[tor-dev] "Seeing through Network-Protocol Obfuscation"
Yawning Angel
yawning at schwanenlied.me
Wed Aug 19 18:58:36 UTC 2015
NB: quickly responding before I go to bed.
On Wed, 19 Aug 2015 14:13:03 -0400
Philipp Winter <phw at nymity.ch> wrote:
> <https://kpdyer.com/publications/ccs2015-measurement.pdf>
>
> They claim that they are able to detect obfs3, obfs4, FTE, and meek
> using entropy analysis and machine learning.
Not surprised for obfs3/4 since they're mounting an entropy attack which
is explicitly outside of the stated threat model for both protocols.
The FTE semantic attack they presented isn't the easiest one I know of
(the GET request as defined by the regex is pathologically malformed).
Haven't looked at the meek portion of the paper.
> I wonder if their dataset allows for such a conclusion. They use a
> (admittedly, large) set of flow traces gathered at a college campus.
> One of the traces is from 2010. The Internet was a different place
> back then. I would also expect college traces to be very different
> from country-level traces. For example, the latter should contain
> significantly more file sharing, and other traffic that is considered
> inappropriate in a college setting. Many countries also have popular
> web sites and applications that might be completely missing in their
> data sets.
Dunno. Others probably have a better idea on what average internet
traffic looks like these days.
> Considering the rate difference between normal and obfuscated traffic,
> the false positive rate in the analysis is significant. Trained
> classifiers also seem to do badly when classifying traces they weren't
> trained for. The authors suggest active probing to reduce false
> positives, but don't mention that this doesn't work against obfs4 and
> meek.
Coming up with something better than obfs4/meek would be nice. At this
point I'm viewing obfs4 as more of a minimum standard than anything
else.
It's worth noting that Dust2 (mostly done but not yet deployed) can
reduce payload entropy to match a target distribution, but will have
issues with protocol whitelist based DPI.
Regards,
--
Yawning Angel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20150819/20cb914e/attachment.sig>
More information about the tor-dev
mailing list