Tor: Cross Jurisdiction Traffic Monitor and Circuit Reconstruction, DeepCorr Flow AI, App DeAnon

grarpamp grarpamp at
Fri Jan 25 22:55:54 PST 2019

We model and analyze passive adversaries that monitors Tor traffic crossing the
border of a jurisdiction an adversary is controlling. We show that a
single adversary
is able to connect incoming and outgoing traffic of their border,
tracking the traffic,
and cooperating adversaries are able to reconstruct parts of the Tor
network, revealing
user-server relationships. In our analysis we created two algorithms
to estimate the
capabilities of the adversaries. The first generates Tor-like traffic
and the second
analyzes and reconstructs the simulated data.

Flow correlation is the core technique used in a multitude of
deanonymization attacks on Tor. Despite the importance of flow
correlation attacks on Tor, existing flow correlation techniques are
considered to be ineffective and unreliable in linking Tor flows
when applied at a large scale, i.e., they impose high rates of false
positive error rates or require impractically long flow observations
to be able to make reliable correlations. In this paper, we show that,
unfortunately, flow correlation attacks can be conducted on Tor
traffic with drastically higher accuracies than before by leveraging
emerging learning mechanisms. We particularly design a system,
called DeepCorr, that outperforms the state-of-the-art by signifi-
cant margins in correlating Tor connections. DeepCorr leverages
an advanced deep learning architecture to learn a flow correlation
function tailored to Tor's complex network--this is in contrast to
previous works' use of generic statistical correlation metrics to cor-
related Tor flows. We show that with moderate learning, DeepCorr
can correlate Tor connections (and therefore break its anonymity)
with accuracies significantly higher than existing algorithms, and
using substantially shorter lengths of flow observations. For in-
stance, by collecting only about 900 packets of each target Tor flow
(roughly 900KB of Tor data), DeepCorr provides a flow correlation
accuracy of 96% compared to 4% by the state-of-the-art system of
RAPTOR using the same exact setting.
   We hope that our work demonstrates the escalating threat of
flow correlation attacks on Tor given recent advances in learning
algorithms, calling for the timely deployment of effective counter-
measures by the Tor community.

In this work we show that Tor is vulnerable to app deanonymization
attacks on Android devices through network traffic analysis. For this
purpose, we describe a general methodology for performing an attack
that allows to deanonymize the apps running on a target smartphone
using Tor, which is the victim of the attack. Then, we discuss a
Proof-of-Concept, implementing the methodology, that shows how the
attack can be performed in practice and allows to assess the
deanonymization accuracy that it is possible to achieve. While attacks
against Tor anonymity have been already gained considerable attention
in the context of website fingerprinting in desktop environments, to
the best of our knowledge this is the first work that highlights Tor
vulnerability to apps deanonymization attacks on Android devices. In
our experiments we achieved an accuracy of 97%

More information about the cypherpunks mailing list