Network Traffic Obfuscation and Automated Internet Censorship

  title={Network Traffic Obfuscation and Automated Internet Censorship},
  author={Lucas Dixon and Thomas Ristenpart and Thomas Shrimpton},
  journal={IEEE Security \& Privacy},
Internet censors seek ways to identify and block internet access to information they deem objectionable. Increasingly, censors deploy advanced networking tools such as deep-packet inspection (DPI) to identify such connections. In response, activists and academic researchers have developed and deployed network traffic obfuscation mechanisms. These apply specialized cryptographic tools to attempt to hide from DPI the true nature and content of connections. This survey offers an overview of… 

Figures from this paper

Improving Meek With Adversarial Techniques

A method to efficiently gather reproducible packet captures from both normal HTTPS and Meek traffic is developed and a generative adversarial network (GAN) is trained to minimally modify statistical signatures in a way that hinders classification.

Quack: Scalable Remote Measurement of Application-Layer Censorship

Quack is introduced, a scalable, remote measurement system that can efficiently detect application-layer interference and show that it can effectively detect applicationlayer blocking triggered on HTTP and TLS headers, and it is flexible enough to support many other diverse protocols.

Knocking on IPs: Identifying HTTPS Websites for Zero-Rated Traffic

This paper presents “Open-Knock,” a novel approach that is capable of accurately identifying a zero-rated website, thwarts free-riding attacks, and is sustainable on the increasingly encrypted web.

ACER: detecting Shadowsocks server based on active probe technology

This work proposes a new system named ACER, which AC means active and ER means expert, to detect Shadowsocks servers, and introduces XGBoost algorithm to process the data stream to optimize the detection.

Measuring the Deployment of Network Censorship Filters at Global Scale

FilterMap is presented, a novel framework that can scalably monitor content filtering technologies based on their blockpages and detects the use of commercial filtering technologies for censorship in 36 out of 48 countries labeled as ‘Not Free’ or ‘Partly Free” by the Freedom House “Freedom on the Net” report.

Internet censorship in Italy: An analysis of 3G/4G networks

This work is the first to focus on censorship detection on 3G/4G (hereafter mobile) network operators, investigating the extent of differences in applying censorship inside a single country.

Network Traffic Obfuscation against Traffic Classification

Experiments show that the MIM algorithm has the best performance in white-box attacks, and the obfuscation success rate of DNN and LSTM models is 90%, while CNN has stronger robustness in the black-box attack.

Privacy and Data Protection in the Domain Name System

An important yet often missing aspect from public debates on privacy is the impact of the underlying, for users often hidden, Internet infrastructure to the fundamental right to informational self-determination.

Detecting Cobalt Strike beacons in NetFlow data

This research proposes a detection algorithm based on four identifying network related features, which prove to be able to identify Cobalt Strike TCP beacons with an accuracy of 99.996%.



Seeing through Network-Protocol Obfuscation

This work provides the first in-depth investigation of the detectability of in-use protocol obfuscators by DPI, and builds a framework for evaluation that uses real network traffic captures to evaluate detectability, based on metrics such as the false-positive rate against background traffic.

ScrambleSuit: a polymorphic network protocol to circumvent censorship

By using morphing techniques and a secret exchanged out-of-band, ScrambleSuit can defend against active probing and other fingerprinting techniques such as protocol classification and regular expressions and enables effective and lightweight obfuscation for application layer protocols.

CloudTransport: Using Cloud Storage for Censorship-Resistant Networking

Censorship circumvention systems such as Tor are highly vulnerable to network-level filtering. Because the traffic generated by these systems is disjoint from normal network traffic, it is easy to

StegoTorus: a camouflage proxy for the Tor anonymity system

StegoTorus is presented, a tool that comprehensively disguises Tor from protocol analysis and improves the resilience of Tor to fingerprinting attacks and delivers usable performance.

Dust : A Blocking-Resistant Internet Transport Protocol

Dust is proposed as a blocking-resistant Internet protocol designed to be used alone or in conjunction with existing systems to resist a number of attacks currently in active use to censor Internet communication.

Evading Censorship with Browser-Based Proxies

A browser-based proxy creation system that generates a large number of short-lived proxies so that clients using the system seamlessly hop from one proxy to the next as thesebrowser-based proxies appear and disappear.

Infranet: Circumventing Web Censorship and Surveillance

The design, a prototype implementation, security properties, and performance of Infranet, a system that enables clients to surreptitiously retrieve sensitive content via cooperating Web servers distributed across the global Internet, are described.

SkypeMorph: protocol obfuscation for Tor bridges

This work proposes a model in which the client obfuscates its messages to the bridge in a widely used protocol over the Internet, to make it difficult for the censoring adversary to distinguish between the obfuscated bridge connections and actual Skype calls using statistical comparisons.

Chipping Away at Censorship Firewalls with User-Generated Content

This paper develops Collage, which allows users to exchange messages through hidden channels in sites that host user-generated content, and shows how Collage can be used to build two applications: a direct messaging application, and a Web content delivery system.

Cirripede: circumvention infrastructure using router redirection with plausible deniability

Cirripede is a system that can be used for unobservable communication with Internet destinations and is designed to be deployed by ISPs, intercepts connections from clients to innocent-looking destinations and redirects them to the true destination requested by the client.