The second-generation onion router (Tor), as the most popular low-latency anonymous communication network on the Internet, is vulnerable to deanonymization attacks caused by traffic analysis.Evaluating the cost associated with acquiring user traffic is crucial to the measurement of the severity of this threat.Because of the direct correlation between Tor network entry nodes and user identities and the fact that these nodes can also be deployed by adversaries, Tor network entry nodes play a vital role in obtaining user traffic.When constructing communication circuits, Tor clients need to be compelled to select the entry nodes of adversaries, commonly referred to as guards.However, the existing approaches used to obtain user traffic by manipulating guard nodes often overlook cost-effectiveness, leading to cost evaluations that do not truthfully reflect the potential capabilities of adversaries.

To address the cost optimization issue of acquiring Tor user traffic, this study presents a novel model, i.e., the push and pull Tor users'guards through optimized resource portfolios (P-Group).The proposed method deploys controllable nodes to draw user traffic.Meanwhile, the proposed method expedites user traffic migration by utilizing general traffic to congest noncontrollable nodes that are currently used by users.This study unifies the resource measurements of both node deployment and bandwidth attacks and analyzes their correlation to enhance resource allocation efficiency.Through in-depth research into the traffic control and congestion mechanisms of the Tor protocol, P-Group employs queuing theory to quantify the reduction in the observed bandwidth of noncontrollable nodes.Moreover, the impact of attacking noncontrollable nodes with identical traffic can vary based on their bandwidth capacities.P-Group utilizes adapted flow deviation techniques to effectively coordinate the total amount of attack resources and target bandwidth capacity to optimize resource allocation.Considering the extensive operational scope and competitiveness of contemporary cloud service providers, this study assumes that the bandwidth requirements of adversaries are readily obtainable from various sources.By investigating standard hosting product prices across ten cloud service providers, including GoDaddy, the average cost of attack bandwidth is determined and integrated into the experimental assessment.

The analysis and simulation results show that P-Group improves the utility and security levels while achieving a more advantageous cost-effectiveness ratio.Solely focusing on deploying controllable nodes, once their total bandwidth reaches 2% of the entire Tor network capacity, the marginal gain from investing resources decreases significantly.The utility of resource distribution has been improved by 20.5% by the proposed method compared with that of an equal split strategy between node deployment and bandwidth attacking.Furthermore, in the context of bandwidth attacks, the likelihood of planted nodes being selected by Tor clients is 15% higher than those of six traditional traffic distribution methods.With the implementation of P-Group, the average duration of the migration of user traffic from noncontrollable nodes to adversary-controllable nodes is approximately 200h, incurring costs of several hundred dollars.

In summary, while challenges persist in cost management within the existing methods of acquiring Tor user traffic, optimization can mitigate these hurdles to attain practical and feasible goals, thereby elevating traffic analysis attacks to a substantial threat.

Internet is an important infrastructure that has been evolving for decades. Border gateway protocol (BGP) is the de facto interdomain routing protocol on the internet and connects autonomous systems (ASes) around the world. The BGP uses internet number resources (INR), including internet protocol (IP) prefixes and autonomous system numbers for addressing and routing. However, BGP has been vulnerable to the INR misusage threat recently, which causes a common type of anomaly called prefix hijacking. In prefix hijacking, a malicious AS originates the victim AS's prefixes to blackhole or intercept the victim's data traffic. The existing security solution, called resource public key infrastructure (RPKI), provides INR ownership and prefix-to-AS mapping information through a centralized infrastructure. ASes can extract and use the information from RPKI to prevent prefix hijacking. However, this solution has three typical drawbacks. First, the centralized architecture of RPKI causes single-point failures. Second, to obtain consistent INR information from RPKI, ASes need a long convergence time owing to the disorderly distribution of information. Third, ASes incur high interaction cost for extracting real-time INR information frequently.

To solve the above mentioned shortcomings, this study proposes a decentralized internet number resource management system (DINRMS) based on blockchain technology. The proposed system adopts a hierarchical architecture consisting of an autonomy layer and an arbitration layer. DINRMS partitions all ASes on the internet into groups that form the autonomy layer. The arbitration layer comprises the Internet Assigned Numbers Authority, five Regional Internet Registries and representatives elected by each group in the autonomy layer. Each entity in DINRMS has nearly the same impact on the system and the single-point failure of an entity does not lead to a serious global breakdown. The architecture of the proposed system overcomes the poor scalability of blockchain technology, which cannot be applied to efficient global INR information management on the internet. A blockchain is maintained within each group to record the INR ownership and prefix-to-AS mapping information of the respective groups. Entities within a group use information from third parties, such as the Whois Lookup tool, to check the consistency of INR ownership information. For prefix-to-AS mapping information, entities within a group use routing data from public route collectors to check the consistency and then vote on the legitimacy of the information. Subsequently, the entities judge the legitimacy of the information according to the majority rule. The arbitration layer maintains the global INR ownership information in the form of group granularity and prefix-to-AS mapping information. This information is sourced from representatives elected by each group in the autonomy layer for mutual supervision and endorsement. The arbitration layer is responsible for arbitrating usage conflicts related to INR. The DINRMS proposes a heuristic INR information push mechanism based on the architecture and dynamics of INR information. The mechanism decides to push INR information to ASes if a long time has passed since the last information push or if many information items have not been pushed.

Experiments results show that DINRMS provides secure and trusted INR information for interdomain routing. In addition, the degree of centralization of DINRMS is 60% less than that of RPKI in terms of the Gini coefficient. Moreover, DINRMS reduces the convergence time and interaction overhead by more than 50%.

DINRMS manages INRs based on blockchain technology using a decentralized approach. The hierarchical and grouping architecture of DINRMS improves system scalability. The efficient push mechanism based on the dynamics of INR information shortens the convergence time and reduces the interaction overhead for ASes to obtain consistent INR ownership and mapping information.