LASIGE’s integrated member Bernardo Ferreira has co-authored a research paper accepted for publication at NDSS’24 – The 2024 Network and Distributed System Security Symposium, a top cybersecurity conference (Core A*).

The paper, entitled “Flow Correlation Attacks on Tor Onion Service Sessions with Sliding Subset Sum”, presents a new attack on the TOR network that can deanonymize onion service sessions (the so-called “dark web”) in the Tor network, revealing both the IPs of the hidden server and that of the client accessing it. The attack is based on a novel distributed technique named Sliding Subset Sum (SUMo), which can be deployed by a group of colluding ISPs worldwide in a federated fashion. These ISPs collect Tor traffic at multiple vantage points in the network, and analyze it through a pipelined architecture based on machine learning classifiers and a novel similarity function based on the classic subset sum decision problem. These classifiers enable SUMo to deanonymize onion service sessions effectively and efficiently. Results show that as few as 6 ASes can observe 50% of the worldwide TOR traffic, and that altogether the EU countries have a joint guard probability of over 75%, making SUMo a very realistic attack. To help mitigate the risk of this attack being performed, the paper also presents several countermeasures that can limit the effectiveness of SUMo.

This work resulted from a collaboration with researchers of INESC-ID, INESC-TEC, University of Waterloo, and Carnegie Mellon University.