1 / 40

Preserving Caller Anonymity in Voice-over-IP Networks

Preserving Caller Anonymity in Voice-over-IP Networks. Mudhakar Srivatsa, Ling Liu and Arun Iyengar Presented by Mounica Atluri. Agenda. Voice-over-IP Attacks Proposed solution Experimental Evaluation Conclusion. Voice and data communication.

minya
Download Presentation

Preserving Caller Anonymity in Voice-over-IP Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Preserving Caller Anonymity inVoice-over-IP Networks Mudhakar Srivatsa, Ling Liu and Arun Iyengar Presented by Mounica Atluri

  2. Agenda • Voice-over-IP • Attacks • Proposed solution • Experimental Evaluation • Conclusion

  3. Voice and data communication • Data transmission through Public switched telephone network • Uses Circuit switched networks • Expensive

  4. What is VoIP ? • We see people talking through Skype, Vonage, instant messengers • Technology behind is called VoIP • Transmission of voice traffic over  IP-based networks • Sounds are recorded and compressed • Benefit of VoIP: Very economical

  5. VoIP Requirements • Caller anonymity and QoS • Existing approaches use Mix networks • Mix networks route traffic through nodes with random delays and random routes • For example, Onion routing

  6. VoIP Requirements • Other examples are Tor, Freedom and Tarzan • Mix networks cannot accommodate the QoS requirement • Low latency apps are vulnerable to timing attacks

  7. Protocols in VoIP • Uses RTP for data transmission • Route Set Up protocol for call set up and termination

  8. Route set up protocol • Operates in four steps • initSearch: initiates a route set up request • processSearch: processes a route set up request • processResult: processes the results of a route set up request • finSearch: concludes the route set up procedure

  9. initSearch • src initiates a request by broadcasting

  10. processSearch • If p receives a request from q, it checks if the sipurl is the url of the client connected to p. p

  11. processResult • If p receives result (searchId, q), it searches for <searchId, sipurl, prev>, adds <sipurl, q> and forwards result to prev p

  12. finSearch • If src receives result, it adds <dst, q> to its routing table q

  13. Security features of Route setup protocol • Encryption with shared symmetric key • Exposes dst (through dst.sipurl) • dst adds a random delay • src or dst can be inferred if all of their neighboring nodes are malicious

  14. Caller Identification attacks • Triangulation based timing attacks • 3 steps in triangulation based timing attacks • Candidate caller detection: malicious nodes deduce a list of potential callers • Candidate caller ranking: malicious nodes associate a score with every potential caller • Triangulation: Colluding malicious nodes combine their sets to obtain more accurate list of callers.

  15. Three timing attacks • Deterministic triangulation attack • Statistical triangulation attack • Differential triangulation attack

  16. Deterministic triangulation attack • 2 assumptions • Link latencies are deterministic • All nodes are synchronized • 2 properties of route setup protocol • Protocol establishes shortest route between the src and dst • Node p that receives route set up request originated from src can estimate dist(src, p)

  17. Deterministic triangulation attack • Candidate caller detection • Compute S(p) for all s ∈ S(p),

  18. Deterministic triangulation attack • Candidate caller ranking • Compute the score • Triangulation • Compute the final score

  19. Deterministic triangulation attack

  20. Statistical triangulation attack • Link latencies are independently distributed • Length of a path P is given by • In candidate caller detection, p computes a set of Pareto-optimal distances to all nodes v • A set of path lengths d1, d2.. dm is Pareto-optimal if for all other path lengths d,

  21. Statistical triangulation attack • A node v is marked as a candidate caller if • If link latencies follow Gaussian, the path latencies follow Gaussian too • Score of v can be computed as • For other any other distribution, use Chebyshev’s inequality to compute

  22. Statistical triangulation attack • In Triangulation step, the aggregate score for a candidate caller v is computed

  23. Differential triangulation attack • Eliminates time stamp ts from the route set up request • Malicious nodes can estimate the difference • In candidate caller detection, malicious node p computes statistical shortest distances to every other node v as

  24. Differential triangulation attack • Statistical distance distpq[v] is given by distp[v] – distq[v] • v is a candidate caller if • If the link latency distribution is Gaussian, the score of v is given by • Finally, the average score for v is computed

  25. Topology Discovery • Network topology should be known for Timing attacks • Achieved by ping and pong messages y´ pong(y´,x) ping(x,all) x y pong(y, x)

  26. Evaluation of the Threat models • Experimental set up • A synthetic network with 1024 nodes • Topology was constructed using NS-2 topology generator • Node-to-node round trip times varies from 24ms-150ms with a mean of 74ms

  27. Deterministic Triangulation • Number of suspects varies with number of malicious nodes • Epsilon should not be too small or large

  28. Statistical Triangulation • More effective than deterministic when there are uncertainties in link latencies

  29. Differential Triangulation • Statistical attack performs better if the clocks are synchronized • Differential triangulation can achieve a top-10 probability of 0.78 with only 10 malicious nodes

  30. Topology Discovery • With m=20 and ttl=2, about 75% of the topology is discovered

  31. Countering timing attacks • Latency perturbation • each node adds random delay • Random Walk Search Algorithm • Resilient to timing attacks but generates suboptimal routes • Hybrid route set up • Trade off anonymity with QoS

  32. Random Walk Search Algorithm • Sends a search request to a randomly chosen neighbor • Two key properties • Markovian property • Random walker does not traverse the shortest path between any two nodes

  33. Hybrid route setup protocols • Controlled Random Walk • Combination of two protocols • γlimits the length of random walk • Starts with random walk search • Switches to broadcast search with probability 1-γ q

  34. Hybrid route setup protocols • Multi-Agent Random Walk • Similar to random walk • Src sends ω random walkers (ω >1) • Route is established when the first random walker reaches dst • Higher ωresults in optimal route latency • Vulnerable to triangulation based timing attack if src sends out random walkers at time t=0

  35. Experimental evaluation • Performed on 1024-node synthetic VoIP network topology using NS-2 • Algorithms implemented using Phex: an open source Java based implementation of peer-to-peer broadcast based route set up protocol

  36. Performance • Characterized by cost of messaging • QoS guarantees • Routes with latency<250ms satisfy QoS requirements • Larger route set up latency does not affect the quality of voice conversation

  37. Optimal parameter settings • Attack resilience • 99% optimal parameter settings

  38. Topology discovery • Only fraction of topology has been discovered • Top-10 probability for marw was 42% less, crw was 33% less and broadcast was only 9% less • Random walk protocols are more sensitive to topology

  39. Conclusion • VoIP in becoming popular due to its advantages in cost and convenience • It is a major concern to provide anonymity to the clients • Threat models targeting callers’ anonymity are efficient • Even if a small fraction of network is malicious, the caller can be inferred accurately • It is difficult to trade QoS with anonymity

  40. Questions??

More Related