Time-based Network Flow Watermark Detection Technology In Anonymous Communication Systems

With the rapid development of network communication technology,network privacy protection has become the focus of attention.Anonymous communication is an important technique to realize the privacy protection of Internet users.It confuses or conceals the network communication relationship through botnets,steppingstones and anonymous networks.There are many anonymous communication tools available for Internet users to access anonymous network.However,these anonymous communication tools are under growing threat of traffic association and node hijacking,time-based network watermarking technology is currently one of the main threats to anonymous communication,which is used to confirm communication relationship by embedding watermark into the outgoing network flows from the Honeypot deployed at all levels of network gateway or the critical network,and extracting watermark information at other locations of the communication link.These watermarking schemes always can resist typical active and passive channel interference such as network jitter,packet chaffing,packet dechaffing,out-of-order,etc.,to determine whether the traffic contains watermark information is of great significance to achieve further removal of the watermark.In this dissertation,concerning the urgent need of anonymous communication system to resist watermarking attacks,the blind detection technology of network watermarking is studied,the specific works are as follows:(1)The main security threats of existed anonymous communication technologies represented by Tor anonymous network are analyzed,such as route selection attack,DOS attack,passive count attack,watermarking attack,and a comparative analysis of the threat level is given.(2)In order to detect the widely used Interval centroid based watermarking(ICB W)scheme with multiple random secret keys,three types of statistical features are comparatively analyzed,including inter-packet delay,number of packets within a fixed time interval and interval centroid.The sensitivity and stability are adopted as two indicators to measure the applicability of detection features under different network interference,the superiority of interval centroid for watermark detection is verified.(3)Based on the MFA detection and the entropy detection,a multi-flow joint centroid entropy detection scheme is proposed,which exploits the stability variation of the interval centroid of the network traffic before and after the watermark embedding.Experimental results on real SSH data show that the proposed scheme can achieve similar detection accuracy compared to MFA on the detection of single-key ICB W watermarking scheme,and more,it can be used for the detection of the generic interval centroid network watermarking schemes including ICBW with multiple random secret keys.(4)Considering the complexity and diversity of network traffic in Tor anonymous communication system,an adaptive grouping mechanism of network flow is proposed by using the feature differences between different types of network flows.On this basis,this paper further proposes an adaptive multi-flow joint centroid entropy grouping detection scheme.Experimental results on the real Tor data show that this scheme can improve the accuracy and applicability of watermark detection in Tor anonymous networks.