Minos: Lightweight & Dynamic Defense Against Traffic Analysis in Programmable Data Planes

[HPP] Zihao Ou · September 21, 2025 · 18 min

Addressing Encrypted Traffic Analysis

  • ⚠️ Encrypted traffic analysis attacks infer user intentions (e.g., websites, videos) from packet metadata like size and direction, posing significant privacy threats through techniques like website and IoT fingerprinting.
  • 💡 Existing proxy-based defenses are lightweight but lack traffic anonymity, while traffic morphing defenses are strong but incur high bandwidth overhead and require external encryption.

Minos: A Novel Defense Architecture

  • 🚀 Minos is a lightweight and scalable defense mechanism built on programmable switches, offering both identity anonymity and traffic anonymity at line rate.
  • 🧩 It comprises three core modules: the Proxy Module for encryption, the Schedule Module for flow interleaving, and the Traffic Morphing Module for obfuscation.

Core Modules and Innovations

  • 🔒 The Proxy Module achieves line-rate packet header encryption by replacing source IPs and encrypting headers using an encryption round compression method adapted for the Prince cipher on programmable switches.
  • 🔄 The Schedule Module dynamically interweaves packets from different flows using round-robin queues to prevent packet disorder and decide when to activate further traffic obfuscation.
  • 👻 The Traffic Morphing Module performs dummy packet insertion and packet padding using a priority queue-based scheduling method to generate dummy packets in real-time, enhancing defense for low-flow scenarios.
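
A simplified software model of the Schedule and Traffic Morphing ideas above, added here as an illustration; it is not Minos's data-plane code and it models packet size only, not direction. The padding size, the dummy threshold, the function names and the sample flows are assumptions, since the summary gives none of them.

```python
from collections import deque

PAD_TO = 1500     # assumed wire size after padding, in bytes
MIN_ACTIVE = 2    # assumed threshold: fewer active flows than this adds dummies

def morph(flows, pad_to=PAD_TO, min_active=MIN_ACTIVE):
    """Interleave flows round-robin, pad packets, insert dummies.

    flows maps a flow id to its packet sizes in send order.
    Returns the wire trace as (flow_id or None, original_size, wire_size).
    """
    queues = {fid: deque(sizes) for fid, sizes in flows.items()}
    wire = []
    while any(queues.values()):
        active = [fid for fid, q in queues.items() if q]
        for fid in active:
            # One packet per flow per round keeps each flow's own order.
            size = queues[fid].popleft()
            wire.append((fid, size, max(size, pad_to)))
        # Low-flow round: too few real flows to hide among, so add dummies.
        for _ in range(min_active - len(active)):
            wire.append((None, 0, pad_to))
    return wire

def observer_view(wire):
    """What an on-path observer can record: wire sizes, no flow ids."""
    return [wire_size for _, _, wire_size in wire]

def bandwidth_overhead(wire):
    """Extra bytes sent, as a fraction of the real payload bytes."""
    real = sum(orig for _, orig, _ in wire)
    return (sum(w for _, _, w in wire) - real) / real

# Constructed sample flows (packet sizes in bytes), not data from the talk.
SAMPLE = {"A": [1500, 60, 1500, 60], "B": [300, 300]}

if __name__ == "__main__":
    trace = morph(SAMPLE)
    print(observer_view(trace))
    print(f"overhead: {bandwidth_overhead(trace):.2f}x of real bytes")
```

On the sample flows every observed packet is 1500 bytes, at the price of more than tripling the bytes sent; that cost is what the bandwidth-overhead figure in the evaluation measures.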

Performance and Evaluation

  • 📊 Implemented on Tofino1 switches, Minos demonstrates line-rate packet encryption (over 94 Gbps) with insignificant latency overhead from scheduling.
  • ✅ Evaluation shows Minos can reduce attack accuracy to less than 20% with flow mixing and has limited bandwidth overhead, outperforming previous defenses in throughput and efficiency.

What's Discussed

Encrypted traffic analysis, Traffic analysis attacks, Website fingerprinting, IoT fingerprinting, Programmable switches, Data plane programmability, Minos (defense mechanism), Identity anonymity, Traffic anonymity, Encryption round compression, Dynamic flow scheduling, Dummy packet insertion, Packet padding, Tofino1 switches, Bandwidth overhead