AuthentIx: Detecting Anonymized Attacks via Automated Authenticity Profiling

  • Mordechai Guri
  • Matan Monitz
  • Yuval Elovici
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 670)


In the modern era of cyber-security, attackers are persistent in their attempts to hide and mask the origin of their attacks. In many cases, attacks are launched from spoofed or unknown Internet addresses, which makes investigation a challenging task. While protection from anonymized attacks is an important goal, detection of anonymized traffic is also important in its own right, because it allows defenders to take the necessary preventative and defensive steps at an early stage, even before the attack itself has begun. In this paper we present AuthentIx, a system which measures the authenticity of the sources of Internet traffic. To measure the authenticity of traffic sources, our system uses passive and active profiling techniques, which are employed in both the network and the application protocols. We also show that performing certain cross-views between different communication layers can uncover inconsistencies and find clients which are suspicious. We present our system design, describe its implementation, and evaluate AuthentIx on traffic from authentic and non-authentic sources. Results show that our system can successfully detect anonymous and impersonated attackers and, furthermore, can be used as a general framework to cope with new anonymization and hiding techniques.
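As an added illustration (not the paper's own code or method), the following Python sketch implements one kind of cross-view of the sort the abstract describes: it compares what the network layer implies about a client (OS family inferred from the observed IP TTL, country from a source-address lookup) with what the application layer claims (HTTP User-Agent and Accept-Language) and reports any inconsistencies. The TTL table, the geolocation map, the User-Agent keywords and the hop-count threshold are constructed assumptions for the example.

```python
from dataclasses import dataclass

@dataclass
class Observation:
    src_ip: str                 # source address (network layer)
    ip_ttl: int                 # TTL observed at the server (network layer)
    user_agent: str             # HTTP User-Agent header (application layer)
    accept_language: str = ""   # HTTP Accept-Language header (application layer)

# Common initial TTLs per OS family (constructed; real fingerprint tables are richer).
TTL_FAMILIES = ((64, "unix"), (128, "windows"), (255, "other"))
# Toy source-address geolocation table (constructed): /24 prefix -> country code.
GEO = {"203.0.113": "DE", "198.51.100": "US"}

def os_from_ttl(ttl):
    """Infer the OS family from an observed TTL: the smallest common initial TTL
    at or above the observed value is assumed to be the sender's start value,
    and the difference is the estimated hop count."""
    for initial, family in TTL_FAMILIES:
        if ttl <= initial:
            return family, initial - ttl
    return "unknown", -1

def os_from_user_agent(ua):
    """Read the OS family the client claims in its User-Agent string."""
    ua = ua.lower()
    if "windows" in ua:
        return "windows"
    if any(k in ua for k in ("linux", "android", "mac os", "iphone")):
        return "unix"
    return "unknown"

def cross_view(obs):
    """Return the list of cross-layer inconsistencies found for one client."""
    findings = []
    ttl_os, hops = os_from_ttl(obs.ip_ttl)
    ua_os = os_from_user_agent(obs.user_agent)
    if "unknown" not in (ttl_os, ua_os) and ttl_os != ua_os:
        findings.append(f"os_mismatch:ttl={ttl_os},ua={ua_os}")
    if hops > 32:   # more hops than a plausible Internet path (assumed threshold)
        findings.append(f"implausible_hop_count:{hops}")
    # Weak signal: application-layer locale vs network-layer geolocation.
    country = GEO.get(obs.src_ip.rsplit(".", 1)[0])
    first_tag = obs.accept_language.split(",")[0].strip()
    region = first_tag.split("-")[1].upper() if "-" in first_tag else None
    if country and region and country != region:
        findings.append(f"locale_mismatch:geo={country},lang={region}")
    return findings

def is_suspicious(obs):
    return bool(cross_view(obs))
```

A client routed through a proxy or VPN often keeps its application-layer identity while its network-layer view changes, which is what such a cross-view picks up.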


Keywords: Anonymization · Attacks · IP profiling · Proxy · VPN · Onion routing



Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  1. Cyber-Security Research Center, Ben-Gurion University of the Negev, Beer-Sheva, Israel
