preventing encrypted traffic analysis
DESCRIPTION
6 January 2011. Preventing Encrypted Traffic Analysis. Nabíl Adam Schear University of Illinois at Urbana-Champaign Department of Computer Science [email protected]. Committee: Nikita Borisov (UIUC-ECE) Karen L. Bintz (Los Alamos National Laboratory) Matthew Caesar (UIUC-CS) - PowerPoint PPT PresentationTRANSCRIPT
Preventing Encrypted Traffic Analysis
Nabíl Adam SchearUniversity of Illinois at Urbana-Champaign
Department of Computer [email protected]
6 January 2011
Committee: Nikita Borisov (UIUC-ECE)
Karen L. Bintz (Los Alamos National Laboratory)Matthew Caesar (UIUC-CS)Carl A. Gunter (UIUC-CS)
David M. Nicol (UIUC-ECE)
For a copy of the slides or dissertation: http://helious.net/
UNCLASSIFIEDOpen Release
LA-UR 11-01317
2
Encrypted Traffic Analysis• Encrypted protocols provide strong confidentiality
through encryption of content
• But – encryption does not mask packet sizes and timing– Privacy can be breached by traffic analysis attacks
• Traffic analysis can recover:– Browsed websites through encrypted proxies– Keystrokes in real-time systems– Language and phrases in VoIP– Identity in anonymity systems– Embedded protocols in tunnels
• Who needs defense against traffic analysis?– Privacy seeking users and enterprises with VPNs, SSL, VoIP,
anonymity networks etc.
3
Bob logs into SSH gateway
SSH Traffic Analysis Attack
SSH Gateway
54523234JA1232542234
Internal Server A
Corporate Network
Bob’s Computer
dejfwoLfowjf2394h
247jfwolf2uenql2394h
237jfwolf2uenql2394h
By keystroke timing, Bob
typed: U-I-U-C
Bob types password for A:
UIUC
Bob starts login to A
4
Defense Detection Attack
Tor Relay Network
Private Tor Bridge
Alice wants to use Tor from China
Port 443
HFA0adfalkjU4;KDJA23ADK542542342AF
HFA0adfdsfaalU213sdfsdf23ADasdfaK
54251234242342AF
Traffic does not match real HTTPSSignature: TOR
HFA0adfalkjU4;KDJA23ADK542542342AF
5
Approach:Realistic Mimicry with TrafficMimic
• Tunneling real data over cover traffic– Force attacker to see cover packet sizes and timings not
real ones– Attacker cannot separate real data from cover padding
because of encryption
• Use realistic model to generate cover traffic– Simultaneously prevent both types of attack– Less overhead and vulnerability than constant rate
techniques
6
Thesis Statement
“Tunneling real data through realistic cover traffic models is a robust defense that
provides balanced performance and security against powerful traffic analysis attacks.”
7
TrafficMimic Goals
• Offer the user choices for performance versus security trade-offs– Quantify risk and performance gain
• Robustly defend traffic analysis and defense detection attacks against a powerful adversary– Favor adversary with resources and access
• Retain realism, practicality, and usability in implementation and evaluation– Ensure that real users can benefit from TrafficMimic
8
Outline
• Introduction• TrafficMimic design and implementation• Independent cover traffic evaluation• Simulation and modeling performance study• Improving performance with biasing• Conclusions and future work
9
Cover Traffic Tunneling
User
Tunnel
header1data EA
Tunnelheader2
data EB
header2
EBTunnel header
data EA
padding
data size not leaked
header1 no longer visible
Timing changed
10
Constant Rate Cover Traffic
• Current state-of-the-art defense– Effective at masking real protocol activity
• Drawbacks:1) Overhead in excess bytes and delay2) Vulnerable to defense detection3) Packet drops identify the flow in mix systems
11
Realistic Cover Traffic
• Goal 1: Generate cover traffic tunnel that prevents attacker from recovering tunneled protocol
Network Data
Models
Learning Playback
5453234JA23254223
dejfwoLfowjf2394hProxy Proxy
HFA0adfdsfaalU213sdfsdf23ADasdfaK
54251234242342AF
HFA0adfalkjU4;KDJA23ADK542542342AF
Real Traffic
Cover
• Goal 2: Generate traffic of protocol X that is indistinguishable from real X traffic
12
Requirements for Secure Traffic Generation
1) Network agnostic– Closed-loop, TCP-based, reactive to live network conditions– Use Swing [Vishwanath06] to capture empirical distributions of
protocol features from a network trace
2) Quality training– Sanitize training network trace data of anomalies– Care in selecting training data to avoid training-based
attacks
3) Synchronized playback– Secure cover traffic generation is bidirectional
• Requires both statistical and heuristic consistency– Single node controls all traffic generation
13
TrafficMimic Design
• Tunnel uses SOCKS/HTTP or port forwarding• Cover traffic specified by type, size, timing• Master controls all cover traffic generation
• Real data encoded into messages• Message data split into fragments that contain
– message chunk, model traffic, and padding
14
Tor Integrations
• Protects individual Tor SSL links from traffic analysis– OP to OR links OR to OR links OP to Bridge links
• Addresses blocking resistant design [Dingledine06]• No code changes required to any Tor components
• Integrate TM end-to-end in Tor with small code change to OR– Can advertise TM ability through existing Tor directory
Solves Alice’s Tor Problem
15
Outline
• Introduction• TrafficMimic design and implementation• Independent cover traffic evaluation• Simulation and modeling performance study• Improving performance with biasing• Conclusions and future work
16
Evaluation Setup
• System Implementation tested on real Internet wide-area links– Montreal (MN) to London (UK)– Urbana (IL) to San Diego (CA)
• Cover protocol models:– HTTPS, SMTP, and SSH– Fixed 28kbps constant rate model
• Three sets of network traces (~1 hour each)– CAIDA, Jan/Feb 2009, equinix-chicago monitor– UNC, April 20/29, 2003, campus border link– LANL, Sept 2009, external gateway link
Link RTT
MN-UK 85ms
IL-CA 63MS
17
Protocol Classification Attack• Distill connections into network agnostic feature vectors
– Feature selection based, in part, on prior work• Use supervised learning to identify unknown protocols
– Weighted K-nearest neighbor algorithm for classification, K=3– Inter-cluster and distance threshold anomaly detection schemes
Protocol Accuracy F-Score
SSH 95.1% 0.886SMTP 88.7% 0.863
HTTPS 90.5% 0.874
Protocol Accuracy F-Score
SSH 92.3% 0.78SMTP 85.2% 0.748
HTTPS 82.0% 0.791
CAIDA/CAIDA CAIDA/LANL
Consistent with [Wright06]
• First to evaluate realistic attack• Accuracy suffers ~10% with
different test network
18
Classifying Cover Traffic• 73% accuracy fooling
classifier with realistic traffic– 91% of best rate for real
traffic• Constant rate schemes
easily detected with anomaly algorithms
• What if we let the attacker train on TrafficMimic generated traffic with a binary classifier?- With independent HTTPS training/test sets and Internet Links- Accuracy: 49.4% (worse than random guessing)
19
100KB Transfer over Cover Traffic• Need to put real load on cover traffic to test performance
• HTTPS-resp and SMTP high bandwidth, low overhead• HTTPS-req and SSH asymmetric bytes sent/received
- poor performance and high overhead
20
Web Site Load Time Slowdown
• HTTPS provides best real/cover match• SMTP (not shown) very poor
- due to long wait times and relatively small response stream• Performance impact is considerable when compared with native
21
Outline
• Introduction• TrafficMimic design and implementation• Independent cover traffic evaluation• Simulation and modeling performance
study• Improving performance with biasing• Conclusions and future work
22
Performance Study
• Deeper understanding of performance with simulation/modeling
• Questions– Cover traffic tunneling impact on user experience?– Overhead compared to transmitting without cover traffic?– Dependence on relationship between real and cover traffic?
• We assess these impacts with:– tunnel-free network properties derived from simulation– real trace-driven protocol models– analytic models of cover traffic tunneling
23
Simulation Model
• Larger cover sizes have higher TCP efficiency
• Conversely, large cover sizes delay real traffic– On startup waiting for next
cover to begin– On final chunk waiting for end
100 Mbit/s50 ms delay
1.5 Mbit/s20 ms delay
1.5 Mbit/s20 ms delay
client server
• Use bidirectional model of traffic based on HTTP• Collect real HTTP traffic patterns from UNC traces
- Requests are normally distributed- Responses are not, heavy tails- Use clustering to create response categories
Simulated Network
24
Developing an Analytic Model
• Create bidirectional HTTP-like model based on– On-Off renewal processes
• How do we model the real delay of sending data?– Three components: startup, request, response
25
Model Validation
• Use tunnel-free network data from simulation to validate tunneled response delay
• Need to make some simplifying assumptions about data– Normally distributed responses– Exponentially distributed inter-
session timing– Capture all network link
properties with single transmission cost
Model error: 3.57%Simulation error: 3.97%
Larger real load yields higher model accuracy
26
Investigating Slowdown• Use Discrete-time
Markov chain• Find Slowdown: steady-
state probability for real transmission conditioned on availability of real
– Decreasing function of cover session utilization
– Real size larger than cover yields higher slowdown
– Increasing cover sizes with high utilization yields best performance
27
Performance Observations
• Best when there is plenty of cover traffic to carry real– Similar to intuition for constant rate cover traffic
• But mismatches between real and cover are painful– Cover too small, wait time hurts– Cover too large, real traffic has to wait for next cover to begin
• Even when size ratio is favorable low utilization yields high slowdown
• Waiting times dominate effects of padding and network transmission
28
Outline
• Introduction• TrafficMimic design and implementation• Independent cover traffic evaluation• Simulation and modeling performance study• Improving performance with biasing• Conclusions and future work
29
Performance Enhancements
• So far: prevent attack using independent cover traffic– Attacker inference cannot recover information from real flow
• Can we relax strict independence without sacrificing security?– Against both traffic analysis and defense detection– Need to quantify security impact
• Concept: influence the traffic generation process with biasing
30
Recall: Model-Based Traffic Generation
• Collect ECDF of structural features• Sample features using:
– uniform [0,1] random variable– inverse transform sampling
• Bias parameter selection given current real state– Biased samples still come from empirical data
UserSessions
Application ProtocolConnections
Feature ECDFs
Bias
Real state
Optimized sample
Swing
31
Biasing: Two Techniques
• Functional– Create probability distribution that parameterizes biasing
effect– Derive CDF by integration and invert to select samples
• Algorithmic– Select optimized structural sample with iterative algorithm
• Goals:– Avoid splitting real objects– Minimize overhead
Minimize waiting
32
Functional Biasing Example:Probability Split
• PDF given by
• x0 is the optimal point, perfect biasing– Given by the current/recent needs of the real traffic
• Derive inverse CDF F-1 of distribution by integration• Parameter p controls height of left side of x0
– standardize bias factor relation to p
p 1
33
Functional Biasing Distributions
34
Algorithmic Biasing
• Directly try to achieve biasing goals with algorithm
• Try Try Again (TTA)– Select sample from empirical CDF– If greater than real buffer size, use it– If not, repeat up to R times
• Linear algorithm takes first sample that does not split• Optimal algorithm finds minimum of all R samples
that does not split
35
Algorithmic Biasing IllustratedUnbiased Geometric
Optimal TTA
Optimal value shown in red
Linear TTA
36
Simulator
• Simulate 20,000 real objects being sent by a variable number of cover sizes
• Estimate performance with– Number of cover sessions (num splits)– Excess padding needed in final cover (overage)
• Simulation outputs results in tuples:– Denote random variables corresponding to these values Qsim
and Csim
€
qsim i,c i( )
37
Attacking Biasing
• Deduce the real size given observation of cover size using:– Bayesian inference– Maximum likelihood estimation
• Real attack contains history of multiple cover sizes- Approximate real attack by inferring estimate qest from
individual ci observations
• Theoretical attack used for quantifying security impact of biasing– Performance in practice does not recover actionable
information (acc ~5%)
38
Quantifying Information Leakage
• Use information theory: Mutual Information
• Intuitively: given two RV Qsim and Qest: measure how much knowing one variable reduces our uncertainty about the other– Measured in bits per sample pair
• Mathematically:
39
Mutual Information EstimatorOur Bayesian inference:
where m represents the additional information about dist of Csim
Now consider a simplified inference function:
Qest has strictly more information than Qg, thus:
MI computed from ci order of magnitude faster to compute
40
HTTPS Biasing Performance
Performance
• Biasing can improve performance by factor of 2– Significantly fewer splits than constantMTU
• Information leakage higher with linear functional techniques• Lowest MI with algorithmic and expBias
Security
41
SSH over SMTP Responses
• Swapping causes large information leakage in exchange for huge performance improvement
• SMTP large request stream, small protocol-only response stream
• SSH smaller request stream, variable response stream
• Causes SMTP protocol model to “swap” sent/received ratio
42
HTTP Request over HTTP Response
• Over provisioned cover model– Minimal impact on
session performance
• Several techniques can reduce overhead
43
Defense Detection
• Recall: using realistic models prevents adversary from detecting TrafficMimic
• But biasing destroys pristine cover model!
• Solution: sample without replacement within a window of L samples- Replenish when subset is exhausted- Distribution is consistent with original within L observations
44
Defense Detection Attack:Kolmogorov-Smirnov Test
• Attacker checks observed distribution with window W– make determination about
defense detection quicker• Attacker detection
advantage when L>W• Defender performance
advantage with larger L
• Vary L and show maximum attack W with 95% confidence of proving that observed distribution is abnormal- Because of noise in real distributions, attacker must limit W to 50- While defender can safely use up to L=300
45
Performance of Limiting L
• Larger than expected improvement even with very small L
• Performance continues to improve modestly- 7.8% fewer session at
L=5000
• Conservatively use L=100 for further experiments
OptimalTTA on HTTPS
46
Sampling Without Replacement
• Much lower information leakage compared to sampling with replacement– Very low Bayesian attack accuracy
• Performance improvement due to splitting avoided when subset is still large (early optimization)– 55% increase in splits without replacement
47
Trade-Offs• Simulations can help drive traffic combination choices
– Relative importance of MI, overhead, and splits varies
48
Bias Implementation
• Critical parameter to biasing: current real state– Master needs slave and local event loop buffer state to select
biased traffic parameters– Maintain synchronous control of traffic generation at master
• Feedback– Report real buffer state to master model thread through traffic
confirmations used for model synchronization– Potential for stale information, especially from slave
• Split Biasing– Pre-sample R samples from distribution in model thread and defer
parameter selection until just before transmission– For algorithmic techniques only where R is relatively small
49
• Linear algorithms can best use distribution tails– Due to x0~=1 for much of the transfer
• Algorithmic approaches have smaller working set (<10)– Still provide modest improvements in bandwidth– Safest approaches for unknown/variable traffic combinations
Bulk Transfer over HTTP-resp
50
• 3.5-5.5x improvement in bandwidth– Small SSH request stream not well suited to bulk transfer
• Bidirectional overhead reduction for HTTPS and SSH– SMTP already minimal overhead because of small response stream
Bulk Transfer with OptimalTTA
51
Website Load Times with OptimalTTA
• 2.5-9.5x improvement in load time compared to independent cover models- HTTPS-Split takes 6-19 seconds to load pages
• SMTP cover traffic still impractical for most uses• Split biasing provides small advantage over feedback
52
Outline
• Introduction• TrafficMimic design and implementation• Independent cover traffic evaluation• Simulation and modeling performance study• Improving performance with biasing• Conclusions and future work
53
Recall: Thesis Statement
• Robust defense to powerful attack– Tested against generic protocol classification, Bayesian
Inference, and KS-test attacks
• Offers users more performance/security trade-offs– Biasing study helps users decide how to combine protocols– Algorithmic biasing provides safest performance boost
• Practical design, evaluation, and deployment– Used real network data, system implementations, and
Internet evaluation to prove effectiveness– Provided integration with existing privacy tools to aid adoption
54
Conclusions
• Traffic Analysis is daunting security challenge with few deployable defenses– New and existing attacks growing in effectiveness
• TrafficMimic addresses the traffic analysis defense gap– Mimicked realistic cover traffic with 91% accuracy against
powerful protocol classification attack– Resists defense detection and traffic analysis simultaneously– Up to 9x performance increase with biasing
55
Usable Technology Transition
• Integration with existing services– E.g., Tor Anonymity network, VPN clients
• Integrate with OpenSSL library – Allows arbitrary applications to utilize TrafficMimic without
code modification– Platform dependent if using library hooking
• Continue development/adoption of TrafficMimic as a stand-alone proxy– Could be Jack of all trades, but master of none