TY - GEN
T1 - Inflow
T2 - 2018 IEEE Conference on Computer Communications, INFOCOM 2018
AU - Iacovazzi, Alfonso
AU - Sarda, Sanat
AU - Elovici, Yuval
N1 - Publisher Copyright: © 2018 IEEE.
PY - 2018/10/8
Y1 - 2018/10/8
AB - TOR is a well-known and established anonymous network that has increasingly been abused by services distributing and hosting content, in most cases images and videos, that are illegal or morally deplorable (e.g., child pornography content). Law enforcement continually tries to identify the users and providers of such content. State of the art techniques to breach TOR's anonymity are usually based on passive and active network traffic analysis, and rely on the ability of the deanonymization entity to control TOR's edge communication. Despite this, locating hidden servers and linking illegal content with those providing and spreading this content remains an open and controversial issue. In this paper, we describe Inflow, a new technique to identify hidden servers based on inverse flow watermarking. Inflow exploits the influence of congestion mechanisms on the traffic passing through the TOR network. Inflow drops bursts of packets for short time intervals on the receiving side of a traffic flow coming from a hidden server and passing through the TOR network. Packet dropping affects the TOR flow control and causes time gaps in flows observed on the hidden server side. By controlling the communication edges and detecting the watermarking gaps, Inflow is able to detect the hidden server. Our results, obtained by means of empirical experiments performed on the real TOR network, show true positive rates in the range of 90 to 98%.
KW - Hidden service
KW - TOR
KW - Traceback
KW - Watermark
UR - http://www.scopus.com/inward/record.url?scp=85056204117&partnerID=8YFLogxK
U2 - 10.1109/INFOCOM.2018.8486375
DO - 10.1109/INFOCOM.2018.8486375
M3 - Conference contribution
T3 - Proceedings - IEEE INFOCOM
SP - 747
EP - 755
BT - INFOCOM 2018 - IEEE Conference on Computer Communications
Y2 - 15 April 2018 through 19 April 2018
ER -