Fingerprinting a flow of messages to an anonymous server

Abstract

We present an attack to locate hidden servers in anonymous common networks. The attack is based on correlating the flow of messages that arrives to a certain server with the flow that is created by the attacker client. The fingerprint is constructed by sending requests, each request determines one interval. To improve the performance a prediction of the time of arrival is done for each request. We propose an optimal detector to decide whether the flow is fingerprinted, based on the Neyman-Pearson lemma. The usefulness of our algorithm is shown for the case of locating a Tor Hidden Service (HS), where we analytically determine the parameters that yield a fixed false positive probability and compute the corresponding detection probability. Finally, we empirically validate our results with a simulator and with a real implementation on the live Tor network. Results show that our algorithm outperforms any other flow watermarking scheme. Our design also yields a small detectability.