Traffic Matrix Approach R. Newman


Topics

Defining anonymity
Need for anonymity
Defining privacy
Threats to anonymity and privacy
Mechanisms to provide anonymity
Metrics for Anonymity
Applications of anonymity technology

Traffic Matrix

Represents traffic patterns
  Not specific to a particular message
  Measure traffic over time window
  Shows traffic from each sender to each recipient
TM(i,j) = traffic sent from i to j
  Can be messages, bits, bytes, or rates

              Receiver
Sender     1    2    3    4
   1       0    3    5    0
   2       1    0    0    9
   3       2    0    0    5
   4       0   11    5    0

Traffic Matrix

[Figure: graph of nodes S1, S2, S3 and S4 with labeled edges, shown beside the same traffic matrix]

All nodes are both senders and receivers, i.e., peers
Topology is a complete digraph of N nodes, i.e., an N-clique
Traffic may be zero, light, moderate, or heavy

Traffic Matrix

[Figure: graph of nodes S1, S2, S3 and S4 with traffic and link-capacity labels]

Links have capacity limits
  These may be symmetric or not (those shown are symmetric)
Traffic that exceeds link capacity must be split over multiple routes

Traffic Matrix

Takes the approach that attacker wants to know traffic patterns
  Not specific to a particular message
  Measure traffic over time window
Global passive adversary
  Sees source & destination for all msgs
"Observed TM" = what attacker observes
  If no countermeasures, then observed TM is the actual TM
Assumes nodes are peers
Assumes nodes are not compromised

TAP Countermeasures

All messages are padded to same length
  Prevent linking messages
Only (visible) source and destination are not encrypted
  Prevent linking messages
  Prevent source/destination linkage

TAP Countermeasures

Node may send dummy messages
  Adds to observed traffic
Node may re-route messages
  Changes observed traffic pattern
Node may delay messages
  Helps obscure message linkage
  Can smooth out flows

Traffic Matrix

TM has all diagonal entries zero
  No self-traffic
T[i,j] = # messages from i to j
TM T dominates T' iff for all i and j, T[i,j] >= T'[i,j]
Neutral TM: all traffic is uniform
  All non-diagonal values are equal
  For all i <> j and i' <> j', T[i,j] = T[i',j']
Unit Neutral TM: all non-diagonal values = 1
Magnitude of Neutral TM is the non-zero value in the TM

Neutral Traffic Matrix

All traffic between all pairs is equal
  Observer cannot distinguish pairs that are engaged in much interaction from those that are engaged in none
What information does Neutral TM give?
  Only an upper bound on the actual possible traffic
  But traffic between a pair can exceed observed traffic between the pair, due to rerouting
May be overkill

Traffic Matrix

Actual TM, Tact
  End-to-end TM not including any countermeasures
  No dummy messages
  No re-routing through intermediaries
Observed TM, Tobs
  End-to-end traffic as observed from addresses
  Includes dummy traffic
  Includes changes due to re-routed traffic

Traffic Matrix

Routes, flow assignments
  Actual TM requires Tact[i,j] messages be sent from i to j in time period
  Each message must either be sent directly from node i to node j
  Or it must follow a longer path from i to j
  Flow assignment dictates how many messages from i to j take each particular route

[Figure: nodes Si, Sj and Sk with link labels; Tact[i,j] = 10, Tobs[i,j] = 5]

Traffic Matrix

Link load = number of messages using link
  Must not exceed link capacity
How might you reroute traffic?

[Figure: graph of nodes S1, S2, S3 and S4 with traffic and link-capacity labels]

Traffic Matrix

Reroute traffic exceeding capacity
  Adds load to links on route
  Must ensure rerouting does not exceed capacity

[Figure: graph of nodes S1, S2, S3 and S4 after rerouting; one link is annotated 3+4=7 > 5]

Traffic Matrix

Reroute traffic exceeding capacity
  Does this work now?
  Yes: link loads all below capacities

[Figure: graph of nodes S1, S2, S3 and S4 after rerouting; links are annotated 3+2=5 and 5+2=7]

Traffic Matrix

Reroute traffic exceeding capacity
Total Traffic Load
  Sum of link loads
What are link loads?

[Figure: graph of nodes S1, S2, S3 and S4 after rerouting]

Source  Dest'n  Load
  1       2     3+2=5
  1       3     5
  1       4     0+2=2
  2       1     1+3=3
  2       3     0
  2       4     9-2=7
  3       1     2
  3       2     0+2=2
  3       4     5
  4       1     0+2=2
  4       2     11-4=7
  4       3     5+2=7
Total Load      42

Traffic Matrix

Feasible TM
  For a given actual TM, any TM for which there exists a set of routes and flow assignments for all senders and destinations such that no link load exceeds the corresponding link capacity
  i.e., actual traffic can be re-routed according to the flow assignments without violating constraints

TAP Countermeasures

Unit Padding Transform
  Transforms TM T to T' by increasing the traffic by unity on a single link
  For some i,j, T'[i,j] = T[i,j]+1 and for all other i',j', T'[i',j'] = T[i',j']

     Tact              Tpad            Tobs
| T11 T12 T13 |     | 0 1 0 |     | T11 T12+1 T13 |
| T21 T22 T23 |  +  | 0 0 0 |  =  | T21 T22   T23 |
| T31 T32 T33 |     | 0 0 0 |     | T31 T32   T33 |

TAP Countermeasures

Unit Rerouting Transform
  Transforms TM T to T' by decreasing the traffic from i to j and increasing it from i to k and from k to j by unity (reroute one i-j message via k)
  For some i,j, T'[i,j] = T[i,j]-1 and
  For some k, T'[i,k] = T[i,k]+1 and T'[k,j] = T[k,j]+1
  for all other i',j', T'[i',j'] = T[i',j']

     Tact               TRR               Tobs
| T11 T12 T13 |     | 0 -1 +1 |     | T11 T12-1 T13+1 |
| T21 T22 T23 |  +  | 0  0  0 |  =  | T21 T22   T23   |
| T31 T32 T33 |     | 0 +1  0 |     | T31 T32+1 T33   |

TAP Countermeasures

Delay not explicitly considered
  Would reduce load in one window
  Increase it on same link in next window
  But we only consider one window here...

Window t:
| T11 T12 T13 |     | 0 -1 0 |     | T11 T12-1 T13 |
| T21 T22 T23 |  +  | 0  0 0 |  =  | T21 T22   T23 |
| T31 T32 T33 |     | 0  0 0 |     | T31 T32   T33 |

Window t+1:
| T11 T12 T13 |     | 0 +1 0 |     | T11 T12+1 T13 |
| T21 T22 T23 |  +  | 0  0 0 |  =  | T21 T22   T23 |
| T31 T32 T33 |     | 0  0 0 |     | T31 T32   T33 |

Achieving Neutrality

Padding
  Pad matrix is sum of scaled unit pad matrices
  One unit pad per i,j pair (where i <> j)
  N(N-1) scaling multipliers
Rerouting
  Reroute matrix is sum of scaled unit reroutes
  One unit reroute matrix per triple (i,j,k)
  N(N-1)(N-2) non-zero scaling multipliers

Achieving Neutrality

Start with Tact
Approach (shown for one row)
  First, reroute to minimize maximum T'[i,j]
    T'[i,j] = Tact + TRR
  Then pad to bring all non-diagonals to max
    Tobs = Tact + TRR + Tpad

[Figure: Tact + TRR gives T'; T' + Tpad gives Tobs]

Cost of Neutrality

Costs
  Increase in load
  Increase in (mean) delay
Load Cost:
  Cost = Load(Tobs) - Load(Tact)
Delay Cost:
  All msgs delivered each period
  Delay measured as increase in avg # hops
  Avg # hops = (1-f) + 2f = 1+f
    Where f = fraction that is rerouted
    All rerouted msgs take path of 2 hops

Cost of Neutrality

Padding only:
  Delay cost = ?
    None (f = 1)
  Load Cost = ?
    = Load(Tobs) - Load(Tact)
    = [Load(Tact) + Padding] - Load(Tact)
    = Padding
    i.e., cost = exactly number of dummy messages
    Which is just the sum of the padding multipliers

Cost of Neutrality

Padding only: Load Cost = ?
  Must pad to highest value in Tact
  Load(Tobs) = (N^2-N) max{Tact[i,j]}
  Padding = (N^2-N) max{Tact[i,j]} - Load(Tact)

   Tact          Tpad          Tobs
| 0 1 8 |     | 0 7 0 |     | 0 8 8 |
| 2 0 1 |  +  | 6 0 7 |  =  | 8 0 8 |
| 5 3 0 |     | 3 5 0 |     | 8 8 0 |

Load(Tact) = 20
Load(Tobs) = 6x8 = 48
Load(Tpad) = 48-20 = 28

Cost of Neutrality

Padding only:
  Load Cost = (N^2-N) max{Tact[i,j]} - Load(Tact)
In practice, the distribution of values in Tact is long-tailed, with many 0's and small numbers
  This leads to very high costs for padding only
Problem gets worse with larger N!
  Larger proportion of non-communicating pairs

Cost of Neutrality

Rerouting only:
  Let T' be TM after rerouting
  T' may not be neutral (pad later)
  Delay cost = ?
    f = ? (average, or per pair)
    f = (#rerouted msgs)/(#actual msgs)
      = [Load(T') - Load(Tact)] / Load(Tact)
      = Load(TRR) / Load(Tact)
    Where TRR is reroute matrix
      T' = Tact + TRR
      Load(TRR) = sum of RR scaling multipliers

Cost of Neutrality

Rerouting only:
  Load Cost = ?
    = Load(T') - Load(Tact)
    = [Load(Tact) + Load(TRR)] - Load(Tact)
    = Load(TRR)
    i.e., cost = exactly number of rerouted messages
    Which is the sum of the reroute multipliers
Approach:
  Reroute first to minimize variance
  Then pad to bring up to neutrality

Cost of Neutrality

Approach:
  Reroute first to minimize variance
  Then pad to bring up to neutrality
In practice
  This approach leads to about a doubling of load
How to find TRR that minimizes cost?
  Want to minimize the maximum value in T'
  Turn into a system of linear inequalities

Linearization of Problem

"Flatten" operator
  Takes a matrix and turns it into a vector
  Row-major order (or column-major by transpose)

f(M) = <M[1,1], M[1,2], ... , M[1,N], M[2,1], ... , M[N,N]>

Linearization of Problem

Let r_abc = number of msgs rerouted from a to c through intermediate node b (reroute quantity)
  R = all N^3 reroute quantities as N^3 x 1 column vector
Let URM_abc = unit reroute matrix for a to c via b
  URM_abc[a,b] = 1, URM_abc[b,c] = 1, URM_abc[a,c] = -1
  All other entries are 0
  N^3 URMs (some of which are all 0's)
Let DM be N^2 x N^3 matrix of flattened URMs
  Each column is a flattened URM
So change TRR due to rerouting is f(TRR) = DM x R

Linearization of Problem

For rerouting given by reroute quantity vector R
And padding given by padding matrix TP
We have:
  f(Tobs) = f(Tact) + f(TRR) + f(TP)
          = f(Tact) + DM x R + f(TP)
We want to minimize the costs of TP and TRR
We have lower bound on possible neutral TMs
  Set target neutral TM, T, to smallest possible
  Use linear programming to find R that satisfies inequality (if one exists)
    DM x R <= f(T) - f(Tact)

Linearization of Problem

We have lower bound on possible neutral TMs
  Set target neutral TM, T, to smallest possible
  T = m times unit neutral TM
  m >= max(Tact)/N
Use linear programming to find R that satisfies inequality (if one exists)
  DM x R <= f(T) - f(Tact)
Iterate (increment m) until R can be satisfied
  Then set f(TP) = f(T) - [f(Tact) + DM x R]
Minimizes max(T[i,j]), hence minimizes costs
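
Added example (not from the original slides): the reroute-then-pad procedure from the Cost of Neutrality and Linearization slides, run on the 3-node Tact of the padding-only slide. An exhaustive search over integer reroute quantities stands in for the linear-programming step, so it is practical only for very small N; all function names are this example's own, and only triples of distinct nodes are given a DM column.

```python
from itertools import product
from math import ceil

# Constructed input: the 3-node Tact shown on the padding-only slide.
T_ACT = [[0, 1, 8],
         [2, 0, 1],
         [5, 3, 0]]

def flatten(m):
    """The flatten operator f(M): row-major vector of the matrix entries."""
    return [x for row in m for x in row]

def load(m):
    return sum(flatten(m))

def padding_only_cost(t_act):
    """(N^2 - N) * max{Tact[i,j]} - Load(Tact)."""
    n = len(t_act)
    return (n * n - n) * max(flatten(t_act)) - load(t_act)

def build_dm(n):
    """DM: one flattened unit reroute matrix per column (distinct a, b, c only)."""
    triples = [(a, b, c) for a in range(n) for b in range(n) for c in range(n)
               if len({a, b, c}) == 3]
    cols = []
    for a, b, c in triples:
        urm = [[0] * n for _ in range(n)]
        urm[a][b], urm[b][c], urm[a][c] = 1, 1, -1
        cols.append(flatten(urm))
    return triples, [[col[k] for col in cols] for k in range(n * n)]

def neutralize(t_act):
    """Smallest m, cheapest R with DM x R <= f(T) - f(Tact), then the padding."""
    n = len(t_act)
    triples, dm = build_dm(n)
    f_act = flatten(t_act)
    off_diag = [i * n + j for i in range(n) for j in range(n) if i != j]
    # Assumption: only real a->c messages are rerouted, so r_abc <= Tact[a][c].
    ranges = [range(t_act[a][c] + 1) for a, _, c in triples]
    m = max(1, ceil(max(f_act) / n))          # the slides' lower bound on m
    while True:
        best = None
        for r in product(*ranges):
            sent = {}
            for (a, _, c), q in zip(triples, r):
                sent[a, c] = sent.get((a, c), 0) + q
            if any(q > t_act[a][c] for (a, c), q in sent.items()):
                continue                      # rerouted more than was actually sent
            f_rr = [sum(d * q for d, q in zip(row, r)) for row in dm]  # DM x R
            if all(f_act[k] + f_rr[k] <= m for k in off_diag):
                if best is None or sum(r) < sum(best[0]):
                    best = (r, f_rr)
        if best:
            break
        m += 1                                # no feasible R: raise the target
    r, f_rr = best
    f_pad = [m - f_act[k] - f_rr[k] if k in off_diag else 0 for k in range(n * n)]
    rerouted = sum(r)
    return {"m": m,
            "reroutes": {t: q for t, q in zip(triples, r) if q},
            "t_pad": [f_pad[i * n:(i + 1) * n] for i in range(n)],
            "load_cost": rerouted + sum(f_pad),      # Load(Tobs) - Load(Tact)
            "avg_hops": 1 + rerouted / load(t_act)}  # 1 + f

if __name__ == "__main__":
    print("padding only:", padding_only_cost(T_ACT))
    print("reroute then pad:", neutralize(T_ACT))
```

Nodes are numbered from 0 in the code, so the reroute key (0, 1, 2) means node 1's traffic to node 3 sent via node 2 in the slides' numbering.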

Network Covert Channels

Can treat the information "leaked" by TMs as covert channel
  Mix-type packets (only src, dest show, all packets are uniform in size, rest encrypted)
How can CC "sender" convey information?
  Sender is a single node
  Sends to "Eve", a local eavesdropper
  Relative traffic volume, absolute volume, order of transmission are still visible
How to minimize (or eliminate) CC?
  Neutral TM eliminates relative volume as signal

Network Covert Channels

How to minimize (or eliminate) CC?
  Neutral TM eliminates relative volume as signal
  Every node always sends indistinguishable packet to every other node every "round"
  Each node always sends to destinations in same order
  Only signal is change in round time intervals
But how to determine reroute quantities?
  Not practical for all nodes to exchange traffic levels
  Want a local decision

Network Covert Channels

Message Sending Policy
  Maintain Tx queues for each destination
    High priority = from other node
    Medium priority = from this node
    Low priority = dummy packet (generated)
  Send packet every period
Message arrival policies
  If dummy from other node, discard
  If rerouted from other node, put into High queue
  If local origin, reroute if dest Med queue occupied
Traffic volume changes Ne

Network Covert Channels

Traffic volume changes
  Negotiate shorter period length if queues stay full
  Negotiate longer period length if queues mostly empty
  All nodes must arrive at consensus
  Single node must dramatically change traffic to force change in period
  This can be audited
Mode-based security
  Don't allow arbitrary period changes
  Only allow particular modes: reduces CC capacity
  Only allow change at end of cycle: lower CC capacity

Network Covert Channels

Mode-based security
  Don't allow arbitrary period changes
  Only allow particular modes
    M modes define allowed period durations
  Only allow change at end of cycle
    Cycle is duration spanning one or more periods
  Capacity is now lg(M)/Tcycle
  Maximum capacity is known
  Attempts to exercise CC can be audited

Generalizations

Given an observed TM, there are limits on possible actual TMs
  The sum of the traffic coming into a node j in Tact cannot exceed the sum of the traffic coming in to node j in Tobs.
  The sum of the traffic coming out of a node i in Tact cannot exceed the sum of the traffic coming out of node i in Tobs.
Although the graphs considered are cliques, the total traffic from node i to node j may exceed the capacity of the (direct) link from i to j due to some traffic being routed through other nodes

Generalizations

Compatible TM
  A TM T is compatible with Tobs iff there exists a set of routes and flow assignments for T that produces T', and Tobs >> T' (domination)
  Let Comp(Tobs) be the set of all TMs compatible with Tobs.
  Note that both Tobs and Tact must be in Comp(Tobs)
In the absence of other information...
  Attacker has no reason to pick one compatible TM over another compatible TM: all equiprobable

Generalizations

Attacker's question
  Is Tact in some set S of TMs or not?
In the absence of side information
  Likelihood is fraction of TMs compatible with Tobs that are in S
Probabilistic approach
  Prob(Tact in S | Tobs) = |Comp(Tobs) ∩ S| / |Comp(Tobs)|
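
Added example (not from the original slides): a brute-force computation of Comp(Tobs) and Prob(Tact in S | Tobs) for N = 3, which a designer can use to measure how much uncertainty a given observed TM leaves. It assumes routes are either direct or via the single remaining node, and that link capacity is not the binding constraint; function names and the sample Tobs are this example's own.

```python
from itertools import product

N = 3
PAIRS = [(a, c) for a in range(N) for c in range(N) if a != c]

# Constructed input: the unit neutral TM on three nodes as the observed TM.
T_OBS = [[0, 1, 1],
         [1, 0, 1],
         [1, 1, 0]]

def via(a, c):
    """The only possible intermediate node when N == 3."""
    return 3 - a - c

def after_reroute(t, r):
    """T' produced from T when r[(a, c)] of the a->c messages go via the third node."""
    tp = [row[:] for row in t]
    for (a, c), q in r.items():
        b = via(a, c)
        tp[a][c] -= q
        tp[a][b] += q
        tp[b][c] += q
    return tp

def dominates(t, u):
    """T dominates U iff T[i,j] >= U[i,j] for all i and j."""
    return all(t[i][j] >= u[i][j] for i in range(N) for j in range(N))

def is_compatible(t, t_obs):
    """True iff some flow assignment for T yields a T' that Tobs dominates."""
    ranges = [range(t[a][c] + 1) for a, c in PAIRS]
    return any(dominates(t_obs, after_reroute(t, dict(zip(PAIRS, qs))))
               for qs in product(*ranges))

def compatible_set(t_obs):
    """Enumerate Comp(Tobs); each entry is bounded by direct plus two-hop room."""
    bounds = [t_obs[a][c] + min(t_obs[a][via(a, c)], t_obs[via(a, c)][c])
              for a, c in PAIRS]
    comp = []
    for vals in product(*(range(b + 1) for b in bounds)):
        t = [[0] * N for _ in range(N)]
        for (a, c), v in zip(PAIRS, vals):
            t[a][c] = v
        if is_compatible(t, t_obs):
            comp.append(t)
    return comp

def prob_in(t_obs, in_s):
    """|Comp(Tobs) intersect S| / |Comp(Tobs)|, with S given as a predicate."""
    comp = compatible_set(t_obs)
    return sum(1 for t in comp if in_s(t)) / len(comp)

if __name__ == "__main__":
    print("|Comp(Tobs)| =", len(compatible_set(T_OBS)))
    print("P(no traffic from node 0 to node 1) =",
          prob_in(T_OBS, lambda t: t[0][1] == 0))
```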

Summary

Neutral TM Approach
  Aims to give nothing to GPA except upper bounds
  All traffic is equal
  Can decide reroute and pad quantities from actual traffic and desired TM
  Can minimize costs associated with achieving neutrality
  May be overkill
Probabilistic TM approach
  Maximize uncertainty of actual TM
  Large number of compatible TMs with various properties

Summary

Anonymity Metrics
  Anonymity Set
    Per message receiver and/or sender
    Possibilistic
  Plausible Deniability
    Crowds approach
    Probability of "guessing right"
  Consistent TM
    Set size
    Subsets corresponding to property of interest can lead to probability approach
  also Covert Channel approach
    Capacity of channel = info leak rate