Securing anonymity networks from traffic analysis attacks

1. INTRODUCTION
User anonymity is one important confidentiality criterion for many applications, ranging from peer-to-peer file sharing and anonymous web browsing or e-mail, to various forms of electronic commerce, and finally to electronic voting. The nature of many such applications requires that the identity of either one or more of the participants remains confidential either from the other participant(s) or from third parties. The anonymity of a system can be passively attacked by an observer in two ways, either through inspection of payload or headers of the exchanged data packets, or, when encryption is used, through traffic analysis. Sufficiently effective encryption can be used to prevent packet content inspection, giving prevalence to the second form of attack. Traffic analysis is typically countered by the use of intermediary nodes, whose role is to perturb the traffic flow and thus confuse an external observer. Such intermediaries delay and reroute exchanged messages, reorder them, pad their size, or perform other operations. Chaum proposed such a mix network to handle mail traffic. The original Chaum mix network operates on entire mail messages at a time and therefore does not need to pay particular attention to latency added by the mixes. Increasingly, the data exchanged exceed by far the capacity of mixes, for example, in file-sharing applications. As a result, current mixes operate on individual packets of a flow rather than on entire messages. In conjunction with source routing at the sender, this allows for very efficient network-level implementations of mix networks. Mixes are also being used in applications where low latency is relevant, for example, voice-over-IP or video streaming. Many other applications, such as traditional FTP or file-sharing applications rely on delay-sensitive protocols, such as TCP, and are therefore in turn delay-sensitive as well. 
For such applications, it is well known that the level of traffic perturbation caused by the mix network must be carefully chosen in order to not unduly affect delay and throughput requirements of the applications. It is difficult to assess the improvement of anonymity that one attains for any given cost in form of added latency and perturbation to traffic streams. Moreover, few quantitative guidelines exist on how different perturbation mechanisms perform

2. SYSTEM STUDY
2.1. EXISTING SYSTEM

The idea of anonymous communication was introduced in 1981. Since then, researchers have applied the idea to different applications such as message-based e-mail and flow-based low-latency communications, and they have developed new defense techniques as more attacks have been proposed.

Fig 1: A Single Mix

For anonymous e-mail applications, Chaum proposed using relay servers, called mixes, which encrypt and reroute messages. An encrypted message is analogous to an onion constructed by a sender, who sends the onion to the first mix:
• Using its private key, the first mix peels off the first layer, which is encrypted using the public key of the first mix.
• Inside the first layer is the second mix's address and the rest of the onion, which is encrypted with the second mix's public key.
• After getting the second mix's address, the first mix forwards the peeled onion to the second mix. This process repeats all the way to the receiver.
• The core part of the onion is the receiver's address and the real message to be sent to the receiver by the last mix.
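The layering and peeling steps above, as an added example that is not code from this project: a sender wraps a message for a three-mix route and each mix removes exactly one layer. The per-mix secrets in DEMO_KEYS, the mix and receiver names, the length-prefixed address format and the HMAC-based encrypt-then-MAC construction are assumptions; the symmetric construction is a stand-in for public-key encryption to each mix and is for illustration only.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo secrets, one per mix (stand-in for each mix's key pair).
DEMO_KEYS = {name: hashlib.sha256(name.encode()).digest()
             for name in ("mix1", "mix2", "mix3")}


def _subkey(key, label):
    """Derive separate encryption and MAC keys from one per-mix secret."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_stream(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (illustration only)."""
    stream = b""
    for counter in range((len(data) + 31) // 32):
        block = nonce + struct.pack(">I", counter)
        stream += hmac.new(key, block, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_layer(mix_key, plaintext):
    """Encrypt-then-MAC one layer so that only the holder of mix_key can open it."""
    nonce = os.urandom(16)
    body = _xor_stream(_subkey(mix_key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(mix_key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + tag + body


def open_layer(mix_key, blob):
    """Verify and decrypt one layer; fails for any mix other than the addressee."""
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(_subkey(mix_key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer is not addressed to this mix or was modified")
    return _xor_stream(_subkey(mix_key, b"enc"), nonce, body)


def build_onion(route, receiver, message, keys):
    """Sender side: wrap from the core outwards, so the last mix's layer is built first."""
    next_hops = route[1:] + [receiver]
    onion = message
    for mix, next_hop in reversed(list(zip(route, next_hops))):
        addr = next_hop.encode()
        onion = seal_layer(keys[mix], struct.pack(">H", len(addr)) + addr + onion)
    return onion


def peel(mix, onion, keys):
    """Mix side: remove one layer and learn only the next hop and the inner onion."""
    layer = open_layer(keys[mix], onion)
    (addr_len,) = struct.unpack(">H", layer[:2])
    return layer[2:2 + addr_len].decode(), layer[2 + addr_len:]


def forward(onion, first_mix, keys):
    """Walk the onion through the mixes; returns (receiver, message, per-hop trace)."""
    hop, trace = first_mix, []
    while hop in keys:
        next_hop, onion = peel(hop, onion, keys)
        trace.append((hop, next_hop, len(onion)))  # what this mix saw and forwarded
        hop = next_hop
    return hop, onion, trace


if __name__ == "__main__":
    packet = build_onion(["mix1", "mix2", "mix3"], "receiver.example",
                         b"meet at noon", DEMO_KEYS)
    receiver, message, trace = forward(packet, "mix1", DEMO_KEYS)
    for mix, next_hop, size in trace:
        print(f"{mix} forwards {size} bytes to {next_hop}")
    print(receiver, message)
```

The trace shows the onion shrinking by a fixed amount at every hop, which is a size signal an observer can follow unless the mixes also pad messages.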

2.2. PROPOSED SYSTEM

The proposed system focuses on the quantitative evaluation of mix performance and of the flow-correlation attack. In general, flow-correlation attacks attempt to reduce the anonymity degree by estimating the path of flows through the mix network. Flow correlation analyzes the traffic on a set of links inside the network and estimates the likelihood for each link to be on the path of the flow under consideration. An adversary analyzes the network traffic with the intention of identifying which of several output ports a flow at an input port of a mix is taking. Flow correlation thus helps the adversary identify the path of a flow and consequently reveal other critical information related to the flow.

2.3. MODULES

Our application has the following modules: Anonymity Client, intermediate simple Mix and Secured Server. The implementation has two objectives:
• Client and server response using a mix network, which includes performance analysis.
• Detecting malicious packet data loss, which includes performance analysis using a graph.

Fig 19: Mix Network (Sender, Mix Network, Receiver)

2.4. ANONYMITY CLIENT


Network Availability
In this module the client makes sure that the application has initialized the Mix network server and secured data server. Once both the servers are started, data is accessible to the users of the network.

Accessing the files
In this module the client system is activated to receive the file from the server system. The client system user has to select the file receiving path and start the server. The client is activated to receive the file from the server.

Performance analysis
In this module we estimate the mix network performance by calculating the response time, CPU speed and intermediate path.

2.5. MIX SERVER


This module is responsible for identifying the CPU execution time of each system in the network. CPU execution speed varies dynamically from one system to another in the network. Based on the CPU execution speed, the path is selected and changed accordingly to send a file from server to client.

2.6. SECURED DATA SERVER


Sender File
In this module, the available systems in the network are scanned. The systems are scanned along with their IP addresses, which are used for file transfer. The file is transferred from the local system to the client system based on the system selection.

Encrypt & Decrypt File
In this module, the packets received from the mix network are encrypted and sent to the mix network. Some requests from the mix are decrypted. This is the actual server which contains the data.

Access File
Whenever the server gets a request from the mix network or anonymity client, it searches for the file in the database and sends the file over the secured anonymity mix network. An eavesdropper cannot correlate the exact input flow and outflow of data packets.

3. LITERATURE SURVEY
A literature survey is the most important step in the software development process. Before developing the tool it is necessary to determine the time factor, economy and company strength. Once these things are satisfied, the next step is to determine which operating system and language can be used for developing the tool. Once the programmers start building the tool, they need a lot of external support. This support can be obtained from senior programmers, from books or from websites. Before building the system, the above considerations are taken into account for developing the proposed system.

3.1. TOWARDS MEASURING ANONYMITY


The degree of anonymity depends on the probabilities that the users have sent a particular message. These probabilities are designed by the attacker. Anonymity is the state of being not identifiable within a set of subjects, the anonymity set.

Proposed Measurement Model
Considering only sender anonymity, the degree of anonymity provided by a system depends on the probability distribution and not on the size of the anonymity set and quality of the system.

HM = log2 (N) d=1 y y =

How to find the probability distribution in real situations? Understanding the real attacks?

We still don't know how hard or easy it is to monitor part or all of an anonymity system. The degree of anonymity is then relative to the attacker. Is any standardized absolute degree possible?

3.2. USES OF ANONYMITY SYSTEMS


3.2.1. Web Browsing and Email
The most popular uses of the internet are email and web browsing. Therefore, to ensure communications privacy, we should build an anonymity infrastructure to enable users to perform these activities free from intrusion by various attackers.

3.2.2. Electronic Voting
Electronic voting is often viewed as a good application of anonymity. One fundamental requirement of an electronic voting system is to ensure that it is not possible to determine who votes for whom. Another is to ensure that the votes are `receipt free', i.e. the voter is unable to prove to a third party which way they voted. This is necessary to prevent votes from being sold. E-voting is a very contentious area, with some experts believing that it is currently technically infeasible to provide a secure system with strong anonymity properties in order to guarantee that an election is conducted fairly. Certainly the vast majority of the deployed systems have major shortcomings in their security, user interfaces, or reliability. Nevertheless, if electronic voting systems are ever to be deployed, they will probably need to use the same techniques as anonymity systems.

3.2.3. Censorship Resistance
Censorship resistance is the ability to publish a document on a system which ensures that it will be available for a long time, despite powerful adversaries trying to prevent its distribution. Anonymity is a useful tool in censorship resistant systems. It enables publishing to be done anonymously, so the author cannot be tracked (thus removing the fear element which often discourages people from posting controversial documents). Even more importantly, it prevents the machines which store a file from knowing what the file they are storing is, thus removing potential burden of filtering

3.3. THREAT MODELS


There are several main threat models that anonymity researchers consider.

• The global passive attacker. This is, perhaps, the most common threat model in the literature. The adversary is able to observe (but not modify) all network traffic, and is unable to see inside any of the mixes.
• The global active attacker. This adversary is able to observe and modify all network traffic. In particular, he is able to inject an arbitrary amount of traffic into the system in a very short time and delay traffic for an arbitrary length of time.
• The global passive attacker with many compromised mixes. This is a very strong attacker model used by, for instance, Berthold, Pfitzmann and Standtke in [13]. The only requirement is that there is at least one honest (uncompromised) mix on the path of the message. Recall that "compromised" means that the attacker knows the private key of the mix or can otherwise determine the correspondence between the incoming and the outgoing messages of the mix. If the attacker is the superuser on the machine running the mix, he is an active attacker.
• The global active attacker with many compromised mixes. A combination of the latter two threat models.
• A sub-global attacker. This is a large class of attackers that have the ability to monitor some links in the anonymity system, and possibly have some of their own nodes forwarding traffic. All the real attackers almost certainly fall into this category. However, it is difficult to pin down precisely what a real attacker might look like within this class.

Mix networks are much harder to analyze. First of all, their properties are heavily dependent on how routes are chosen. This is often done by the users, who are hard to model. Nevertheless, it is clear that the scalability and reliability of mix networks are better than those of cascades, though these properties have not been rigorously quantified or compared. Finally, quantifying the anonymity that a mix network provides has proved elusive for several years. In this thesis we make considerable progress towards this goal.
An efficient way of calculating the anonymity of a mix network would enable us to look at properties of mix cascades and mix networks and make a detailed comparison. It has generally been considered that mix networks are secure against the global passive attacker, though they are not secure against the global passive attacker with many compromised mixes. The reader may find the above statements odd: what is "secure" in the context of an anonymity system? What we mean by "an anonymity system is secure against X" is that the adversary X does not significantly reduce the anonymity of the system from that which it was designed to provide. Or, more simply (though more subjectively), a significant amount of anonymity is maintained against threat model X.

4. SYSTEM ANALYSIS
4.1. ARCHITECTURE

Fig Experimental Setup

4.2. OVERVIEW OF NETWORK SETUP


The figure shows the experimental testbed. The Mix control module that performs the batching and reordering functions is integrated into Linux's firewall system [14] using Netfilter; a set of firewall rules specifies what traffic should be protected. Traditional Linux kernels have a 10 msec timer granularity, which makes a high-fidelity implementation of timer-based batching strategies difficult. We use a specific version of Linux (Timesys/Real Time Linux) that guarantees highly accurate timer behavior. Two delay boxes D1 and D2 emulate the Internet propagation delay on different paths. Experiments reported here focus on TCP flows because of their prevalence in the Internet. However, the results are generally applicable to many other kinds of flows that either use TCP-like congestion control mechanisms or otherwise display strong timing footprints due to, for example, user dynamics. VoIP flows or sessions with short HTTP connections are instances of the latter. Given the same amount of data, they are in general easier to correlate than the long-lasting TCP connections analyzed. The traffic flows in the experiments are configured as follows: an FTP client on node R2 downloads a file from the FTP server on S2. We call this traffic flow the flow of interest.

In the experiments, this flow carries packets at a rate of 100 packets per second (pps). The traffic from S1 to R2 serves as the random noise traffic to the FTP client. The traffic from node S1 to node R1 is the cross traffic through mix M from the perspective of the FTP flow. The rates of the cross traffic and of the noise traffic are adjusted so that the traffic rate on each output link of the mix is approximately 500 pps. The objective of the adversary here is to identify the output link that carries the FTP flow.
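To evaluate how well a mix's batching interval holds up in this setup, the testbed can be approximated in simulation. The following is an added example, not the project's code: it models the 100 pps flow of interest, 400 pps noise on the same output link and 500 pps cross traffic on the other, passes them through a timed batching mix, and measures how often correlating packet counts picks the right link. Poisson noise and cross traffic, the per-second rate redraw that gives the flow its timing footprint, the 0.5 s counting window and the use of Pearson correlation are assumptions.

```python
import math
import random

WINDOW = 0.5      # counting window of the observer in seconds (assumed)
DURATION = 30.0   # observation time per trial in seconds (assumed)


def poisson_arrivals(rng, rate_pps, start, end):
    """Packet timestamps of a Poisson process with the given rate on [start, end)."""
    times, t = [], start + rng.expovariate(rate_pps)
    while t < end:
        times.append(t)
        t += rng.expovariate(rate_pps)
    return times


def flow_of_interest(rng):
    """Bursty flow averaging 100 pps; the rate is redrawn every second as a
    constructed stand-in for the timing footprint of a TCP download."""
    times = []
    for sec in range(int(DURATION)):
        times += poisson_arrivals(rng, rng.uniform(20, 180), sec, sec + 1)
    return times


def timed_mix(arrivals, batch_interval):
    """Timed batching: every packet is held until the next batch boundary."""
    return [math.ceil(t / batch_interval) * batch_interval for t in arrivals]


def counts(times, n_windows):
    """Packets per counting window; packets released after the observation end are ignored."""
    c = [0] * n_windows
    for t in times:
        i = int(t / WINDOW)
        if i < n_windows:
            c[i] += 1
    return c


def pearson(x, y):
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    return cov / math.sqrt(vx * vy) if vx and vy else 0.0


def run_trial(rng, batch_interval):
    """Returns (correlation with the true output link, correlation with the other link)."""
    n = int(DURATION / WINDOW)
    flow = flow_of_interest(rng)                      # S2 -> R2, flow of interest
    noise = poisson_arrivals(rng, 400, 0, DURATION)   # S1 -> R2, shares the link
    cross = poisson_arrivals(rng, 500, 0, DURATION)   # S1 -> R1, other output link
    at_input = counts(flow, n)
    link_r2 = counts(timed_mix(flow + noise, batch_interval), n)
    link_r1 = counts(timed_mix(cross, batch_interval), n)
    return pearson(at_input, link_r2), pearson(at_input, link_r1)


def detection_rate(batch_interval, trials=10, seed=1):
    """Fraction of trials in which the true link has the higher correlation."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        true_link, other_link = run_trial(rng, batch_interval)
        hits += true_link > other_link
    return hits / trials


if __name__ == "__main__":
    for interval in (0.01, 0.5, 2.0):
        print(f"batch interval {interval:>4} s: detection rate {detection_rate(interval):.2f}")
```

Running it with several batch intervals gives the detection rate to weigh against the latency each interval adds.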

4.3. HARDWARE REQUIREMENTS


System    : Pentium IV 2.4 GHz.
Hard Disk : 40 GB.
Ram       : 256 Mb.

4.4. SOFTWARE REQUIREMENTS


Operating System : Windows XP Professional
Front End        : JAVA, Swing (JFC), Networking.
Tool             : Eclipse, Netbeans

5. SOFTWARE ENVIRONMENT
5.1. JAVA TECHNOLOGY
Java technology is both a programming language and a platform. With most programming languages, you either compile or interpret a program so that you can run it on your computer. The Java programming language is unusual in that a program is both compiled and interpreted. With the compiler, you first translate a program into an intermediate language called Java byte codes, the platform-independent codes interpreted by the interpreter on the Java platform. The interpreter parses and runs each Java byte code instruction on the computer. Compilation happens just once; interpretation occurs each time the program is executed. The following figure illustrates how this works.

Fig 3: Java Compiler

Think of Java byte codes as the machine code instructions for the Java Virtual Machine (Java VM). Every Java interpreter, whether it's a development tool or a Web browser that can run applets, is an implementation of the Java VM. Java byte codes help make "write once, run anywhere" possible. You can compile your program into byte codes on any platform that has a Java compiler. The byte codes can then be run on any implementation of the Java VM. That means that as long as a computer has a Java VM, the same program written in the Java programming language can run on Windows 2000, a Solaris workstation, or on an iMac.

Fig 4: Java sample program execution

5.1.1. The Java Platform
A platform is the hardware or software environment in which a program runs. We've already mentioned some of the most popular platforms like Windows 2000, Linux, Solaris, and MacOS. Most platforms can be described as a combination of the operating system and hardware. The Java platform differs from most other platforms in that it's a software-only platform that runs on top of other hardware-based platforms. The Java platform has two components:
• The Java Virtual Machine (Java VM)
• The Java Application Programming Interface (Java API)

You've already been introduced to the Java VM. It's the base for the Java platform and is ported onto various hardware-based platforms. The Java API is a large collection of ready-made software components that provide many useful capabilities, such as graphical user interface (GUI) widgets. The Java API is grouped into libraries of related classes and interfaces; these libraries are known as packages. The next section, "What Can Java Technology Do?", highlights what functionality some of the packages in the Java API provide. The following figure depicts a program that's running on the Java platform. As the figure shows, the Java API and the virtual machine insulate the program from the hardware.

Fig 5: Java Platform

Native code is code that after you compile it, the compiled code runs on a specific hardware platform. As a platform-independent environment, the Java platform can be a bit slower than native code. However, smart compilers, well-tuned interpreters, and just-in-time byte code compilers can bring performance close to that of native code without threatening portability.

5.1.2. Advantages of Java

The most common types of programs written in the Java programming language are applets and applications. An applet is a program that adheres to certain conventions that allow it to run within a Java-enabled browser. However, the Java programming language is not just for writing cute, entertaining applets for the Web. The general-purpose, high-level Java programming language is also a powerful software platform. Using the generous API, you can write many types of programs. An application is a standalone program that runs directly on the Java platform. A special kind of application known as a server serves and supports clients on a network. Examples of servers are Web servers, proxy servers, mail servers, and print servers. Another specialized program is a servlet. A servlet can almost be thought of as an applet that runs on the server side. Java Servlets are a popular choice for building interactive web applications, replacing the use of CGI scripts. Servlets are similar to applets in that they are runtime extensions of applications. Instead of working in browsers, though, servlets run within Java Web servers, configuring or tailoring the server. How does the API support all these kinds of programs? It does so with packages of software components that provide a wide range of functionality. Every full implementation of the Java platform gives you the following features:
• The essentials: Objects, strings, threads, numbers, input and output, data structures, system properties, date and time, and so on.
• Applets: The set of conventions used by applets.
• Networking: URLs, TCP (Transmission Control Protocol), UDP (User Datagram Protocol) sockets, and IP (Internet Protocol) addresses.
• Internationalization: Help for writing programs that can be localized for users worldwide. Programs can automatically adapt to specific locales and be displayed in the appropriate language.
• Security: Both low level and high level, including electronic signatures, public and private key management, access control, and certificates.
• Software components: Known as JavaBeans, can plug into existing component architectures.
• Object serialization: Allows lightweight persistence and communication via Remote Method Invocation (RMI).
• Java Database Connectivity (JDBC): Provides uniform access to a wide range of relational databases.

The Java platform also has APIs for 2D and 3D graphics, accessibility, servers, collaboration, telephony, speech, animation, and more. The following figure depicts what is included in the Java 2 SDK.

Fig 6: Java SDK

5.2. NETWORKING
5.2.1. TCP/IP Stack

The TCP/IP stack is shorter than the OSI one:


TCP/IP layer     OSI layers
Application      OSI 5-7
TCP, UDP         OSI 4
IP               OSI 3
H/w Interface    OSI 1-2

Fig 7: TCP/IP Stack

TCP is a connection-oriented protocol; UDP (User Datagram Protocol) is a connectionless protocol.

5.2.2. IP DATAGRAM

The IP layer provides a connectionless and unreliable delivery system. It considers each datagram independently of the others. Any association between datagrams must be supplied by the higher layers. The IP layer supplies a checksum that includes its own header. The header includes the source and destination addresses. The IP layer handles routing through an Internet. It is also responsible for breaking up large datagrams into smaller ones for transmission and reassembling them at the other end.

5.2.3. UDP

When UDP is used between a pair of Mixes, the approach is usually quite different: an application communicates directly with the server and is unaware of the MIX network. On the user's computer, data is extracted after the IP layer and, after removal of information that could possibly identify the user's computer such as its IP address, inserted into a UDP datagram. This data is then sent through the MIX network, hop-by-hop. Note that since data has to be extracted from the IP stack, i.e. from the kernel space, different operating systems have to be specially supported. Additionally, extracting data from the IP stack is usually not possible without special privileges.

With UDP, there are also no guarantees that the data gets through the MIX network. If the application uses TCP, the endpoints of the connection are the user's computer and the server: if a UDP datagram is lost on the way from the server to the user's computer, the TCP layer in the server eventually realizes that no acknowledgement has arrived and therefore retransmits the data. An advantage of using UDP between Mixes is its transparency to the end-to-end transport and application protocols. Therefore, customization to a particular application is not needed. Using UDP also solves the potential performance problem imposed by stalled TCP connections in a static MIX network with only a few Mixes. However, using UDP is also dangerous since a fast sender can easily overload a slow receiver, which results in large amounts of lost datagrams. UDP makes sense in an environment where all the Mixes have similar computing power and bandwidth. In such an environment, each link between two Mixes can be tuned to its maximum throughput without having too many lost datagrams. However, it is probably very difficult to achieve the same in a dynamic and heterogeneous environment when using UDP.

Taking into account the advantages and disadvantages of the two protocols, I have decided to use the TCP protocol to communicate between two nodes. The reasons for this decision are the following:
• It should be possible to use MorphMix on a variety of operating systems without special privileges. This is easier with TCP than with UDP, as no data has to be extracted from the kernel space.
• Taking into account the heterogeneity of the nodes participating in our network, using TCP makes life much easier. With UDP, two nodes would have to employ some sort of flow control between them to achieve acceptable performance without losing too many packets. It is questionable if one could do much better than using TCP directly.
• As we will make use of fixed-length messages between nodes to improve the protection from attacks, UDP would waste a lot of bandwidth: since the ACK messages of the end-to-end TCP connections are transported within UDP datagrams, the effective payload of them is only short and the datagrams would have to be padded to the fixed length of messages. With TCP, this problem does not occur as the TCP messages only transport application data and there are no application level ACKs.
5.2.4. TCP

When the TCP protocol is used between a pair of Mixes, the user's application usually accesses the anonymizing network in the same way a web browser accesses a web proxy: a TCP connection is set up to the access program running on the user's computer, which in turn handles the communication with the MIX network. When the data travels through the network, it is sent across TCP connections on each link between two adjacent Mixes. To function properly, the access program usually needs to understand the protocol of each application it provides access for. For instance, if it is accessed by a web browser, it needs to know part of the HTTP protocol [2] to interpret the various methods such as GET or CONNECT correctly. The disadvantage of this is that the access program has to be extended whenever a new application should be supported. On the other hand, this approach makes it quite easy to support different platforms as the access program runs only on the application level, accessing the socket interface without requiring special privileges.

Using TCP connections implies that the properties of TCP (flow control and correct delivery of all data in the right order) are guaranteed hop-by-hop and not end-to-end between the user's application and the server. Consequently, a MIX must not lose any data of an end-to-end connection or the application will usually fail. On the other hand, TCP makes reliable communication between Mixes that have very different bandwidth connections quite easy because the transport layer takes care that all data is delivered correctly. When a packet of a TCP connection is lost, every end-to-end connection using that particular link stalls. In an environment with relatively few static Mixes and consequently few connections between a pair of Mixes that each carry many end-to-end connections, this could be a potential performance problem. However, in a highly dynamic environment with very many Mixes, this shouldn't be a major problem, since a connection between two Mixes never carries very many end-to-end connections.

• Internet addresses

In order to use a service, you must be able to find it. The Internet uses an address scheme for machines so that they can be located. The address is a 32 bit integer which gives the IP address. This encodes a network ID and more addressing. The network ID falls into various classes according to the size of the network address.

• Network address

Class A uses 8 bits for the network address with 24 bits left over for other addressing. Class B uses 16 bit network addressing. Class C uses 24 bit network addressing and class D uses all 32.

• Subnet address

Internally, the UNIX network is divided into sub networks. Building 11 is currently on one sub network and uses 10-bit addressing, allowing 1024 different hosts.

• Host address

8 bits are finally used for host addresses within our subnet. This places a limit of 256 machines that can be on the subnet.

• Total address

137.92.11.13 (fields: Network, Subnet, Host)

The 32 bit address is usually written as 4 integers separated by dots.

• Port addresses

A service exists on a host, and is identified by its port. This is a 16 bit number. To send a message to a server, you send it to the port for that service of the host that it is running on. This is not location transparency! Certain of these ports are well known.

• Sockets

A socket is a data structure maintained by the system to handle network connections. A socket is created using the call socket. It returns an integer that is like a file descriptor. In fact, under Windows, this handle can be used with ReadFile and WriteFile functions.

    #include <sys/types.h>
    #include <sys/socket.h>

    int socket(int family, int type, int protocol);

Here family will be AF_INET for IP communications, protocol will be zero, and type will depend on whether TCP or UDP is used. Two processes wishing to communicate over a network create a socket each. These are similar to two ends of a pipe, but the actual pipe does not yet exist.

5.3. JFREE CHART


JFreeChart is a free 100% Java chart library that makes it easy for developers to display professional quality charts in their applications. JFreeChart's extensive feature set includes:
• A consistent and well-documented API, supporting a wide range of chart types;
• A flexible design that is easy to extend, and targets both server-side and client-side applications;
• Support for many output types, including Swing components, image files (including PNG and JPEG), and vector graphics file formats (including PDF, EPS and SVG).

JFreeChart is open source or, more specifically, free software. It is distributed under the terms of the GNU Lesser General Public License (LGPL), which permits use in proprietary applications.

5.3.1. Map Visualizations
Charts showing values that relate to geographical areas. Some examples include: (a) population density in each state of the United States, (b) income per capita for each country in Europe, (c) life expectancy in each country of the world. The tasks in this project include:
• Sourcing freely redistributable vector outlines for the countries of the world, states/provinces in particular countries (USA in particular, but also other areas);
• Creating an appropriate dataset interface (plus default implementation), a renderer, and integrating this with the existing XYPlot class in JFreeChart;
• Testing, documenting, testing some more, documenting some more.

5.3.2. Time Series
Implement a new (to JFreeChart) feature for interactive time series charts: display a separate control that shows a small version of ALL the time series data, with a sliding view rectangle that allows you to select the subset of the time series data to display in the main chart.

5.3.3. Dashboards
There is currently a lot of interest in dashboard displays. Create a flexible dashboard mechanism that supports a subset of JFreeChart chart types (dials, pies, thermometers, bars, and lines/time series) that can be delivered easily via both Java Web Start and an applet.

5.3.4. Property Editors
The property editor mechanism in JFreeChart only handles a small subset of the properties that can be set for charts. Extend this mechanism to provide greater end-user control over the appearance of the charts.

6. SYSTEM DESIGN
6.1. STRUCTURAL DIAGRAM
6.1.1. Class Diagram
Class diagrams identify the class structure of a system, including the properties and methods of each class. Also depicted are the various relationships that can exist between classes, such as an inheritance relationship. The Class diagram is one of the most widely used diagrams from the UML specification.

Anonymity Client +Search: String +Status_Info: String +Available Network() +Search Pages() +Transfer Rate()

Mix Network +IPAdress: String +PortNumber: Int +Start() +Receive Request() +Transfer Request() +Respond Request()

Secure Data Server Performance +Response Time() +Received Page() +Transfer Rate() +IPAdress: String +PortNumber: Int +Start() +Receive Request() +Encrypt Response() +Send Response()

Fig 9: Class diagram for the application of anonymity

6.1.2. Object Diagram Object diagrams model instances of classes. This type of diagram is used to describe the system at a particular point in time. Using this technique, you can validate the class diagram and its multiplicity rules with real-world data, and record test scenarios. From a notation standpoint, Object diagrams borrow elements from Class diagrams.


6.1.3. Component Diagram Component diagrams fall under the category of an implementation diagram, a kind of diagram that models the implementation and deployment of the system. A Component Diagram, in particular, is used to describe the dependencies between various software components such as the dependency between executable files and source files. This information is similar to that within make files, which describe source code dependencies and can be used to properly compile an application.

6.1.4. Deployment Diagram Deployment diagrams are another model in the implementation diagram category. The Deployment diagram models the hardware used in implementing a system and the association between those hardware components. Components can also be shown on a Deployment diagram to show the location of their deployment. Deployment diagrams can also be used early on in the design phase to document the physical architecture of a system.

6.2. Behavioral Diagram


6.2.1. Use Case Diagram Use Case diagrams identify the functionality provided by the system (use cases), the users who interact with the system (actors), and the association between the users and the functionality. Use Cases are used in the Analysis phase of software development to articulate the high-level requirements of the system. The primary goals of Use Case diagrams include:
• Providing a high-level view of what the system does
• Identifying the users ("actors") of the system
• Determining areas needing human-computer interfaces

Use Cases extend beyond pictorial diagrams. In fact, text-based use case descriptions are often used to supplement diagrams, and explore use case functionality in more detail.


Fig 10: Use case diagram for the anonymity application. Actors: Anonymity Client, Mix Network, Secure Data Server. Use cases: Start Proxy Server, Start Server, Search Available Pages, Select a page, Performance, Transferring data, All processes.

Fig 11: Use case diagram for the Anonymity client. Actor: Anonymity Client. Use cases: Start Server, Search Available Pages, Select a Page, Calculate Response time, Calculate Transfer Rate.

Fig 12: Use case diagram for the Mix Network. Actors: Mix Network, Secure data server. Use cases: Start Proxy Server, Start data server, Send Request, Encrypt Response, Receive Response.

Fig 13: Use case diagram for the Data server. Actor: Secure Data server. Use cases: Request a page, Search available pages, Accessing requesting page, Encrypt response, Send.

Fig 14: Use case diagram for the packet sender. Actor: Packet Sender. Use cases: Browse For file, Separate the file into packets, Send the Packets, Clear.

Fig 15: Use case diagram for the packet router. Actor: Packet_Router. Use cases: Receive packets, Queue Packets Using Batching, Packet Status, Send Packets to receiver.

Fig 16: Use case diagram for the packet receiver. Actor: Packet_receiver. Use cases: Receive packets from batch, Show status of packets, Contents of received file, Result of the file.

Fig: Use case diagram for packet loss. Actors: Packet Sender, Packet Router, Packet Receiver. Use cases: Start Application, Browse for File, Separate, Send, Receive the file, Queue the packets, Confirm received packet status, Result Analysis, End Application.

6.2.2. Sequence Diagram Sequence diagrams document the interactions between classes to achieve a result, such as a use case. The Sequence diagram lists objects horizontally, and time vertically, and models these messages over time.

Fig 17: Sequence diagram for the anonymous application
Participants: Client, Search, Performance, Mix Server, Data Server
Messages: 1: Start Application(); 2: Search available pages(); 3: Send Request(); 4: Request Received(); 5: Response Encrypted(); 6: Response Sent(); 7: Response Decrypted(); 8: Content Received(); 9: Select a page(); 10: Send Request(); 11: Page Received(); 12: Calculate the Network Performance()

Fig: Sequence diagram for packet data loss
Participants: Sender, Computer, Router, Receiver, Analysis, Graph
Messages: 1: Start Application(); 2: Browse for file(); 3: Separate the File(); 4: Send the packets(); 5: Queue Packets(); 6: Send the packets(); 7: packets deleted abnormally(); 8: Packets are lost(); 9: Analyze the performance(); 10: Display results in a Graph()

6.2.3. Collaboration Diagram Collaboration diagrams model the interactions between objects. This type of diagram is a cross between an object diagram and a sequence diagram. It uses free-form arrangement of objects which makes it easier to see all iterations involving a particular object.

Fig 18: Collaboration diagram for the application. Objects: Client, Search, Performance, Mix Server, Data Server. Messages 1 to 12 are the same as in the sequence diagram for the anonymous application (Fig 17).

Fig: Collaboration diagram for the packet data loss. Objects: Sender, Computer, Router, Receiver, Analysis, Graph. Messages 1 to 10 are the same as in the sequence diagram for packet data loss.


6.2.4. State Chart Diagram State diagrams are used to document the various modes ("states") that a class can go through, and the events that cause a state transition.

6.2.5. Activity Diagram Activity diagrams are used to document workflows in a system, from the business level down to the operational level. The general purpose of Activity diagrams is to focus on flows driven by internal processing vs. external events.

6.3. DATA FLOW DIAGRAM


The DFD is also called a bubble chart. It is a simple graphical formalism that can be used to represent a system in terms of the input data to the system, the various processing carried out on these data, and the output data generated by the system.

Fig 8: Data flow diagram. Nodes: Anonymity Client, Mix Server, Mix Server, Performance Analysis, Secure Data Server.


7. IMPLEMENTATION
Implementation is the stage of the project when the theoretical design is turned into a working system. Thus it can be considered to be the most critical stage in achieving a successful new system and in giving the user confidence that the new system will work and be effective. The implementation stage involves careful planning, investigation of the existing system and its constraints on implementation, designing of methods to achieve changeover and evaluation of changeover methods.

7.1. MIX NETWORKS


The main objective is to analyze the effectiveness of mixes against a special class of timing-based attacks. Some mix networks (most notably maybe Tor) do not explicitly batch packets at the mixes, but rather perturb traffic patterns implicitly by running TCP-style feedback-based protocols between mixes. In this paper, we limit our attention to mix networks with explicit batching. A mix network, such as the Onion Routing network or the Tor network, consists of multiple mixes that are interconnected by a network. Such a mix network may provide enhanced anonymity, as payload packets may go through multiple mixes. Since the end-to-end performance of any mix network eventually relies on the performance of its individual mixes, the analysis of the single mix provides a foundation for analyzing the end-to-end performance of mix networks. We discuss in detail how to extend our work to larger and complicated mix networks in . In fact, if we view a mix network (for example, any portion of a Tor network) as one super mix, the analytical techniques in this paper can be directly applied.

Description

• Batching Strategies for a Mix

Batching strategies are designed to prevent not only simple timing analysis attacks, but also powerful trickle attacks. The attacks focus on the traffic characteristics. As reordering does not significantly change packet inter-arrival times for mixes that use batching, these attacks are unaffected by reordering. Thus, our results are applicable to systems that use any kind of reordering method. More precisely, reorderings are in all cases caused by packets being delayed by the batcher, and can therefore be handled by modifying the batching algorithm accordingly. Any of the batching strategies can be implemented in two ways:

• Link-Based Batching

With this method, each output link has a separate queue. A newly arrived packet is put into a queue depending on its destination (and hence the link associated with the queue). Once a batch is ready from a particular queue (per the batching strategy), the packets are taken out of the queue and transmitted over the corresponding link.

• Mix-Based Batching

The entire mix has only one queue. The selected batching strategy is applied to this queue. That is, once a batch is ready (per the batching strategy), the packets are taken out of the queue and transmitted over links based on the packets' destinations.

Each of these two methods has its own advantages and disadvantages. The control of link-based batching is distributed inside the mix and hence may have good efficiency. On the other hand, mix-based batching uses only one queue and hence is easier to manage.
Strategy index | Name | Adjustable Parameters | Algorithm
S0 | Simple Proxy | none | No batching or reordering
S1 | Threshold Mix | <m> | If n = m, send n packets
S2 | Timed Mix | <t> | If timer times out, send n packets
S3 | Threshold or Timed Mix | <m, t> | If timer times out, send n packets; else if n = m { send n packets; reset the timer }
S4 | Threshold and Timed Mix | <m, t> | If (timer times out) and (n ≥ m), send n packets
S5 | Threshold Pool Mix | <m, f> | If n = m + f, send m randomly chosen packets
S6 | Timed Pool Mix | <t, f> | If (timer times out) and (n > f), send n − f randomly chosen packets
S7 | Timed Dynamic Pool Mix | <m, t, f, p> | If (timer times out) and (n ≥ m + f), send max(1, ⌊p(n − f)⌋) randomly chosen packets

Table 1: Batching Strategies for Mix Networks
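
The strategies in Table 1 and the two implementation styles, written out as a small simulator. This is an added example, not code from the report: the function names, the constructed arrival list and the tie rule (a timer tick is handled before a packet arriving at the same instant) are assumptions.

```python
import math
import random

TIMED = {"S2", "S3", "S4", "S6", "S7"}  # strategies driven by the timer t

# Constructed input: eight packets 0.25 s apart; packet = (id, output link).
ARRIVALS = [(0.25 * k, (k, "A" if k % 3 else "B")) for k in range(1, 9)]


def run_mix(strategy, arrivals, m=1, t=1.0, f=0, p=1.0, seed=0):
    """Simulate one batching queue.

    arrivals: list of (time, packet) sorted by time.
    Returns the batches as a list of (send_time, [packets]).
    n is the queue length, m the threshold, t the timer period,
    f the pool size and p the fraction sent, as in Table 1.
    """
    rng = random.Random(seed)
    queue, batches = [], []
    next_tick = t if strategy in TIMED else math.inf
    # Keep the timer running one period past the last arrival.
    end = (arrivals[-1][0] if arrivals else 0.0) + t

    def send(now, k):
        # "Randomly chosen": shuffle, then release the first k packets.
        rng.shuffle(queue)
        batches.append((now, queue[:k]))
        del queue[:k]

    i = 0
    while True:
        next_arrival = arrivals[i][0] if i < len(arrivals) else math.inf
        if next_arrival == math.inf and next_tick > end:
            break
        if next_arrival < next_tick:              # a packet arrives
            now, packet = arrivals[i]
            i += 1
            queue.append(packet)
            n = len(queue)
            if strategy == "S0":
                send(now, 1)
            elif strategy in ("S1", "S3") and n == m:
                send(now, n)
                if strategy == "S3":
                    next_tick = now + t           # reset the timer
            elif strategy == "S5" and n == m + f:
                send(now, m)
        else:                                     # the timer fires
            now, n = next_tick, len(queue)
            next_tick += t
            if n == 0:
                continue
            if strategy in ("S2", "S3"):
                send(now, n)
            elif strategy == "S4" and n >= m:
                send(now, n)
            elif strategy == "S6" and n > f:
                send(now, n - f)
            elif strategy == "S7" and n >= m + f:
                send(now, max(1, math.floor(p * (n - f))))
    return batches


def mix_based(strategy, arrivals, **params):
    """One queue for the whole mix; each batch is then split by output link."""
    out = {}
    for when, batch in run_mix(strategy, arrivals, **params):
        for pkt_id, link in batch:
            out.setdefault(link, []).append((when, pkt_id))
    return out


def link_based(strategy, arrivals, **params):
    """One queue per output link; the strategy runs on each queue separately."""
    out = {}
    for link in sorted({pkt[1] for _, pkt in arrivals}):
        own = [(when, pkt) for when, pkt in arrivals if pkt[1] == link]
        out[link] = [(when, pkt_id)
                     for when, batch in run_mix(strategy, own, **params)
                     for pkt_id, _ in batch]
    return out


if __name__ == "__main__":
    for name, params in [("S1", {"m": 3}), ("S2", {"t": 1.0}),
                         ("S6", {"t": 1.0, "f": 2})]:
        print(name, [(w, len(b)) for w, b in run_mix(name, ARRIVALS, **params)])
    print("link-based S1:", link_based("S1", ARRIVALS, m=3))
```

With a threshold of 3, the link-based variant never releases the two packets for link B, while the mix-based variant sends them with the shared batches; the pool strategies always hold back f packets.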

7.2. TRAFFIC FLOW CORRELATION TECHNIQUES


The adversary's objective is to correlate an incoming flow to an output link at a mix. These flow correlation attacks are harmful in a variety of situations. For example, in the single-mix scenario depicted in Fig 1, the adversary can discover whom a sender is talking to by correlating the output traffic at the mix with the sender's traffic, despite cross traffic from other senders. In a mix network, the adversary can easily reconstruct the path of the connection by combining measurements and results of the flow correlation either at the network boundaries or within the network.
Fig 2: Typical flow chart for flow correlation

Step 1: Data Collection
Step 2: Flow Pattern Vector Extraction Based on Mix's Batching Strategies
Step 3: Distance Function Selection to Measure the Dependency between Two Flows
Step 4: Flow Correlation


Algorithm:

Data Collection. Assume that the adversary is able to collect information about all the packets on both input and output links. For each collected packet, the arrival time is recorded using tools such as tcpdump or Cisco's NetFlow. We assume that all the packets are encrypted and padded to the same size, and hence, only the arrival time is of interest. The arrival times of packets at input link $i$ form a time series $A_i = (a_{i,1}, \ldots, a_{i,r})$, where $a_{i,k}$ is the $k$th packet's arrival time at input link $i$, and $r$ is the size of the sample collected during a given sampling interval. Similarly, the arrival times of packets at output link $j$ form a time series $B_j = (b_{j,1}, \ldots, b_{j,s})$, where $b_{j,k}$ is the $k$th packet's arrival time at output link $j$, and $s$ is the size of the sample collected during a given sampling interval. The packets come out from mixes in batches. Select a sampling interval that is usually much longer than the duration of a batch. Hence, a sampling interval typically contains many batches. Make the simplifying assumption that the traffic characteristic of the flow under consideration (the input flow) is known. This can be the case, for example, when the flow traffic characteristics are indeed observable on a link either inside or at the edge of the mix network.

Flow Pattern Vector Extraction. The strategy of the adversary is to analyze the time series $A_i$'s and $B_j$'s in order to determine if there is any dependency between an input flow and an output flow of the mix. However, a direct analysis over these time series will not be effective. They need to be transformed into so-called pattern vectors that can facilitate further analysis. It is found that the effective transformation depends on the batching strategies utilized by the mix.

Distance Function Selection. Define the distance function $d(X_i, Y_j)$, which measures the distance between an input flow at input link $i$ and the traffic at output link $j$. The smaller the distance, the more likely the flow on an input link is correlated to the corresponding flow on the output link. Clearly, the definition of the distance function is the key in the correlation analysis. We have two effective distance functions: one is based on mutual information and the other is based on the frequency-spectrum-based matched filter.

Flow Correlation. Once the distance function has been defined between an input flow and an output link, we can easily carry out the correlation analysis by selecting the output link whose traffic has the minimum distance to the input flow pattern vector $X_i$.

I have analyzed mix networks in terms of their effectiveness in providing anonymity and quality-of-service. Output control is flexible in controlling the overhead by adjusting the maximum packet delay. Mean Time Detection. Mean Time Recovery.
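
The four steps above, run on constructed data for a timed mix, as a mix designer would do to measure how much timing dependence a batching configuration leaves between an input flow and each output link. This is an added example, not code from the report; the per-interval packet count as pattern vector, the histogram estimate of mutual information and the distance 1/I are assumptions, since the report does not spell these out.

```python
import math
import random
from collections import Counter

T = 0.5          # timer period of the simulated timed mix, seconds (constructed)
WINDOWS = 400    # number of timer intervals observed (constructed)


def _burst(rng, k, count):
    """count arrival times placed uniformly inside timer interval k."""
    return [(k + rng.random()) * T for _ in range(count)]


def simulate(seed=7):
    """Step 1, on constructed data. The flow under study leaves on output
    link 0 together with cross traffic; link 1 carries only cross traffic.
    Returns (input arrival times, {link: departure times})."""
    rng = random.Random(seed)
    flow_in, out = [], {0: [], 1: []}
    for k in range(WINDOWS):
        flow = _burst(rng, k, rng.choice([0, 1, 2, 5]))   # bursty input flow
        flow_in += flow
        per_link = {0: flow + _burst(rng, k, rng.randint(0, 2)),
                    1: _burst(rng, k, rng.randint(0, 2))}
        for link, pkts in per_link.items():
            # Timed mix (S2): every packet leaves at the next timer tick.
            out[link] += [(math.floor(x / T) + 1) * T for x in pkts]
    return sorted(flow_in), {link: sorted(v) for link, v in out.items()}


def input_pattern(times):
    """Step 2, input side: packets that arrived during each timer interval."""
    v = [0] * WINDOWS
    for x in times:
        v[math.floor(x / T)] += 1
    return v


def output_pattern(times):
    """Step 2, output side: packets released at each timer tick."""
    v = [0] * WINDOWS
    for d in times:
        v[round(d / T) - 1] += 1
    return v


def mutual_information(x, y):
    """Plug-in estimate of I(X;Y) in bits from the joint histogram."""
    n = len(x)
    px, py, pxy = Counter(x), Counter(y), Counter(zip(x, y))
    return sum(c / n * math.log2(c * n / (px[a] * py[b]))
               for (a, b), c in pxy.items())


def correlate(seed=7):
    """Steps 3 and 4: distance 1/I per output link, then the minimum."""
    flow_in, out = simulate(seed)
    x = input_pattern(flow_in)
    mi = {link: mutual_information(x, output_pattern(d))
          for link, d in out.items()}
    dist = {link: (1.0 / v if v > 0 else math.inf) for link, v in mi.items()}
    return mi, min(dist, key=dist.get)


if __name__ == "__main__":
    mi, best = correlate()
    for link, bits in mi.items():
        print(f"output link {link}: {bits:.3f} bits shared with the input flow")
    print("smallest distance: link", best)
```

The link that carries the flow keeps well over one bit of mutual information per interval with the input despite the cross traffic, while the unrelated link stays near zero; that gap is what the batching strategy would have to close.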


8. SYSTEM TESTING
The purpose of testing is to discover errors. Testing is the process of trying to discover every conceivable fault or weakness in a work product. It provides a way to check the functionality of components, sub-assemblies, assemblies and/or a finished product. It is the process of exercising software with the intent of ensuring that the software system meets its requirements and user expectations and does not fail in an unacceptable manner. There are various types of test. Each test type addresses a specific testing requirement.

8.1. BOX APPROACH


Software testing methods are traditionally divided into white- and black-box testing. These two approaches are used to describe the point of view that a test engineer takes when designing test cases.

8.2. BLACK BOX TESTING


Black box testing treats the software as a "black box" without any knowledge of internal implementation. Black box testing methods include: equivalence partitioning, boundary value analysis, all-pairs testing, fuzz testing, model-based testing, exploratory testing and specification-based testing.

8.3. GREY BOX TESTING


Grey box testing involves having knowledge of internal data structures and algorithms for purposes of designing the test cases, but testing at the user, or black-box level. Manipulating input data and formatting output do not qualify as grey box, because the input and output are clearly outside of the "black-box" that we are calling the system under test. This distinction is particularly important when conducting integration testing between two modules of code written by two different developers, where only the interfaces are exposed for test. However, modifying a data repository does qualify as grey box, as the user would not normally be able to change the data outside of the system under test. Grey box testing may also include reverse engineering to determine, for instance, boundary values or error messages.


8.4. UNIT TESTING


Unit testing refers to tests that verify the functionality of a specific section of code, usually at the function level. In an object-oriented environment, this is usually at the class level, and the minimal unit tests include the constructors and destructors. These types of tests are usually written by developers as they work on code, to ensure that the specific function is working as expected. One function might have multiple tests, to catch corner cases or other branches in the code. Unit testing alone cannot verify the functionality of a piece of software, but rather is used to assure that the building blocks the software uses work independently of each other. Unit testing is also called component testing.

8.5. INTEGRATION TESTING


Integration testing is any type of software testing that seeks to verify the interfaces between components against a software design. Software components may be integrated in an iterative way or all together ("big bang"). Normally the former is considered a better practice since it allows interface issues to be localized more quickly and fixed. Integration testing works to expose defects in the interfaces and interaction between integrated components (modules). Progressively larger groups of tested software components corresponding to elements of the architectural design are integrated and tested until the software works as a system.

System Testing

System testing tests a completely integrated system to verify that it meets its requirements.

System Integration Testing

System integration testing verifies that a system is integrated to any external or third-party systems defined in the system requirements.

Regression Testing

Regression testing focuses on finding defects after a major code change has occurred. Specifically, it seeks to uncover software regressions, or old bugs that have come back. Such regressions occur whenever software functionality that was previously working correctly stops working as intended. Typically, regressions occur as an unintended consequence of program changes, when the newly developed part of the software collides with the previously existing code. Common methods of regression testing include rerunning previously run tests and checking whether previously fixed faults have reemerged. The depth of testing depends on the phase in the release process and the risk of the added features. It can range from complete, for changes added late in the release or deemed to be risky, to very shallow, consisting of positive tests on each feature, if the changes are early in the release or deemed to be of low risk.

Security Testing

Security testing is essential for software that processes confidential data to prevent system intrusion by hackers.


9. TEST CASES
Testcase for anonymity client

TEST CASE #: 1
PRIORITY (H, M, L): MEDIUM
TEST OBJECTIVE: To check whether searching pages available or not.
TEST DESCRIPTION: To check whether searching pages have available access permissions.
REQUIREMENTS VERIFIED: Yes
TEST SETUP/PRE-CONDITIONS: Should select search button to search
ACTIONS: User must click on search button
EXPECTED RESULTS: Should be able to search the available pages.
PASS: Yes
FAIL: No
PROBLEMS/ISSUES: No
NOTES: Successfully executed

Testcase for mix server

TEST CASE #: 2
PRIORITY (H, M, L): MEDIUM
TEST OBJECTIVE: To check whether the server gets request and response properly or not
TEST DESCRIPTION: To check whether mix accepts the request and forwards to the data server properly or not.
REQUIREMENTS VERIFIED: Yes
TEST SETUP/PRE-CONDITIONS: Should send requests and responses properly
ACTIONS: User must start the mix server
EXPECTED RESULTS: Should be able to send requests and responses.
PASS: Yes
FAIL: No
PROBLEMS/ISSUES: No
NOTES: Successfully executed

Testcase for data server

TEST CASE #: 3
PRIORITY (H, M, L): MEDIUM
TEST OBJECTIVE: To check whether data server gets requests and response properly or not
TEST DESCRIPTION: To check whether data server accepts the request and encrypts the response properly or not.
REQUIREMENTS VERIFIED: Yes
TEST SETUP/PRE-CONDITIONS: Should accept requests and encrypt responses properly
ACTIONS: User must start the data server
EXPECTED RESULTS: Should be able to accept requests and responses.
PASS: Yes
FAIL: No
PROBLEMS/ISSUES: No
NOTES: Successfully executed

Testcase for packet sender

TEST CASE #: 4
PRIORITY (H, M, L): MEDIUM
TEST OBJECTIVE: To check whether the packets separated and sent properly or not
TEST DESCRIPTION: To check whether the packets separated and sent properly or not. Also check the status of the separated file.
REQUIREMENTS VERIFIED: Yes
TEST SETUP/PRE-CONDITIONS: Should select a file to separate them into packets
ACTIONS: User must select a file to send.
EXPECTED RESULTS: Should be able to send packets to router.
PASS: Yes
FAIL: No
PROBLEMS/ISSUES: No
NOTES: Successfully executed

Testcase for router

TEST CASE #: 5
PRIORITY (H, M, L): MEDIUM
TEST OBJECTIVE: To check whether the packets are routed successfully or not?
TEST DESCRIPTION: To check whether the packets are routed properly, if not check for the status of receiving packets.
REQUIREMENTS VERIFIED: Yes
TEST SETUP/PRE-CONDITIONS: Should start receiving packets.
ACTIONS: User must start router.
EXPECTED RESULTS: Should be able to detect packet losses.
PASS: Yes
FAIL: No
PROBLEMS/ISSUES: No
NOTES: Successfully executed

Testcase for receiver

TEST CASE #: 6
PRIORITY (H, M, L): MEDIUM
TEST OBJECTIVE: To check whether all packets received properly or not?
TEST DESCRIPTION: To check whether packets are lost or not, if any packet loss occurs perform result analysis and preview a graph
REQUIREMENTS VERIFIED: Yes
TEST SETUP/PRE-CONDITIONS: packets are sent from the router
ACTIONS: User must click on result button.
EXPECTED RESULTS: Should be able to send packets to router.
PASS: Yes
FAIL: No
PROBLEMS/ISSUES: No
NOTES: Successfully executed


10. OUTPUT SCREENS


10.1. ANONYMITY APPLICATION
Searching Available Pages
In this screen, the Anonymity Client starts the application and searches for the available pages, as shown in a status information window. After the search has completed, a dropdown menu is highlighted with a list of the available files. The blank pane on the left displays the model content of the file.

Request Processing (Mix Network Server)
In this screen, the mix network server displays all the processes. Initially the mix network is started; it then gets the request from the client and transfers the request to the data server. Later it gets the response from the server with access to the requested files, and the response is sent back to the client.

Response Processing (Secure Data Server)
In this screen, the secure data server is started and gets a request from the mix server. It scans for the available files and checks their access permissions, then encrypts the response and sends it back to the mix server.

Received Content (Anonymity Network)
In this screen, the Anonymity client has received the requested file, and the contents of the file are displayed in a preview window.

Performance Analysis
In this screen, the performance of the anonymity mix application is measured by calculating the response time and transfer rate.

10.2. PACKET DATA LOSS DETECTION

Browsing the File (Sender)
In this screen, the sender browses for the file through the Browse button and separates the file into packets before sending.

Separating the File
In this screen, the selected file is separated and sent to the packet router. It also shows the status of the file before and after separation. A popup window shows that the packet separation is done.

Window Indicating Packets Lost
This screen shows the receiver window with a highlighted color to show that the packets are not routed correctly.

Packet Receiver Showing Packet Loss
This screen shows the receiver window indicating that packets are not received correctly, and a popup opens to show the status of the remaining packets, whether routed or not.

Result Analysis for Packet Loss
This screen shows the result analysis of the data loss application with packet size, transfer rate and time.

Graph Showing the Received Packets & Losses
This screen shows the graph depicting the comparison between received packets and lost packets.


11. CONCLUSION
Modeling flow correlation attacks may severely degrade anonymous communication systems. Use queuing models to analyze the performance of a continuous-time mix, which randomly assigns a deadline to each incoming packet. While the effectiveness of flow correlation attacks was known and empirically demonstrated, analytically model the relationship between the amount of information available to attackers and the detection rate. An adversary correctly determines the outgoing link taken by Alice's flow. Our application clearly shows how an anonymity network ultimately fails under flow correlation attacks.


12. FUTURE WORK


It is found that mix networks that use traditional batching strategies, regardless of the implementation scheme, are vulnerable under flow-correlation attacks. By using statistical analysis, an adversary can accurately determine the output link used by traffic that comes to an input flow of a mix. The detection rate can be as high as 100 percent as long as enough data are available. This is true even if heavy cross traffic exists. The failure of traditional mix batching strategies directly leads us to the formulation of a new packet control method for mixes in order to overcome their vulnerability to flow-correlation attacks. Appropriate output control can achieve a guaranteed low detection rate while maintaining high throughput for normal payload traffic. A low-latency anonymity network is always the biggest challenge; to improve this, quality of service should be sacrificed. Achieving low latency at a level of quality is remarkable. Understanding the effectiveness of mix networks with TCP traffic is important. TCP traffic poses two challenges for mix network design. First, the indiscriminate delaying and possible reordering of packets in mix networks degrades TCP's goodput. Second, delays and reordering in mixes trigger second-order effects in TCP, such as congestion control, which in turn can negatively affect the level of anonymity provided by the mix network. Ultimately, mixes must be made TCP-friendly, and so allow for high-performance anonymous communication for widely available applications.
