Download

IAIK 

www.IAIK.TUGraz.at 

De-anonymizing the Internet… 

…Using Unreliable IDs 

Josef Plasser 

Advanced Computer Networks 

WS 2010/11 

Josef Plasser Graz, 12.01.2011 Advanced Computer Networks 

1

IAIK 


Content 

• Preface 

• Motivation 

• Different Approaches (Solutions) 

• HostTracker 

– Introduction 

– Algorithm 

– Applications 

• Outlook 


2

IAIK 


Preface 

The Internet is… 

… open 

– Easy to gain Access 

– Easy to get Information 

– Easy to provide Information 

– Can be used for self made Applications 

… pseudo anonymous 

– Packet forwarding without reading payload 

– Source Address not necessary for forwarding Packets 

– But: Sniffing is easy in many cases 


3

IAIK 


Preface (2) 

• Advantages: 

– Easy Communication 

– Information Distribution and Gaining also in repressive Countries 

Also important in democratic Countries 

Example: Wiki Leaks 

• Disadvantage: 

– Difficult to avoid cybercriminal actions 

• Distributing malicious code 

• Spam Emails 

• DoS & DDoS Attacks 

• Breaching Copyrights 


4

IAIK 


Preface (3) 

Security versus Privacy 

More and more sensible Applications 

• Payment Applications 

• Different Kinds of Communication 

• E-Government Applications 

• Interconnecting Devices and Data Bases 

• Booking any kind of Tickets 

Use of Internet is still increasing. 

Security gets more and more important! 


5

IAIK 


Motivation 

• Goal: Make the Internet accountable 

Ability to make Hosts responsible for Traffic 

• Problems: 

– Dynamic IP-Addresses 

– Proxy Servers 

– Network Address Translation (NAT) 

– Source Address Spoofing 

– Botnets 

Black-Listing IP-Addresses doesn’t work 


6

IAIK 


Different Approaches (Solutions) 

• Ingress and Egress Filtering 

• IP-traceback techniques 

• Passport 

• Accountable Internet Protocol (AIP) 

– Self-certifying addresses, no PKI 

Changes to existing Routers necessary! 

• Today's Attacks often require TCP connections 

Source Address spoofing difficult 

Botnets 


7

IAIK 


HostTracker - Introduction 

• System developed from a Microsoft Research group 

• Output: 

– Constant Host IDs … Identity Mapping Table 

– Host IDs mapped to IP-Addresses on the Timeline 

…Host-IP binding information 


8

IAIK 


HostTracker – Introduction (2) 

• De-anonymizing the Internet Using Unreliable IDs 

• Unreliable IDs: 

– User Email IDs 

– Messenger Login IDs 

– Social Network IDs 

– Cookies 

• Unreliable: IDs do not exactly correspond to hosts 

• A Group of unreliable IDs become a “virtual Host-ID” 

Identity mapping Table 


9

IAIK 


HostTracker – Introduction (3) 

• To analyse: Application Level events 

(…from the Unreliable IDs) 


10

IAIK 


HostTracker – Algorithm 

1. Each user-ID (E-Mail ID) will be mapped to a unique Host 

2 different Connections, same IP-Address very unlikely 


11

IAIK 


HostTracker – Algorithm (2) 

2. Reestimation of the Mapping Table 

Possibilities: 

• Multiple User IDs share a Host 

• IP i is a Proxy with multiple Hosts 

• u 2 is a Guest User 

2.1 Grouping of multiple User IDs to one common Host 

• Group of Users logged in from one Host strong Correlation 

• If users login very often next to each other Same Host 

• 2 pairs (u 1 , u 2 ) and (u 2 , u 3 ) {u 1 , u 2 , u 3 } 


12

IAIK 



2.2 Graph Construction 

1. Step: Find first and last Timestamp of any User-Login of 

a group w = [t 1 , t 2 ] …. Binding Window at Ip i 

2. Step: Mark all inconsistent Bindings 


13

IAIK 



2.3 Resolve Inconsistency 

1. Step: Proxy / NAT Identification: 

Conflict Binding 

2. Step: Guest Removal 

3. Step: Splitting Groups 


14

IAIK 


HostTracker - Applications 

Host-IP binding information can be used… 

• …to identify infected Botnet Hosts 

and their Email Accounts 

(0,4 % false positive rate) 

• for Host-Aware Blacklists (instead of IP-Blacklists) 

called Tracklists 

Instead of blocking IPs… 

…block infected Hosts! 


15

IAIK 


HostTracker – Applications (2) 

Input Dataset 

• Month-long User-login Trace from a large Email Provider 

• Input Data Volume ~ 330 GB 

• 550 million unique User IDs 

• More than 220 million unique IP Addresses 

Recommended for the Future 

• Also use other User IDs from 

– Social Network IDs 

– Browser Cookies 


16

IAIK 


HostTracker – Applications (3) 

HostTracker is… 

• Good for finding infected Hosts and temporary Blocking 

• But there is a very low false positive rate (0,4 %) ≠ 0 

• It is no good argument to prosecute somebody 

The big advantage… 

HostTracker just analyses Data 

no Router Changes are necessary 


17

IAIK 


Outlook 

• HostTracker could be Part of a Temporary Solution 

• Challenge: Find a good trade-off between Security and Privacy 


18

IAIK 


Thank you! 


19

IAIK 


Discussion 


20

IAIK 


Comment 

This Presentation does not show the entire HostTracker Algorithm. 

The shown functions are only the core functions. If you wanna 

know more details, please look at: 

http://research.microsoft.com/pubs/80964/sigcomm09.pdf 


21

Download

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?