[anti-censorship-team] "Snowflake Anonymous Network Traffic Identification", November 2023

David Fifield david at bamsoftware.com
Fri Apr 19 01:41:31 UTC 2024

Snowflake Anonymous Network Traffic Identification
Yuying Wang, Guilong Yang, Dawei Xu, Cheng Dai, Tianxin Chen, Yunfan Yang 

This paper tries to detect Snowflake by focusing on the DTLS transfer.
Unlike the F-ACCUMUL paper (https://www.mdpi.com/2076-3417/13/1/622),
however, it doesn't use DTLS handshake features, but rather traffic
analysis features such as packet lengths and interarrival times.

Their classifier is a multilayer perceptron, though they also try SVM,
random forest, and naive Bayes. The experiment is a closed world
consisting of Snowflake, Facebook Messenger, Google Hangouts, and
Discord. They don't evaluate realistic base rates: the most imbalanced
evaluation they try is 40:1 (Figure 5). In short, it doesn't look like
there is much to learn from this paper.

> Traffic identification is a dynamic process, and as we identify
> traffic features, Snowflake developers may modify these features to
> render our model ineffective. This could lead to an ongoing
> cat-and-mouse situation. It is necessary to continually collect
> traffic data to maintain a high level of accuracy. In the future, we
> hope to automate this process to adapt to updates and changes in
> Snowflake versions.

Unusually, the authors have publised the Docker image they used to
generate training and test data:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 978-981-99-9247-8_40.pdf
Type: application/pdf
Size: 1176785 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/anti-censorship-team/attachments/20240418/43e3ce3f/attachment-0001.pdf>

More information about the anti-censorship-team mailing list