{"title":"A blind flow fingerprinting and correlation method against disturbed anonymous traffic based on pattern reconstruction","authors":"Zhong Guan, Chang Liu, Gaopeng Gou, Zhen Li, Gang Xiong, Yangyang Ding, Chengshang Hou","doi":"10.1016/j.comnet.2024.110831","DOIUrl":null,"url":null,"abstract":"<div><div>Tor is the most widely used anonymous communication system at present which can anonymize users’ network behavior. At the same time, many illegal network activities also appear more frequently with the help of Tor, posing serious challenges for cyberspace security. Therefore, flow fingerprinting and flow correlation analysis methods are put forward to de-anonymize the malicious anonymous behaviors, which utilize external traffic features as the side-channel information. However, the adversary often reduces the ability of above two methods by adding the disturbance to the anonymous traffic. As a countermeasure against the interference, disturbance-resistant analysis methods can effectively identify those adversarial behaviors while knowing how the traffic is modified. However, in real scenarios, it is unrealistic to distinguish between disturbed and non-disturbed anonymous traffic, let alone to have a clear grasp of the disturbing strategy. In this paper, we propose a blind anonymous traffic analysis method called Blind Analyzer based on pattern reconstruction skills in a “masking-generation” manner. Specifically, Blind Analyzer extracts the pattern knowledge from non-disturbed traffic samples by masking and reconstructing them. During the method application, disturbed anonymous traces are processed following the same way, aiming at removing the incremental noise at the masking stage and restoring the original shape at the reconstruction stage. Besides, a conditional discriminator is designed to determine whether the generated sample has obvious class characteristics. 
Benefited from the proposed method, we can improve the effectiveness of the anonymous network behavior analysis since the disturbed traffic can be restored as normal ones accurately enough. Experiment results on three datasets show that reconstructed traffic samples output by Blind Analyzer are more useful for base analysis models, which improve the corresponding metric values by 11.23% and 6.61% in max for flow fingerprinting and correlation tasks, respectively.</div></div>","PeriodicalId":50637,"journal":{"name":"Computer Networks","volume":null,"pages":null},"PeriodicalIF":4.4000,"publicationDate":"2024-09-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Networks","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1389128624006637","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}
Citations: 0
Abstract
Tor is currently the most widely used anonymous communication system, anonymizing users’ network behavior. At the same time, many illegal network activities also appear more frequently with the help of Tor, posing serious challenges for cyberspace security. Flow fingerprinting and flow correlation analysis methods have therefore been put forward to de-anonymize malicious anonymous behaviors, using external traffic features as side-channel information. However, the adversary often reduces the ability of these two methods by adding disturbance to the anonymous traffic. As a countermeasure against this interference, disturbance-resistant analysis methods can effectively identify those adversarial behaviors, provided they know how the traffic is modified. In real scenarios, however, it is unrealistic to distinguish between disturbed and non-disturbed anonymous traffic, let alone to have a clear grasp of the disturbing strategy. In this paper, we propose a blind anonymous traffic analysis method called Blind Analyzer, based on pattern reconstruction in a “masking-generation” manner. Specifically, Blind Analyzer extracts pattern knowledge from non-disturbed traffic samples by masking and reconstructing them. When the method is applied, disturbed anonymous traces are processed in the same way, with the aim of removing the incremental noise at the masking stage and restoring the original shape at the reconstruction stage. In addition, a conditional discriminator is designed to determine whether the generated sample has obvious class characteristics. With the proposed method, the effectiveness of anonymous network behavior analysis improves, since disturbed traffic can be restored to normal traffic accurately enough. Experimental results on three datasets show that the reconstructed traffic samples output by Blind Analyzer are more useful for base analysis models, improving the corresponding metric values by up to 11.23% and 6.61% for flow fingerprinting and correlation tasks, respectively.
About the journal:
Computer Networks is an international, archival journal providing a publication vehicle for complete coverage of all topics of interest to those involved in the computer communications networking area. The audience includes researchers, managers and operators of networks as well as designers and implementors. The Editorial Board will consider any material for publication that is of interest to those groups.