IAIK<br />
www.IAIK.TUGraz.at<br />
De-anonymizing the Internet…<br />
…Using Unreliable IDs<br />
Josef Plasser<br />
Advanced Computer Networks<br />
WS 2010/11<br />
Josef Plasser Graz, 12.01.2011 Advanced Computer Networks<br />
Content<br />
• Preface<br />
• Motivation<br />
• Different Approaches (Solutions)<br />
• HostTracker<br />
– Introduction<br />
– Algorithm<br />
– Applications<br />
• Outlook<br />
Preface<br />
The Internet is…<br />
… open<br />
– Easy to gain Access<br />
– Easy to get Information<br />
– Easy to provide Information<br />
– Can be used for self-made Applications<br />
… pseudo-anonymous<br />
– Packet forwarding without reading payload<br />
– Source Address not necessary for forwarding Packets<br />
– But: Sniffing is easy in many cases<br />
Preface (2)<br />
• Advantages:<br />
– Easy Communication<br />
– Distributing and obtaining Information, even in repressive Countries<br />
Also important in democratic Countries<br />
Example: WikiLeaks<br />
• Disadvantage:<br />
– Difficult to prevent cybercriminal Actions<br />
• Distributing malicious code<br />
• Spam Emails<br />
• DoS & DDoS Attacks<br />
• Breaching Copyrights<br />
Preface (3)<br />
Security versus Privacy<br />
More and more sensitive Applications<br />
• Payment Applications<br />
• Different Kinds of Communication<br />
• E-Government Applications<br />
• Interconnecting Devices and Data Bases<br />
• Booking any kind of Tickets<br />
Use of Internet is still increasing.<br />
Security gets more and more important!<br />
Motivation<br />
• Goal: Make the Internet accountable<br />
Ability to make Hosts responsible for Traffic<br />
• Problems:<br />
– Dynamic IP-Addresses<br />
– Proxy Servers<br />
– Network Address Translation (NAT)<br />
– Source Address Spoofing<br />
– Botnets<br />
Black-Listing IP-Addresses doesn’t work<br />
Different Approaches (Solutions)<br />
• Ingress and Egress Filtering<br />
• IP-traceback techniques<br />
• Passport<br />
• Accountable Internet Protocol (AIP)<br />
– Self-certifying addresses, no PKI<br />
Changes to existing Routers necessary!<br />
• Today's Attacks often require TCP connections<br />
→ Source Address spoofing difficult<br />
→ Botnets<br />
HostTracker - Introduction<br />
• System developed by a Microsoft Research group<br />
• Output:<br />
– Constant Host IDs … Identity Mapping Table<br />
– Host IDs mapped to IP-Addresses on the Timeline<br />
…Host-IP binding information<br />
HostTracker – Introduction (2)<br />
• De-anonymizing the Internet Using Unreliable IDs<br />
• Unreliable IDs:<br />
– User Email IDs<br />
– Messenger Login IDs<br />
– Social Network IDs<br />
– Cookies<br />
• Unreliable: IDs do not exactly correspond to hosts<br />
• A Group of unreliable IDs becomes a “virtual Host-ID”<br />
→ Identity Mapping Table<br />
HostTracker – Introduction (3)<br />
• To analyse: Application Level events<br />
(…from the Unreliable IDs)<br />
HostTracker – Algorithm<br />
1. Each user-ID (E-Mail ID) will be mapped to a unique Host<br />
2 different Connections, same IP-Address very unlikely<br />
HostTracker – Algorithm (2)<br />
2. Reestimation of the Mapping Table<br />
Possibilities:<br />
• Multiple User IDs share a Host<br />
• IP_i is a Proxy with multiple Hosts<br />
• u_2 is a Guest User<br />
2.1 Grouping of multiple User IDs to one common Host<br />
• Group of Users logged in from one Host → strong Correlation<br />
• If Users log in very often next to each other → Same Host<br />
• 2 pairs (u_1, u_2) and (u_2, u_3) → {u_1, u_2, u_3}<br />
HostTracker – Algorithm (3)<br />
2.2 Graph Construction<br />
1. Step: Find first and last Timestamp of any User-Login of<br />
a group: w = [t_1, t_2] … Binding Window at IP_i<br />
2. Step: Mark all inconsistent Bindings<br />
HostTracker – Algorithm (4)<br />
2.3 Resolve Inconsistency<br />
1. Step: Proxy / NAT Identification:<br />
Conflict Binding<br />
2. Step: Guest Removal<br />
3. Step: Splitting Groups<br />
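
Added example (not from the presentation or from the HostTracker authors): a simplified Python sketch of steps 2.1 and 2.2 on constructed login events. The thresholds MAX_GAP and MIN_PAIRS and the overlap-based definition of an inconsistent binding are assumptions made for this illustration; resolving the conflicts (2.3) is not implemented.

```python
from collections import defaultdict
from itertools import combinations
# Constructed login events: (user_id, ip, unix_time). Not real data.
EVENTS = [
    ("u1", "10.0.0.5", 100), ("u2", "10.0.0.5", 130),
    ("u1", "10.0.0.5", 900), ("u2", "10.0.0.5", 940),
    ("u2", "10.0.0.5", 2000), ("u3", "10.0.0.5", 2020),
    ("u2", "10.0.0.5", 3000), ("u3", "10.0.0.5", 3050),
    ("u4", "10.0.0.5", 1500), ("u5", "10.0.0.9", 500), ("u5", "10.0.0.9", 700),
]
MAX_GAP = 60      # assumed: "next to each other" = within 60 s at one IP
MIN_PAIRS = 2     # assumed: "very often" = at least 2 adjacent logins

def group_users(events):
    """Step 2.1: merge users that repeatedly log in next to each other."""
    by_ip = defaultdict(list)
    for user, ip, t in events:
        by_ip[ip].append((t, user))
    adjacent = defaultdict(int)
    for logins in by_ip.values():
        logins.sort()
        for (t1, a), (t2, b) in zip(logins, logins[1:]):
            if a != b and t2 - t1 <= MAX_GAP:
                adjacent[frozenset((a, b))] += 1
    parent = {u: u for u, _, _ in events}
    def find(u):                      # union-find root lookup
        while parent[u] != u:
            u = parent[u]
        return u
    for pair, n in adjacent.items():
        if n >= MIN_PAIRS:            # pairs chain transitively into one group
            a, b = sorted(pair)
            parent[find(b)] = find(a)
    return {u: find(u) for u in parent}

def binding_windows(events, group_of):
    """Step 2.2, step 1: w = [t_1, t_2] per (group, IP)."""
    win = {}
    for user, ip, t in events:
        key = (group_of[user], ip)
        lo, hi = win.get(key, (t, t))
        win[key] = (min(lo, t), max(hi, t))
    return win

def conflicts(win):
    """Step 2.2, step 2: windows of different groups overlapping at one IP."""
    return sorted((ip1, g1, g2) for ((g1, ip1), (a1, b1)), ((g2, ip2), (a2, b2))
                  in combinations(sorted(win.items()), 2)
                  if ip1 == ip2 and a1 <= b2 and a2 <= b1)
```

On this input, u1, u2 and u3 collapse into one group, and the single login of u4 inside that group's window at 10.0.0.5 is reported as a conflict, which is the kind of case step 2.3 has to classify as proxy/NAT, guest, or a group to split.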
HostTracker - Applications<br />
Host-IP binding information can be used…<br />
• …to identify infected Botnet Hosts<br />
and their Email Accounts<br />
(0.4 % false positive rate)<br />
• …for Host-Aware Blacklists (instead of IP-Blacklists),<br />
called Tracklists<br />
Instead of blocking IPs…<br />
…block infected Hosts!<br />
HostTracker – Applications (2)<br />
Input Dataset<br />
• Month-long User-login Trace from a large Email Provider<br />
• Input Data Volume ~ 330 GB<br />
• 550 million unique User IDs<br />
• More than 220 million unique IP Addresses<br />
Recommended for the Future<br />
• Also use other User IDs from<br />
– Social Network IDs<br />
– Browser Cookies<br />
HostTracker – Applications (3)<br />
HostTracker is…<br />
• Good for finding infected Hosts and temporary Blocking<br />
• But the false positive rate is very low (0.4 %), yet ≠ 0<br />
• It is not a good argument for prosecuting somebody<br />
The big advantage…<br />
HostTracker just analyses Data<br />
no Router Changes are necessary<br />
Outlook<br />
• HostTracker could be Part of a Temporary Solution<br />
• Challenge: Find a good trade-off between Security and Privacy<br />
Thank you!<br />
Discussion<br />
Comment<br />
This Presentation does not show the entire HostTracker Algorithm.<br />
The shown functions are only the core functions. If you wanna<br />
know more details, please look at:<br />
http://research.microsoft.com/pubs/80964/sigcomm09.pdf<br />