Defending Against Traffic Analysis in Wireless Networks Through Traffic Reshaping
Abstract
Traffic analysis has been exploited by attackers to
threaten user privacy in wireless networks. As an example, a
user’s online activities may be exposed to strangers, even if the
traffic is encrypted. However, the existing defense mechanisms
against traffic analysis, such as packet padding and traffic
morphing, are inefficient because they add noise traffic to blur
the traffic features, therefore introducing significant overhead.
In this paper, we propose the traffic reshaping technique
to thwart traffic analysis. It creates multiple virtual media
access control (MAC) interfaces over a single wireless card
and dynamically schedules packets over these interfaces, thereby
reshaping the packet features on each virtual interface. Hence,
features of the original traffic are obscured and unavailable
for the adversary to infer users’ online activities. Unlike the
existing solutions, traffic reshaping enhances privacy protection
without incurring overhead in terms of adding noise traffic. We
evaluate the performance of traffic reshaping through trace-based
experiments. The results show that traffic reshaping is
effective and efficient in defending against the traffic analysis
attacks.
Keywords-Traffic Reshaping, Traffic Analysis, Privacy, Users’
Online Activities, Virtualization
I. INTRODUCTION
Due to the shared-medium nature of wireless links, adversaries
can easily eavesdrop on the traffic from and to a
specific user. Even if the traffic is encrypted, traffic features
are still exposed to adversaries, and the user may suffer
from traffic analysis attacks. Even worse, it may cause
many upper-layer side-channel information leaks, which have
been discovered in various online applications, such as web
browsing [1], [2], video-streaming [3], and voice-over-IP
(VoIP) applications [4], [5].
Traffic analysis extracts identifiable traffic features, such
as packet size, frequency of a packet and the packet interarrival
time, from traffic flows, and then associates the features
with certain facts or secrets. Machine learning techniques,
such as Support Vector Machine (SVM), Neural Network
(NN), Bayesian techniques and Hidden Markov Models
(HMM), can be used to enhance the accuracy of traffic
analysis. Recent studies show that through traffic analysis
an adversary can identify a user’s online activities (e.g., web-browsing,
chatting, online gaming, downloading, uploading,
online video and BitTorrent (BT)) [6] and glean what other
users are browsing [1] in a few seconds with high accuracy.
It turns out that traffic analysis has been a severe threat to
user privacy in wireless networks.
A commonly used technique to defend against traffic
analysis is packet padding [1], [2] (e.g., padding all packets
to the same length), which usually incurs significant communication
overhead, hence it is not an ideal solution. Traffic
morphing [7], which modifies packet sizes to morph the
network traffic from one class to another, is proposed to
defend against traffic analysis in VoIP and web-browsing
applications. But the communication overhead in terms of
the increased payloads, reported from 15.4% to 38.9% [7],
is not negligible.
It is very challenging to defend against traffic analysis
effectively and efficiently. In this paper, we propose a novel
approach, traffic reshaping, to prevent adversaries from
inferring users’ online activities through traffic analysis.
Traffic reshaping creates multiple virtual MAC interfaces
over a single wireless card and dynamically assigns packets
over these interfaces, thereby changing the packet features
on each virtual interface. Since traffic reshaping does not
use packet splitting and reassembling, unlike the existing
approaches (e.g., packet padding and traffic morphing), it
does not incur additional overhead for noise traffic. The
only message overhead introduced by traffic reshaping is
for configuring virtual interfaces. Hence, traffic reshaping
achieves better efficiency and performs well in defending
against traffic analysis. Furthermore, traffic reshaping is a
MAC layer solution and transparent to high level protocols.
We evaluate the performance of traffic reshaping through
trace-based experiments. The results show that the accuracy
of traffic analysis decreases from 83.24% to 43.69% when
the eavesdropping duration is 5 seconds. When the eavesdropping
duration is extended to 1 minute, the accuracy
remains unchanged at 44.49%, as compared with that of
91.86% under the situation without traffic reshaping.
The remainder of this paper is organized as follows.
We present the background of our work in Section II. We
then describe the detailed design of traffic reshaping against
traffic analysis in Section III. In Section IV, we evaluate
the traffic reshaping through real trace-based experiments.
Section V discusses the implications and Section VI summarizes
the related work. Finally, we conclude the paper in
Section VII.
2011 31st International Conference on Distributed Computing Systems
1063-6927/11 $26.00 © 2011 IEEE
DOI 10.1109/ICDCS.2011.77
II. BACKGROUND
A. Attack Model
The shared-medium nature of wireless links poses a great
threat to user privacy. It is easy for an adversary to keep
monitoring traffic traces from and to a specific user with
sniffer software (e.g., Wireshark, Aircrack-ng) in current
wireless local area network (WLAN) settings. Based on these traffic
traces, an attacker is able to identify traffic features and use
traffic analysis to link the features to certain facts or secrets.
As an example, the analysis based on the traffic features
collected in a few seconds in the MAC layer is able to
yield accurate estimation of users’ online activities (i.e.,
the particular network application or service that a user is
running), no matter what encryption schemes are used [6].
A user’s online activities are regarded as highly private and
sensitive, since users usually do not want other persons
in the same WLAN to track what they are doing on the
Internet (e.g., web-browsing, chatting, online gaming and
downloading). In addition, there is a greater risk that an
adversary performs further attacks to get more sensitive
personal information, such as which websites or contents
a particular user is reading.
Traffic features, such as average packet interarrival time,
average packet size and packet size distribution, can be
used to profile users’ actual online activities. For example,
chatting and gaming are low traffic applications with smaller
packets. Downloading and uploading are high traffic applications
with large packet size in downlink and uplink, respectively.
Also, online video demonstrates a relatively stable
data rate and browsing contains bursty traffic. Figure 1 shows
the packet size probability distribution function (PDF) of
seven popular online applications measured in residential
environments (see footnote 1) when the applications receive packets from
the AP. It is obvious that traffic features can be employed
to classify most applications.
Various traffic classification techniques, such as SVM
and NN algorithms, Bayesian techniques and HMM, have been
extensively studied. According to [6], the adversaries can
accurately tell which online applications are active through
SVM and NN algorithms. The accuracy reaches around
80% when the eavesdropping duration is 5 seconds. If
eavesdroppers monitor the traffic for one minute, the classification
accuracy is higher than 90% and even achieves
100% accuracy in most of the situations.
Footnote 1: The received signal strength indicator is around
-50 dBm in the measurement.
[Figure 1. Packet size PDF of seven popular applications on
receiver’s side. X axis: packet size (bytes), 0 to 1600. Y axis:
probability distribution function, 0 to 1. Series: Browsing,
Chatting, Online Gaming, Downloading, Uploading, Online Video,
BitTorrent (BT).]
B. Existing Defense Against Traffic Analysis
The research defending against traffic analysis can be
categorized into the following groups.
Traffic padding and packet padding are presented
in [1], [2], [8], [9] to counter traffic analysis. Although these
approaches may alleviate the problem, they are usually inefficient
and incur high overheads. According to [7], padding
the packets to the Maximum Transmission Unit (MTU)
length of 1500 bytes incurs an overhead of 156.5%, and
the adversary is still able to perform accurate classification
with accuracy 86.2%.
Traffic morphing is proposed in [7] to thwart traffic
analysis by modifying one class of traffic to look like another
class. Hence, traffic morphing reduces the accuracy of
traffic classification while incurring much less overhead than
packet padding. Results in [7] show that the traffic morphing
reduces the VoIP classifier’s accuracy from 71% to 54%
with 15.4% overhead on average. Likewise, the accuracy
of the web classifier is reduced from 98.4% to 63.4% with
38.9% overhead. The overhead of traffic morphing for VoIP
and HTTP applications is not negligible. In addition, traffic
morphing only changes the packet size, hence other features
may still be sufficient for classification.
Identifier-free approaches [10], [11], which conceal the
identifiers (i.e., MAC addresses) of users, can be utilized
to prevent the adversary from associating the traffic features
with the user’s identity, thereby preserving the user’s privacy
in wireless networks. However, the physical layer measurements
on traffic statistics (e.g., received signal strength indicator
(RSSI) values) allow the adversary to link the packets
with a specific user [12]. On the other hand, identifier-free
approaches require encrypting all the packets, including the
packet header, control and management frames, thus the
overhead of encryption and key management cannot be
overlooked.
Frequency hopping changes the frequency of the communication
channel periodically. It was designed to defeat
frequency jamming and has the potential of preventing the
adversary from obtaining the whole traffic traces from a
user [13], thereby mitigating traffic analysis attacks.
Pseudonym schemes [14], [15] randomly change the
MAC address of a user, so that an adversary cannot track
the entire traffic stream between the user and the AP.
However, both frequency hopping and pseudonym schemes
are insufficient to prevent traffic analysis attacks [6], [16],
[10], because they do not obscure the traffic features when
the traffic is partitioned over a single frequency channel or a
specific MAC address. Hence, a single partition (i.e., piece
of traffic trace) may release enough sensitive information
for the adversary to perform traffic analysis accurately.
For example, since pseudonym schemes only change MAC
addresses each session or when idle, all the packets sent
under one pseudonym are still linkable [10].
Physical space security and jamming approaches aim
to reduce the number of packets that can be overheard
by an eavesdropper. Directional antennas that focus
transmissions within a secure physical space, as demonstrated
by Lakshmanan et al. [17] and Sheth et al. [18], and
jamming [19] have been suggested as methods to mitigate
an eavesdropper’s ability to overhear wireless packets. An
intelligent jamming strategy deployed at potential eavesdropper
locations can effectively raise the noise level to
neutralize eavesdroppers, but jamming will also interfere
with legitimate communications and degrade the network’s
performance [12].
In summary, the existing approaches above have the following
shortcomings. (1) Besides packet size,
other traffic features (e.g., packet interarrival time) can
still be used for traffic analysis. (2) The approaches partitioning
the traffic over different frequency channels (i.e.,
frequency hopping) or using different MAC addresses (i.e.,
pseudonym) are at a coarse granularity, so the individual
partitions of traffic may still lead to information leaks.
Further, the traffic partitioning algorithms are naive and
do not change the traffic features in a single partition. If
the adversary accumulates the traffic traces in discrete time
intervals, it is as if the adversary is monitoring all traffic in
a smaller time scale. (3) Communication overhead (e.g., in
padding and traffic morphing) or operational overhead (e.g.,
in identifier-free approaches) cannot be ignored.
In this paper, we use traffic reshaping to overcome the above
shortcomings and show that it is able to significantly improve
the traditional defense against traffic analysis over the
wireless links.
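
A small simulation of the idea summarized above, added here as an illustration and not taken from the paper: it partitions a constructed packet trace across three virtual interfaces and compares per-interface features and byte overhead with padding every packet to the MTU. The size-range scheduling rule, its bounds and the trace are assumptions; this page does not give the paper's scheduling algorithm.

```python
import random
from statistics import mean

MTU = 1500  # padding target from the packet padding comparison on this page

def make_trace(n=2000, seed=7):
    """Constructed downlink trace of (timestamp_s, size_bytes) tuples."""
    rng = random.Random(seed)
    t, trace = 0.0, []
    for _ in range(n):
        t += rng.expovariate(200.0)        # about 5 ms mean interarrival time
        small = rng.random() < 0.3         # 30% small frames, 70% near-MTU frames
        trace.append((t, rng.randint(60, 120) if small else rng.randint(1300, 1500)))
    return trace

def features(trace):
    """Features visible per MAC address even when payloads are encrypted."""
    gaps = [b[0] - a[0] for a, b in zip(trace, trace[1:])]
    return {"packets": len(trace),
            "mean_size": mean(s for _, s in trace),
            "mean_gap": mean(gaps)}

def reshape(trace, bounds=(200, 1400)):
    """Assumed rule: choose the virtual interface by packet-size range.
    Packets are never split, merged or padded."""
    vifs = [[] for _ in range(len(bounds) + 1)]
    for pkt in trace:
        vifs[sum(pkt[1] > b for b in bounds)].append(pkt)
    return vifs

def overhead(trace, sent_sizes):
    """Extra bytes on the air as a fraction of the original bytes.
    Messages for configuring virtual interfaces are not modelled."""
    total = sum(s for _, s in trace)
    return (sum(sent_sizes) - total) / total

if __name__ == "__main__":
    trace = make_trace()
    vifs = reshape(trace)
    print("original   ", features(trace))
    for i, vif in enumerate(vifs):
        print("interface", i, features(vif))   # what an eavesdropper sees per MAC
    print("padding overhead   %.1f%%" % (100 * overhead(trace, [MTU] * len(trace))))
    print("reshaping overhead %.1f%%"
          % (100 * overhead(trace, [s for v in vifs for _, s in v])))
```

Each virtual interface shows a mean packet size and interarrival time that differ from the original flow, while the total bytes sent stay the same.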