Devise metrics to measure the safety of the Tor network

We need to develop measurements to quantify the security and safety of the Tor network.

Such metrics will become even more useful to evaluate the effects of the upcoming exit node funding on the Tor network.

added component::metrics/analysis priority::medium resolution::wontfix status::closed type::task labels

Example of such metrics are the graphs generated by #6232 (moved) and #6443 (moved); dealing with the diversity of the network.

The blog post Research problem: measuring the safety of the Tor network has more useful metrics that need development: https://blog.torproject.org/blog/research-problem-measuring-safety-tor-network

Another idea that could be useful is measuring (and plotting over time) the probability that a circuit's entry node and exit node will belong to the same country/AS. Another idea would be to measure the bandwidth capacity of relays running exploitable or non-recommended versions of Tor.

Trac:
Cc: N/A to gsathya, karsten, arma

Some papers on measuring anonymity:

• Towards an Information Theoretic Metric for Anonymity by Danezis et al. which uses the concept of information theoretic entropy to measure the anonymity of mix networks. Done in #6232 (moved) wrt the bandwidth weights of the consensus.

• Towards measuring anonymity by Diaz et al. which comes up with the concept of degree of anonymity. Graphs of the degree of anonymity of the Tor network were created in #6232 (moved).

• Measuring Anonymity Revisited by Tóth et al. which gives examples on why entropy and degree of entropy are not the best ways of measuring anonymity and proposes local anonymity measure as a more correct way.

They said that entropy as a measurement is flawed because two anonymous networks with the same number of users but completely different anonymity properties can have the same entropy. Also, there are anonymous networks with degree of anonymity very close to 1 that are completely broken.

They also said that entropy as a measurement describes the amount of information that an adversary needs to completely and deterministically deanonymize a user. They argue that an adversary is also successful if his attack has a big chance of deanonymizing the user. They believe that entropy can't handle the probability that an attacker's attack will succeed and their local anonymity measure measurement tries to provide that.

I'm not sure how useful it would be for us to use local anonymity measure as a network security measurement.

• A Combinatorial Approach to Measuring Anonymity by Edman et al. which provides a different model of measuring anonymity.

They quantify anonymity by modeling all possible communications and input/output of nodes of an anonymity system as a bipartite graph and then use some graph theory to get a single value that characterizes the system's anonymity.

It seems like a fun approach but the paper is concentrated on mixnets and I'm not sure how it can be generalized to onion routing.

What other anonymity-measuring research have I missed or forgot?

Trac:
Cc: gsathya, karsten, arma to gsathya, karsten, arma, robgjansen

Trac:
Cc: gsathya, karsten, arma, robgjansen to gsathya, karsten, arma, robgjansen, ln5

Trac:
Cc: gsathya, karsten, arma, robgjansen, ln5 to gsathya, karsten, arma, robgjansen, ln5, amj703

Note to self: Ian's paper The Mis-entropists: New Approaches to Measures in Tor, and Paul's paper Why I'm not an Entropist are also related to the topic of measuring diversity on the Tor network.

Trac:
Username: nikita
Cc: gsathya, karsten, arma, robgjansen, ln5, amj703 to gsathya, karsten, arma, robgjansen, ln5, amj703, nikita@illinois.edu

Trac:
Cc: gsathya, karsten, arma, robgjansen, ln5, amj703, nikita@illinois.edu to gsathya, karsten, arma, robgjansen, ln5, amj703, nikita@illinois.edu, r.a@posteo.net

Closing tickets in Metrics/Analysis that have been created 5+ years ago and not seen progress recently, except for the ones that "nickm-cares" about.

Trac:
Resolution: N/A to wontfix
Status: new to closed

closed