[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] "Seeing through Network-Protocol Obfuscation"

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] "Seeing through Network-Protocol Obfuscation"
From: Yawning Angel <yawning@xxxxxxxxxxxxxxx>
Date: Wed, 19 Aug 2015 18:58:36 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 19 Aug 2015 14:59:00 -0400
In-reply-to: <20150819181303.GE12802@xxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <20150819181303.GE12802@xxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

NB: quickly responding before I go to bed.

On Wed, 19 Aug 2015 14:13:03 -0400
Philipp Winter <phw@xxxxxxxxx> wrote:
> <https://kpdyer.com/publications/ccs2015-measurement.pdf>
> 
> They claim that they are able to detect obfs3, obfs4, FTE, and meek
> using entropy analysis and machine learning.

Not surprised for obfs3/4 since they're mounting an entropy attack which
is explicitly outside of the stated threat model for both protocols.

The FTE semantic attack they presented isn't the easiest one I know of
(the GET request as defined by the regex is pathologically malformed).

Haven't looked at the meek portion of the paper.

> I wonder if their dataset allows for such a conclusion.  They use a
> (admittedly, large) set of flow traces gathered at a college campus.
> One of the traces is from 2010.  The Internet was a different place
> back then.  I would also expect college traces to be very different
> from country-level traces.  For example, the latter should contain
> significantly more file sharing, and other traffic that is considered
> inappropriate in a college setting.  Many countries also have popular
> web sites and applications that might be completely missing in their
> data sets.

Dunno.  Others probably have a better idea on what average internet
traffic looks like these days.

> Considering the rate difference between normal and obfuscated traffic,
> the false positive rate in the analysis is significant.  Trained
> classifiers also seem to do badly when classifying traces they weren't
> trained for.  The authors suggest active probing to reduce false
> positives, but don't mention that this doesn't work against obfs4 and
> meek.

Coming up with something better than obfs4/meek would be nice.  At this
point I'm viewing obfs4 as more of a minimum standard than anything
else.

It's worth noting that Dust2 (mostly done but not yet deployed) can
reduce payload entropy to match a target distribution, but will have
issues with protocol whitelist based DPI.

Regards,

-- 
Yawning Angel

Attachment: pgplI0YleH1fd.pgp
Description: OpenPGP digital signature

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] "Seeing through Network-Protocol Obfuscation"
  - From: Kevin P Dyer

References:
- [tor-dev] "Seeing through Network-Protocol Obfuscation"
  - From: Philipp Winter

Prev by Author: Re: [tor-dev] Is anyone using tor-fw-helper? (Was Re: BOINC-based Tor wrapper)
Next by Author: Re: [tor-dev] Hash Visualizations to Protect Against Onion Phishing
Previous by thread: [tor-dev] "Seeing through Network-Protocol Obfuscation"
Next by thread: Re: [tor-dev] "Seeing through Network-Protocol Obfuscation"
Index(es):
- Author
- Thread