Traffic Morphing: An Efficient DefenseAgainst Statistical Traffic Analysis
Presented by Yang Gao11/2/2011
Charles V. WrightMIT Lincoln Laboratory
Scott E. CoullJohns Hopkins University
Fabian MonroseUniversity of North Carolina
Outline Potential Hazards Counter measures and Traffic
Morphing How it works? Evaluation and Results
Privacy Security
Privacy Security
Packet Sizeand
Timing Information
Privacy Leakage
Classification ToolsLanguage of a VoIP
callPassword in SSH
Web browsing habits...
How does the attack happen
Webpage browsing Statistical Identification of Encrypted
Web Browsing Traffic (Sun,Q. Stanford University)
A 2000 sample from
100,000 WebPages
Only Objects number and
sizes are recorded
Jaccard’s coefficient
Trained classifier
How does the attack happen
Webpage browsing Statistical Identification of Encrypted
Web Browsing Traffic (Sun,Q. Et Stanford University)
Inferring the Source of Encrypted HTTP Connections (Marc Liberatore and Brian Neil Levine UMA)
Identification of Encrypted VoIP Traffic
Results of the Classifiers
Outline Potential Hazards Counter measures and Traffic
Morphing How it works? Evaluation and Results
Countermeasures Padding Mimicking Morphing Sending at fixed time
intervals(counter the timing analysis)
Comparison
Traffic Morphing
morphing
morphing
How does the morphing work?
L1 L2L1
L2 L1 L2
NL1 : NL2 = 2 : 1
NL1 : NL2 = 1 : 2
Outline Potential Hazards Counter measures and Traffic
Morphing How it works? Evaluation and Results
Traffic Morphing Goals
Good resemblance in packet size distribution
Less overhead Steps
Morphing matrix construction
Morphing MatrixSize x1
Size xn
Size y1
Size yn
2*n equations and n2 unknowns
How to solve these equations?
We won't solve them directly. Convex Optimization
Cost Function
Restrictions
Example
L1 L2L1
L2 L1 L2
Example
L1 L2L1
L1L2 L2
Reduce?Add more constrains to avoid this situation.
Steps for Traffic Morphing Matrix Construction
Select the source process and calculate the probability distribution of the packets size.
Select the target process and calculate the probability distribution of the packets size.
Solve the morphing matrix with optimization method which could minimize the cost while following the restrictions.
Traffic Morphing Get the packet to send. set up a random number to select the element in the matrix Calculate the corresponding packet size. Padding or reduce the packet size Transmit the new packet.
Traffic Morphing Goals
Good resemblance in packet size distribution
Less overhead Steps
Morphing matrix construction Additional Morphing Constraints
Pitfall 1 System is over-specified
Y = AX Solution:
Multi-level programming Find Z which is closest to Y Find A which such that most efficiently maps
X to Z Z=A’X => Minimize( fd(Y,Z) ) Z=AX => Minimize( f0(A) )
Traffic Morphing Goals
Good resemblance in packet size distribution
Less overhead Steps
Morphing matrix construction Additional Morphing Constraints Dealing with Large Sample Spaces
Pitfall 2 Pool Scalability
Pentium 4 2.8G run 1 hr for 80x80 matrix with 6560 constraints
MTU(40~1500) means 1460x1460 Matrix
Solution Multi-level method Sub-matrix Morphing
Multi-level method
Traffic Morphing in sum Goals
Good resemblance in packet size distribution
Less overhead Steps
Morphing matrix construction Convex optimization
Additional Morphing Constraints 2 level Multi-level programming
Dealing with Large Sample Spaces Sub-matrix Morphing
Outline Potential Hazards Counter measures and Traffic
Morphing How it works? Evaluation and Results
Evaluation Encrypted Voice over IP Web Page Identification
Defeating Original Classifier Evaluating Indistinguishability
Encrypted Voice over IP Language Identification of Encrypted
VoIP Traffic:Alejandra y Roberto or Alice and Bob?
Charles V. Wright Lucas Ballard Fabian Monrose Gerald M. Massonfrom Department of Computer Science
Johns Hopkins University
White box encode
Why even the encrypted voice packet will leak information
Unigram frequencies of bit rates
2-gram resemblance
Blackbox
Results for original classifier
Results for Indistinguishablity
Overhead
Web page Identification
Overhead
Practical Considerations Short Network Sessions
Short of packets generated by source? Keep generating until reach a distance
threshold Variations in Source Distribution
Packets size difference for training and using? Divide and conquer
Reduced Packet Sizes How to deal with the reduced packet size in
HTTP Packing to the next
Traffic Morphing in a nut shell
Resemblance Morphing Matrix Convex Optimization
Overhead Minimization Additional Morphing Constraints Dealing with Large Sample Spaces
Practical Considerations Short Network Sessions Variations in Source Distribution Reduced Packet Sizes
Conclusion User privacy are vulnerable even
under encryption protected. Traffic morphing is effective and
robust Traffic morphing is applicable. Traffic morphing is much more
efficient than padding.
Discussion The other side of morphing
Anti-intrude-detection. Mimicry attack
System call sequence
Malicious call combination
library
deny
accept
morphing
Thank you!