A blind flow fingerprinting and correlation method against disturbed anonymous traffic based on pattern reconstruction

IF 4.4 2区计算机科学 Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE

Computer Networks Pub Date : 2024-09-29 DOI:10.1016/j.comnet.2024.110831

{"title":"A blind flow fingerprinting and correlation method against disturbed anonymous traffic based on pattern reconstruction","authors":"","doi":"10.1016/j.comnet.2024.110831","DOIUrl":null,"url":null,"abstract":"<div><div>Tor is the most widely used anonymous communication system at present which can anonymize users’ network behavior. At the same time, many illegal network activities also appear more frequently with the help of Tor, posing serious challenges for cyberspace security. Therefore, flow fingerprinting and flow correlation analysis methods are put forward to de-anonymize the malicious anonymous behaviors, which utilize external traffic features as the side-channel information. However, the adversary often reduces the ability of above two methods by adding the disturbance to the anonymous traffic. As a countermeasure against the interference, disturbance-resistant analysis methods can effectively identify those adversarial behaviors while knowing how the traffic is modified. However, in real scenarios, it is unrealistic to distinguish between disturbed and non-disturbed anonymous traffic, let alone to have a clear grasp of the disturbing strategy. In this paper, we propose a blind anonymous traffic analysis method called Blind Analyzer based on pattern reconstruction skills in a “masking-generation” manner. Specifically, Blind Analyzer extracts the pattern knowledge from non-disturbed traffic samples by masking and reconstructing them. During the method application, disturbed anonymous traces are processed following the same way, aiming at removing the incremental noise at the masking stage and restoring the original shape at the reconstruction stage. Besides, a conditional discriminator is designed to determine whether the generated sample has obvious class characteristics. Benefited from the proposed method, we can improve the effectiveness of the anonymous network behavior analysis since the disturbed traffic can be restored as normal ones accurately enough. Experiment results on three datasets show that reconstructed traffic samples output by Blind Analyzer are more useful for base analysis models, which improve the corresponding metric values by 11.23% and 6.61% in max for flow fingerprinting and correlation tasks, respectively.</div></div>","PeriodicalId":50637,"journal":{"name":"Computer Networks","volume":null,"pages":null},"PeriodicalIF":4.4000,"publicationDate":"2024-09-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Networks","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1389128624006637","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 0

Abstract

Tor is the most widely used anonymous communication system at present which can anonymize users’ network behavior. At the same time, many illegal network activities also appear more frequently with the help of Tor, posing serious challenges for cyberspace security. Therefore, flow fingerprinting and flow correlation analysis methods are put forward to de-anonymize the malicious anonymous behaviors, which utilize external traffic features as the side-channel information. However, the adversary often reduces the ability of above two methods by adding the disturbance to the anonymous traffic. As a countermeasure against the interference, disturbance-resistant analysis methods can effectively identify those adversarial behaviors while knowing how the traffic is modified. However, in real scenarios, it is unrealistic to distinguish between disturbed and non-disturbed anonymous traffic, let alone to have a clear grasp of the disturbing strategy. In this paper, we propose a blind anonymous traffic analysis method called Blind Analyzer based on pattern reconstruction skills in a “masking-generation” manner. Specifically, Blind Analyzer extracts the pattern knowledge from non-disturbed traffic samples by masking and reconstructing them. During the method application, disturbed anonymous traces are processed following the same way, aiming at removing the incremental noise at the masking stage and restoring the original shape at the reconstruction stage. Besides, a conditional discriminator is designed to determine whether the generated sample has obvious class characteristics. Benefited from the proposed method, we can improve the effectiveness of the anonymous network behavior analysis since the disturbed traffic can be restored as normal ones accurately enough. Experiment results on three datasets show that reconstructed traffic samples output by Blind Analyzer are more useful for base analysis models, which improve the corresponding metric values by 11.23% and 6.61% in max for flow fingerprinting and correlation tasks, respectively.

查看原文本刊更多论文

基于模式重构的受干扰匿名流量盲流指纹识别和关联方法

Tor 是目前应用最广泛的匿名通信系统，可以匿名用户的网络行为。与此同时，许多非法网络活动也借助 Tor 频繁出现，给网络空间安全带来严峻挑战。因此，人们提出了流量指纹识别和流量关联分析方法，利用外部流量特征作为侧信道信息，对恶意匿名行为进行去匿名化处理。然而，对手往往会通过在匿名流量中添加干扰来降低上述两种方法的能力。作为抗干扰的对策，抗干扰分析方法可以在了解流量如何被修改的同时，有效识别这些对抗行为。然而，在实际场景中，区分受干扰和不受干扰的匿名流量是不现实的，更不用说清楚地掌握干扰策略了。在本文中，我们提出了一种基于 "掩码生成 "方式的模式重构技能的匿名流量盲分析方法，称为 "盲分析器"（Blind Analyzer）。具体来说，Blind Analyzer 通过屏蔽和重构非干扰流量样本，从中提取模式知识。在该方法的应用过程中，受干扰的匿名轨迹也按照同样的方法进行处理，目的是在掩蔽阶段去除增量噪声，在重建阶段恢复原始形状。此外，还设计了一个条件判别器来确定生成的样本是否具有明显的类别特征。得益于所提出的方法，我们可以提高匿名网络行为分析的有效性，因为受干扰的流量可以被准确地还原为正常流量。在三个数据集上的实验结果表明，盲分析器输出的重建流量样本对基础分析模型更有用，在流量指纹识别和相关性任务中，相应的指标值最大分别提高了 11.23% 和 6.61%。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computer Networks 工程技术-电信学

CiteScore

10.80

自引率

3.60%

发文量

434

审稿时长

8.6 months

期刊介绍： Computer Networks is an international, archival journal providing a publication vehicle for complete coverage of all topics of interest to those involved in the computer communications networking area. The audience includes researchers, managers and operators of networks as well as designers and implementors. The Editorial Board will consider any material for publication that is of interest to those groups.