A distance-based network activity correlation framework for defeating anonymization overlays

As the effectiveness of modern Internet-based anonymization infrastructures grows, law enforcement agencies are experiencing a progressive erosion of their surveillance capabilities. This can severely undermine their efforts to prevent and investigate various types of unlawful activities, potentially increasing the impunity of organized criminal networks. Balancing the legitimate privacy needs of individuals with the imperative to maintain public safety and combat criminal behavior in the digital world remains a complex tradeoff for both policymakers and technologists who need to find a systematic and reliable way to link the traffic traces associated with criminal activities to their anonymized origins. Accordingly, this paper presents a simple but very effective de-anonymization approach capable of associating traffic traces captured at the edge of the overlay infrastructures, in correspondence with the true origins, to those captured in correspondence with the destinations. The approach is based on determining the minimum-distance pairs within a complete bipartite graph in which the traffic traces are the nodes. Experiments with different distance functions, applied in varied ways, show that the resulting framework appears to be a promising solution that is scalable and easily deployable on real-life network equipment.