Preserving privacy is an undeniable benefit to users online. However, this benefit (unfortunately) also extends to those who conduct cyber attacks and other types of malfeasance. In this work, we consider the scenario in which Privacy Preserving Technologies (PPTs) have been used to obfuscate users who are communicating online with ill intentions. We present a novel methodology that is effective at deobfuscating such sources by synthesizing measurements from key locations along protocol transaction paths. Our approach links online personas with their origin IP addresses based on a Pattern of Life (PoL) analysis, and is successful even when different PPTs are used. We show that, when monitoring in the correct places on the Internet, DNS over HTTPS (DoH) and DNS over TLS (DoT) can be deobfuscated with up to 100% accuracy when they are the only privacy-preserving technologies used. Our evaluation used multiple simulated monitoring points, and communications were sampled from an actual multiyear-long social network message board to replay actual user behavior. Our evaluation compared plain old DNS, DoH, DoT, and VPN in order to quantify their relative privacy-preserving abilities and to provide recommendations for where ideal monitoring vantage points would be on the Internet to achieve the best performance. To illustrate the utility of our methodology, we created a proof-of-concept cybersecurity analyst dashboard (with backend processing infrastructure) that uses a search engine interface to allow analysts to deobfuscate sources based on observed screen names and on packet captures provided from subsets of vantage points.