Preventing SSL Traffic Analysis with Realistic Cover Traffic

As more sensitive information is transmitted over computer networks, there has been a steady increase in the deployment of encryption to protect data in-flight. Myriad encrypted network protocols have emerged [8, 2, 1] that enable various applications like encrypted browsing, VPNs, secure shells, and VoIP. Since the data payload of an encrypted protocol is protected by strong encryption, attackers can do traffic analysis attacks, which use the information leaked by side channels (e.g., packet size and timing) to try to recover the contents or intent of the plaintext traffic. Existing attacks can recover a wide range of information from encrypted communications, e.g., Web page visits [3, 6], typed passwords [7, 9], speech data [14, 13], and embedded protocols [15, 4]. Given this threat, a growing number of applications (e.g., low-latency anonymity systems and VPNs) and users (e.g., privacy advocates and whistle-blowers), need better protection from these attacks. Existing techniques for preventing traffic analysis center on sending data with fixed intervals and/or with fixed payload sizes. Though this type of constant rate defense is effective at reducing the information leakage that enables most traffic analysis attacks, it makes it clear that a user is employing countermeasures to evade traffic analysis. This may, in itself, result in unwanted attention and scrutiny. We call this related attack defense detection. To resist both traffic analysis and defense detection attacks, we propose using realistic cover traffic tunnels to mask the observable behavior of the real traffic to be transmitted. The user tunnels his or her real traffic via a proxy service, which embeds the traffic inside fake cover traffic. This tunneling approach incurs overhead in time and in the number of excess bytes transmitted. To trade off overhead and privacy, the user may vary his or her choice of cover traffic model. In this paper, we introduce the basic design and evaluation of a cover traffic tunneling system called TrafficMimic. We utilize methods for generating realistic cover traffic, borrowing from prior work on traffic generation from the simulation and modeling research community [10]. Using several protocol classification and anomaly detection attacks, we show that TrafficMimic is able to reproduce cover traffic reliably and securely. Lastly, we show that realistic cover traffic provides comparable performance to constant-rate techniques, and in some cases can be very efficient.