Fundamental Limits of Invisible Flow Fingerprinting

TL;DR

This paper investigates the fundamental limits of invisible flow fingerprinting in network anonymity systems, analyzing how many flows can be reliably fingerprinted without detection under various network conditions.

Contribution

It introduces a theoretical framework for understanding the maximum number of flows that can be fingerprinted invisibly in complex network models.

Findings

Derived bounds on the number of fingerprinted flows

Analyzed scenarios with different flow rates and fingerprinting strategies

Extended analysis to arbitrary flow rates and partial fingerprinting cases

Abstract

Network flow fingerprinting can be used to de-anonymize communications on anonymity systems such as Tor by linking the ingress and egress segments of anonymized connections. Assume Alice and Bob have access to the input and the output links of an anonymous network, respectively, and they wish to collaboratively reveal the connections between the input and the output links without being detected by Willie who protects the network. Alice generates a codebook of fingerprints, where each fingerprint corresponds to a unique sequence of inter-packet delays and shares it only with Bob. For each input flow, she selects a fingerprint from the codebook and embeds it in the flow, i.e., changes the packet timings of the flow to follow the packet timings suggested by the fingerprint, and Bob extracts the fingerprints from the output flows. We model the network as parallel $M/M/1$ queues where each queue is shared by a flow from Alice to Bob and other flows independent of the flow from Alice to Bob. The timings of the flows are governed by independent Poisson point processes. Assuming all input flows have equal rates and that Bob observes only flows with fingerprints, we first present two scenarios: 1) Alice fingerprints all the flows; 2) Alice fingerprints a subset of the flows, unknown to Willie. Then, we extend the construction and analysis to the case where flow rates are arbitrary as well as the case where not all the flows that Bob observes have a fingerprint. For each scenario, we derive the number of flows that Alice can fingerprint and Bob can trace by fingerprinting.