and an average queue length constraint.

ANDaNA: Anonymous Named Data Networking Application


Abstract
Content-centric networking, also known as information-centric networking (ICN), shifts emphasis from hosts and interfaces (as in today's Internet) to data. Named data becomes addressable and routable, while the locations that currently store that data become irrelevant to applications. Named Data Networking (NDN) is a large collaborative research effort that exemplifies the content-centric approach to networking. NDN has some innate privacy-friendly features, such as the lack of source and destination addresses on packets. However, as discussed in this paper, the NDN architecture prompts some privacy concerns, mainly stemming from the semantic richness of names. We examine privacy-relevant characteristics of NDN and present an initial attempt to achieve communication privacy. Specifically, we design an NDN add-on tool, called ANDaNA, that borrows a number of features from Tor. As we demonstrate via experiments, it provides comparable anonymity with lower relative overhead.

Location Diversity in Anonymity Networks


ABSTRACT
Anonymity networks have long relied on diversity of node location for protection against attacks: typically an adversary who can observe a larger fraction of the network can launch a more effective attack. We investigate the diversity of two deployed anonymity networks, Mixmaster and Tor, with respect to an adversary who controls a single Internet administrative domain. Specifically, we implement a variant of a recently proposed technique that passively estimates the set of administrative domains (also known as autonomous systems, or ASes) between two arbitrary end-hosts without having access to either end of the path. Using this technique, we analyze the AS-level paths that are likely to be used in these anonymity networks. We find several cases in each network where multiple nodes are in the same administrative domain. Further, many paths between nodes, and between nodes and popular endpoints, traverse the same domain.
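The two findings above (relays sharing an administrative domain, and one AS appearing on both the entry and exit sides of a connection) expressed as a circuit check, as an added example that is not the paper's code. The paper obtains AS-level paths with a passive estimation technique; here the relay-to-AS mapping and the AS paths between hosts are constructed lookup tables using ASNs from the documentation range (64496 to 64511), and the relay and host names are made up.

```python
"""AS-level diversity check for candidate Tor circuits (added example).

Not the paper's code. The relay-to-AS mapping and the AS-level paths are
constructed tables (real deployments would take them from BGP data or from
the passive path-estimation technique the paper uses). The check flags the
two conditions the paper measures: relays of one circuit in the same
administrative domain, and an AS that sits on both the client->guard path
and the exit->destination path, which lets a single-domain observer see
both ends of the connection and correlate them.
"""

# Constructed data. Relay -> ASN (documentation-range ASNs).
RELAY_AS = {
    "guard1": 64500, "guard2": 64501, "middle1": 64502,
    "exit1": 64500, "exit2": 64503,
}

# Constructed AS-level paths, endpoints' own ASes included. The client sits
# in AS 64496 and the destination in AS 64505.
AS_PATHS = {
    ("client", "guard1"): [64496, 64497, 64500],
    ("client", "guard2"): [64496, 64498, 64501],
    ("exit1", "www.example.com"): [64500, 64499, 64505],
    ("exit2", "www.example.com"): [64503, 64497, 64505],
}

CANDIDATES = [
    ["guard1", "middle1", "exit1"],   # guard and exit in the same AS
    ["guard1", "middle1", "exit2"],   # transit AS 64497 on both ends
    ["guard2", "middle1", "exit2"],   # diverse
]


def same_domain_relays(circuit, relay_as):
    """ASNs that host two or more relays of the circuit, with the relays."""
    by_as = {}
    for relay in circuit:
        by_as.setdefault(relay_as[relay], []).append(relay)
    return {asn: relays for asn, relays in by_as.items() if len(relays) > 1}


def observing_ases(client, circuit, dest, as_paths):
    """ASes present on both the entry-side and the exit-side path."""
    entry_side = set(as_paths[(client, circuit[0])])
    exit_side = set(as_paths[(circuit[-1], dest)])
    return entry_side & exit_side


def assess(client, circuit, dest, relay_as=RELAY_AS, as_paths=AS_PATHS):
    return {
        "shared_relay_as": same_domain_relays(circuit, relay_as),
        "both_ends_observed_by": observing_ases(client, circuit, dest, as_paths),
    }


def choose_circuit(client, candidates, dest, relay_as=RELAY_AS, as_paths=AS_PATHS):
    """First candidate with neither finding, or None if every candidate fails."""
    for circuit in candidates:
        result = assess(client, circuit, dest, relay_as, as_paths)
        if not result["shared_relay_as"] and not result["both_ends_observed_by"]:
            return circuit
    return None


if __name__ == "__main__":
    for circuit in CANDIDATES:
        print(circuit, assess("client", circuit, "www.example.com"))
    print("chosen:", choose_circuit("client", CANDIDATES, "www.example.com"))
```

Only the third candidate passes: the first has guard and exit in one domain, and the second, although its relays are in three different ASes, is carried by transit AS 64497 both before the guard and after the exit. The client's own AS and the destination's AS always see one end; the finding that matters is an AS seeing both.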

Performance Analysis of Anonymous Communication Channels Provided by Tor


Abstract. Providing anonymity for end-users on the Internet is a very challenging and difficult task. There are currently only a few systems that are of practical relevance for the provision of low-latency anonymity. One of the most important to mention is the Tor network, which is based on onion routing. Practical usage of the system often leads to delays which are not tolerated by the average end-user. This, in turn, discourages many of them from using such systems and hence indirectly lowers the protection of the remaining users due to a smaller user base. In this paper we show to what extent overloaded nodes and links, as well as the geographical diversity of nodes, influence the general performance of Tor communication channels. After that, we propose new methods of path selection for performance-improved onion routing which are based on actively measured latencies and available capacities estimated from passive observations of link-wise throughput.

Enlisting ISPs to Improve Online Privacy: IP Address Mixing by Default


Abstract. Today's Internet architecture makes no deliberate attempt to provide identity privacy: IP addresses are, for example, often static, and the consistent use of a single IP address can leak private information to a remote party. Existing approaches for rectifying this situation and improving identity privacy fall into one of two broad classes: (1) building a privacy-enhancing overlay layer (like Tor) that can run on top of the existing Internet or (2) research into principled but often fundamentally different new architectures. We suggest a middle ground: enlisting ISPs to assist in improving the identity privacy of users in a manner compatible with the existing Internet architecture, ISP best practices, and potential legal requirements.

SCION: Scalability, Control, and Isolation On Next-Generation Networks


Abstract. We present the first Internet architecture designed to provide route control, failure isolation, and explicit trust information for end-to-end communications. SCION separates ASes into groups of independent routing subplanes, called trust domains, which then interconnect to form complete routes. Trust domains provide natural isolation of routing failures and human misconfiguration, give endpoints strong control over both inbound and outbound traffic, provide meaningful and enforceable trust, and enable scalable routing updates with high path freshness. As a result, our architecture provides strong resilience and security properties as an intrinsic consequence of good design principles, avoiding piecemeal add-on protocols as security patches. Meanwhile, SCION only assumes that a few top-tier ISPs in the trust domain are trusted for providing reliable end-to-end communications, thus achieving a small Trusted Computing Base. Both our security analysis and evaluation results show that SCION naturally prevents numerous attacks and provides a high level of resilience, scalability, control, and isolation.

Verifying and enforcing network paths with ICING


ABSTRACT
We describe a new networking primitive, called a Path Verification Mechanism (PVM). There has been much recent work about how senders and receivers express policies about the paths that their packets take. For instance, a company might want fine-grained control over which providers carry which traffic between its branch offices, or a receiver may want traffic sent to it to travel through an intrusion detection service. While the ability to express policies has been well studied, the ability to enforce policies has not. The core challenge is: if we assume an adversarial, decentralized, and high-speed environment, then when a packet arrives at a node, how can the node be sure that the packet followed an approved path? Our solution, ICING, incorporates an optimized cryptographic construction that is compact, and requires negligible configuration state and no PKI. We demonstrate ICING's plausibility with a NetFPGA hardware implementation. At 93% more costly than an IP router on the same platform, its cost is significant but affordable. Indeed, our evaluation suggests that ICING can scale to backbone speeds.
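The core challenge stated above, a node deciding whether an arriving packet really followed an approved path, as an added model that is not ICING's construction. ICING's compact encoding, its consent servers and its derivation of pairwise keys are not reproduced; what the model keeps is the shape of the two checks a node makes, that the sender was authorized to send through this node (consent) and that every approved predecessor actually processed the packet (provenance), using per-hop HMACs over the path and payload. The node names, the path and the key-derivation shortcut are constructed for the example.

```python
"""Path verification, simplified model of a PVM (added example, not ICING).

A packet carries one proof per hop. The sender initializes each hop's proof
with a MAC under a per-hop consent key (standing in for what ICING obtains
from consent servers). Each node that processes the packet verifies its own
proof, then XORs into every later hop's proof a MAC under the pairwise key
it shares with that hop, so a later node can only verify its proof if every
approved predecessor contributed. Keys here come from a constructed
derivation; a real PVM needs real pairwise key establishment.
"""
import hashlib
import hmac

PATH = ["sender", "A", "B", "C"]   # constructed path; index 0 is the sender


def demo_key(*names):
    """Constructed key derivation for the demo only (sorted so that the
    pairwise key of (A, B) equals that of (B, A))."""
    return hashlib.sha256(b"demo:" + "|".join(sorted(names)).encode()).digest()


def mac(key, *parts):
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)   # length-prefixed fields
    return h.digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _bind(packet):
    """What every MAC is bound to: the approved path and the payload."""
    path_id = hashlib.sha256("/".join(packet["path"]).encode()).digest()
    payload_digest = hashlib.sha256(packet["payload"]).digest()
    return path_id, payload_digest


def make_packet(path, payload):
    packet = {"path": list(path), "payload": payload, "proofs": [None] * len(path)}
    path_id, digest = _bind(packet)
    for i in range(1, len(path)):   # proof of consent for each hop
        packet["proofs"][i] = mac(demo_key("consent", path[i]), path_id, digest)
    return packet


def process(packet, node):
    """A node verifies its proof and then contributes provenance for later
    hops. Returns True if the node accepts and forwards the packet."""
    path = packet["path"]
    if node not in path:            # no consent proof exists for this node
        return False
    i = path.index(node)
    path_id, digest = _bind(packet)
    expected = mac(demo_key("consent", node), path_id, digest)
    for j in range(1, i):           # every approved predecessor must have contributed
        expected = xor(expected, mac(demo_key(path[j], node), path_id, digest))
    if not hmac.compare_digest(expected, packet["proofs"][i]):
        return False
    for j in range(i + 1, len(path)):   # proof of provenance for later hops
        packet["proofs"][j] = xor(packet["proofs"][j],
                                  mac(demo_key(node, path[j]), path_id, digest))
    return True


def deliver(packet, hops_taken):
    """Simulate forwarding through hops_taken. Returns the first node that
    rejects the packet, or None if every node accepts."""
    for node in hops_taken:
        if not process(packet, node):
            return node
    return None


if __name__ == "__main__":
    print("approved path:", deliver(make_packet(PATH, b"hello"), ["A", "B", "C"]))
    print("B bypassed:   ", deliver(make_packet(PATH, b"hello"), ["A", "C"]))
```

When B is bypassed, C's expected proof contains the term only B could have added, so C rejects; a modified payload fails at the first node because every MAC is bound to the payload digest; and a node that is not on the approved path has no proof to verify at all.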
