I Introduction
Security in computer networks has emerged as an important area of research. Although encryption hides information sent from a transmitter, network traffic analysis can extract important information from the size, count, and timings of the packets. For instance, when attackers relay their flows through compromised nodes called stepping stones, traffic analysis can trace back the attackers [1, 2]. Also, traffic analysis can find the correlations in traffic patterns to link incoming/outgoing flows and break anonymity [3].
Flow watermarking and flow fingerprinting are two active traffic analysis methods that work by perturbing packet timings of flows according to specific patterns to embed information in them. In flow watermarking, the information embedded in a flow is one bit, i.e., either the flow is marked or not. However, in many applications, more than one bit of information is required to be embedded in the packet timings of the flows. Flow fingerprinting provides the solution for such applications by embedding several bits of information in the flows such as the information about the party that has embedded the fingerprint, the source of the flow, or the location at which the flow has been fingerprinted [4].
Active traffic analysis has become an important area of research due to the increasing use of encryption. Wang et al. [5] proposed to embed flow watermarks in interpacket delays to detect stepping stones, and Wang et al. [6] used an intervalbased flow watermark to compromise anonymized VoIP conversations. Houmansadr et al. proposed the first nonblind watermark, RAINBOW [7], offering significantly higher invisibility compared to prior designs, and SWIRL [8] was designed to resist aggregatedflows attacks. Houmansadr et al. [9] was the first to introduce flow fingerprinting, and TagIt [10] introduced the first blind flow fingerprint.
As previous active traffic analysis designs are based on ad hoc heuristics (such as moving packets into secret time intervals), they do not offer any theoretical guarantees on the invisibilityperformance tradeoff. In this work, we take a systematic approach to design a flow fingerprinting system with provable informationtheoretic guarantees on invisibility and performance (e.g., number of fingerprints). Consider a network containing
independent, parallel, work conserving, and First In First Out (FIFO) queues with independent exponential service times where the queue conveys the flow () from the input link to the output link, and conveys interfering flows independent of (See Fig. 1). The network is anonymous to Alice and Bob such that they do not know the connections between input and output links. Alice has access to the input links and is able to buffer the packets and release them when she desires to embed fingerprints in packet timings of the flows. Adversary Willie is between Alice and the network and observes after they are accessed by Alice and wishes to detect if Alice is embedding fingerprints in the flows or not. Bob observes the packet timings of the flows on the output links and wishes to extract Alice’s fingerprints.We consider the following problem: given the time interval , can Alice embed flow identifier fingerprints invisible to Willie in the packet timings such that Bob can extract them successfully to deanonymize the network and, if yes, what is the maximum number of flows that can be fingerprinted? For the case where the packet timings of the flows are governed by Poisson process, we calculate the asymptotic expression for the number of flows that can be fingerprinted as a function of , for two scenarios: 1) Alice embeds fingerprints in all of the flows; 2) Alice embeds fingerprints in each flow independently with some small probability .
The remainder of the paper is organized as follows. In Section II, we present the system model, definitions and the metrics employed for the two scenarios of interest. Then, we provide constructions and analyses for the two fingerprinting scenarios in Sections III and Sections IV. In Section V we discuss the results, the extension of the scenarios to distinct flow rates, and the extension of the network model to more general networks. Finally, we conclude in Section VI.
Ii System Model, Definitions, And Metrics
Iia System Model
Alice has access to a set of input links of a network, and is able to buffer packets and release them when she desires. The packet flow conveyed over is denoted by (), and is the set of flows accessed by Alice. Bob receives the flows from the output links of the network, respectively. The network is anonymous such that Alice and Bob do not know the connections between input and output links; they wish to infer this in the interval , and thus deanonymize the network.
Alice embeds a unique flow identifier fingerprint in each flow by altering its packet timings according to a secret codebook of fingerprints shared with Bob, and Bob extracts the fingerprints from the observed flows. Warden Willie, who is between Alice and the network, observes the input links and wishes to detect if Alice embeds fingerprints in them or not (see Fig. 1). Willie knows the fingerprinting scheme Alice will employ if she chooses to embed fingerprints, but he does not have access to the codebook of fingerprints.
Alice, Bob, and Willie know that the packet timings of the flows are modeled by Poisson processes with rates , respectively. The network consists of independent single server queues with exponential service times, i.e., queues, which are work conserving and discipline First In First Out (FIFO). Each queue has multiple inputs and outputs such that the queue () conveys from the input link to the output link , and also conveys interfering Poisson flows independent of . We denote the sum of the rates of the interfering flows on by . The service rate of is , and the queues are stable, i.e., .
We consider two scenarios. In Scenario 1 (analyzed in Section III), the flow rates are equal (), and Alice embeds fingerprints in all of the flows of . In Scenario 2 (analyzed in Section IV), the flow rates are equal, but Alice embeds fingerprints in each flow independently with probability . For each scenario, we calculate the number of flows in which Alice can invisibly and reliably embed fingerprints, as described precisely next.
IiB Definitions
Willie’s hypotheses are (Alice did not embed fingerprints) and (Alice embedded fingerprints). We denote by the probability of rejecting
when it is true (type I error or false alarm), and
the probability of rejectingwhen it is true (type II error or misdetection). We assume that Willie uses classical hypothesis testing with equal prior probabilities and seeks to minimize his probability of error,
; the generalization to arbitrarily prior probabilities is available in [11].Definition 1.
Definition 2.
(Reliability) Fingerprinting for each flow is reliable if and only if for any , where is the probability of the failure event which occurs when

Alice cannot successfully embed a fingerprint since she does not have a packet to release when she needs to;

Alice runs out of fingerprints because the number of fingerprints in her codebook is less than the number of flows in which she wishes to embed fingerprints; or

Bob cannot extract a fingerprint successfully.
Definition 3.
(Lambert Wfunction) The Lambert Wfunction is the inverse function of .
Definition 4.
(The Kullback–Leibler divergence) If
and are probability measures over a set , then the Kullback–Leibler divergence between and is:(1) 
In this paper, we use standard BigO notation [16, ch. 3].
Iii Scenario 1: All flows are fingerprinted
In this section we consider Scenario 1: Alice embeds fingerprints in all of the input flows of a network with equal rates in the time interval , and Bob extracts the fingerprints from the output flows to infer the connection between input and output flows of the network. Because Alice is able to buffer packets and release them when she desires, she changes the packet timings of the flows to embed fingerprints in them according to a secret fingerprinting codebook shared with Bob. Each of the fingerprints is a flow identifier and consists of a sequence of interpacket delays to be employed to embed the corresponding fingerprint. To successfully change the packet timings of a flow according to the chosen codeword, Alice must have a packet in her buffer to transmit at the appropriate times. To account for this, Alice uses a two phase scheme for each flow , similar to the one adopted in [13, Section IV]. First, Alice slows down to buffer packets; then, during the fingerprinting phase, she releases the packets from her buffer with the interpacket delays prescribed by the codeword corresponding to the fingerprint, while buffering the arriving packets of .
We calculate the asymptotic expression for the number of flows that can be fingerprinted as a function of using this strategy.
Theorem 1.
Consider the setting in Section IIA. In a set containing flows with rates , Alice and Bob can invisibly and reliably track all of the flows in the time interval , as long as , where is the LambertW function.
Construction: Per above, Alice divides the time interval of length into two phases: a buffering phase of length and a fingerprinting phase of length such that . During the buffering phase, Alice slows down the packets of each flow , from rate to rate , in order to build up packets in her buffer, ensuring that with high probability, she will not run out of packets during the fingerprinting phase of length (see Fig. 2).
Alice and Bob share a codebook to which Willie does not have access.The codebook construction is similar to that of [13, 14]. To build the codebook, a set of codewords are independently generated according to realizations of a Poisson process with parameter . In particular, to generate a codeword
, first a random variable
is generated according to a Poisson distribution with mean
. Then, interpacket delays are generated by placing points uniformly and independently on an interval of length [17] (see Fig. 3). Therefore, each codeword of the codebook is a series of interpacket delays and corresponds to a unique flow identifier fingerprint. To embed a fingerprint in a flow , Alice applies the interpacket delays of the chosen codeword to the packets of the flow .Analysis: (Invisibility) The analysis of invisibility follows from that of covertness in [13, Theorem 2]. In the first phase, Alice slows down the flows from rate to rate , where , while lower bounding Willie’s error probability () by . During the second phase, the packet timings for each flow is an instantiation of a Poisson process with rate and hence the traffic pattern is indistinguishable from the pattern that Willie expects to observe. Hence, the scheme is invisible.
(Reliability) By [17, Definition 2], Bob can successfully extract the fingerprint from as long as is large and:
(2) 
where is the capacity of for conveying information through packet delays. By [18, Proposition 1], , where is the sum of rates of the interfering flows passing through . Define
(3) 
Since (2) holds for all , for large :
(4) 
Note that Alice does not run out of fingerprints since the number of fingerprints in her codebook equals to the number of flows. Finally, similar to the reliability analysis in [13], we can show that if
(5)  
(6) 
where
(7) 
then . Thus Alice’s fingerprinting is reliable.
(Number of flows) By (4) and (6), we require
(8) 
Next, we show that if
(9) 
then (8) is satisfied. Consider the following fact:
Fact 1.
For , if , then , where is the lambertW function (see Definition 3).
If , since , then Fact 1 yields:
If , since , then:
Consequently, Alice and Bob can invisibly and reliably track flows. Note that by (5), as , as required by the proof for invisibility of the second phase. Also, by (9) and (6) we can show that as , as required by the proof for reliability.
∎
Iv Scenario 2: Each flow is fingerprinted independently with probability
In this section we consider Scenario 2. In a set containing network input flows with equal rates, Alice embeds fingerprints into each flow independently with probability in the time interval , and Bob extracts the fingerprints from the output flows to infer the connection between input and output flows of the network. Similar to Scenario 1, we show that employing a two phase scheme, Alice can embed a unique flow identifier fingerprint in the chosen flows by altering their packet timings according to a secret fingerprint codebook shared between Alice and Bob but unknown to Willie. We calculate the asymptotic expression for the number of flows that can be fingerprinted as a function of using this strategy
Theorem 2.
Construction: The construction is similar to that of Scenario 1. Alice’s codebook contains fingerprints where
(12) 
To decide whether to embed a fingerprint in a flow or not, Alice generates independent Bernoulli random variables with , and she embeds a fingerprint in if and only if .
Analysis: (Invisibility) We analyze the invisibility of the first and second phases separately. In the first phase, the joint pdfs of Willie’s observations under (Alice did not embed fingerprints), and (Alice embedded fingerprints) are:
When Willie applies the optimal hypothesis test to minimize [15, Eq.1]:
(13) 
where is the relative entropy between and . Denote by the expected value with respect to the probability measure . Then:
(14) 
where is true since for all , and is true since . Let . Then, (14) yields . By (13), Willies’ probability of error () is lower bounded by , and thus the first phase is invisible. The analysis of the invisibility for the second phase is the same as that of Scenario 1. Thus, the fingerprinting scheme is invisible.
(Reliability) Similar to the reliability analysis of Theorem 1, we can show that the probability that Alice runs out of packets for each flow is upper bounded by as long as
(15)  
(16) 
Next, we show that Bob can successfully extract Alice’s fingerprints. By (12) and (16),
where the last step is true since . Hence, (4) is satisfied, and thus Bob successfully extracts each fingerprint.
Furthermore, since is an increasing function of
, by the weak law of large numbers (WLLN) we can show that Alice does not run out of fingerprints. Hence, Alice’s fingerprinting is reliable.
V Discussion
Va Source of the gain in Scenario 2
The result for Scenario 2 indicates a much larger fingerprint dictionary can be generated and employed covertly than in Scenario 1. Note that (11) implies that in Scenario 2, a small portion of the flows are fingerprinted. Intuitively, because Willie has to investigate a large number of flows to look for alterations in the timings of a relatively (very) small random subset of those flows, in particular in the first phase, this makes covertness much easier to achieve and leads to the significant gains observed.
VB Extension to distinct rates
When Scenarios 1 and 2 are extended to distinct flow rates, Alice can build a codebook in which the rate of the codewords is . To embed a fingerprint in a flow , Alice first scales the corresponding codeword by a factor and applies the interpacket delays to the first packets of the flow. If Alice receives more than packets in the fingerprinting phase, she releases the excess packets according to random independent interpacket delays generated from the pdf of an exponential random variable with mean . Bob rescales the flow by a factor of and uses the codebook to extract the corresponding fingerprint.
We can show that if and in the first phases of Scenarios 1 and 2, respectively, then Alice’s buffering is invisible. Note that the fingerprinted flow in the second phase is a realization of a Poisson process with rate , and thus it is indistinguishable from the pattern that Willie expects to observe. Hence, the scheme is invisible.
VC Extension of the network
By [19], we can extend our model to parallel routes where each route consists of multiple queues in tandem. On each route , queues are shared between a main flow and interfering flows and the interfering flows are independent. Furthermore, by [20, Corollary 3.3], we can relax the condition of independent interference for queues on each route and extend our model to a feedforward multiclass product form network [21] containing parallel routes where each route conveys flow and consists of multiple queues in tandem shared between a main flow and interfering flows.
Vi Conclusion
In this paper, we presented the construction and analysis for embedding fingerprints in packet timings of flows. In a setting where a set of flows visit Alice, adversary Willie, a network of independent parallel queues with background traffic, and Bob respectively, we established a construction where Alice alters the packet timings in the time interval , according to a secret codebook shared with Bob, to embed flow identifier fingerprints in them without being detected by Willie. We considered two scenarios: 1) Alice embeds fingerprints in all of the flows; 2) Alice embeds fingerprint in each flow independently with probability , and calculated the asymptotic expression for the number of flows that can be fingerprinted as a function of .
References
 [1] S. StanifordChen and L. T. Heberlein, “Holding intruders accountable on the internet,” in Security and Privacy, 1995. Proceedings., 1995 IEEE Symposium on, pp. 39–49, IEEE, 1995.
 [2] Y. Zhang and V. Paxson, “Detecting stepping stones,” in USENIX Security Symposium, vol. 171, p. 184, 2000.
 [3] P. Syverson, G. Tsudik, M. Reed, and C. Landwehr, “Towards an analysis of onion routing security,” in Designing Privacy Enhancing Technologies, pp. 96–114, Springer, 2001.
 [4] A. Houmansadr, Design, analysis, and implementation of effective network flow watermarking schemes. PhD thesis, University of Illinois at UrbanaChampaign, 2012.
 [5] X. Wang and D. S. Reeves, “Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays,” in Proceedings of the 10th ACM conference on Computer and communications security, pp. 20–29, ACM, 2003.
 [6] X. Wang, S. Chen, and S. Jajodia, “Tracking anonymous peertopeer voip calls on the internet,” in Proceedings of the 12th ACM conference on Computer and communications security, pp. 81–91, ACM, 2005.
 [7] A. Houmansadr, N. Kiyavash, and N. Borisov, “Rainbow: A robust and invisible nonblind watermark for network flows,” in NDSS, 2009.
 [8] A. Houmansadr and N. Borisov, “Swirl: A scalable watermark to detect correlated network flows,” in NDSS, 2011.
 [9] A. Houmansadr and N. Borisov, “The need for flow fingerprints to link correlated network flows,” in International Symposium on Privacy Enhancing Technologies Symposium, pp. 205–224, Springer, 2013.
 [10] F. Rezaei and A. Houmansadr, “Tagit: Tagging network flows using blind fingerprints,” Proceedings on Privacy Enhancing Technologies, vol. 2017, no. 4, pp. 290–307, 2017.
 [11] B. Bash, D. Goeckel, and D. Towsley, “Limits of reliable communication with low probability of detection on AWGN channels,” Selected Areas in Communications, IEEE Journal on, vol. 31, pp. 1921–1930, September 2013.
 [12] R. Soltani, B. Bash, D. Goeckel, S. Guha, and D. Towsley, “Covert singlehop communication in a wireless network with distributed artificial noise generation,” in Communication, Control, and Computing (Allerton), 2014 52nd Annual Allerton Conference on, pp. 1078–1085, IEEE, 2014.
 [13] R. Soltani, D. Goeckel, D. Towsley, and A. Houmansadr, “Covert communications on poisson packet channels,” in 2015 53rd Annual Allerton Conference on Communication, Control, and Computing (Allerton), pp. 1046–1052, IEEE, 2015.
 [14] R. Soltani, D. Goeckel, D. Towsley, and A. Houmansadr, “Covert communications on renewal packet channels,” in 2016 54th Annual Allerton Conference on Communication, Control, and Computing (Allerton), IEEE, 2016.
 [15] R. Soltani, D. Goeckel, D. Towsley, B. Bash, and S. Guha, “Covert wireless communication with artificial noise generation,” arXiv preprint arXiv:1709.07096, 2017.
 [16] T. H. Cormen, Introduction to algorithms. MIT press, 2009.
 [17] V. Anantharam and S. Verdu, “Bits through queues,” Information Theory, IEEE Transactions on, vol. 42, no. 1, pp. 4–18, 1996.
 [18] X. Liu and R. Srikant, “The timing capacity of singleserver queues with multiple flows,” DIMACS Series in Discrete Mathematics and Theoretical Computer Science, 2004.
 [19] P. Mimcilovic, “Mismatch decoding of a compound timing channel,” in FortyFourth Annual Allerton Conference on Communication, Control, and Computing, 2006.
 [20] F. P. Kelly, Reversibility and stochastic networks. Cambridge University Press, 2011.
 [21] F. Baskett, K. M. Chandy, R. R. Muntz, and F. G. Palacios, “Open, closed, and mixed networks of queues with different classes of customers,” Journal of the ACM (JACM), vol. 22, no. 2, pp. 248–260, 1975.
Comments
There are no comments yet.