An analysis of the statistical disclosure attack and receiver-bound cover

Anonymous communications provides an important privacy service by keeping passive eavesdroppers from linking communicating parties. However, an attacker can use long-term statistical analysis of traffic sent to and from such a system to link senders with their receivers. Cover traffic is an effective, but somewhat limited, counter strategy against this attack. Earlier work in this area proposes that privacy-sensitive users generate and send cover traffic to the system. However, users are not online all the time and cannot be expected to send consistent levels of cover traffic; use of inconsistent cover traffic drastically reduces its impact. We propose that the anonymity system generate cover traffic that mimics the sending patterns of users in the system. This receiver-bound cover (RBC) helps to make up for users that aren’t there, confusing the attacker. To study the statistical disclosure attack and different cover traffic methods, we introduce an analytical method to bound the time for an attacker to identify a contact of Alice with high probability. We use these bounds to show that cover traffic sent by Alice greatly increases the time for attacker success, especially as the amount of traffic from other users increases. Further, we show that RBC greatly enhances the defense, forcing the attacker to take additional time proportional to the amount of cover used. We also examine the effectiveness of the attack and cover traffic when the attacker can only observe part of the traffic in the system. We validate our analysis through simulations that extend to realistic social networks. When RBC is used in combination with user-generated cover traffic, the attack takes a very long time to succeed.