In 2015, Tan Qingfeng et al. published a paper on quantifying the
unobservability of circumvention systems. It was only available in
Chinese, and at the time I read a machine translation.
http://crad.ict.ac.cn/EN/10.7544/issn1000-1239.2015.20150562
Lately I've been interested in translation and so, as an experiment, I
paid to have the article professionally translated. Here is the result:
https://www.bamsoftware.com/papers-of-others/Tan2015a/Tan2015a.en.html
The translation seems good for a specialized technical topic, according
to bilingual people I've asked. I had no idea how to select a
translation service, except that I've heard there are a lot of
low-quality ones online, so I picked one with a local office. They
quoted me a price of $0.18 per word, plus a 10% project fee, which for
the estimated 3,000 words came out to about $600. After we signed the
paperwork, they got back to me and said that they underestimated the
word count and it should have been more than double what it was, but
they honored the original quoted price. It only took one week (proposal
approved March 6, translation delivered March 13).
What's on your wishlist of papers to have translated? For me it
includes:
*
http://cdmd.cnki.com.cn/Article/CDMD-10004-1016120870.htm
Master's thesis, "Research and Realization of Tor Anonymous
Communication Identification Method Based on Meek"
*
https://archive.org/details/CN109286576A
Patent application, something about using ML to detect Shadowsocks
and SSH.
Below is my summary of the Tan Qingfeng et al. paper.
----
The paper proposes a method of quantifying the unobservability of a
circumvention system that imitates a target protocol. Conceptually, they
look at how much the circumvention protocol diverges from an ideal
implementation of the target protocol, compared to how much an actual
implementation of the target protocol diverges from the ideal.
The paper gives a lot of definitions for an abstract computational
model of how a network protocol runs, but the model is not used in any
essential way. The important part is that the output of running a
protocol in a certain way (which they call a "state") is a sequence of
N packets. From each packet they extract M features, resulting in an
N×M feature vector (really a matrix: one row per packet, one column per
feature). The feature vectors are used to compute divergence.
Concretely, they look at the 6 states
S = {C2S Handshake, C2S Idle, C2S Data Transmission,
S2C Handshake, S2C Idle, S2C Data Transmission}
and the M=2 features
{packet length, packet timing interval}.
They don't specify what N is, or whether it is the same across all
states.
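As a concrete illustration of the feature extraction (my own sketch,
not code from the paper), here is how one might build the N×M feature
matrix in R from the lengths and arrival timestamps of N captured
packets:

    # Hypothetical capture: lengths (bytes) and arrival times (seconds)
    # of N = 5 packets. These numbers are made up for illustration.
    packet_length <- c(512, 1460, 60, 1460, 980)
    arrival_time  <- c(0.000, 0.013, 0.014, 0.150, 0.152)

    # Packet timing interval: time since the previous packet
    # (zero for the first packet).
    timing_interval <- c(0, diff(arrival_time))

    # One row per packet, one column per feature: an N×2 matrix.
    features <- cbind(packet_length, timing_interval)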
They use the notational conventions:
p: measured distribution
q: ideal distribution
τ: target protocol
π: circumvention protocol that mimics τ
and so define probability distributions over feature vectors:
q_τ: ideal distribution of target protocol
p_τ: measured distribution of target protocol
p_π: measured distribution of circumvention protocol
The basic measure of divergence is:
D(p_π, q_τ) − D(p_τ, q_τ)
which you can understand as:
how much the circumvention protocol differs from the target protocol
minus
how much the target protocol differs from itself
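To make the basic measure concrete, here is a toy R example in which D
is taken to be the Kullback–Leibler divergence between histogram
estimates of a single feature's distribution. That choice of D, and the
sample data, are my own assumptions for illustration, not the paper's.

    # Toy illustration of D(p_π, q_τ) − D(p_τ, q_τ). Assumes D is the
    # Kullback–Leibler divergence; the samples below are invented.
    kl_divergence <- function(p, q, eps = 1e-10) {
      # Smooth with eps to avoid log(0), then renormalize to sum to 1.
      p <- (p + eps) / sum(p + eps)
      q <- (q + eps) / sum(q + eps)
      sum(p * log(p / q))
    }

    set.seed(1)
    breaks <- seq(0, 1500, by = 100)  # histogram bins for packet length
    # q_τ: "ideal" target; p_τ: measured target; p_π: circumvention.
    q_tau <- hist(runif(1000, 0, 1500), breaks, plot = FALSE)$counts
    p_tau <- hist(runif(1000, 0, 1500), breaks, plot = FALSE)$counts
    p_pi  <- hist(runif(1000, 200, 1400), breaks, plot = FALSE)$counts

    kl_divergence(p_pi, q_tau) - kl_divergence(p_tau, q_tau)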
I don't really understand the reasoning behind the formulas they use to
get an overall unobservability score. It seems ad hoc, without a
theoretical motivation. To get the overall divergence of a protocol,
they average the divergences of its individual states (C2S Handshake,
S2C Handshake, etc.) (Eq. (4)). They then divide that average by the
maximum divergence of any single state (Eq. (5)). In the notation
above, with the mean and max taken over states, the score is

    d = mean[D(p_π, q_τ) − D(p_τ, q_τ)] / max[D(p_π, q_τ)]

which means the outcome depends on how you slice up the state space.
The unobservability score d is supposed to lie within [0, 1], but
technically it can be negative: if for some state D(p_π, q_τ) = 1 while
D(p_τ, q_τ) = 2, that state contributes −1 to the mean. Perhaps the
difference of divergences should be taken in absolute value.

In all tests, the target protocol τ is Firefox speaking HTTPS, which
makes sense when they evaluate meek (which is designed to look like a
browser speaking HTTPS), but not when they evaluate the vanilla Tor
protocol, which does not imitate Firefox. How do they get q_τ, the
"ideal" distribution of Firefox HTTPS? They don't say, but I suspect
they run Firefox twice, and call one distribution "ideal" and one
"measured."
The summary unobservability scores lead to the conclusion that meek is
more unobservable than the vanilla Tor protocol, but less unobservable
than Firefox HTTPS itself. I managed to reproduce their final scores
using the data in Table 1 and Table 2, except that 1 of the 4 values
came out a little off. The way to do it is, for example, to take the 12
values in the Meek–Windows rows of both tables (that's your
D(p_π, q_τ)) and compare them to the 12 values in the HTTPS–Windows
rows (that's your D(p_τ, q_τ)). Example in R:
> # 12 per-state divergences for Meek–Windows, from Tables 1 and 2
> D_p_π <- c(3.56, 1.20, 18.27, 18.14, 10.35, 5.19, 17.57, 4.76, 20.91, 20.20, 19.89, 10.86)
> # the corresponding divergences for HTTPS–Windows
> D_p_τ <- c(1.67, 2.05, 2.56, 4.64, 1.96, 0.77, 0, 0, 0, 0, 0, 0.77)
> # average of the differences (Eq. (4)), normalized by the maximum (Eq. (5))
> mean(D_p_π - D_p_τ) / max(D_p_π)
[1] 0.5439184
then repeat for Meek–Ubuntu, Bridge–Windows, and Bridge–Ubuntu. Here are
the paper's numbers, and the ones that I get:
                    paper   mine
    Meek–Windows    0.54    0.5439184
    Meek–Ubuntu     0.36    0.342749   * not equal
    Bridge–Windows  0.72    0.7160888
    Bridge–Ubuntu   0.53    0.5324601
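The computation is the same for every row, so it can be wrapped in a
small R function. A sketch; the function name is mine, and the vectors
are the Meek–Windows values from above:

    # Eq. (4) average of the per-state divergence differences,
    # normalized by the Eq. (5) maximum, as I understand the formulas.
    unobservability <- function(D_p_pi, D_p_tau) {
      mean(D_p_pi - D_p_tau) / max(D_p_pi)
    }

    D_p_pi  <- c(3.56, 1.20, 18.27, 18.14, 10.35, 5.19, 17.57, 4.76, 20.91, 20.20, 19.89, 10.86)
    D_p_tau <- c(1.67, 2.05, 2.56, 4.64, 1.96, 0.77, 0, 0, 0, 0, 0, 0.77)
    unobservability(D_p_pi, D_p_tau)  # 0.5439184, the Meek–Windows score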