Towards Provably Invisible Network Flow Fingerprints

TL;DR

This paper investigates how to embed and detect network flow fingerprints covertly in packet timings within queue networks, ensuring invisibility from adversaries while enabling accurate fingerprint extraction.

Contribution

It introduces methods for invisibly embedding flow fingerprints in Poisson traffic and analyzes the maximum number of flows that can be fingerprinted without detection.

Findings

Maximum number of flows with embedded fingerprints without detection.

Extension of fingerprinting methods to flows with different rates.

Analysis of network models with parallel queues for fingerprinting.

Abstract

Network traffic analysis reveals important information even when messages are encrypted. We consider active traffic analysis via flow fingerprinting by invisibly embedding information into packet timings of flows. In particular, assume Alice wishes to embed fingerprints into flows of a set of network input links, whose packet timings are modeled by Poisson processes, without being detected by a watchful adversary Willie. Bob, who receives the set of fingerprinted flows after they pass through the network modeled as a collection of independent and parallel $M/M/1$ queues, wishes to extract Alice's embedded fingerprints to infer the connection between input and output links of the network. We consider two scenarios: 1) Alice embeds fingerprints in all of the flows; 2) Alice embeds fingerprints in each flow independently with probability $p$. Assuming that the flow rates are equal, we calculate the maximum number of flows in which Alice can invisibly embed fingerprints while having those fingerprints successfully decoded by Bob. Then, we extend the construction and analysis to the case where flow rates are distinct, and discuss the extension of the network model.