SubRosa 2: An experimental evaluation of timing analysis attacks and defenses in anonymity systems

A circuit-based low-latency anonymous communication service such as Tor helps Internet users hide their IP addresses and thereby conceal their identities when communicating online. However, this kind of service is vulnerable to timing analysis attacks that can discern the relationship between incoming and outgoing messages in order to find correlations between them. The attacker can use this information to reveal the idenity of the internet users without knowing the IP addresses concealed in the anonymous communication services.;Dependent link padding (DLP) is a scheme propsed to enable anonymity systems to resist these attacks. However, DLP adds high overhead from dummy packets in the network systems, resulting in poor quality of service.;We have developed a Tor-like experimental evaluation platform called SubRosa 2 for studying and investigating the overall dummy packets overhead on each scheme that is used to prevent timing timing analysis attacks. We have developed our platform on real distributed networks by using the DETERLab network testbed, which is a public facility for medium-scale repeatable experiments in computer security. In our experiments, we evaluated DLP and reduced overhead dependent link padding (RO-DLP). Furthermore, We compared these schemes to a recently-proposed technique called selective grouping (SG) that aims to further reduce overhead from dummy packets in the padding algorithms at the cost of some anonymity.;Through evaluations of the whole anonymity systems, we validated that RO-DLP could significantly reduce dummy packet overhead and enable larger number of users to be protected from timing analysis attacks in comparision to DLP implementation. We also showed that SG could practically reduce the network overhead with a lower ratio of dummy packets overhead reduction than the previous work proposed. We also deeply investigated the factors and causes to explain the lower ratio of reduction when we implemented SG on the real distributed networks. Furthermore, we performed the partial implementation of SG on some mix nodes with a circuit to compare the results with full implementation of SG. Finally, we showed that SG could enable larger numbers of users participated in the systems when compared with DLP and RO-DLP without SG.