Contact me at HELLO. I need a Kenyan IT expert who can handle a computer networking project. The client has already come up with the project title and he has written the proposal, and it was accepted. Now he i

Research Title: Censoring Private Information from Network Packet Traces

Introduction

Censorship is a widespread practice in every data network, and in public networks it is essential. ISPs shield prohibited or controlled information from being exchanged over their networks, parents use censoring applications for parental control in home networks, governments use firewall applications to shield and control networks from inappropriate or restricted usage, and so on. These measures are beneficial in such settings and in every other setting where control of the information exchanged over a network is necessary. Omitting such network controls can lead to abuse of network resources, malicious attacks, access to restricted information, child pornography, and more. To help network administrators troubleshoot problems within their networks, sniffing the data being transferred over the network cannot be avoided. However, this becomes very risky when the data being exchanged is raw and unencrypted: the traffic in such networks may expose personal information, which becomes susceptible to attackers if it lands in malicious hands and can then be misused, for example to launch attacks or to learn which sites the victim had visited.

In this paper we start by discussing how well the existing tools for data sanitization and anonymization, including tcpdpriv, scrub-tcpdump and tcpurify, obliterate or encrypt network data to make it safe for exchange over networks while retaining information that is useful to network technicians and system administrators for troubleshooting. Our main focus will then be to implement software that censors such private information while still retaining sufficient information for troubleshooting data networks, specifically in the layers above TCP such as the application layer. Before going deeper into the existing censorship mechanisms and our implementation of the proposed censoring mechanism, the following section analyzes the threats and opposing practices that surround censorship and tend to hinder its progress.

THREATS AND OPPOSING PRACTICES FACING CENSORSHIP
  1. Encryption and obfuscation practices
The major consideration in any data network is the security and safety of the data transferred over it. A simple application scenario shows the risks this can pose to every aspect of the lives of those involved. Consider the military and defense sector, where tactical and sensitive security information is shared over a network: it would be very risky to transmit that data unencrypted, or to leave authentication and shared credentials unprotected, in whatever environment the force operates. Consider next the medical field, where an emergency has occurred and urgent attention is needed: assuming that all hosts or nodes in the network are safe would be extreme negligence. A malicious node could creep into the network and, within no time, the emergency could run out of control through practices such as data injection, leading to denial of service or worse. Even with the best-implemented and most secure protocol in a data network, the security of the transferred data remains the primary and most sensitive consideration. We cannot talk about security without mentioning encryption, obfuscation, and obliteration of data deemed to cause or induce a security threat. When these mechanisms are deployed in data networks, layering censorship mechanisms on top of them may leave the information in transit corrupt, meaningless, or distorted beyond recovery, unless the mechanism applied at the sending end is reversible at the receiving end. Moreover, the exchanged keys or the headers that identify the encryption, obliteration, or obfuscation mechanism may be left behind as traces to allow reversal, which in turn exposes the data to another level of insecurity.
  2. Cryptographic mechanisms versus censorship
In any secure network, authentication of every host or node before connection is key to protection. Every host or node is required to authenticate each time it wants to join the network, and cryptographic keys are exchanged to authenticate every member connecting to it. The second consideration is that encrypted data is transferred from sender to recipient without interruption or data injection by any intermediary node. These aspects protect the free flow of network traffic to its destination. Conversely, encryption mechanisms are an obstacle to censoring mechanisms. Our initial assumption has been that the data transferred over the network is in plain text, as is usual in standard data networks. When traffic is encrypted, however, censorship is barred: it must be preceded by a decryption step before the data becomes identifiable and the insecure data in transit can be obliterated. Assuming the free flow of information, cryptographic mechanisms may therefore be considered a rival, or "big brother", to censorship mechanisms, since the major goal of censorship is to control the data exchanged over the network by removing objectionable data or information.
  3. Censorship fight-back
Internet censors seek ways to identify and block Internet access to information they deem objectionable. Increasingly, censors deploy advanced networking tools such as deep-packet inspection (DPI) to identify such connections [3]. In response, activists and academic researchers have developed and deployed network traffic obfuscation mechanisms, which try to circumvent censorship by applying specialized cryptographic tools to hide the true nature and content of connections from DPI [1]. In reaction to DPI, modern circumvention systems encrypt content to proxies, preventing this kind of keyword search. The result has been that sophisticated modern censors now use DPI to identify and block the traffic created by circumvention tools. For example, China used DPI to detect Tor connections by looking for a specific sequence of bytes in the first application-layer message from client to server; this sequence corresponds to the TLS cipher suites selected by Tor clients, which were unlike those selected by other TLS implementations. As another example, Iran used DPI to determine the expiration date of TLS certificates: at the time, Tor servers used certificates with relatively near expiration dates, while most commercial TLS servers chose expiration dates many years away. These blocking policies used fairly sophisticated information about the circumvention tool's particular implementation of TLS as carried in packet payloads. Nevertheless, even a crude scan of application-layer content can discover that standard protocols (e.g. SSH, TLS) are being transported. This may be enough to trigger insensitive blocking, or logging of source/destination IP addresses for more detailed analysis or later action [2].
BRIEF OVERVIEW OF HOW CENSOR SYSTEMS WORK

Address-based identification - Originally, attempts to access censored Internet content were identified by first associating addressing information (IP addresses and port numbers, domain names) with sensitive content, resulting in a blacklist of addresses. Any network connection to these addresses was deemed an attempt to access sensitive content. For blacklisted domain names, the censor can direct ISPs to run modified DNS software; connections to these domains are then typically blocked or misdirected. For IP addresses, the censor can install hardware at ISPs that compares the information in a packet's IP header against the list. As the IP headers appear early in the packet, one needs only to perform "shallow" packet inspection, disregarding the information encapsulated deeper in the packet. TCP or UDP port information is similarly available via shallow inspection. A user can avoid both domain-name- and IP/port-based identification by using a proxy, a cooperative machine whose address information is not blacklisted, as highlighted above in the section on cryptographic mechanisms versus censorship.

Identification via deep-packet inspection - The success of proxy systems in practice has led censors to deploy new DPI mechanisms that identify traffic based on information deeper inside the network packets. For example, application-layer content carried in (unencrypted) packet payloads can divulge user-generated data, such as keywords within search URLs; China's Great Firewall blocking traffic that contains blacklisted keywords is one example. To identify such deeply buried keywords, DPI comes into play and performs the censoring function, maintaining control over the traffic despite such proxy systems.

SCOPE OF CENSORSHIP

Censors vary widely with respect to their motivation, effectiveness, and technical sophistication.
A wide range of entities, from individuals to corporations and state-level actors, may act as a censor. The extent to which a censor can effectively disrupt communication is a consequence of the censor's resources and constraints. Specifically, the censor's technical resources, capabilities, and goals are informed by its sphere of influence and sphere of visibility. The sphere of influence is the degree of active control the censor has over the flow of information and the behavior of individuals or large entities. The sphere of visibility is the degree of passive visibility a censor has over the flow of information on its own networks and those of other operators. The spheres of influence and visibility are dictated by physical, political, or economic dynamics. Limitations due to geography are an example of physical constraints. Relevant legal doctrine or international agreements and understandings that influence the censor's actions are examples of political limitations. Economic constraints assume that the censor operates within some specified budget that affects the technical sophistication and accuracy of the censorship apparatus it can field [4].

ABSTRACT MODEL OF CENSORSHIP

At an abstract level, the censorship apparatus is composed of classifier and cost functions that feed into a decision function. Censorship activity can be categorized into two distinct phases, fingerprinting and direct censorship. In the first phase (fingerprinting), the censor identifies and then uses a set of distinguishers D to flag prohibited network activity. For example, the censor may employ regular expressions to detect flows corresponding to a blocked publisher. The classifier takes D and the set of network traffic to be analyzed T as inputs, and outputs the offending traffic flows within some acceptable margin of error to account for misclassification [4].
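As an added illustration of this abstract model (example code written for this page, not from the proposal or from [4]), the following Python program implements both phases: a classifier that applies a set of distinguishers D to a set of flows T, mixing "shallow" (address-based) and "deep" (payload-based) distinguishers as described in the overview above, and a decision function that picks the response whose expected cost is lower, weighing the cost of blocking a benign flow against the cost of missing a prohibited one. This is the same shape of pipeline a network operator's own IDS or DLP filter runs when deciding whether to drop, alert on, or pass a flow. The addresses, patterns, confidence values and flows are all constructed sample data, not a real blacklist.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Distinguisher:
    name: str
    depth: str         # "shallow": only addressing info is examined; "deep": payload (DPI)
    pattern: str       # "ip" or "ip:port" blacklist entry for shallow, a regex for deep
    confidence: float  # how strongly one match indicates prohibited activity, in [0, 1]


def matches(d: Distinguisher, flow: Flow) -> bool:
    """Does distinguisher d fire on this flow? Shallow matching never reads the payload."""
    if d.depth == "shallow":
        return d.pattern in (flow.dst, f"{flow.dst}:{flow.dport}")
    if d.depth == "deep":
        return re.search(d.pattern.encode("latin-1"), flow.payload, re.DOTALL) is not None
    raise ValueError(f"unknown depth {d.depth!r}")


def classify(D: list[Distinguisher], T: list[Flow]) -> list[tuple[Flow, list[str], float]]:
    """Phase 1 (fingerprinting): apply every distinguisher in D to every flow in T.

    Returns only the flagged flows, each with the names of the distinguishers that
    matched and a combined score. The score is a noisy-OR of the confidences, so one
    strong match or several weak ones both push it towards 1; the remaining
    uncertainty is the margin of error the decision function has to tolerate."""
    flagged = []
    for flow in T:
        hits = [d for d in D if matches(d, flow)]
        if not hits:
            continue
        p_all_spurious = 1.0
        for d in hits:
            p_all_spurious *= 1.0 - d.confidence
        flagged.append((flow, [d.name for d in hits], 1.0 - p_all_spurious))
    return flagged


def decide(score: float, cost_false_block: float, cost_miss: float,
           log_threshold: float = 0.1) -> str:
    """Phase 2 (direct censorship): choose the response with the lower expected cost.

    cost_false_block is the cost of blocking a benign flow (collateral damage);
    cost_miss is the cost of letting a prohibited flow through. A flow that is not
    worth blocking but still scored above log_threshold is only logged."""
    expected_cost_block = (1.0 - score) * cost_false_block
    expected_cost_allow = score * cost_miss
    if expected_cost_block < expected_cost_allow:
        return "block"
    if score >= log_threshold:
        return "log"
    return "allow"


def run_pipeline(D, T, cost_false_block=1.0, cost_miss=1.0):
    """Classifier followed by decision function, keyed by (src, dst, dport)."""
    return {
        (flow.src, flow.dst, flow.dport): (names, round(score, 3),
                                          decide(score, cost_false_block, cost_miss))
        for flow, names, score in classify(D, T)
    }


# Constructed sample data: documentation-range addresses and made-up patterns.
DISTINGUISHERS = [
    Distinguisher("blacklisted-address", "shallow", "203.0.113.7", 0.95),
    Distinguisher("blocked-search-term", "deep", r"GET /search\?q=[^ ]*blocked-term", 0.9),
    # A crude "standard protocol present" scan: a TLS record header. Low confidence
    # on its own, which is why it should only ever lead to logging.
    Distinguisher("tls-record-header", "deep", r"^\x16\x03[\x01-\x03]", 0.2),
]

TRAFFIC = [
    Flow("192.0.2.10", "203.0.113.7", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0"),
    Flow("192.0.2.11", "198.51.100.20", 80,
         b"GET /search?q=blocked-term HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("192.0.2.12", "198.51.100.30", 443, b"\x16\x03\x03\x00\x9a\x01\x00\x00\x96"),
    Flow("192.0.2.13", "198.51.100.40", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for key, (names, score, action) in run_pipeline(DISTINGUISHERS, TRAFFIC).items():
        print(key, names, score, action)
```

Running it shows the three outcomes the model allows: the flow to the blacklisted address and the flow carrying the blocked search term are blocked, the flow that only looks like ordinary TLS is logged for later analysis, and the plain page fetch is never flagged at all. Raising cost_false_block relative to cost_miss models a censor (or operator) with a low tolerance for collateral damage: the same scores then produce "log" instead of "block".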
In the second phase (direct censorship), the censor responds to flagged network flows based on a utility function that accounts for the censor's costs and tolerance for errors. For example, the censor may choose to block flagged network flows by sending TCP reset packets to both the user and the publisher to force the connection to terminate [4].

HOW TCPDPRIV, SCRUB-TCPDUMP AND TCPURIFY WORK

SCRUB-tcpdump - a tool that adds multi-field, multi-option anonymization to tcpdump functionality. SCRUB-tcpdump is essentially a set of functions used to anonymize a packet flow trace in libpcap or tcpdump format so that it can be shared or released without jeopardizing the anonymity of the network represented by the captured flow. It allows the user to select from a variety of options for anonymizing fields such as ports, IP addresses, timestamps, transport protocols, flags, and options [5].

Tcpdpriv - a program for eliminating confidential information from packets collected on a network interface (or from trace files created using the -w argument to tcpdump) [6].

TCPurify - a packet sniffer/capture program similar to tcpdump, but with much reduced functionality. What sets TCPurify apart from other similar programs is its focus on privacy: it is designed from the ground up to protect the privacy of users on the sniffed network as much as possible [7]. To accomplish this, TCPurify truncates almost all packets immediately after the last recognized header (IP or Ethernet), removing all data payload before storing the packet. (There are some notable exceptions, such as ICMP, chargen and daytime packets; some of these protocols are left in because they are useful for security auditing (ICMP) and others merely because they should be uninteresting.) Furthermore, it can randomize some or all IP addresses (based on the network portion of the address) to mask exactly where packets come from or go to, while still retaining a general idea. This randomization is reversible with the help of a one-shot file generated at capture time [7].

In general, these tools are oriented to sanitizing large volumes of network data (e.g. to create repositories of traces that researchers can use to study network traffic flows) rather than sanitizing the traffic of one user. Consequently, they focus on sanitizing lower-layer protocols (up to TCP) and obliterate application-layer headers, whereas for troubleshooting this thesis will seek to retain application-layer headers while still removing private information (e.g. HTTP cookies and POP passwords) from those headers.

OUR IMPLEMENTATION OF A CENSORING AND SANITIZING TOOL

In developing a censoring tool for private information in network packet traces, our approach will retain application-layer headers while still removing private information (e.g. HTTP cookies and POP passwords) from those headers for each individual, personalized session, as opposed to the other censoring and sanitizing systems mentioned above.

Here we will develop our approach and our tool for secure, personalized and sanitized data from and within the application layer…
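The approach just described, together with the tcpurify-style address randomization covered earlier, as an added Python example written for this page (it is not the proposal's tool, nor code from tcpurify, tcpdpriv or scrub-tcpdump). It works on a small constructed trace rather than a pcap file, so the pcap parsing and TCP stream reassembly a real tool needs first are left out. IP addresses are replaced per /24 network by a random network while the host part is kept, and the mapping is retained for reversal; HTTP and POP3 headers are retained, and only the Cookie, Set-Cookie, Authorization and Proxy-Authorization values and the POP3 PASS argument are blanked. Treating the Authorization headers as private, and dropping the payload of unrecognised ports the way tcpurify does, are my own assumptions about what such a tool should do; the packets and credentials are constructed.

```python
from __future__ import annotations

import ipaddress
import json
import re
import secrets
from dataclasses import dataclass

REDACTED = "[REDACTED]"


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


class NetworkMasker:
    """tcpurify-style reversible IP randomisation: each real /prefixlen network is
    replaced by one random network, the host part is kept, and the mapping is kept
    (the 'one-shot' file) so the trace can be de-anonymised by whoever holds it."""

    def __init__(self, prefixlen: int = 24):
        self.prefixlen = prefixlen
        self.forward: dict[str, str] = {}  # real network -> random network
        self.reverse: dict[str, str] = {}  # random network -> real network

    def _network(self, ip: str) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{ip}/{self.prefixlen}", strict=False)

    def _translate(self, ip: str, table: dict[str, str]) -> str:
        net = self._network(ip)
        target = ipaddress.ip_network(table[str(net)])
        host_part = int(ipaddress.IPv4Address(ip)) & int(net.hostmask)
        return str(ipaddress.IPv4Address(int(target.network_address) | host_part))

    def mask(self, ip: str) -> str:
        key = str(self._network(ip))
        if key not in self.forward:
            host_bits = 32 - self.prefixlen
            while True:  # fresh random network, neither already used nor the real one
                candidate = ipaddress.IPv4Address(secrets.randbits(self.prefixlen) << host_bits)
                fake = str(ipaddress.ip_network(f"{candidate}/{self.prefixlen}"))
                if fake != key and fake not in self.reverse:
                    break
            self.forward[key] = fake
            self.reverse[fake] = key
        return self._translate(ip, self.forward)

    def unmask(self, ip: str) -> str:
        return self._translate(ip, self.reverse)

    def dump_mapping(self) -> str:
        """Reversal file contents; store it apart from the sanitised trace."""
        return json.dumps(self.forward, sort_keys=True)


# Application-layer scrubbing: header names and non-private headers stay intact,
# only the private values are blanked.
PRIVATE_HTTP_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
POP3_PASS = re.compile(r"^(PASS[ \t]+)\S+", re.IGNORECASE | re.MULTILINE)


def scrub_http(text: str) -> str:
    head, sep, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    out = [lines[0]]  # request/status line is kept as-is
    for line in lines[1:]:
        name, colon, _value = line.partition(":")
        if colon and name.strip().lower() in PRIVATE_HTTP_HEADERS:
            out.append(f"{name}: {REDACTED}")
        else:
            out.append(line)
    trailer = f"[{len(body)} body bytes removed]" if body else ""  # body is not a header
    return "\r\n".join(out) + sep + trailer


def scrub_pop3(text: str) -> str:
    return POP3_PASS.sub(lambda m: m.group(1) + REDACTED, text)


def sanitize(packets: list[Packet], masker: NetworkMasker) -> list[Packet]:
    out = []
    for p in packets:
        text = p.payload.decode("latin-1")
        if p.dport in (80, 8080):
            text = scrub_http(text)
        elif p.dport == 110:
            text = scrub_pop3(text)
        else:  # unknown application protocol: drop the payload as tcpurify does
            text = f"[{len(p.payload)} payload bytes removed]"
        out.append(Packet(masker.mask(p.src), masker.mask(p.dst), p.dport, text.encode("latin-1")))
    return out


# Constructed sample trace (documentation-range addresses, made-up credentials).
SAMPLE_TRACE = [
    Packet("192.0.2.10", "198.51.100.5", 80,
           b"GET /inbox HTTP/1.1\r\nHost: mail.example\r\nCookie: session=abc123\r\n"
           b"User-Agent: curl/8.0\r\n\r\n"),
    Packet("192.0.2.11", "198.51.100.6", 110, b"USER alice\r\nPASS hunter2\r\nSTAT\r\n"),
    Packet("192.0.2.11", "198.51.100.7", 443, b"\x16\x03\x01\x00\x05hello"),
]
```

Calling sanitize(SAMPLE_TRACE, NetworkMasker()) leaves the request line, Host and User-Agent headers and the POP3 USER and STAT commands readable for troubleshooting, while the cookie value and the password are gone; the two packets from the same real /24 end up in the same random /24 with their host octets unchanged, so flows from one host can still be correlated in the sanitised trace, and NetworkMasker.unmask recovers the real addresses for anyone holding the mapping. Unlike the one-way obliteration the existing tools apply to the application layer, this keeps the headers a technician needs.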

Conclusion

Network security is a critical aspect that deserves consideration when choosing how data is transferred within data networks. To this end, we hold that censoring and sanitization in day-to-day data sharing and communication are indeed essential practices, and, since that alone is not enough, that it is relevant to retain sufficient information for auditing and troubleshooting of data networks. We acknowledge that more research is ongoing to design and build on the tool to overcome the risks that may result from exposure of private information in packet traces through data networks.


References:

[1]L. Dixon, T. Ristenpart and T. Shrimpton, "Network Traffic Obfuscation and Automated Internet Censorship", Arxiv.org, 2016. [Online]. Available: https://arxiv.org/pdf/1605.04044.pdf. [Accessed: 12- Oct- 2018].

[2]R. Subramanian, "The Growth of Global Internet Censorship and Circumvention: A Survey", SSRN Electronic Journal, p. 12, 2011.

[3]S. Murdoch and H. Roberts, "Internet Censorship and Control [Guest editors' introduction]", IEEE Internet Computing, vol. 17, no. 3, pp. 6-9, 2013.

[4]S. Khattak, Characterization of Internet censorship from multiple perspectives. University of Cambridge Computer Laboratory, 2017, pp. 23-24.

[5]"SCRUB-tcpdump", Scrub-tcpdump.sourceforge.net, 2018. [Online]. Available: http://scrub-tcpdump.sourceforge.net/papers.php. [Accessed: 13- Oct- 2018].

[6]"Program for Eliminating Confidential Information from Traces", Ita.ee.lbl.gov, 2018. [Online]. Available: http://ita.ee.lbl.gov/html/contrib/tcpdpriv.html. [Accessed: 13- Oct- 2018].

[7]"Tcpurify — BrewFormulas", Brewformulas.org, 2017. [Online]. Available: http://brewformulas.org/Tcpurify. [Accessed: 14- Oct- 2018].