CN114422210B - AnoA theory-based anonymous network passive flow analysis and evaluation method and system - Google Patents

Publication number: CN114422210B
Authority: CN (China)
Prior art keywords: challenge, analysis, attacker, target, challenger
Legal status: Active
Application number: CN202111653842.3A
Other languages: Chinese (zh)
Other versions: CN114422210A (en)
Inventors: 费金龙, 孟轶同, 祝跃飞, 吴魏, 宋玉涵, 郭茂华, 潘雁
Current Assignee: Information Engineering University of PLA Strategic Support Force
Original Assignee: Information Engineering University of PLA Strategic Support Force

Classifications

    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1441: Countermeasures against malicious traffic
    • Y02D30/70: Reducing energy consumption in communication networks in wireless communication networks

Abstract

The invention belongs to the technical field of network information security, and in particular relates to an AnoA theory-based method and system for evaluating passive flow analysis of anonymous networks. The method comprises: generating the challenge tables to be executed in the evaluation process, determining an analysis target set, packaging the analysis target set together with the challenge tables and transmitting them to a challenger; resolving a specific analysis target; the challenger constructing a challenge function corresponding to the analysis target; the challenger analyzing the challenge elements using the challenge function rule and generating a transformed challenge table by combining the challenge value, the challenger's anonymous network protocol and the analysis scenario; and an attacker guessing the analysis target and challenge value and quantifying the analysis intensity using analysis metric evaluation rules. By having a flow analysis attacker play a challenge and response game against a challenger that stands in for the anonymous network, and by defining the analysis attributes used in flow analysis, the invention greatly improves evaluation accuracy.

Description

AnoA theory-based anonymous network passive flow analysis and evaluation method and system
Technical Field
The invention belongs to the technical field of network information security, and particularly relates to an anonymous network passive flow analysis and evaluation method and system based on AnoA theory.
Background
With the rapid development of the internet, more and more communication uses anonymous networks to conceal the data exchanged, in order to meet requirements for communication security and anonymity. Although an anonymous network can hide the communicating endpoints and the relationship between them well, in practice, to reduce delay overhead and improve transmission efficiency when balancing anonymity, security and efficiency, the operations a node performs when forwarding information are simplified and the range over which the anonymous traffic distribution can vary is limited. As a result, traffic characteristics that coexist with the anonymous communication mechanism are present during anonymous transmission, and traffic analysis becomes an effective method for tracing anonymous communication endpoints. Traffic analysis techniques for anonymous networks fall into two categories by mode: active traffic analysis and passive traffic analysis. Passive traffic analysis mainly tries to de-anonymize the communication endpoint using characteristics of the monitored traffic such as fingerprint features, collection areas and communication patterns; it has lower requirements and cost, readily yields high returns, and receives more attention and use in real scenarios.
Currently, traffic analysis evaluation for anonymous networks is mainly performed by two methods. The first is measurement based on information entropy, which uses entropy as the standard to quantify the probability that a communicating user sends or receives information. It can capture and intuitively present the correspondence between the distribution of the analysis target and the information entropy, but it can only calculate the average information leakage, and it is difficult to obtain the total amount of information about the anonymous system that is exposed to an attacker. The second is measurement based on differential privacy, which analyzes the anonymity state of the anonymity protocol in purely information-theoretic terms and thereby measures anonymous privacy. This method rarely considers the analysis attributes an attacker possesses, such as analysis targets, analysis capabilities and analysis scenarios, so the analysis measurement criteria and attribute definitions lack specificity, which can make the analysis evaluation measurement inaccurate.
Disclosure of Invention
Aiming at the defects of incomplete information, imperfect analysis measurement criteria, imperfect attribute definition and the like in the prior art on the passive flow analysis and evaluation of the anonymous network, the invention provides an AnoA theory-based passive flow analysis and evaluation method and system for the anonymous network.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
The invention provides an AnoA theory-based anonymous network passive flow analysis and evaluation method, which comprises constructing a flow tracing analysis and evaluation framework based on the AnoA evaluation framework, defining the flow analysis attributes and challenge information used for evaluation, and establishing a passive flow analysis intensity measurement rule according to the challenge and response game evaluation flow between an attacker and a challenger described by the AnoA evaluation framework. The method specifically comprises the following steps:
an attacker selects challenge elements, generates the challenge tables to be executed in the evaluation process, determines an analysis target set, encapsulates the analysis target set and the challenge tables together, and transmits them to the challenger;
a target concept is added between the attacker and the challenger, and the target concept parses the analysis target set to resolve a specific analysis target;
the challenger receives the challenge tables and constructs a challenge function corresponding to the analysis target;
the challenger analyzes the challenge elements using the challenge function rule, and generates the transformed challenge table by combining the challenge value, the challenger's anonymous network protocol and the analysis scenario;
the attacker uses its analysis capability to guess the analysis target and the challenge value contained in the transformed challenge table, and uses the analysis metric evaluation rule to quantify the analysis intensity.
Further, the traffic analysis attributes and challenge information include analysis targets, analysis capabilities, analysis scenarios, anonymous network protocols, challenge elements, challenge lists, challenge functions, and challenge values.
Further, the analysis targets comprise a data link analysis set, an association mapping analysis set and a participant position analysis set, each of which contains monitoring objects or non-monitoring objects; the analysis capability comprises a region observation capability and a flow analysis capability, wherein the region observation capability represents the active region in which an attacker monitors anonymous network traffic, and the flow analysis capability represents the attacker's feature analysis of the monitored traffic; the analysis scenario is the set of states of the target environment that the attacker monitors; the anonymous network protocol is the anonymous network information used by the challenger; a challenge element is expressed as a triple comprising sender information, receiver information and flow auxiliary information; a challenge table is expressed as a pair comprising challenge elements and an analysis target; the challenge functions comprise a data link challenge function, an association mapping challenge function and a participant position challenge function, each of which allows position transformations on the challenge elements; the challenge value represents a randomly selected challenge table object.
Further, two challenge tables are executed in the evaluation process; only one group of challenge elements differs between the two challenge tables, and the corresponding analysis targets also differ.
Further, the attacker selecting challenge elements and generating the challenge tables to be executed in the evaluation process comprises: the attacker selects the corresponding challenge elements according to the analysis target set, the challenge elements comprising at least one group of sender information, receiver information and flow auxiliary information, and selects two different groups of challenge elements to form two challenge tables containing different challenge row information.
Further, the challenger receiving the challenge tables and constructing a challenge function corresponding to the analysis target comprises: from the known analysis target set, obtaining the types of monitoring targets and non-monitoring targets that the attacker placed in the challenge tables, and determining which challenge function the current analysis target type corresponds to, so as to construct that challenge function.
Further, the challenger analyzing the challenge elements using the challenge function rule and generating the transformed challenge table by combining the challenge value, the challenger's anonymous network protocol and the analysis scenario comprises: the challenger checks the challenge rows using the matched challenge function rule, which allows the sender information, receiver information and flow auxiliary information of the challenge elements to be randomly adjusted; transforms the challenge tables together with the analysis scenario; randomly selects the challenge value; inputs the two challenge tables into the anonymous network protocol to generate the challenge tables with modified challenge elements; and selects one of the modified challenge tables to transmit back to the attacker.
Further, the analysis metric evaluation rule quantifies an analysis intensity including:
the attacker uses its flow analysis capability to guess the analysis target mapped by the flow information in the challenge table, so as to obtain a monitoring target object or a non-monitoring target object;
the attacker determines the challenge value sequence number of the challenge table transformed by the challenger by matching the target object against the challenge elements in the initial challenge tables, and quantifies the analysis intensity using the guess probability.
Further, quantifying the analysis intensity using the guess probability comprises:
a) Calculating a guess result of the target object according to the object category: if the object category is a monitoring target object, executing b); if it is a non-monitoring target object, executing c);
b) Outputting the guess probability of the monitoring target object if the challenge value is consistent with the challenge value sequence number guessed by the attacker;
c) If the challenge value is consistent with the challenge value sequence number guessed by the attacker, outputting the guessing probability of the non-monitoring target object;
d) And outputting a quantized result according to the joint guess probability of the monitored target and the non-monitored target.
The invention also provides an AnoA theory-based anonymous network passive flow analysis and evaluation system, which comprises:
the challenge table generation module is used for an attacker to select challenge elements, generate the challenge tables to be executed in the evaluation process, determine an analysis target set, package the analysis target set and the challenge tables together, and transmit them to the challenger;
the target concept module is used for adding target concepts between an attacker and a challenger, analyzing the analysis target set by the target concepts, and analyzing specific analysis targets;
the challenge function construction module is used for receiving the challenge list by the challenger and constructing a challenge function corresponding to the analysis target;
the challenge list transformation module is used for carrying out challenge element analysis by a challenger by utilizing a challenge function rule, and generating a challenge list after the challenge element transformation by combining a challenge value, an anonymous network protocol of the challenger and an analysis scene;
and the analysis intensity quantization module is used for an attacker to guess the analysis targets and the challenge values contained in the transformed challenge list by utilizing the analysis capability and to quantize the analysis intensity by utilizing the analysis metric evaluation rule.
Compared with the prior art, the invention has the following advantages:
1. On the basis of the known AnoA theory, the invention evaluates the complete passive flow analysis intensity of an attacker by having a flow analysis attacker play a challenge and response game against a challenger that stands in for the anonymous network. The analysis attributes in flow analysis, such as analysis targets, analysis capabilities and analysis scenarios, are defined in detail, and feasible evaluation criteria and intensity measurement definitions are designed for each type of analysis target, which improves evaluation accuracy to a great extent.
2. Compared with the existing anonymous network analysis and evaluation method, the method can evaluate various analysis targets and anonymous network protocols more comprehensively, wherein the analysis measurement evaluation rule has better universality, is not limited to a passive flow analysis method, can formulate evaluation content according to the analysis targets of the attacker, and has stronger pertinence.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow diagram of an anonymous network passive flow analysis evaluation method based on AnoA theory according to an embodiment of the present invention;
Fig. 2 is a diagram of the AnoA evaluation framework of an embodiment of the invention;
Fig. 3 is a diagram of the flow tracing analysis and evaluation framework based on the AnoA evaluation framework according to an embodiment of the invention;
Fig. 4 is a graph of the privacy preserving relationships between analysis targets in accordance with an embodiment of the present invention;
Fig. 5 is a graph of the results of evaluating four website fingerprint attack models according to an embodiment of the present invention;
Fig. 6 is a graph of the evaluation result of a website response fingerprint recognition attack according to an embodiment of the present invention;
Fig. 7 is a graph of the evaluation results of a website fingerprint attack incorporating environmental factor interference in accordance with an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Taking the Tor anonymous network as an example, the AnoA theory-based anonymous network passive flow analysis and evaluation method of this embodiment constructs a flow tracing analysis and evaluation framework based on the AnoA evaluation framework, following the challenge and response game evaluation flow between an attacker and a challenger that the AnoA evaluation framework describes, defines the flow analysis attributes and challenge information used for evaluation, and establishes a passive flow analysis intensity measurement rule. As shown in Fig. 1, the method specifically comprises the following steps:
Step S11, an attacker selects challenge elements, generates a challenge list to be executed in the evaluation process, determines an analysis target set, encapsulates the analysis target set and the challenge list together, and transmits the analysis target set and the challenge list to the challenger.
Step S12, a target concept is added between the attacker and the challenger, and the target concept parses the analysis target set to resolve a specific analysis target.
Step S13, the challenger receives the challenge list and constructs a challenge function corresponding to the analysis target.
Step S14, the challenger performs challenge element analysis by using the challenge function rule, and generates the transformed challenge table by combining the challenge value, the anonymous network protocol of the challenger and the analysis scenario.
Step S15, the attacker uses the analysis capability to guess the analysis targets and the challenge values included in the transformed challenge list, and uses the analysis metric evaluation rule to quantify the analysis intensity.
The traffic analysis attributes and challenge information include analysis targets, analysis capabilities, analysis scenarios, anonymous network protocols, challenge elements, challenge lists, challenge functions, and challenge values.
The analysis targets comprise a data link analysis set, an association mapping analysis set and a participant position analysis set, each of which contains monitoring objects or non-monitoring objects. For the traffic analysis scenarios that exist in the Tor network, the encrypted data link target means that an attacker wants to link an observed traffic sequence with potential monitoring objects (e.g., topics, messages, behaviors); for example, the goal of website response fingerprint analysis is to match and classify the page traffic of hidden service responses against the traffic sequences of monitored pages. The participant location matching target means that an attacker, by continually observing the communication behavior of anonymous objects, tries to match the sender location of a sensitive behavior from a set of active communication objects; for example, the goal of hidden service descriptor publication analysis is to match a set of descriptor publication behaviors with the publisher information for the same period. The communication relationship association target means that an attacker reveals the mapping between senders and receivers in a communication group; for example, the goal of traffic correlation analysis is mainly to determine the potential communication relationships between a sender group and a receiver group.
The analysis capability comprises region observation capability and traffic analysis capability. Region observation capability represents the active region in which an attacker monitors anonymous network traffic, which places the attacker in a favorable position for traffic tracing, such as the local area of a compromised proxy, a relay node, an AS domain or an IXP. It further means that when the attacker compromises a key region, the traffic transmitted between a client and a hidden service can be reproduced, for example by the attacker acting as a user or as a hidden service to collect the request or response traffic of the compromised region, thereby improving the attacker's ability to analyze traffic characteristics. Traffic analysis capability means that, once the attacker has region observation capability, it can quantitatively collect and record the data packets of a traffic sequence within a limited time or sequence length; it further covers the statistics and analysis of traffic characteristics, and provides the basis for achieving the analysis targets.
The analysis scenario is the set of states of the target environment that an attacker monitors, where the state of the target environment is affected by both the anonymity protocol and complex communication conditions. First, anonymous traffic sequences fluctuate randomly within a specific range according to the transfer logic and forwarding requirements of the Tor protocol, which is a random and persistent factor influencing the state. Second, complex communication conditions cause unstable states such as packet loss, jitter and delay in a traffic sequence; when the load on a relay node monitored by the attacker is too high, important traffic attributes such as packet size and timing are directly affected, which can greatly influence the attacker's judgment.
The anonymous network protocol is the anonymous network information used by the challenger; a challenge element is expressed as a triple comprising sender information, receiver information and flow auxiliary information; a challenge table is expressed as a pair comprising challenge elements and an analysis target; the challenge functions comprise a data link challenge function, an association mapping challenge function and a participant position challenge function, each of which allows position transformations on the challenge elements; the challenge value represents a randomly selected challenge table object.
The basic symbols that appear in the following evaluation are shown in Table 1:
Table 1. Anonymity metric evaluation symbol definitions [table image not reproduced]
The AnoA evaluation framework referred to here can be summarized as a "challenge and response game" between an attacker and a challenger, where the challenger describes an anonymous communication protocol that provides privacy protection and the attacker corresponds to an adversary attempting to break the privacy of the protocol. The flow of the interactive game between the two is shown in Fig. 2. The AnoA evaluation framework specifies that the attacker can select some challenge elements from the sender space $U$, the receiver space $R$ and the auxiliary information $Aux$ to form the challenge tables $D_0$ and $D_1$. Each challenge table holds several rows of information $D = (d_1, d_2, \ldots, d_t)$; a row is composed of elements such as a sender $u$, a receiver $r$ and auxiliary information $aux$, with $d_k = (u_k, r_k, aux_k)$, $0 \le k \le t$. Rows whose elements differ between the two challenge tables are called challenge rows: when $D_0(d_k) \ne D_1(d_k)$, $D_0(d_k)$ and $D_1(d_k)$ are each other's challenge rows $CR$. After constructing the challenge tables $D_0$ and $D_1$, the attacker delivers them to the challenger.
The challenger constructs a challenge function $\alpha$ according to the privacy protection mechanism of the anonymous communication protocol $\Pi$. On receiving the challenge tables $D_0$ and $D_1$, it uses $\alpha$ to check the constituent elements of the challenge rows; when the elements are consistent with the input of the challenge function and $D_0$ and $D_1$ differ only in the challenge rows, it goes on to transform the challenge tables [formula image not reproduced]. The challenger then randomly selects the challenge value $b \in \{0,1\}$, and [formula image not reproduced], after being run in the anonymous protocol $\Pi$, is returned to the attacker. Finally the attacker performs the analysis $A^{CH(\Pi,\alpha,b)}$ on the row information $d_k$ in the challenge table $D_b$ and [formula image not reproduced], and uses prior knowledge to make a reasoned guess at the challenge value $b$. The guess probability is formally written $\Pr[b^* = b \mid A^{CH(\Pi,\alpha,b)}]$, representing the uniform probability of the guess event $b^*$ in the probability space $\{0,1\}$.
In Fig. 2, CH is the challenger holding the challenge function $\alpha$. For the privacy protection of the anonymous communication protocol $\Pi$, the guess probability of attacker $A$ can be described by formula (1), where $b^* \in \{0,1\}$, $b \in \{0,1\}$, and $\delta$ is the anonymity metric value, $0 \le \delta \le 0.5$:
[Formula (1): image not reproduced]
When the privacy protection capability of the anonymous communication protocol $\Pi$ is strong, the probability that attacker $A$ guesses the challenge value correctly, $b^* = b$, remains around 0.5. The upper bound of the guess probability is equivalent to the challenger guessing both challenge tables, $b^* = b = 0$ and $b^* = b = 1$, and the probability calculation is shown in formula (2). When the attacker's guess does not match the challenger's selection, i.e. $b^* = 0$, $b = 1$, the guess probability can be derived as formula (3). From the conditions of formulas (1) and (3), the guess probability can be converted into formula (4), where $2\delta$ is the upper bound of the privacy metric value of the anonymous protocol: the smaller $\delta$ is, the higher the privacy of $\Pi$, and conversely the worse the privacy protection.
[Formula (2): image not reproduced]
[Formula (3): image not reproduced]
$$\Pr[b^* = 0 \mid A^{CH(\Pi,\alpha,0)}] \le \Pr[b^* = 0 \mid A^{CH(\Pi,\alpha,1)}] + 2\delta \tag{4}$$
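The game described above and the bound in formula (4), as an added example that is not part of the patent: a Python simulation in which the challenger checks two challenge tables with a challenge function, runs the table selected by b through a protocol, and a passive attacker guesses b, after which δ is estimated from formula (4). The toy protocol (512-byte cells, padding, integer jitter), the attacker's total-count heuristic, and every name and sample row are assumptions of this example.

```python
import math
import random

CELL = 512  # bytes per cell in the toy protocol (assumed value)

# Constructed sample tables: rows are (sender, receiver, aux), aux = payload bytes.
# They differ only in row 0, which is therefore the challenge row.
D0 = [("alice", "site-a", 1500), ("bob", "site-b", 900), ("carol", "site-c", 2600)]
D1 = [("alice", "site-x", 4000), ("bob", "site-b", 900), ("carol", "site-c", 2600)]


def challenge_function(d0, d1):
    """alpha: accept the tables only if ||D0|| = ||D1|| and exactly one row
    differs. Returns the index of the challenge row."""
    if len(d0) != len(d1):
        raise ValueError("challenge tables must have the same number of rows")
    diff = [k for k, (r0, r1) in enumerate(zip(d0, d1)) if r0 != r1]
    if len(diff) != 1:
        raise ValueError("tables must differ in exactly one challenge row")
    return diff[0]


def cells(size, pad_to):
    """Cells needed for `size` bytes, rounded up to a multiple of pad_to."""
    return math.ceil(math.ceil(size / CELL) / pad_to) * pad_to


def protocol(table, pad_to, jitter, rng):
    """Toy protocol Pi: what a passive observer sees for one table.
    Rows are shuffled (position transformation); each row leaks its padded
    cell count plus uniform integer noise in [0, jitter], which stands in
    for the analysis scenario (loss, delay, load)."""
    rows = list(table)
    rng.shuffle(rows)
    return [cells(aux, pad_to) + rng.randint(0, jitter) for _, _, aux in rows]


def attacker_guess(d0, d1, observed, pad_to, jitter):
    """Passive attacker: compares the observed total with the expected total
    of each table it built and guesses the closer one (ties go to 0)."""
    def expected(table):
        base = sum(cells(aux, pad_to) for _, _, aux in table)
        return base + len(table) * jitter / 2
    total = sum(observed)
    return 0 if abs(total - expected(d0)) <= abs(total - expected(d1)) else 1


def run_round(d0, d1, b, pad_to, jitter, rng):
    """One challenge/response round for a given challenge value b; returns b*."""
    challenge_function(d0, d1)
    observed = protocol((d0, d1)[b], pad_to, jitter, rng)
    return attacker_guess(d0, d1, observed, pad_to, jitter)


def estimate_delta(d0, d1, pad_to=1, jitter=0, trials=4000, seed=1):
    """Empirical delta for this attacker, from formula (4):
    Pr[b*=0 | b=0] <= Pr[b*=0 | b=1] + 2*delta, so
    delta >= (Pr[b*=0 | b=0] - Pr[b*=0 | b=1]) / 2."""
    rng = random.Random(seed)
    p = []
    for b in (0, 1):
        zeros = sum(run_round(d0, d1, b, pad_to, jitter, rng) == 0
                    for _ in range(trials))
        p.append(zeros / trials)
    return max(0.0, (p[0] - p[1]) / 2)


if __name__ == "__main__":
    print("no padding, no noise :", estimate_delta(D0, D1))
    print("padded to 8 cells    :", estimate_delta(D0, D1, pad_to=8))
    print("no padding, jitter 10:", estimate_delta(D0, D1, jitter=10))
```

The value returned is a lower bound on δ for this one attacker strategy; a stronger distinguisher can only raise it.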
To bring the evaluation criteria and attribute definitions of the AnoA evaluation framework closer to the anonymity analysis and evaluation of tracing techniques, this embodiment proposes a flow tracing analysis and evaluation framework based on the AnoA evaluation framework; the evaluation flow is shown in Fig. 3. A target concept $G$ is added between the attacker and the challenger in this framework; it allows the attacker to input multiple types of analysis target sets $AG$. In the interaction initiation phase, besides selecting the challenge elements $(u_k, r_k, aux_k)$, which comprise at least one group of sender information, receiver information and flow auxiliary information, the attacker also determines the analysis target set $AG$ of the challenge, packages it together with the challenge tables $D_0(d_k)$ and $D_1(d_k)$, and transmits them to the challenger. Only one group of challenge elements differs between the two challenge tables, and the corresponding analysis targets also differ. When the analysis target set $AG$ passes through the target concept $G$, the specific target $g \equiv G(AG)$ is resolved. The challenger receives the challenge tables $D_0(d_k)$ and $D_1(d_k)$, obtains from the known analysis target set $AG$ the types of monitoring targets and non-monitoring targets that the attacker placed in $D_0(d_k)$ and $D_1(d_k)$, and determines which challenge function the current analysis target type corresponds to, so as to construct that challenge function $\alpha$. The selected challenge function $\alpha$ checks the challenge rows, allows the sender information, receiver information and flow auxiliary information of the challenge elements to be randomly adjusted, and transforms the challenge tables together with the analysis scenario [formula image not reproduced]. The challenger randomly chooses $b \in \{0,1\}$ and inputs the chosen table [formula image not reproduced] into the anonymous protocol $\Pi$ [formula image not reproduced]; the feedback result [formula image not reproduced] is returned to the attacker. The attacker uses the analysis capability $C$ to distinguish $CH(\Pi,\Omega,\alpha,0)$ from $CH(\Pi,\Omega,\alpha,1)$, and finally sends the guess result $b^*$ to the challenger for comparison.
Taking the objects protected by network anonymity as the target classification standard, the attacker classifies the analysis targets of flow tracing as data link analysis, association mapping analysis and participant position analysis. Algorithm 2.1 describes how the challenge function $\alpha$ judges the challenge rows of the challenge table $D$: when the two challenge tables have the same number of rows, $\|D_0\| = \|D_1\|$, and the challenge row elements meet the input conditions of the challenge function, the challenge row elements may be randomly transformed, and the transformed challenge table is output as
Figure BDA0003445365200000115
FIG. 4 illustrates the privacy protection relationship between the analysis targets described above: the challenge functions $\alpha_{DL}$ and $\alpha_{RM}$, for data link analysis and associative mapping analysis, both include the characteristics of the challenge function $\alpha_{PL}$ for participant position analysis. In particular, when data link analysis succeeds, the attacker can de-anonymize the participant's location at the observation location. Likewise, if a group of communication terminals is subjected to association mapping analysis, the attacker is able to carry out tracing analysis around the position of the transmitting end or the receiving end in the same communication scene. Conversely, participant location analysis does not necessarily obtain the true information of the private data. And although participant analysis can determine the sender or receiver position, it still cannot make an accurate judgment on the association information between the communication terminals. Similarly, data link analysis does not mean that sensitive information about communication relationships is compromised.
Figure BDA0003445365200000121
Specifically, quantifying the analysis intensity with the analysis metric evaluation rule in step S15 includes:
the attacker uses the flow analysis capability to guess the analysis target mapped by the flow information in the challenge list, obtaining a monitoring target object or a non-monitoring target object;
by matching the target object with the challenge elements in the initial challenge list, the attacker determines the challenge value sequence number of the challenge list changed by the challenger, and the analysis intensity is quantified using the guess probability.
Quantifying the analysis intensity using the guess probability includes:
a) Calculating a guess result of the target object according to the object category; if the object category is a monitoring target object, executing b), and if it is a non-monitoring target object, executing c);
b) Outputting the guess probability of the monitoring target object if the challenge value is consistent with the challenge value sequence number guessed by the attacker;
c) If the challenge value is consistent with the challenge value sequence number guessed by the attacker, outputting the guessing probability of the non-monitoring target object;
d) And outputting a quantized result according to the joint guess probability of the monitored target and the non-monitored target.
Building on the AnoA evaluation framework definition, the attacker is allowed to play an interactive game with the challenger using analysis capability $C$ against analysis target $g$, and the challenger adds the analysis scene variable $\Omega$ to influence the challenge table elements. With $0 \le \delta \le 0.5$, the analysis metric evaluation is expressed as:
Figure BDA0003445365200000131
The probability distribution of a single guess by the attacker on the challenge row between challenge tables $D_0$ and $D_1$ is expressed as equation (6). However, when the actual Tor network performs anonymous communication, the anonymous message $M$ is split into multiple groups for transmission according to the state of the communication environment, $M = (m_0, m_1, \ldots, m_n)$, $0 \le n \le t$, meaning that the attacker may have multiple sets of elements $aux \in \{aux(m_0), aux(m_1), \ldots, aux(m_n)\}$. Therefore, to achieve the complete analysis target $g$, multiple batches of evaluation operations are required.
Figure BDA0003445365200000132
For all
Figure BDA0003445365200000133
the attacker makes a guess on the challenge table
Figure BDA0003445365200000134
which includes judgments on $n$ anonymous message elements, with $n \in \{1,2,3,\ldots\}$, $b \in \{0,1\}$, $b^{*} \in \{0,1\}$, $0 \le \delta \le 0.5$:
Figure BDA0003445365200000135
In the $n$ evaluation games played by the attacker and the challenger, $\delta$ represents the limited range of the analysis intensity during flow tracing analysis, and the minimum value of $\delta$ represents the lower bound of the analysis intensity. A $\delta$ value close to 0.5 shows the target guessing accuracy of the attacker with the existing analysis capability: the tracing analysis still has good analysis strength in the face of the anonymous protocol and analysis scene interference, and the anonymization degree of the anonymous protocol is high.
Based on the flow tracing analysis and evaluation framework and the multi-batch analysis metric, a general analysis intensity measurement algorithm, AIEA, is provided; see Algorithm 2.2. First, the measurement algorithm specifies a monitored object $g$ and a non-monitored object
Figure BDA0003445365200000141
as challenge targets. Next, the attacker determines the challenge function $\alpha$ to be challenged in the current game and the corresponding challenge element $(u_i, r_i, m_i)$. Third, the challenger judges the monitoring type of the attacker's guessed target and calculates the guess probability
Figure BDA0003445365200000142
Finally, the algorithm returns the minimum value of $\delta$ over the $n$ evaluation games. The main consideration is that the analysis capability in an actual scene is higher than the strength result of the analysis model, and that the attacker's guess probability for the target object fluctuates; so, to bound the challenge result for any number of games, the lower limit of the analysis strength, $\min(\delta)$, is selected as an important index for evaluating the anonymizing ability of the analysis model.
Figure BDA0003445365200000143
Figure BDA0003445365200000151
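As an added illustration, not the patent's Algorithm 2.2 and not the inventors' code, the following Python example plays the data-link challenge-response game on constructed traffic and returns the minimum δ over several batches of games. It assumes that δ is estimated per batch as the smallest value satisfying inequality (4), that the analysis scene Ω is independent packet loss only, that the protocol Π is abstracted away, and that the attacker is a toy volume-based classifier; all function names and packet sizes are hypothetical.

```python
import random

# Constructed packet-size sequences for two hidden-service pages. They stand in
# for aux(m0) and aux(m1) and are not data from the patent.
TEMPLATES = {"r0": [500] * 20, "r1": [600] * 20}


def apply_scene(trace, loss, rng):
    """Analysis scene Ω (assumed model): drop each packet with probability `loss`."""
    return [size for size in trace if rng.random() >= loss]


def attacker_guess(observed, row0, row1):
    """Toy capability C_DL: pick the row whose recorded total volume is closest."""
    total = sum(observed)
    d0 = abs(total - sum(row0[2]))
    d1 = abs(total - sum(row1[2]))
    return 0 if d0 <= d1 else 1


def play_game(loss, rng):
    """One challenge-response round; returns (b, b_star)."""
    # Challenge rows CR(D0, D1): same sender, different receiver and traffic.
    row0 = ("u0", "r0", TEMPLATES["r0"])
    row1 = ("u0", "r1", TEMPLATES["r1"])
    b = rng.randrange(2)                          # challenger's secret bit
    chosen = row0 if b == 0 else row1
    observed = apply_scene(chosen[2], loss, rng)  # row after Ω; Π is abstracted away
    return b, attacker_guess(observed, row0, row1)


def estimate_delta(results):
    """Smallest δ satisfying inequality (4) for the observed frequencies.

    Rearranging (4) gives δ >= (Pr[b*=0 | b=0] - Pr[b*=0 | b=1]) / 2; the
    estimate is clipped to the range 0 <= δ <= 0.5 used in the text.
    """
    n0 = sum(1 for b, _ in results if b == 0)
    n1 = len(results) - n0
    if n0 == 0 or n1 == 0:
        return 0.0  # one of the two worlds was never sampled: no evidence
    p0 = sum(1 for b, g in results if b == 0 and g == 0) / n0
    p1 = sum(1 for b, g in results if b == 1 and g == 0) / n1
    return min(0.5, max(0.0, (p0 - p1) / 2))


def aiea_min_delta(loss, batches=20, games_per_batch=500, seed=1):
    """Run several batches of games and return min(δ), the lower bound on intensity."""
    rng = random.Random(seed)
    deltas = []
    for _ in range(batches):
        results = [play_game(loss, rng) for _ in range(games_per_batch)]
        deltas.append(estimate_delta(results))
    return min(deltas)


if __name__ == "__main__":
    for loss in (0.0, 0.08):
        print(f"packet loss {loss:.2f}: min delta = {aiea_min_delta(loss):.3f}")
```

With no scene interference the toy attacker distinguishes the two tables perfectly and min(δ) is 0.5; with packet loss the two volume totals overlap and the lower bound drops, which is the effect the scene variable Ω is meant to expose.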
Evaluation criteria for data link analysis, participant position analysis, and association map analysis are described below, respectively.
(1) Data link analysis targets
Table 2 data link analysis evaluation criteria
Figure BDA0003445365200000152
Data link analysis requires the attacker, having determined the observed object $y$, to guess the link relation between the anonymous message $M$ generated by the object and the target
Figure BDA0003445365200000153
so as to break the data privacy protection of $\alpha_{DL}$. In the initial stage of evaluation, the attacker populates the challenge row $CR$ in challenge tables $D_0$ and $D_1$, where the challenge row element is sender $u_0$ sending message $m_0$ or $m_1$ to receiver $r_0$; the challenger then uses $\alpha_{DL}$, the analysis scene $\Omega$ and the anonymity protocol $\Pi$ to transform the challenge table, so that the attacker uses the data link analysis capability $C_{DL}$ to guess the anonymous messages within the challenge row. The specific evaluation criteria are shown in Table 2.
Data link analysis evaluation:
When $AG$ is the data link analysis target set, the attacker selects the target objects $g(y_0)$ and $g(y_1)$ and the challenge tables $(D_0, D_1)$, whose challenge row information satisfies $CR(D_0,D_1)=((u_0,r_0,aux(m_0)),(u_0,r_1,aux(m_1)))$. The challenge function $\alpha_{DL}$ and the analysis scene $\Omega$ are used to transform the challenge tables into
Figure BDA0003445365200000154
The challenger selects
Figure BDA0003445365200000161
Figure BDA0003445365200000162
and runs the related anonymous protocol $\Pi$. For the challenge table
Figure BDA0003445365200000163
fed back by the protocol, the attacker guesses the related information
Figure BDA0003445365200000164
When the attacker uses the link analysis capability $C_{DL}$ to link the message
Figure BDA0003445365200000165
to the target object $g(y_b)$,
Figure BDA0003445365200000166
the attacker obtains the guess $b^{*}$.
Based on the above description of the data link analysis evaluation, the attacker monitors the data object $g(y)$, records in advance the anonymous messages $M$ generated by the object using the regional observation capability, and learns the features $x$ using the traffic analysis capability. The attacker capability $C_{DL}$ is thus described as $C_{DL}(y)=\{c(x_1),\ldots,c(x_n)\}$, and the attacker's guess for the message
Figure BDA0003445365200000167
is
Figure BDA0003445365200000168
Notably, a powerful analysis capability has the opportunity to learn the traffic characteristics of the monitored object after they have been influenced by the anonymous network $\Pi$, which weakens the data privacy protection. However, under the influence of the analysis scene and the protocol, the traffic state is uncontrollable, so the traffic characteristics change to
Figure BDA0003445365200000169
When the guessed target $g'(y)$ is included in the monitored object $g(y)$, the data object is regarded as linkable; otherwise it is regarded as null,
Figure BDA00034453652000001610
The judgment is shown in formula (8).
Figure BDA00034453652000001611
(2) Participant position analysis targets
TABLE 3 participant position analysis evaluation criteria
Figure BDA00034453652000001612
Participant location analysis requires the attacker to determine the location of the message sender by guessing the sensitive subject $s$ involved in the anonymous message $M$
Figure BDA00034453652000001613
thereby breaking the privacy protection of $\alpha_{PL}$ for participant locations. Unlike the data object $y$ of data link analysis, the subject $s$ here broadly refers to a class of sensitive anonymous communication behaviors. In the initial stage of evaluation, the attacker fills challenge tables $D_0$ and $D_1$ with challenge elements in which sender $u_0$/$u_1$ sends message $m_0$/$m_1$ to receiver $r_0$; meanwhile, the challenger uses $\alpha_{PL}$, the analysis scene $\Omega$ and the anonymity protocol $\Pi$ to transform the challenge table, and the attacker uses analysis capability $C_{PL}$ on the anonymous messages to guess the topic and sender location $g(s_0/s_1, u_0/u_1)$. The specific evaluation criteria are shown in Table 3.
Participant position analysis assessment:
When $AG$ is the participant position analysis target set, the attacker selects the target set $g(s_0,u_0)$ and $g(s_1,u_1)$ and the challenge tables $(D_0,D_1)$, whose challenge row information satisfies $CR(D_0,D_1)=((u_0,r_0,aux(m_0)),(u_1,r_0,aux(m_1)))$. The challenge function $\alpha_{PL}$ and the analysis scene $\Omega$ are used to transform the challenge tables into
Figure BDA0003445365200000171
The challenger selects
Figure BDA0003445365200000172
Figure BDA0003445365200000173
and runs the anonymous protocol $\Pi$. For the challenge table
Figure BDA0003445365200000174
fed back by the protocol, the attacker guesses the inner element
Figure BDA0003445365200000175
When the attacker uses analysis capability $C_{PL}$ to match the message
Figure BDA0003445365200000176
with the sensitive subject $s_b$, it then guesses the sender $u_b$ of the sensitive subject based on the existing information,
Figure BDA0003445365200000177
so that the attacker obtains the guess value $b^{*}$.
Based on the above description of the participant position analysis evaluation, the attacker needs to obtain in advance the anonymous messages $M$ generated when a sender $u$ performs operations on a sensitive subject $s$, and to learn the traffic characteristics $x$ of the message sequence. The attacker capability $C_{PL}$ is thus described as $C_{PL}(s)=\{c(x_1),\ldots,c(x_n)\}$, and the attacker's guess, for the message
Figure BDA0003445365200000178
of the topic represented and the participant position is
Figure BDA0003445365200000179
Once the attacker completes the topic guess, the judgment of the sender $u$ is performed,
Figure BDA00034453652000001710
A strong analysis capability can record and learn the topic publishing traffic characteristics as influenced by the anonymous network $\Pi$, but the elements in the challenge table
Figure BDA00034453652000001711
will change because of the analysis scene
Figure BDA00034453652000001712
In conclusion, when
Figure BDA00034453652000001713
and
Figure BDA00034453652000001715
the attacker has successfully guessed the publisher location of the sensitive topic.
(3) Associative mapping analysis targets
Table 4 associated map analysis evaluation criteria
Figure BDA00034453652000001714
Figure BDA0003445365200000181
Associative mapping analysis requires the attacker to guess the identities of the sender $u$ and the recipient $r$ of a set of anonymous messages
Figure BDA0003445365200000182
thereby breaking the privacy protection of $\alpha_{RM}$ for communication relationships. In the initial stage of evaluation, the attacker fills challenge tables $D_0$ and $D_1$ with challenge elements in which sender $u_0$/$u_1$ sends message $m_0$/$m_1$ to receiver $r_0$/$r_1$, with $m_0 \in \{m_{0u}, m_{0r}\}$ and $m_1 \in \{m_{1u}, m_{1r}\}$; afterwards, $\alpha_{RM}$, the analysis scene $\Omega$ and the anonymity protocol $\Pi$ are used to transform the challenge table, and the attacker uses analysis capability $C_{RM}$ to guess the association group $g(u_0/u_1, r_0/r_1)$. The specific evaluation criteria are shown in Table 4.
Association mapping analysis evaluation:
When $AG$ is the association mapping analysis target set, the attacker selects the target set $g(u_0,r_0)$ and $g(u_1,r_1)$ and the challenge tables $(D_0,D_1)$, which satisfy $CR(D_0,D_1)=((u_0,r_0,aux(m_0)),(u_1,r_1,aux(m_1)))$. The challenge function $\alpha_{RM}$ and the analysis scene $\Omega$ are used to transform the challenge tables into
Figure BDA0003445365200000183
The challenger selects
Figure BDA0003445365200000184
Figure BDA0003445365200000185
and runs the anonymous protocol $\Pi$. For the challenge table
Figure BDA0003445365200000186
fed back by the protocol, the attacker guesses the inner element $(u_b, r_b)$, mainly using the associative analysis capability $C_{RM}$ to map the message generated by $u_b$
Figure BDA0003445365200000187
to the message generated by $r_b$
Figure BDA0003445365200000188
Figure BDA0003445365200000189
The attacker obtains the guess $b^{*}$.
Based on the above description of the associative mapping analysis evaluation, the attacker's capability consists in pre-recording the associated messages $(m_u, m_r)$ and learning the associated features $x$ of the message sequences; the analyst's capability is $C_{RM}(u,r)=\{c(x_1),\ldots,c(x_n)\}$, and the attacker's guess for the message
Figure BDA00034453652000001810
is
Figure BDA00034453652000001811
A stronger analysis capability has the opportunity to learn the associated traffic characteristics as influenced by the anonymous network $\Pi$, but the elements in the challenge table
Figure BDA00034453652000001812
are still influenced by the analysis scene, so that the traffic characteristics change to
Figure BDA00034453652000001813
In summary, when the attacker has the ability to distinguish, from the features of
Figure BDA00034453652000001814
the communication relationship $(u_b, r_b)$ that they map to, the attacker's challenge succeeds.
A specific example of a web site fingerprint attack evaluation is set forth below to provide a better understanding of the present invention.
(1) Evaluation target
Website fingerprint attack is one of the most representative data link analysis techniques; therefore, the website fingerprint attack model can be evaluated and measured using the data link analysis evaluation criteria and metric definitions. The attacker marks the set of observed web pages as $y$, where the monitored pages are marked as
Figure BDA0003445365200000191
the non-monitored pages are marked as
Figure BDA0003445365200000192
and
Figure BDA0003445365200000193
Using the regional observation capability, the attacker simulates and observes the request or response behavior of web pages and records the data elements $(u, r, m)$ generated by web objects in the observation region, comprising a client $u$, a hidden service $r$ and a web traffic sequence $m$; using the traffic analysis capability, the attacker learns the web page sequence characteristics $x$ generated by $g(y)$.
The website fingerprint attack evaluation process invokes the AIEA algorithm. First, the attacker fills in the challenge elements according to the input format of the challenge function $\alpha_{DL}$: $(D_0,D_1) \leftarrow ((u_0,r_{0i},m_{0i}),(u_0,r_{1i},m_{1i}))$. After the attacker obtains the challenge table fed back by the challenger
Figure BDA0003445365200000194
it uses the analyst's capability $C_{DL}$ on the element
Figure BDA0003445365200000195
to guess the matching page $g'(y)$, and the guess probability is input into the metric formula (7) of the flow tracing analysis and evaluation framework to calculate the analysis intensity $\delta$. Finally, after N challenge-response games are completed, the minimum analysis metric $\delta$ is selected and returned for the fingerprint analysis model N.
Table 5 fingerprint attack model evaluation scenario
Figure BDA0003445365200000196
The analysis models N evaluated mainly comprise the traditional website fingerprint attack models and the response fingerprint model; the evaluation data of the specific analysis models are shown in Table 5. For the evaluation experiment, 10000 observed web pages were selected, of which 500 were monitored objects $g(y)$ and 9500 were non-monitored objects
Figure BDA0003445365200000201
The attacker's capability is, specifically, to use the regional observation capability to simulate the client's website request behavior and, when the capability is stronger, even the hidden service's website response behavior; to collect traffic sequences in an observation region such as an entry node; and to use the traffic analysis capability so that the fingerprint attack model learns the traffic sequence characteristics of $g(y)$. After repeated training, the analysis model can show perfect recognition performance on website pages. During the evaluation test, the attacker randomly fills $D_0$ and $D_1$ with observed website page objects and their matching traffic sequences as challenge elements and selects the recognition performance of the analysis model as the basic analysis capability; the challenger and the attacker can play up to n=10000 interactive games. In addition, to increase the challenge difficulty of the game, the complexity of the challenger's analysis scene $\Omega$ is taken into account: basic environment control variables such as {packetlss, jitter, latency} are set, producing a small-range random influence on the encrypted traffic sequences, and small-scale website sub-pages that are easily confused with the monitored website pages are chosen as non-monitored objects.
(2) Evaluation test
First, assume the attacker has conventional analysis capability: it can simulate the client's website request behavior and learn the corresponding sequence features. The attacker then places the client's request traffic sequences in the challenge table as challenge elements; the results of evaluating four website fingerprint analysis models are shown in Fig. 5. The results show that the minimum value of the analysis metric decreases continuously as the number of challenge games increases. For the k-FP analysis model, the analysis intensity remained above 0.45 after the first 6000 challenge games, and the analysis intensity $\delta$ still exceeded 0.383 at 10000 challenge games. For the WRFP and CUMUL analysis models, once the number of challenges exceeded 3000, WRFP had an analysis intensity at least 0.013 above the $\delta$ range of CUMUL. The k-NN analysis model had a lowest $\delta$ of 0.414 at 3000 interactions, which fell to 0.311 at 10000 challenge games, 0.072 away from the $\delta$ minimum of k-FP. It follows that k-FP has the more prominent analysis capability in identifying client request traffic, and that the minimum analysis intensity of WRFP is also higher than that of CUMUL and k-NN.
When the attacker's capability is sufficient to simulate the website response behavior of the hidden service and to learn the response fingerprint feature distribution, the attacker enters the website response traffic sequences into the challenge table as challenge elements; the evaluation result is shown in Fig. 6. The WRFP analysis model has an overall analysis intensity above 0.426 and an analysis intensity above 0.48 over 4000 challenge games. For the k-NN analysis model, the analysis intensity over the first 3000 games always stayed above 0.46, but as the number of challenge games increased, the lowest analysis intensity at the final 10000 games fell to 0.344. The lowest analysis intensities of the k-FP and CUMUL models are similar, differing by no more than 4%, but the analysis intensity variance results in Table 6 show that the lowest analysis intensity of k-FP fluctuates less than that of CUMUL. The evaluation result shows that WRFP is the attacker's best analysis model for hidden server fingerprint identification, and that CUMUL can achieve better analysis capability when the attacker identifies and matches a small number of pages, but the analysis strength of k-FP is the most stable.
Table 6 variance comparison of website response fingerprint analysis intensities
Figure BDA0003445365200000211
Adding variables such as packet delay, jitter or packet loss generally complicates the analysis scenario and lets the challenger change the challenge elements more randomly. Fig. 7 shows the result of adding environmental factors when testing website response fingerprint evaluation; the evaluation was run 5000 times. For the WRFP analysis model, adding an 8% traffic jitter factor reduced the $\delta$ minimum from 0.472 to 0.382, a larger drop than with packet delay and packet loss, which gave 0.433 and 0.441. For the k-FP analysis model, the 8% packet delay factor reduced the $\delta$ minimum by a further 0.096. The 8% packet loss factor had the greatest effect on the k-NN and CUMUL analysis models: the $\delta$ minimum of k-NN fell from 0.405 to 0.247 and that of CUMUL from 0.431 to 0.309, both reductions in analysis intensity exceeding 0.12. However, the CUMUL model is more resistant to packet delay, with the lowest analysis intensity reduced by 0.032. In summary, when the traffic jitter variable of the network environment is within the acceptable range, using the WRFP analysis model for website response fingerprint recognition is the attacker's best choice.
Correspondingly, the embodiment also provides an AnoA theory-based anonymous network passive flow analysis and evaluation system, which comprises:
the challenge table generation module is used for an attacker to select challenge elements, generate a challenge table to be executed in the evaluation process, determine an analysis target set, package the analysis target set and the challenge table together and then transmit the analysis target set and the challenge table to the attacker;
the target concept module is used for adding target concepts between an attacker and a challenger, analyzing the analysis target set by the target concepts, and analyzing specific analysis targets;
the challenge function construction module is used for receiving the challenge list by the challenger and constructing a challenge function corresponding to the analysis target;
the challenge list transformation module is used for carrying out challenge element analysis by a challenger by utilizing a challenge function rule, and generating a challenge list after the challenge element transformation by combining a challenge value, an anonymous network protocol of the challenger and an analysis scene;
and the analysis intensity quantization module is used for an attacker to guess the analysis targets and the challenge values contained in the transformed challenge list by utilizing the analysis capability and to quantize the analysis intensity by utilizing the analysis metric evaluation rule.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Finally, it should be noted that: the foregoing description is only illustrative of the preferred embodiments of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention are included in the protection scope of the present invention.

Claims (8)

1. An AnoA theory-based anonymous network passive flow analysis and evaluation method is characterized in that a flow tracing analysis and evaluation framework based on an AnoA evaluation framework is constructed according to a 'challenge and response game' evaluation flow between an attacker and a challenger described by the AnoA evaluation framework, flow analysis attributes and challenge information for evaluation are defined, and a passive flow analysis intensity measurement rule is established; the method specifically comprises the following steps:
An attacker selects challenge elements, generates a challenge table to be executed in the evaluation process, determines an analysis target set, encapsulates the analysis target set and the challenge table together, and then transmits the analysis target set and the challenge table to the attacker;
adding a target concept between an attacker and a challenger, and analyzing an analysis target set by the target concept to analyze a specific analysis target;
the challenger receives the challenge list and constructs a challenge function corresponding to the analysis target;
the challenger analyzes the challenge element by using the challenge function rule, and generates a challenge list after the challenge element is transformed by combining the challenge value, the anonymous network protocol of the challenger and the analysis scene;
an attacker guesses the analysis targets and the challenge values contained in the transformed challenge list by using analysis capability, and quantifies the analysis intensity by using the analysis metric evaluation rule, wherein quantifying the analysis intensity by using the analysis metric evaluation rule comprises: an attacker uses the flow analysis capability to guess an analysis target mapped by the flow information in the challenge list, so as to obtain a monitoring target object or a non-monitoring target object; the method comprises the steps of determining a challenge value sequence number of a challenge list which is changed by a challenger through matching a target object with a challenge element in an initial challenge list by the challenger, and quantifying analysis intensity by using guess probability;
The quantifying the analysis intensity using the guess probability includes:
a) Calculating a guess result of the target object according to the object category, and executing b) if the object category is a monitoring target object, and executing c) if the object category is a non-monitoring target object;
b) Outputting the guess probability of the monitoring target object if the challenge value is consistent with the challenge value sequence number guessed by the attacker;
c) If the challenge value is consistent with the challenge value sequence number guessed by the attacker, outputting the guessing probability of the non-monitoring target object;
d) And outputting a quantized result according to the joint guess probability of the monitored target and the non-monitored target.
2. The AnoA theory-based anonymous network passive traffic analysis assessment method of claim 1, wherein the traffic analysis attributes and challenge information include analysis targets, analysis capabilities, analysis scenarios, anonymous network protocols, challenge elements, challenge lists, challenge functions, and challenge values.
3. The AnoA theory-based anonymous network passive flow analysis evaluation method as claimed in claim 2, wherein the analysis targets comprise a data link analysis set, a correlation mapping analysis set and a participant position analysis set, and each analysis set comprises a monitoring object or a non-monitoring object; the analysis capability comprises a region observation capability and a flow analysis capability, wherein the region observation capability represents an active region of an attacker for monitoring anonymous network flow, and the flow analysis capability represents characteristic analysis conditions of the attacker for monitoring the flow; the analysis scene refers to a state set of an attacker monitoring a target environment; the anonymous network protocol refers to anonymous network information used by challengers; the challenge element is expressed as a triplet, and the triplet comprises sender information, receiver information and flow auxiliary information; the challenge table is expressed as a binary group, and the binary group comprises a challenge element and an analysis target; the challenge functions include a data link challenge function, an associative mapping challenge function, and a participant position challenge function, each of the challenge functions allowing position transformations on the challenge elements; the challenge value represents a randomly selected challenge table object.
4. A passive traffic analysis and assessment method according to claim 3, wherein the number of challenge tables to be executed in the assessment process is two, there is only one set of challenge elements which are different between the two challenge tables, and the corresponding analysis targets are also inconsistent.
5. The AnoA theory-based anonymous network passive traffic analysis evaluation method as set forth in claim 4, wherein the attacker selects a challenge element to generate a challenge table to be executed in the evaluation process, comprising: the attacker selects corresponding challenge elements according to the analysis target set, wherein the challenge elements at least comprise one group of sender information, receiver information and flow auxiliary information, and simultaneously selects two groups of different challenge elements to form two challenge lists containing different challenge row information.
6. The AnoA theory-based anonymous network passive flow analysis evaluation method as claimed in claim 5, wherein the challenger receives a challenge list, constructs a challenge function corresponding to an analysis target, and comprises: according to the known analysis target set, obtaining the types of the monitoring targets and the non-monitoring targets of the attacker placed in the challenge list, and determining that the current analysis target type has a corresponding relation with a certain challenge function, so as to construct the challenge function of the corresponding relation.
7. The AnoA theory-based anonymous network passive flow analysis evaluation method as claimed in claim 6, wherein the challenger uses a challenge function rule to perform challenge element analysis, and generates a challenge table after challenge element transformation by combining a challenge value, an anonymous network protocol of the challenger and an analysis scene, and comprises the following steps: the challenger judges the challenge row by utilizing matched challenge function rules, allows the sender information, the receiver information and the flow auxiliary information of the challenge elements to be randomly adjusted, transforms the challenge table together with an analysis scene, randomly selects challenge values, inputs the two challenge tables into an anonymous network protocol, generates a challenge table after the challenge elements are modified, and selects one of the modified challenge tables to be transmitted back to the attacker.
8. An anonymized network passive traffic analysis evaluation system based on AnoA theory, comprising:
a challenge table generation module, used for an attacker to select challenge elements, generate a challenge table to be executed in the evaluation process, determine an analysis target set, package the analysis target set and the challenge table together, and then transmit the analysis target set and the challenge table to the attacker;
a target concept module, used for adding target concepts between the attacker and the challenger, the target concepts parsing the analysis target set to obtain the specific analysis targets;
a challenge function construction module, used for the challenger to receive the challenge list and construct a challenge function corresponding to the analysis target;
a challenge list transformation module, used for the challenger to perform challenge element analysis using a challenge function rule, and to generate a challenge list after the challenge element transformation by combining a challenge value, an anonymous network protocol of the challenger and an analysis scene;
an analysis intensity quantization module, used for the attacker to guess, using its analysis capability, the analysis targets and the challenge values contained in the transformed challenge list, and to quantize the analysis intensity using analysis metric evaluation rules, wherein quantizing the analysis intensity with the analysis metric evaluation rules comprises: the attacker uses its flow analysis capability to guess the analysis target mapped by the flow information in the challenge list, so as to obtain a monitoring target object or a non-monitoring target object; the challenge value sequence number of the challenge list changed by the challenger is determined by matching the target object with the challenge elements in the initial challenge list; and the analysis intensity is quantified using the guess probability;
wherein quantifying the analysis intensity using the guess probability includes:
a) calculating a guess result of the target object according to the object category, executing b) if the object category is a monitoring target object, and executing c) if the object category is a non-monitoring target object;
b) if the challenge value is consistent with the challenge value sequence number guessed by the attacker, outputting the guess probability of the monitoring target object;
c) if the challenge value is consistent with the challenge value sequence number guessed by the attacker, outputting the guess probability of the non-monitoring target object;
d) outputting a quantized result according to the joint guess probability of the monitored target and the non-monitored target.
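The guessing game of claims 5 to 8, as an added example that is not part of the patent: a toy Python simulation in which the challenger picks a challenge value, runs one of two challenge tables through a protocol, and a passive observer guesses which table was used. The protocol model (only payload length is observable), the names `site-a`/`site-b`, the lengths, the `pad_to` parameter and the pooled "overall" rate and "advantage" figure are assumptions of this example; the claims do not fix how the joint guess probability is combined.

```python
import random

MONITORED = {"site-a"}  # hypothetical monitored receiver; any other is non-monitored

def protocol(row, pad_to=None):
    """Toy anonymity protocol: hides sender/receiver, exposes only payload length."""
    _sender, _receiver, length = row
    return max(length, pad_to) if pad_to else length

def challenger(tables, pad_to, rng):
    """Pick the challenge value b at random and run table b through the protocol."""
    b = rng.randrange(2)
    return b, [protocol(row, pad_to) for row in tables[b]]

def attacker_guess(observed, tables, pad_to, rng):
    """Passive guess: match the observation against both known challenge tables.
    Assumes the observer knows the protocol and its padding setting."""
    fits = [observed == [protocol(r, pad_to) for r in t] for t in tables]
    if fits[0] != fits[1]:
        return fits.index(True)
    return rng.randrange(2)  # indistinguishable: nothing better than a coin flip

def run_game(rounds, pad_to=None, seed=7):
    """Estimate guess probabilities per target category over many rounds."""
    rng = random.Random(seed)
    # Constructed challenge tables: one row each, differing in receiver and length.
    tables = ([("alice", "site-a", 300)], [("alice", "site-b", 900)])
    hits = {"monitored": 0, "non_monitored": 0}
    seen = {"monitored": 0, "non_monitored": 0}
    for _ in range(rounds):
        b, observed = challenger(tables, pad_to, rng)
        guess = attacker_guess(observed, tables, pad_to, rng)
        receiver = tables[b][0][1]
        cat = "monitored" if receiver in MONITORED else "non_monitored"
        seen[cat] += 1
        hits[cat] += guess == b
    result = {c: hits[c] / max(seen[c], 1) for c in seen}
    result["overall"] = sum(hits.values()) / rounds      # assumption: pooled rate
    result["advantage"] = abs(2 * result["overall"] - 1)  # distance from guessing
    return result

if __name__ == "__main__":
    for pad in (None, 500, 1000):
        print(pad, run_game(4000, pad_to=pad))
```

Padding to 500 bytes leaves the two tables distinguishable, so the guess probability stays at 1; only padding that covers both lengths drives it to about 0.5.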
CN202111653842.3A 2021-12-30 2021-12-30 AnoA theory-based anonymous network passive flow analysis and evaluation method and system Active CN114422210B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111653842.3A CN114422210B (en) 2021-12-30 2021-12-30 AnoA theory-based anonymous network passive flow analysis and evaluation method and system

Publications (2)

Publication Number Publication Date
CN114422210A CN114422210A (en) 2022-04-29
CN114422210B true CN114422210B (en) 2023-05-30

Family

ID=81270355

Country Status (1)

Country Link
CN (1) CN114422210B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112383525A (en) * 2020-11-04 2021-02-19 淮安苏信科技信息有限公司 Industrial internet security situation evaluation method with high evaluation level and accuracy

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9503470B2 (en) * 2002-12-24 2016-11-22 Fred Herz Patents, LLC Distributed agent based model for security monitoring and response
US20150033347A1 (en) * 2013-07-29 2015-01-29 King Fahd University Of Petroleum And Minerals Apparatus and method for client identification in anonymous communication networks
CN104135385B (en) * 2014-07-30 2017-05-24 南京市公安局 Method of application classification in Tor anonymous communication flow
WO2018076013A1 (en) * 2016-10-21 2018-04-26 Yale University Systems and method for anonymous, low-latencey, tracking-resistant communications in a networked environment
KR102119636B1 (en) * 2018-11-14 2020-06-08 (주)에이아이딥 Anonymous network analysis system using passive fingerprinting and method thereof
US11075892B2 (en) * 2019-03-21 2021-07-27 ColorTokens, Inc. Fully cloaked network communication model for remediation of traffic analysis based network attacks
US11102179B2 (en) * 2020-01-21 2021-08-24 Vmware, Inc. System and method for anonymous message broadcasting

Also Published As

Publication number Publication date
CN114422210A (en) 2022-04-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant