Anonymity in Peer-assisted CDNs: Inference Attacks and Mitigation

Yaoqi Jia, Guangdong Bai, Prateek Saxena, and Zhenkai Liang
National University of Singapore

Web Content Delivery
• Popular websites receive millions of hits per day
  – A fast way to deliver web content
• Options to deliver content:
  – Own servers
    • Amazon EC2, Azure
  – Content delivery networks (CDN)
    • Akamai, CloudFlare

Peer-assisted CDNs
• Insight: Involve web clients to serve content
  – Akamai NetSession, Swarmify, Maygh
  – NetSession offloads 70-80% traffic [NSDI 12, IMC 13]
  – Swarmify reduces over 60% network latency
• Privacy issue: Infer neighbors’ contents
[Figure: server and clients]

Contributions
• Inference attacks on real-world services
  – i.e., Swarmify, BemTV and P2PSP
• Anonymous Peer-assisted CDN (APAC)
  – Involves browsers as peers
  – Preserve high level of anonymity
  – Desired performance
  – Compatible with browsers

Inference Attacks in Peer-assisted CDNs

Inference Attacks
• Goal
  – Infer what content a victim user has requested or delivered (browsing history)
• Implication
  – Revealing a user’s browsing history significantly leaks the user’s privacy
    • A user’s digital identity can be revealed [S&P 10]
    • A user’s geolocation/political orientation [W2SP 14]

Inference Attacks in Peer-assisted CDNs
• Passive attacks: adversary pre-stores all content potentially interesting to the victim
• Active attacks: adversary traverses all content potentially served by the victim
[Figure: passive and active attack diagrams showing the server, adversary and victim, with Request, Fetch and Deliver steps]

Real-world Case Studies
• Swarmify, BemTV & P2PSP
  – A deployed site with 10 images and 2 videos
  – A victim peer requests and stores resources
  – An adversary in the same LAN frequently requests and serves resources
• No defense against inference attacks
  – Adversary can observe all resources from/to the victim
  – Even open for content pollution attacks
How to mitigate inference attacks?

Anonymous Peer-assisted CDN

Threat Model
• Initiator: the peer that initiates the request
• Responder: the peer that responds to the request
• Honest-but-curious adversary
  – Follows protocols
• Out of scope
  – Sybil attacks
  – Denial-of-service (DoS) attacks

Anonymous Peer-assisted CDN (APAC)
• Goal
  – Anonymity: conceal a user’s identity to unlink her ID from her online trace
  – Performance: acceptable network latency
  – Compatibility: no (or minor) changes on websites and clients
• Intuition
  – Onion-routing (OR) techniques

Onion Routing, but with Careful Parameter Selection
• OR: Messages are encapsulated in layers of encryption (onions)
• Limitations:
  – Only initiator anonymity
  – Non-negligible circuit setup latency
  – Nodes randomly chosen
[Figure: onion-routing circuit showing encryption and decryption]

Overview of APAC
• Peer server constructs the circuit for each request instead of peers (anonymity)
• Region-based circuit construction (performance)
  – Choose intermediate nodes in three regions: near-initiator, near-responder and globally random
• Communications via WebRTC (compatibility)

Initiation in APAC
• Peers fetch resources from the content server
[Figure: Peer v_A and Peer v_B fetch resources from the Content Server and store them]

Content Delivery via Peers
• Peers fetch resources from other peers
[Figure: Peer Server, Peer v_A (Initiator), Peer v_B (Intermediate) and Peer v_B (Responder); steps: Request, Report, Request via OR circuit, Reply]

Region-based Circuit Construction
[Figure: Peer Server, Peer v_A (Initiator), Peer v_B (Intermediate) and Peer v_B (Responder)]

Anonymity Analysis for APAC

Degree of Anonymity
Def 1: The degree of initiator anonymity provided by a system is defined by:
Result: The degree of initiator anonymity can be represented as:

Parameter Selection
• Level of anonymity
  – The maximum number of intermediate nodes L_max
  – Distribution factors: the fraction of intermediate nodes near the initiator/responder α_init/α_res
  – The total number of peers N and the number of peers having requested resources N_R
When L_max ≥ 2, APAC can preserve the standard degree of anonymity (i.e., 0.8) achieved by previous work
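
The region-based circuit construction and the parameters above (Lmax and the distribution factors), as an added JavaScript sketch of how a peer server could choose intermediate nodes; it is not code from the talk or from APAC. The peer records, region labels, rounding rule, hop order and the choice to always use the full Lmax hops are assumptions.

```javascript
// Added example: region-based circuit selection as a peer server might do it.
// Peer records, region labels, rounding rule and hop order are assumptions.
const { randomInt } = require('crypto');

// Draw up to `count` distinct peers from `pool` with a CSPRNG.
function pickRandom(pool, count) {
  const copy = pool.slice();
  const out = [];
  while (out.length < count && copy.length > 0) {
    out.push(copy.splice(randomInt(copy.length), 1)[0]);
  }
  return out;
}

function buildCircuit(peers, initiator, responder, { lMax, alphaInit, alphaRes }) {
  if (alphaInit < 0 || alphaRes < 0 || alphaInit + alphaRes > 1) {
    throw new RangeError('distribution factors must be fractions summing to at most 1');
  }
  // The endpoints never relay their own request.
  const candidates = peers.filter(p => p.id !== initiator.id && p.id !== responder.id);
  const used = new Set();
  const take = (pool, n) => {
    const chosen = pickRandom(pool.filter(p => !used.has(p.id)), n);
    chosen.forEach(p => used.add(p.id));
    return chosen;
  };
  const nearInit = take(candidates.filter(p => p.region === initiator.region),
                        Math.floor(lMax * alphaInit));
  const nearRes = take(candidates.filter(p => p.region === responder.region),
                       Math.floor(lMax * alphaRes));
  // Slots left over, including any a sparse region could not fill, are global.
  const globalHops = take(candidates, lMax - nearInit.length - nearRes.length);
  const circuit = [...nearInit, ...globalHops, ...nearRes];
  // Fail closed: a shorter circuit would silently lower the anonymity level.
  if (circuit.length < lMax) throw new Error('not enough peers for the circuit');
  return circuit;
}

// Constructed sample: 12 peers across three made-up regions.
const samplePeers = Array.from({ length: 12 }, (_, i) => ({
  id: `peer-${i}`, region: ['sg', 'ny', 'eu'][i % 3],
}));
```

Because the peer server, not the initiator, runs this selection, no single peer learns the whole path; the fail-closed check keeps a sparse swarm from silently producing a circuit shorter than the configured level.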

Performance Evaluation

Measurement Setup
• Scenario: CDN operators place edge servers in major cities, but users are not located in those cities
• Deployed site provides images 1 KB–2 MB
• Content server / peer server in City A (New York)
• 100 Peers in City B (Singapore)

Network Latency Reduction (NLR)
[Figure: bar chart of NLR (%) for Swarmify and for 2-node to 6-node circuits; series: LAN, WLAN, WAN-City]
For a 4-node circuit, APAC provides a latency reduction (49.7%) lower than that obtained for Swarmify (69.4%) and the non-anonymous setting (76.1%).

Effect of Distribution Factors
[Figure: NLR (%) by number of nodes in each region: 3-0-0, 2-1-0, 2-0-1, 1-2-0, 1-1-1, 1-0-2, 0-3-0, 0-2-1, 0-1-2, 0-0-3]
Locating intermediate nodes near the initiator/responder reduces network latency

Sweet Spot
[Figure: NLR (%) against degree of anonymity (0.5 to 0.9), with the sweet spot marked]
With up to 2 intermediate nodes, APAC preserves an adequate degree of anonymity (i.e., 0.8) and desired performance (e.g., 97.3% bandwidth savings)

Conclusion
• Inference attacks on peer-assisted CDNs
• Anonymous Peer-assisted CDN (APAC)
  – High degree of anonymity
  – Desired network latency reduction and bandwidth savings
  – Compatible with current browsers

Thank You
Q&A
E-mail: jiayaoqi@comp.nus.edu.sg