NetCamo: Camouflaging Network Traffic for Real-Time Applications

X. Fu, B. Graham, R. Bettati and W. Zhao
Department of Computer Science
Texas A&M University
College Station, TX 77843-3112
{xinwenfu, bwg7173, bettati, zhao}@cs.tamu.edu

Y. Guan
Department of Electrical and Computer Engineering
Iowa State University
Ames, IA 50011
yguan@iastate.edu

I. INTRODUCTION

NetCamo is a toolkit that prevents traffic analysis while guaranteeing worst-case delays in computer networks for mission-critical applications. In this paper, we give an overview of its design and implementation and address several critical issues related to the core technology used in NetCamo.

The first objective of NetCamo is to provide security services beyond the traditional encryption techniques that have played an important role in network security. It is a misconception that to secure a network one only needs to encrypt the traffic. With increasing amounts of traffic being encrypted, and its contents therefore being beyond the reach of effective cryptanalysis, attention is shifting toward traffic analysis and its prevention. Traffic analysis is a security attack in which an intruder observes network traffic in order to infer sensitive information about the applications and/or the underlying system. This form of attack is harmful because significant information about operation modes can be inferred by appropriately monitoring the pattern of traffic. It can, for example, uncover the location of command centers, determine the state of alertness of various units, or detect covert information flows to or from apparently uninvolved parties [33]. In addition, effective traffic analysis is well known to greatly help cryptanalysis efforts [33]. It is, therefore, important to develop means to render traffic analysis efforts ineffective.
Traffic analysis can be prevented by camouflaging the payload traffic, i.e., manipulating the traffic so that its pattern is not related, for an observer, to the operational status of applications. To achieve this, an integration of the following measures should be used:

• Traffic Padding: Additional packets (called padding packets) may need to be properly inserted into payload packet streams to camouflage them.

• Traffic Rerouting: Usually, packets from one host to another are sent via one fixed path. In order to prevent traffic analysis, a stream of traffic between two hosts may need to be rerouted through multiple paths in order to camouflage the traffic.

The challenge of this study is that we deal with the problem of preventing traffic analysis in the context of mission-critical systems, where the worst-case delay of payload packets needs to be guaranteed. This is not possible when the network is indiscriminately flooded with padding traffic. Thus, the second objective of NetCamo is to guarantee the worst-case delay for communication applications. Delay guarantees are realized by adopting a connection-oriented communication service model in conjunction with admission control during connection establishment. Before an application can transmit a flow of packets to another, a connection admission request is made, and the connection is admitted only if the delay requirements of both the new and the existing connections can be met. To achieve the prevention of traffic analysis in conjunction with delay guarantees, the design of our NetCamo system enhances the connection admission control module so that it performs both traditional admission control and traffic planning for camouflaging.

NetCamo has been realized in our laboratory in the Department of Computer Science at Texas A&M University. A thorough performance evaluation has been carried out. The performance data we collected indicate that the system design objectives have been achieved.
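The traffic padding measure described above can be illustrated with a small simulation. The following Python is an added example, not code from the NetCamo paper or toolkit: the slot-based scheme it uses (fixed time slots, a flat per-slot packet count as the target pattern, dummy packets filling the gap in each slot) is a generic padding design chosen for illustration, not NetCamo's own algorithm, and the packet timestamps are constructed sample data. It shows why padding has to be planned rather than applied indiscriminately: the target rate must be at least the peak payload rate or the real pattern leaks through, and the padding overhead it reports is the bandwidth cost that an admission controller has to budget for when delay guarantees must still hold.

```python
"""Slot-based traffic padding (added illustration, not NetCamo's own code).

A payload packet stream is divided into fixed-length time slots.  For each
slot the padder injects enough dummy ("padding") packets that an observer on
the link counts the same number of packets in every slot, so the real pattern
(bursts, idle periods) is hidden behind a flat target pattern.
"""


def payload_histogram(timestamps, slot_len, horizon):
    """Count payload packets per slot over [0, horizon); packets outside are ignored."""
    n_slots = int(horizon // slot_len)
    counts = [0] * n_slots
    for t in timestamps:
        if 0 <= t < horizon:
            counts[int(t // slot_len)] += 1
    return counts


def min_feasible_target(payload_counts):
    """Smallest flat target that never requires delaying or dropping a payload packet."""
    return max(payload_counts)


def padding_plan(payload_counts, target_per_slot):
    """Padding packets to inject per slot so every slot carries exactly target_per_slot.

    Padding can only add packets.  A slot that already exceeds the target makes
    the target infeasible for this stream (the burst would show through), which
    is reported as an error rather than silently under-padding.
    """
    plan = []
    for slot, count in enumerate(payload_counts):
        if count > target_per_slot:
            raise ValueError(
                f"slot {slot} carries {count} payload packets, above target {target_per_slot}")
        plan.append(target_per_slot - count)
    return plan


def observed_pattern(payload_counts, padding):
    """What a passive observer counts per slot: payload plus padding."""
    return [p + d for p, d in zip(payload_counts, padding)]


def pattern_distance(observed, target_per_slot):
    """Largest per-slot deviation between observed and target pattern (0 = exact match)."""
    return max(abs(o - target_per_slot) for o in observed)


def padding_overhead(payload_counts, padding):
    """Fraction of all transmitted packets that are padding: the bandwidth cost of camouflage."""
    total = sum(payload_counts) + sum(padding)
    return sum(padding) / total if total else 0.0


# Constructed sample: payload send times in ms, bursty (two bursts, long idle gaps).
SAMPLE_TIMESTAMPS_MS = [1, 2, 3, 4, 12, 15, 18, 52, 55, 57, 59, 88]
SLOT_LEN_MS = 10
HORIZON_MS = 100


def demo(target_per_slot=None):
    """Pad the constructed sample to a flat target and report the resulting pattern."""
    counts = payload_histogram(SAMPLE_TIMESTAMPS_MS, SLOT_LEN_MS, HORIZON_MS)
    if target_per_slot is None:
        target_per_slot = min_feasible_target(counts)
    padding = padding_plan(counts, target_per_slot)
    observed = observed_pattern(counts, padding)
    return {
        "payload": counts,
        "padding": padding,
        "observed": observed,
        "distance": pattern_distance(observed, target_per_slot),
        "overhead": padding_overhead(counts, padding),
    }


if __name__ == "__main__":
    result = demo()
    print("payload per slot  :", result["payload"])
    print("padding per slot  :", result["padding"])
    print("observed per slot :", result["observed"])
    print("distance to target:", result["distance"],
          " padding overhead:", round(result["overhead"], 2))
```

With the sample stream, the observer sees four packets in every slot and the distance to the target pattern is zero, but 70% of what crosses the link is padding; asking for a target of three packets per slot raises an error because two slots already carry four payload packets. That trade-off between how closely the observed pattern matches the target and how much bandwidth the padding consumes is what a planning module in the admission controller has to resolve before a connection is accepted.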
• NetCamo effectively camouflages the traffic and hence prevents traffic analysis. We will show that the difference between the targeted camouflaged traffic pattern and the real traffic pattern is typically very small. In practice, this makes it extremely difficult for an observer to analyze the traffic and obtain status information about applications that are using the network.

• NetCamo does not compromise on delay guarantees. We measure the probability of real-time connections being admitted. Using this measure, we compare NetCamo with a system that does not prevent traffic analysis. The data show that both systems have virtually identical performance in terms of admission capability.

Delay guarantees have been discussed in [1]. This paper reports the major results of the evaluation of traffic padding and traffic rerouting methods. The rest of this paper is organized as follows. Section II evaluates different schemes of traffic padding in protecting the