Towards Measuring Unobservability in Anonymous Communication Systems

2.1 Problem statement

More and more users use anonymous communication technology to evade network censorship. Anonymous communication technology can protect the communication content security of the communication parties and the identity information of the communication subject, but it cannot hide the fact that the user is using the technology, that is, an attacker can easily identify that a user is using anonymous communication tools. In addition, modern anonymous communication technology can not eliminate the explicit behavior characteristics of network packets, such as the packet size distribution, network latency, and packet interval, etc. These seemingly useless protocol fingerprint features, actually can effectively help to identify the identity information of network users for the adversary with flow analysis attack capability.

For the flow analysis attacks, the most common countermeasure is protocol masquerading, which is to disguise and imitate the specific implementation of a popular protocol, to confuse the explicit behavior characteristics of the protocol, for example, SkypeMorph^[2] to disguise TOR traffic as Skype video traffic, StegoTorus^[3] to disguise TOR traffic as Skype and HTTP traffic, and CensorSpoofer^[4] to imitate SIP-based VOIP protocol, etc. In fact, in order to fight against flow analysis, TOR has deployed pluggable transports (such as obfs^[16], fte^[17] and Meek^[18], etc.) to support protocol obfuscation and protocol masquerading. Therefore, measuring the degree of unobservability for these protocols is of great significance for evaluating the concealment of the protocol and instructing the design and implementation of future protocols.

The availability problem in low-latency anonymous communication systems is essentially dependent on the degree of unobservability for its communication protocol. This paper focuses on the measurement and evaluation of the unobservability in anonymous communication systems. From the perspective of user’s communication behavior, the unobservability is a computational puzzle, that is, the attacker is not statistically able to confirm or distinguish whether a user is using a particular protocol. Therefore, how to quantify the degree of unobservability for the anonymous communication protocol is quite challenging. This paper will formalize the model of anonymous communication systems, and study whether the anonymous communication protocol and the disguised protocol have statistically distinguishable communication behavior under the model. That is, calculate the relative entropy of the explicit behavioral characteristics of the data packet during the communication to quantify its observability.

2.2 Relevant conception definitions

In this section, we will give an accurate definition of unobservability in anonymous communication systems. This paper adopts the definition given by Pfitzmann et al. in literature [9].

Definition 1.

Anonymity. Anonymity refers to the state in which a communication subject is unrecognizable in a anonymous set.

If an attacker can associate with a sender in the anonymous collection from the obtained information, such as the IP address of the sender, the user is considered identifiable.

Definition 2.

Undetectability. From an attacker’s perspective, the attacker cannot distinguish whether the item of interest exists.

Therefore, anonymity is to study the communication relationship of the communication subjects, and protect their identity information. The research object of undetectability is the item of interest, and protect the communication behavior and communication object.

Definition 3.

Perfect undetectability. When the item of interest is completely indistinguishable, the communication object is considered to be perfectly undetectable.

Definition 4.

Unobservability. Unobservability refers to the state in which the item of interest is indistinguishable from any other communication sets of the same type. The unobservability includes two meanings: the anonymity of the communication subject and undetectability of the communication object.

This paper focuses on the measurement and evaluation of unobservability in anonymous communication systems. Here, we only consider the sender’s unobservability, that is, for a particular message in the sender’s anonymous set, the attacker wants to find out whether this message appears and from which sender during the communication process. The sender here is defined as all possible users.

The degree of unobservability defined in this paper is based on the probability of occurrence for a particular message. That is, after the attacker monitors the anonymous communication system for a period of time, the attacker assigns a probability value to the explicit behavior characteristics of the message that appears during the communication process for each communication subject, which is used to characterize the probability of occurrence for this message.

3.1 Threat model

The degree of observability in the system depends on the attack ability of the adversary, the resources the adversary possesses, and the observability of the explicit behavioral characteristics of the communication protocol itself. In this paper, the adversary is modeled as a passive and local adversary. That is, the adversary can monitor the traffic of the user at the network boundary, thereby observing the explicit behavior characteristics of the communication protocol (such as the packet size and the packet interval, etc.), but cannot falsify, inject or discard the packet. In addition, we also assume that the adversary can only deploy traffic analysis devices at the network boundary, and cannot control the user’s computer. The adversary has limited computing and storage resources, and cannot perform complex calculations in a large-scale backbone network environment. In this section, we will define the attack capabilities of the adversary from three aspects: attack ability, observability and computing resources owned by the adversary:

1. Attack ability
   1. Passive attack. The adversary can deploy a flow analysis systems at the network boundary to monitor and analyze the network flow and the communication behavior of the communication subject.
   2. Active attack. The adversary can manipulate the network flow (such as latency, packet loss, packet content modification and injection attack, etc.).
   3. Proactive Attack. The adversary can simulate the client of the communication system to send packets to actively detect the network status, node behavior characteristics and so on.
2. Visibility
   1. Locally visible. The adversary can only monitor the network boundary (in and out of a network) or part of the network node.
   2. Globally visible. The adversary can monitor the entire communication network node and network traffic.
3. Resources
   1. Limited. The adversary has limited computing and storage resources.
   2. Sufficient. The adversary has sufficient computing and storage resources to collect and capture large-scale network traffic for storage and processing from different network locations.

This paper assumes that the adversaries in real world are local and passive, and have limited computing and storage resources.

4.1 Relative entropy

In information theory, information entropy is defined as the probability of occurrence of stochastic discrete events. Information entropy is usually used to measure the degree of uncertainty of information. Assuming the discrete random variable is $X$, which has $N$ possible values, namely $X\in \left\{x_1,x_2,\dots ,x_N\right\}$, and the probability of occurrence of each value is $p_i=\mathit{Pr}\left(X=x_i\right)$, where $x_i$ is the value of the discrete random variable $X$, then the entropy of the discrete random variable $X$ is defined to be:

Relative entropy, also known as KL divergence (Kull-back-Leibler divergence, KLD), is a measure of how one probability distribution $P$ is different from a second one $Q$. Typically, $P$ represents the true distribution of the data and $Q$ represents the theoretical distribution, the model distribution, or the approximate distribution of $P$. Assuming that $p\left(x\right)$ and $q\left(x\right)$ are two probability density functions of the random variable $X$ the relative entropy between the two is defined to be

if and only if $p\left(x\right)=q\left(x\right)$, $D\left[p\left(x\right),q\left(x\right)\right]=0$.

4.2 How to measure the degree of unobservability

According to the definitions in Section 3, if the anonymous communication protocol $\pi$ is a specific implementation of the target protocol $\tau$ for the given set $O={\left\{{\left\{o_{n,i}\right\}}_{i=1}^M\right\}}_{n=1}^N$, each communication protocol can be modeled as a probability distribution of the data packet on the explicit behavioral features. Assuming that $p_{\pi }$ is the probability distribution of the anonymous communication system on the $i$th feature vector ${\mathit{O}}_i$, similarly, $p_{\tau }$ is the probability distribution of the target protocol on ${\mathit{O}}_i$, where $O$ is the explicit behavior feature vector of the observed packets after the attacker attacks, the relative entropy between the anonymous communication protocol $\pi$ and the target protocol $\tau$ under state $s$ is defined to be

Of these, $s$ is the state of the anonymous communication node, such as handshake state and idle state, etc.

Therefore, based on the relative entropy, we can statistically quantify the degree of unobservability for the communication behavior in the anonymous communication system and the masquerading protocol. When the attacker sees the probability distribution of the explicit behavior characteristics of the anonymous communication protocol on $O$ are completely consistent with that of the target protocol, the relative entropy between them is the smallest, that is, the degree of unobservability for the anonymous communication protocol is the smallest.

Definition 5.

Assuming $S$ is the state set of the anonymous communication system node, $\hat{D}$ is defined to be the relative entropy of the anonymous communication system, denoted as

$$\hat{D}=\frac{1}{\left|S\right|}\sum _{i=1}^{\left|S\right|}\left(D_s\left[p_{\pi },q_{\tau }\right]-D_s\left[p_{\tau },q_{\tau }\right]\right)\text{.}$$

Definition 6.

The maximum relative entropy of the anonymous communication system is defined to be

$$D_M=\underset{s\in S}{\max }\left(D_s\left[p_{\pi },q_{\tau }\right]\right)\text{.}$$

Definition 7.

The degree of unobservability in the anonymous communication system is defined to be

$$d=1-\frac{D_M-\hat{D}}{D_M}\text{.}$$

Therefore, the degree of unobservability in the anonymous communication system can quantify the degree of distinguishability between the anonymous communication system and other protocols in terms of communication behavior. The value range of $d$ is $\left[0,1\right]$. The smaller the $d$ is, the better the unobservability of the protocol is. When $d=0$, the protocol is completely indistinguishable.

5.1 Bridge mechanism introduction

In order to defend against network censorship and flow analysis attacks, TOR proposed a non-public Bridge mechanism. The Bridge node can only be obtained by application to the TOR mail server through Gmail mailbox or from the TOR official website (https://bridges.torproject.org). In order to defend against enumeration attacks, TOR restricts each email address to only obtain a certain number of Bridge nodes within a certain time interval. For webpage mode, TOR also restricts each IP address to only obtain a certain number of Bridge nodes within a certain time interval. In addition, in order to defend against flow analysis attacks, TOR’s Bridge communication protocol imitates the Firefox browser’s TLS handshake process to confuse its traffic characteristics.

5.2 Meek mechanism introduction

Meek is a pluggable transport recently released by the TOR project team. Its goal is to disguise TOR traffic as the traffic to access to the cloud platform. When TOR’s data traffic reaches the cloud computing platform, it will be forwarded to the TOR anonymous network via TOR’s Meek-Server, and finally gets to the real target address. Different from other pluggable transports, it does not imitate a protocol, but runs the target protocol directly. That is, the TOR traffic is encapsulated into the HTTPS payload of Firefox, and the HTTPS protocol header is the protocol header for Firefox to communicate with the cloud platform. After reaching the server of the cloud platform, the HTTPS content is resolved and forwarded to TOR anonymous network via Meek-Server. Therefore, the Meek pluggable transport has the following two advantages:

1. Highly concealed. The Meek pluggable transport runs the target protocol directly rather than masquerades, so its protocol characteristics are very similar to those of the target protocol.

2. There is no need to directly publish the access point address like the Bridge mechanism. Instead, the domain fronting mechanism of the cloud platform is used to allow users to request the domain name of the cloud platform, and then resolve to obtain the IP address. The process is exactly the same as the user’s access to Google’s search service, Amazon and Microsoft cloud platform.

5.3 Experimental methods

In order to measure the degree of unobservability for the pluggable transport in TOR anonymous communication system, we downloaded the latest version of the TOR client software (torbrower-install-4.5.1_zh-CN) from the TOR official website for Windows and Linux platforms, and the built-in Firefox version is Firefox 31.7.0.

Since both Meek and Bridge approaches are masquerading protocols, the method of this experiment is to respectively capture the traffic to visit a website in two TOR modes: Meek-Azure mode and Bridge mode. And then directly access the same URL by Firefox browser. In each mode, the traffic is repeatedly collected 3 times under Windows 7 and Ubuntu respectively. The traffic collected in each mode includes the phases of HTTPS protocol: the handshake phase, the idle phase (waiting for approximately 3 minutes), and the user input data phase (all accessing the same URL). In addition, in order to calculate the degree of unobservability for the Meek and Bridge protocol as well as the disguised Firefox (with Firefox version ESR 31.7.0), this experiment also collected the URL of the Meek-Azure platform directly accessed by the user using the Firefox browser. The collected traffic also includes the protocol handshake phase, the idle phase (waiting for approximately 3 minutes), and the user input data phase (all accessing the same URL).

In order to measure the degree of unobservability for the TOR pluggable transport, we chose the size distribution and packet interval reaching time as the explicit behavior characteristics of the network communication behavior observability. In order to visualize whether the characteristics selected in this paper are distinguishable, we firstly calculated their cumulative distribution function (CDF) for client-to-server (C2S) and server-to-client (S2C) on different platforms (Windows and Ubuntu), as well as the CDF values for direct accessing to HTTPS sites (Azure platform), as shown in Figure 2 and Figure 3. Then, we calculated the relative entropy in different platforms and states according to the approaches proposed in Section 4.2 of this paper, as shown in Table 1 and Table 2. Finally, we gave the measure values for the degree of unobservability in the two TOR modes, respectively Meek mode and the Bridge mode, according to the calculation formula in the anonymous communication system proposed in Section 4.2. In order to show the effect more intuitively, we preprocessed the data and filtered all TCP three-way handshake packets. We made the packet interval accurate to 10 ms. In addition, for the case of $P\left(x\right)=0$, we technically assigned it a small value in this paper, with a probability value of one ten-billionth.

5.4 Experimental results and analysis

In this section we will discuss the experimental results and analyze them accordingly. Figure 2 shows the packet interval distribution of Meek, Bridge and HTTPS (HTTPS of Firefox) with direct-access. From Figure 2, we see that there is little difference for 70% to 80% of the packet interval distribution among Meek, Bridge and HTTPS. However, for Meek's packet, there is a significant jitter at 0.5 to 2 s; while for HTTPS, there is about 20% of the packet interval at 10s.

After manually analyzing the source code of TOR, it is found that Meek’s client will automatically send a heartbeat packet when the connection is idle in order to maintain a long connection to the cloud platform. The heartbeat packet has a random interval between 0.1 and 5 s. When directly access the Azure cloud platform with Firefox, if there is no data, a heartbeat packet will also be sent, and the heartbeat packet interval is 10 s.

Figure 3 shows the packet size distribution for Meek, Bridge, and HTTPS (HTTPS of Firefox). From Figure 3, we can see the following two obvious phenomena:

1. Phenomenon 1. In the Bridge mode, the C2S packet size is concentrated at 600 B. After analysis, it is found that the TOR packet (cell) is a fixed size, which is 597 B under the Windows platform, and 609 B under the Ubuntu platform.

2. Phenomenon 2. In the Meek mode, there is a high proportion for C2S packet size of about 200 B and S2C packet size of about 400 B. After analyzing the source code of TOR, it is found that these are the size of heartbeat packets in TOR’s Meek mode. The size of the heartbeat packet is slightly different under different platforms, and there is no difference under the same platform.

It can be seen directly from Figure 2 and Figure 3 that the TOR’s pluggable transports (Bridge and Meek) still statistically have a significant difference from the masquerading protocol (HTTPS). Now, we will calculate the relative entropy for the packet interval distribution and the packet size distribution respectively in TOR’s Meek mode, TOR’s Bridge mode and HTTPS protocol in different states, as well as the relative entropy of HTTPS compared with itself (the packet captured under the same platform at different times), for example, the relative entropy for C2S packet size distribution and packet interval distribution.

The results in Table 1 and Table 2 show that relative entropy can well describe the statistical similarity between the target protocol and the masquerading protocol. Compared to the packet interval distribution, the packet size distribution can better characterize the degree of distinguishability of explicit behavioral features for TOR pluggable transports. In this paper, we calculated the relative entropy for packet size distribution and packet interval distribution under the same network environment, the same operation system and the same state, so the different calculation results are comparable.

Therefore, according to Equation (6), the degree of unobservability for the Meek and Bridge pluggable transports can be calculated. For the Meek transport, the degree of unobservability under Windows platform is $d=0.54$; while $d=0.36$ under the Ubuntu platform. For the Bridge transport, the degree of unobservability under the Windows platform is $d=0.72$; while $d=0.53$ under the Ubuntu platform. As can be seen from the above values, the degree of unobservability for the Meek is better that for the Bridge mode no matter under the Windows platform or the Ubuntu platform. That is to say, it is statistically more difficult to distinguish the traffic in Meek mode. However, it still has stronger traffic characteristics compared with HTTPS traffic, that is, it is easy to distinguish the traffic of TOR in both Bridge and Meek modes from HTTPS traffic.