1 STor: Social Network based Anonymous Communication in Tor Peng Zhou, Xiapu Luo, Ang Chen, and Rocky K. C. Chang Department of Computing, The Hong Kong Polytechnic University, Hunghom, Hong Kong cspzhouroc,csxluo,csachen,csrchang @comp.polyu.edu.hk { }

Abstract—Anonymity networks hide user identities with the help of relayed anonymity routers. However, the state-of-the-art anonymity networks do not provide an effective trust model. As a result, users cannot circumvent malicious or vulnerable routers, thus making them susceptible to malicious router based attacks (e.g., correlation attacks). In this paper, we propose a novel social network based trust model to help anonymity networks circumvent malicious routers and obtain secure anonymity. In particular, we design an input independent fuzzy model to determine trust relationships between friends based on qualitative and quantitative social attributes, both of which can be readily obtained from existing social networks. Moreover, we design an algorithm for propagating trust over an anonymity network. We integrate these two elements in STor, a novel social network based Tor. We have implemented STor by modifying the Tor’s source code and conducted experiments on PlanetLab to evaluate the effectiveness of STor. Both simulation and PlanetLab experiment results have demonstrated that STor can achieve secure anonymity by establishing trust-based circuits in a distributed way. Although the design of STor is based on Tor network, the social network based trust model can be adopted by other anonymity networks.

Index Terms—Social Network, Anonymous Communication, Tor, Fuzzy Model !

1 INTRODUCTION alone can be easily bypassed by an attacker. For example, an attacker can set up a malicious router and operate it normally Anonymity networks, which hide user identity by using re- for a period of time to gain the directory servers’ trust. layed anonymity routers, play a very important role in protect- Second, without trust-based routing algorithm, Tor basically ing user privacy. However, without a trust model, the state-of- considers every candidate router with the same trust. Thus, the-art anonymity networks, such as [1]–[11], are vulnerable to Tor is unable to select routers based on their capability of various malicious router based attacks [12], [13]. Therefore, providing secure anonymity when forming the circuits. Third, introducing an effective trust model to anonymity networks the central directory servers are potential targets of various remains a critically important problem. In this paper, we attacks, notably targeted intrusion, IP address blacklisting, and propose a novel social network based trust model and apply it DDoS attacks. For example, network wardens (e.g., The Great to the Tor network [8], which is one of the most dominant Firewall of China [28]) can block Tor networks by blacklisting low-latency anonymity network today [13] and is used by directory servers. The private bridges made available since around 250,000 users [14], [15]. Although the design and version 0.2.1 [29], which are designed to help users affected implementation of the proposed trust model is based on Tor, by the blocking, are often set up in an ad hoc manner. Fourth, this model can be easily applied to other anonymity networks. the existing Tor architecture is not scalable, because a user is A Tor user accesses Internet services through dynamically required to maintain up-to-date information about all the Tor

arXiv:1110.5794v6 [cs.CR] 21 Jan 2013 encrypted circuits. Each circuit usually consists of three Tor routers [30]. routers, preventing an attacker from tracking back a user To effectively evade the malicious router based attacks, we and protecting the private content through nested encryptions. propose a novel trust-based anonymity network, called STor However, without a trust-based onion routing algorithm, a (Social network based Tor), which employs social networks to number of malicious router based attacks on Tor have success- help users circumvent malicious routers. STor provides secure fully demonstrated that Tor’s anonymity could be hampered anonymity to its users by “overlaying” social networks on top if one or more Tor routers in a circuit become malicious. of the current Tor infrastructure. More precisely, STor uses the Examples of such attacks include correlation attacks [16]–[21], existing trust relationships from real-world social networks to congestion attacks [22], disclosure attacks [23], and latency determine a trust score for each router. As the trust information based client location attacks [24]. is based on the router’s owner, STor is able to identify not only Tor [25] uses guard routers at the entry point and selects exit malicious routers, but also the routers that are vulnerable to routers according to the exit node policy to prevent malicious being compromised. A STor user thus selects a router based routers. Moreover, Tor relies on a group of directory servers on the trust score computed from the relationship between to check each router’s credibility according to its uptime the user and the router’s owner. In particular, the user will [25]–[27]. These mechanisms, however, are insufficient for exclude a router which is owned by someone who is not trust-based anonymous communication due to the following in his friendship circle (i.e., no relationship with the user). reasons. First, checking router identities based on uptime Another advantage of using social networks is to eliminate 2 the need for the central directory servers. Therefore, STor Directory servers were originally used for defeating Sybil can operate as a pure distributed system to provide trust- attacks [33], which generate a huge number of fake identities based anonymity services. Finally, STor is scalable, because to attack distributed systems. However, attackers can easily each user is only required to maintain up-to-date information obtain the Tor network’s trust, as the directory servers verify about their friends which is only a subset of the entire Tor router identities only based on their uptimes. Moreover, since network. However, the uncertainty and vagueness of the real- the directory servers are publicly accessible, attackers could world social networks make the relationships between friends compromise them through DDoS, IP/DNS blocking, and tar- imprecise [31], [32], thus designing an effective trust model geted intrusion. To evade these attacks, a trust-based routing based on social networks to facilitate anonymity networks is algorithm must be able to not trivial. Verify a Tor router’s identity using a comprehensive set • In summary, we have made three important contributions in of parameters, including not only the router’s uptime, but this paper: also its owner’s reputation, Enable users to take trust into consideration when select- 1) We introduce a novel social network based trust model • to further secure anonymity networks. In particular, we ing routers to establish circuits, and Manage trust in a distributed way without being threat- have designed STor, the Tor network enhanced by the • social network based trust model. STor users thus select ened by Sybil attacks. routers by taking into account their trust in those routers. STor uses the trust relationship from existing social net- 2) We have designed an input independent fuzzy model works to manage trust in the Tor network. As many recent to handle the uncertainty and vagueness of social rela- studies have demonstrated that social networks can effectively tionships, thus determining the direct trust according to help distributed systems evade Sybil attacks [34]–[40], STor various social attributes in different social networks. We can therefore satisfy the three requirements and provide secure have also developed an algorithm to propagate indirect anonymity by enhancing the baseline anonymity with the trust to a friend’s friends which form a friendship circle. capability of circumventing malicious routers based on a trust Both of them are the major elements in STor. model. 3) We have implemented STor by modifying Tor’s source As STor determines the trust relationship between users code and performed a comprehensive evaluation of the based on existing social networks, attacks targeting social effectiveness of STor in both simulation and experiments networks, like [41], [42], may compromise STor. In the paper, over PlanetLab platform. The experimental results show it is therefore essential to assume that the social network pro- that STor can effectively establish trust-based circuits vides sufficient security for establishing trust among friends. in a decentralized fashion and help users obtain secure In particular, we make two assumptions for the design of STor: anonymity. All entities in social networks can authenticate informa- • The remainder of this paper is organized as follows. Section tion about their friends. 2 presents the threat model considered in this paper. Section Existing social networks have comprehensive mecha- • 3 explains how trust relationships in social networks are nisms to avoid leaking of private information, such as an used in the design of STor, including the quantification and entity’s friendship circles and the IP addresses of their propagation of trust. Section 4 elaborates the qualification routers. process of various social attributes by using a novel input The first assumption is to guarantee that the trust relationship independent fuzzy model. Section 5 presents both simulation obtained from social networks is reliable for computing the and PlanetLab experiment results to evaluate STor. Section 6 trust of each router. The second assumption is to prevent the reviews related work, followed by a conclusion in Section 7. trust relationships from being leaked to the public domain. If an attacker were aware of an entity’s trust relationships, he could compromise the entity’s anonymity by tracking the 2 THREAT MODEL routers of the entity’s friends. The architecture of Tor is illustrated on the left side of The right side of Fig. 1 illustrates the architecture of STor. Fig. 1. When Tor users request anonymity service to visit a Any router included in a circuit must be owned by the user’s remote server, they ask the directory servers for a set of Tor friends or friends of their friends from social networks A and routers that have already been determined as trustworthy due B. Furthermore, friends with a higher trust is more likely to to their uptime to build encrypted circuits. After establishing be selected for the circuit formation. For instance, router , a the circuit, the Tor user sends data to the local Onion Proxy, malicious router, is excluded when circuits are built because which subsequently forwards the data to the remote server its owner, the human entity , is neither a friend of user x through the circuit. To provide sufficient anonymity, the circuit nor his friends’ friend. Using this approach, STor can allocate changes every ten minutes. In the Tor network, a larger number trust-based circuits in a decentralized manner without the need of candidate routers usually imply better anonymity service. of directory servers and exclude (potentially) malicious routers We refer the anonymity service that is determined by the with the help of trust relationships from real-world social number of candidate routers to as baseline anonymity, because networks. it provides the necessary (but not sufficient) mechanisms for For user x, some of their friends or some friends of friends anonymity communication. (e.g., {, |) belong to both social networks A and B, which 3

Tor STor Social Network A Social Network B

Directory Servers ⑥ ② ④

⑦ Tor User ⑤ ③ Tor Network ⑧ Tor User ①

Tor Network Web Server ② ③ Tor Proxy ⑥ Web Server ① ⑧ ④ ⑦ Tor Proxy ⑤

Tor Routers Malicious Router Entities of STor User in Social Networks

Tor Circuit Directory Server Control Circuit Friendship Between Two Entities

Fig. 1. Architecture of Tor and STor.

are considered as merged entities by STor. That is, STor can q p Fi,r 1, (p q) L . Fi,r has a recursive definition { | ∈ − → ∈ } manage trust relationships across multiple social networks. with Fi,1 = q (i q) L as the base case. An entity Section 3.1 will further elaborate on this. Furthermore, each could be a member{ | → of multiple∈ } friendship circles of another entity can generally possess more than one router in STor and entity. The friendship circle of entity i is therefore given by access STor through multiple proxies. In the interest of clarity, Fi = Fi,1 Fi,2 ... Fi,g, where g is the maximum number we consider in the rest of this paper only the case that each of directed∪ links∪ between∪ entity i and their friends. We use user has a single router and uses a single proxy. F to denote the number of entities in F . Obviously, F || i|| i i,1 includes entity i’s friends and Fi,r(r > 1) contains the friends s 3 DESIGNOF STOR of i’s friends. Additionally, we define Fi as the friendship circle of entity i in social network s S and subsequently STor, as a social network based Tor, harnesses the trust s S ∈ Fi = Fi . relationship from existing real-world social networks to help s∪ S ∈S users obtain secure anonymity by using trust-based circuits. Fig. 2 shows an example of the friendship circles for entity This section addresses the challenges in the design of STor, 1 which has a total of 12 friends and friends of friends. Four of including the calculation of the direct and indirect trust, them are in their 1-hop friendship circle (i.e., friends), while using the trust relationship to facilitate router selection. We the rest are in their 2-hop friendship circle (i.e., friends of also discuss the impacts on the performance and baseline friends). Each directed link is associated with a trust value, anonymity provided by Tor. which will be defined next.

8 9 t v >9 3- 3- 3.1 Modeling the trust relationship 2-hop Friendship >8 tv Circle of Entity 1 3 (F1,2)

We model the social structure of STor as a weighted directed 3 1-hop Friendship > - 7 1 Circle of Entity 1 10 v cyclic graph, = , , whose nodes represent human enti- t t G N L v (F1,1) 10 2- -> h i >7 tv4 ties and directed links indicate their uni-directional friendships. 2 tv1->2 1 tv1->4 4 tv 6 t 4 > v Each link has a trust value indicating the level of trust a 2- -> tv 1 11 - > person places in their friend in STor. Let N = 1, 2, . . . , n 6 5 11 { } denote the set of human entities (i.e., nodes on the graph) and 5 t 3 v 1 5 -> -> 5 1 L = (i j), i, j N the set of uni-directional friendships tv 2 between{ → human entities∈ } (i.e., links on the graph), where i j 13 12 indicates that entity i trusts entity j. → Fig. 2. Entity 1’s friendship circle. As discussed in Section 2, STor admits trust relationships from multiple social networks. Therefore, we have G = s s s G = N , L , where, S = s, s = 1, 2,... s∪ S hs ∪ S s∪ S i {S } Sis∈ the set ofS social∈ networksS ∈ used in STor. For a given social 3.2 Computing the direct trust s s s network s, the subgraph G = N , L represents the We define trust value as the degree of trust one entity assigns S s s h i structure of s. N and L are the respective sets in s. to his friend directly, denoted as tv [0, 1]. Let tvi j If entity Si can reach entity j through an acyclicS path represent the trust value entity i gives to∈j, j F . As each→ ∈ i,1 comprising r directed links in graph G, entity j belongs to entity can make friends in more than one social network, let s the r-hop friendship circle of entity i, denoted as Fi,r = tvi j denote the trust value that entity i places in j in social → 4

network s. If entities i and j are friends in more than one 2 tv 2->5=0.7 social network,S the highest trust value will be used, that is,

5= 5 t > 2- 6

v > 5 s 1- 0. 1 td = tvi j = max tv . - 7 t i j > . v

s 2 *0 5 . 4

→ (i j) , s = 8 L S → . 0 -

0 > 0 = → ∈ S ∈ 5 5 Trust value s > =

. - 8 1 The trust value tv can be computed based on quantitative v 0 i j t . = 8 → >5 d 1- and qualitative social attributes. Quantitative social attributes t 5= 8 -> 4 Trust distance >4 .6 3- 0 -> = are quantifiable, such as the communication frequency be- td1 0.8 4 1 .9* *0 9 tween two friends and the duration of their friendship in the tv 0.9 0. 1- = >3= >4 0. 3- 9 tv .6 social network. Higher communication frequency and longer 3 =0 >3 friendship generally result in a higher trust value. A Tor Trust score tv4- ts1=>5=max(td1->5,td1->2->5,td1->3->4->5)=td1->3->4->5=0.648 router’s uptime is also considered as a quantitative social attribute. Qualitative social attributes, on the other hand, Fig. 3. An example for the trust value, trust distance, and represent qualitative features, such as the relationship between trust score. two people, and their majors and careers. For example, a family member should receive more trust than a stranger, and a friend with a major and a career in computer security should The problem of calculating the trust score from each entity receive additional trust. to his friends can be formulated as a longest path problem In the real social networks, the relationships between friends with a non-increasing distance function (i.e., Eq. (1)). It is are imprecise because the environments are uncertainty and well known that the shortest path problem can be solved in vagueness [31], thus converting social attributes into a trust polynomial time when the distance function is non-decreasing value can be effectively handled by the fuzzy model [43], in a weighted directed cyclic graph [44]. Therefore, by con- which is especially useful for imprecise categories [32]. The verting the distance function from non-decreasing to non- fuzzy model can help calibrate the measure of social trust by increasing, the longest path problem in STor can be solved using set membership relevant to substantive knowledge from efficiently by converted it into a shortest path problem. A social attributes [32]. However, as there is a lack of quan- dynamic programming algorithm can subsequently be used to tifiable units, the qualitative attributes, which are important solve this problem in polynomial time. elements in STor, cannot be converted by using a fuzzy model According to Eq. (1) and tv [0, 1], we have td [0, 1]. ∈ ∈ directly. To overcome this problem, we propose a novel input Therefore, independent fuzzy model to determine the trust value based max td(Γc ) 1 min (1 td(Γc )). c i j c i j on both quantitative and qualitative social attributes. Section Γ i→j → ≡ − Γ i→j − → ∀ i→j ∈P ∀ i→j ∈P 4 details this fuzzy process. Based on this, the definition of trust scores can be transformed to ts = 1 min (1 td(Γc )). By defining i j c i j 3.3 Computing the indirect trust ⇒ − Γi→j Pi→j − → ∀ ∈c c distrust distance as utd(Γi j) = 1 td(Γi j), which is a In STor, the degree of indirect trust is computed through → − → trust propagation over the underlying friendship paths. Let non-decreasing distance function, the longest trust distance c problem is converted to a shortest distrust distance problem. Pi j = Γi j, c = 1, 2,...,C be the set containing all the friendship→ { paths→ starting from entity} i to entity j, where the The Fibonacci heap can be used to implement the typical c Dijkstra algorithm [45] to determine the Fi shortest paths friendship path Γi j = i h1 ... hr 1 j indicates || || trust propagation from→ entity→ i to→ their →r-hop− friend→ j through from each entity i to his friends and friends of friends (i.e., j Fi) with a time complexity of O( Fi log( Fi )). intermediate friends h1, . . . , hr 1 and Pi j = C is the ∀ ∈ || || × || || − c|| → || number of paths in the set. For each Γi j, a trust distance, c → denoted as td(Γi j), represents the degree of trust entity i 3.4 Trust-based Onion Routing Algorithm → places in j over this path. In Tor, directory servers select routers from the available ones Since td(Γc ) should be a non-increasing function of r, i j to construct circuits. Let bj denote the available bandwidth of we compute it→ by multiplying the trust value of each link: Pn entity j. The probability of selecting router j is bj/ k=1 bk c [25] for n available routers. In contrast, entity i in STor can td(Γi j) = tvi h1 ... tvhr−1 j. (1) → → × × → only select Onion routers from candidates that are confined to Moreover, we define a trust score as the highest degree of trust Fi and the probability of selecting router j (i.e., P rij) is entity i can give to entity j, denoted as tsi j, by considering ⇒ (1 ω) tsi j + ω BWj all possible friendship paths. Thus, P r = − × ⇒ × , (3) ij P ((1 ω) ts + ω BW ) c k Fi i k k ts = max td(Γ ). ∈ − × ⇒ × i j c i j (2) ⇒ Γi→j Pi→j → ∀ ∈ where BWj = bj/maxx Fi (bx) is a normalized bandwidth Fig. 3 illustrates an example of computing the trust value, and ω [0, 1] is a parameter∈ to balance the trust score with trust distance, and trust score. In this example, entity 5 belongs bandwidth.∈ A small ω gives more weight to the trust score, to F1,1, F1,2, and F1,3 simultaneously and three different paths whereas a large ω gives more weight to bandwidth. With this connect entity 1 with entity 5: 1 5, 1 2 5, and new algorithm, the STor users can only select routers from → → → 1 3 4 5. The trust score ts1 5 equals 0.648, which their friendship circle and have a high probability of choosing is→ the maximum→ → trust distance given by⇒ the last path. routers with a high trust score. 5

3.5 Effects on Tor networks which is associated with a relevant input fuzzy set. Each input 3.5.1 Effect on performance fuzzy set consists of a group of qualitative values (i.e., called linguistic values in [43]) and these values can be converted Although parameter ω in Eq. (3) can be increased to give a into membership functions whose elements have degrees of high probability of connecting to routers with large bandwidth, membership. An quantitative input variable can obtain their the candidate routers are still restricted to a user’s friendship membership grade from each membership function in their circle in STor, which is only a subset of the Tor network. relevant input fuzzy set. Each grade can be mapped to a As a result, the circuit established in STor may not enjoy the corresponding membership function in a corresponding output best performance, because other routers outside the friendship fuzzy set specified by the fuzzy rules. Finally, the fuzzy model circle cannot be used. This problem could be resolved by en- uses defuzzification methods to determine quantitative outputs. couraging users to invite more friends to join STor, especially Note that the quantitative input variable and their relevant input those with high bandwidth routers. Particularly, STor can build fuzzy set have to be related to the same property. For example, up a similar recruiting platform, like BRAIDS [46], to benefit if the quantitative input variable is a value of temperature, its users who successfully request their friends to participate in relevant input fuzzy set must be the qualitative description of STor. temperature. 3.5.2 Effect on baseline anonymity To integrate the quantitative social attributes into the trust value by the traditional fuzzy model, we can use their quan- In anonymity networks, the baseline anonymity service can titative values as the quantitative input variables and design be achieved by forming circuits from a large set of can- an input fuzzy set with a set of reasonable membership didate routers. STor obtains secure anonymity by using the functions to represent imprecise categories for each quanti- trust-based routing algorithm to circumvent malicious routers. tative attribute. Unlike the quantitative attributes, the lack of However, the STor users can only select routers from their quantitative values make the qualitative social attributes hard friendship circle. As a result, the baseline anonymity could to be converted by using the traditional fuzzy model directly. be degraded. To abate this possible degradation, users are To overcome this challenge, we propose a novel fuzzy encouraged to make more friends with existing users in STor model, called the input independent fuzzy model, to determine or introduce more outside friends to join STor. Enlarging social relationships. In this model, the quantitative input vari- the friendship circle unfortunately may run into the risk of ables can obtain their membership grade over unrelated input including malicious routers, because it is more likely to include fuzzy sets (i.e., input independent). As a result, by allowing friends with low trust. To address this problem, we use a quantitative social attributes to get their membership grade threshold, tsh, to filter out the friends with low trust scores. over different qualitative social attributes, the trust value can If an entity’s trust score is lower than tsh, his router will be determined based on both quantitative and qualitative social not be considered for circuit establishment. The friendship attributes by using the input independent fuzzy model. circle is therefore refined to a trustworthy friendship circle TFi = j Fi, tsi j tsh , and TFi is the size of TFi. { ∈ ⇒ ≥ } || || 4.2 The input independent fuzzy model 4 DETERMINATION OF TRUST VALUEAC- The input independent fuzzy model considers each qualitative social attribute as an input fuzzy set, and converts their CORDINGTO SOCIAL ATTRIBUTES qualitative values to membership functions. By allowing the In Section 3.2 we derive an algorithm to merge trust values quantitative social attributes to obtain their membership grade from multiple social networks and mention the use of an over unrelated qualitative social attributes, a quantitative trust input independent fuzzy model to convert both quantitative and value is yielded according to both qualitative and quantitative qualitative attributes into a trust value in each social network. social attributes. This section details this process. Section 4.1 elucidates the Comparing with the traditional fuzzy model, there are three challenges of the conversion by using the traditional fuzzy major improvements in this new model, as shown in Fig. 4: model. Section 4.2 highlights the advantages of the input The quantitative input variable can calculate their mem- independent fuzzy model and demonstrates its theoretical • bership grade over unrelated input fuzzy sets that are design. This model is subsequently applied to STor in Section defined by qualitative social attributes (i.e., input inde- 4.3. As an example, a real case for the conversion by using the pendent). input independent fuzzy model is illustrated in Section 4.4. The quantitative input variable can only obtain their • membership grade from an exclusively selected mem- 4.1 Challenges in the use of traditional fuzzy model bership function in each input fuzzy set. This selected In the social realm, as social environments are always uncer- membership function is specified by the qualitative value tainty and vagueness, the social relationships between friends of each qualitative social attribute. A density constant is introduced to balance the de- are imprecise [31]. The fuzzy model [43] is therefore an • appropriate technique to handle the conversion from social fuzzification when different output membership functions attributes to the trust values [31]. surround different sizes of area. Traditionally, the fuzzy model [43] includes various quanti- As a result, the input independent fuzzy model shows its tative input variables (i.e., called crisp inputs in [43]), each of advantages for determining the trust value as follows. 6

Quantitative Input Variable Quantitative Output Variable Quantitative Input Quantitative Output Quantitative Social Attributes (Ɛ) Trust Value(tv*) Variable Variable

Defuzzification Defuzzification Without Density Matched Fuzzy Rules With Density map matched input membership Input Set Related Fuzzy Rules Input Sets for function, specified by the value map all the input membership Output of each qualitative social Output to Quantitative Qualitative Social functions to the output domain attribute, to the output domain Fuzzy Set Fuzzy Sets Attributes Input Variable

(a) The input independent fuzzy model. (b) The traditional fuzzy model.

Fig. 4. Difference between the input independent fuzzy model and the traditional fuzzy model.

This model is able to handle the uncertainty and vague- set and their qualitative values are converted into membership • ness of the social relationships, which are usual features functions, as: in the social realm [31], thus helping convert social S k k k = A , A = ( A , µ Ak ( )) , attributes into the trust value. p p I k I I { I I E } ∀A ∈A With the help of quantitative social attributes, qualitative k µ Ak ( ) = : A [0, 1] , (5) • p p social attributes can be converted by using this model. I E {E I → } where, k , p [1, 2,...], D Ak [0, 1], A p Both quantitative and qualitative social attributes can thus A ∈ ∈ E ∈ I ⊆ be used to determine the trust value simultaneously. where A = k, k [1, 2, 3,...] represents all the qualitative This model is flexible as unlimited number of social {A ∈ } • social attributes in the considered social network. k is the attributes can be taken into account. Moreover, the qual- k A kth social attribute in A and A represents the input fuzzy itative social attributes can define different number of k I set of . A is the pth qualitative value of qualitative social membership functions to implement different levels of Ak Ip attribute k, while µ Ak ( ) is their membership function that conversion accuracy from social attributes to the trust A p E can be used to map I to the degree of membership for this value. E qualitative social attribute. D Ak is the definition domain of p I the membership function µ Ak ( ). 4.2.1 The quantitative input variable p E Unlike the input fuzzy sets,I we have only one output fuzzy We use to denote the quantitative input variable in this model E set in the input independent fuzzy model. This output fuzzy and compute it based on all the quantitative social attributes. set is relevant to the quantitative output (i.e., trust value) but In each social network, is calculated as: E includes various qualitative descriptions of it. We define the P output fuzzy set as: = (πe (Ee)), E Ee × E ∀ ∈EP where, (π ) = 1, (4) = ( q, µ q (tv)) , µ q (tv) = tv : q [0, 1] , e O { O O } O { O → } (6) Ee ∀ ∈E where, q [1, 2,...], tv D q [0, 1], (E ) [0, 1], π [0, 1], e [1, 2,...]. ∈ ∈ O ⊆ E e ∈ e ∈ ∈ where q is the qth qualitative description of output fuzzy set = Ee, e [1, 2, 3,...] represents the set of all the O E and can be represented as a membership function, µ q (tv). { ∈ } O quantitative social attributes in each social network and Ee O D q is the definition domain of µ q (tv). O O is the eth quantitative social attribute in E. (Ee) is the E normalized quantified value of quantitative attribute Ee while 4.2.3 The fuzzy rules πe is the weight of Ee. s The fuzzy logic rule for correlating the pth membership For example, in social network Ss, i j(Ee) is used to represent the quantifiable value of quantitativeE → attribute function in the kth input set with a corresponding qth output s membership function is defined as: Ee between entity i and j F . Thus their normalized s ∈ i s quantitative value can be calculated as k i j(Ee) i j(Ee) = IF The Qualitative Value of k belongs to A , s Es → s E → Rule k.p A Ip i j(Ee)/max( i p(Ee)), where, Fi is the friendship circle p F s THEN Trust Value is q. E → i E → O of entity i in∈ social network , as defined in Section 3.1. Ss For each qualitative social attribute k A, if its qualitative k A ∈ value belongs to pA=pm , the corresponding fuzzy rule k.pm is kI 4.2.2 The fuzzy sets used to map A to . We call the fuzzy rule, k.pm which Ipm Oqm The input independent fuzzy model enables the ability to is selected by the qualitative value of , as the matched rule. Ak calculate the membership of quantitative input variable over For each matched rule, the input membership grade µ Ak ( ), pm E unrelated input fuzzy sets, and use membership functions calculated according to the quantitative input variableI , can to represent the qualitative values in each qualitative social be used to truncate the corresponding membership functionE in attribute. can thus obtain their membership over any quali- the output fuzzy set. Thus, there is a truncated membership tative socialE attributes in each social network. More precisely, function in the output domain for each qualitative social each qualitative social attribute is defined as an input fuzzy attribute , in which the input membership function is Ak 7

selected by the matched rule k.pm: STor defines three membership functions for each input fuzzy ( set and use five membership functions in the output set. A A µ k ( ), µ qm (tv) µ k ( ) pm E O ≥ pm E For each qualitative social attribute , their qualitative µk.pm ( , tv) = I I k A A E µ qm (tv), µ qm (tv) < µ k ( ) (7) k pm values, A , are defined as: O O I E p A I where, D k [0, 1], tv D q [0, 1]. p m E ∈ I m ⊆ ∈ O ⊆  k  (POSITIVE) , p = 1 k k 4.2.4 The defuzzification process pA = (NEUT RAL) , p = 2 I  k (14) In the defuzzification process, the output trust value tv∗( ) (NEGAT IV E) , p = 3 E is calculated as the center of mass of a shape. The shape where, k A, p [1, 2, 3]. A ∈ ∈ is surrounded by the union of the truncated membership functions µ ( , tv) for all the considered qualitative social And the qualitative values of the output set, q, are: k.pm E O attributes k A and the tv axis in the output domain.  A ∈ LARGEST, q = 1 For each qualitative social attribute k=K , if its qualitative  A  LARGE, q = 2 value matches the rule K.pm, the positions in the tv axis  q = NORMAL, q = 3 weighted by the masses of the truncated membership function O  (15)  SMALL, q = 4 µK.pm ( , tv) can be computed as:  E  SMALLEST, q = 5 ( ) = R 1 tv ρ µ ( , tv)d(tv). (8) where, q [1, 2, 3, 4, 5]. MPK.pm E tv=0 × q × K.pm E ∈ and the total mass of this truncated membership function as: If the qualitative value of qualitative social attribute k be- k A 1 longs to (POSITIVE) , it indicates that this value will cause ( ) = R ρ µ ( , tv)d(tv). (9) MK.pm E tv=0 q × K.pm E a large trust value. If the value belongs to (NEGAT IV E)k, k Therefore, tv∗( ) can be computed as the center of the mass a small trust value will be yielded. (NEUT RAL) , unlike according to Greiner’sE algorithm [47]: the other two, will result in the intermediate trust value. In P the output set, both = LARGEST and = LARGE k.p ( ) 1 2 MP m E O O Ak∈A tv ( ) = P . (10) indicate larger trust values but with different magnitudes. In ∗ k.p ( ) E M m E Ak∈A contrast, 4 = SMALL and 5 = SMALLEST reflect different levelsO of small trust values.O Particularly, when only one social attribute K is used, its output trust value can be computed as: A Based on these definitions, following fuzzy rules for each qualitative social attribute k are designed: K.pm ( ) A tv ( ) = MP E . (11) A k∗=K,p=pm K.p ( ) k k E M m E IF The Qualitative Value of Ak belongs to I1 = POSITIVE , Rule k.1 i.O = LARGEST. Unlike the the center of gravity defuzzification algorithm THEN Trust Value is { 1 ii.O2 = LARGE. in the traditional fuzzy model [48], here a density constant Ak k IF The Qualitative Value of Ak belongs to I2 = NEUT RAL , ρq, which is associated with each of the corresponding output Rule k.2 THEN Trust Value is O3 = NORMAL. A membership function µ q (tv), is introduced to the center of k k O IF The Qualitative Value of Ak belongs to I3 = NEGAT IV E , mass algorithm in Eq. (8) and Eq. (9). ρq must satisfy the Rule k.3 i.O = SMALL. THEN Trust Value is { 4 following identical equation: ii.O5 = SMALLEST. R 1 R 1 As there is a very strong link between triangular plots ρqx µ q d(tv) ρqy µ q d(tv), tv=0 × O x ≡ tv=0 × O y (12) and most forms of social attributes [32], STor employs the where, q , q . ∀O x O y ⊆ O triangular membership function definition [49] to declare This equation guarantees that all the output membership func- membership functions both in input and output fuzzy sets. tions provide the same weight to the final trust value tv∗( ). k E Since fuzzy rules map (POSITIVE) to larger trust values As a larger leads to a higher trust value, the fuzzy sets k E while (NEGAT IV E) to smaller ones, and considering and rules should be designed to let function tv∗( ) be non- E larger yielding larger trust values, membership function decreasing, thus the inequality Eq. (13) should be satisfied. of (POSITIVEE )k should be increasing when increases k E 0 d(tv∗( )) and that of (NEGAT IV E) needs to be decreasing. For (tv∗( )) = d( )E 0. (13) k E E ≥ (NEUT RAL) , their membership function is designed to increases at first then goes down. By considering inequality 4.3 Application in STor Eq. (13), we thus define the membership functions in input In STor, each qualitative social attribute forms an input fuzzy fuzzy sets as follows: set, while only one output fuzzy set is used. Note that more membership functions declarations in a fuzzy set can lead to µ Ak ( ) = , [0, 1], I1 E E E ∈ finer-grained quantitative conversion. In our model, STor can  , [0, 0.5], µ Ak ( ) = E E ∈ (16) be designed with different numbers of membership functions 2 E 1 , [0.5, 1], I − E E ∈ in each input fuzzy set (i.e., the qualitative social attribute) µ Ak ( ) = 1 , [0, 1]. 3 E − E E ∈ and output fuzzy set to achieve different levels of conversion I accuracy for the trust value when necessary. As a case study, Similarly, the membership functions in the output fuzzy sets 8

, q [1, 2, 3, 4, 5] are defined as: Fig. 6(c) and 6(d) demonstrate that the rule K.3.ii can map all Oq ∈  the to smaller tv∗( ) and ( ) values than the rule K.3.i. 4 tv 3, tv [0.75, 1], E E MP E µ 1 (tv) = × − ∈ Therefore, there is a tendency to set rule K.3 as K.3.ii if the O 0, tv others, value NEGAT IV EK of qualitative social attribute  4 tv 2, tv ∈ [0.5, 0.75], k=K  has a stronger possibility of leading to a smaller trust value.A µ (tv) = 4 × 4 −tv, tv ∈ [0.75, 1], 2 STor is capable of including an unlimited number of qual- O  − × ∈ 0, tv others, itative and quantitative social attributes in the conversion of  4 tv 1, tv ∈ [0.25, 0.5],  × − ∈ the trust value. Table 1 lists 10 possible qualitative social µ (tv) = 3 4 tv, tv [0.5, 0.75], (17) 3 attributes that come from popular social networks on the O  − × ∈ 0, tv others, Internet, including Facebook, LinkedIn, MSN, and QQ. It  4 tv, tv ∈ [0, 0.25],  × ∈ also details which qualitative values taken from them can be µ (tv) = 2 4 tv, tv [0.25, 0.5], 4 classified into particular k . More qualitative social attributes O  − × ∈ pA 0, tv others, can be included in STorI even if they are not listed in the table.  1 4 tv, tv ∈ [0, 0.25], µ 5 (tv) = − × ∈ O 0, tv others. ∈ 4.4 Example of trust value calculation Fig. 5(a) and 5(b) illustrate the membership functions of In this example, only E = freq (i.e., the communication O 1 and in STor, respectively. frequency between two friends) and E = time (i.e., I 2 To meet the requirement of Eq. (12), ρq can be set as: the duration of their friendship) are considered as quantitative social attributes. Assuming that the same weight,  2, q = 1, q = 5 ρ = (18) π = π = 0.5, is assigned to each of them, then between q 1, q = 2, q = 3, q = 4. 1 2 E entities i and j in social network s can be calculated as s s s S Considering Eqs. (7-9), Eq. (11), and Eqs. (16-18), for i j = ( i j(freq) + i j(time))/2 according to Eqn. (4). each qualitative social attribute with each rule, , E → Es → E → s s k=K K.1.i Here, i j(freq) = i j(freq)/max( i p(freq)), A E → E → p F s E → K.1.ii, K.2, K.3.i and K.3.ii, ( ), ( ) and ∈ i K.pm K.pm s s s MP E M E i j(time) = i j(time)/max( i p(time)). tvk∗=K,p=p ( ) can be calculated as follows. Appendix A p F s m E E → E → i E → details the calculation process. In social network , only qualitative∈ social attributes = Ss A1 1 3 2 Major and 2 = Relationship are considered. Figs. 5(c)- K.1.i( ) = 48 ( + 9 21 ), [0, 1], A MP E − 3 E 2 E − E E ∈ 5(d) illustrate the input fuzzy sets with their membership K.1.ii( ) = 16 ( 2 ), [0, 1], MP E − 1 E 2 − E E ∈ functions for these two attributes. Their fuzzy rules are defined K.2( ) = 8 ( 2 ), [0, 0.5], MP E − 1 E2 − E E ∈ (19) below: K.2( ) = 8 ( 1), [0.5, 1], MP E −1 E2 − E ∈ IF Major belongs to SECURITY-RELATED, K.3.i( ) = 16 ( 1), [0, 1], Rule 1.1 MP E − 1 E 3− E ∈ THEN Trust Value is LARGE. K.3.ii( ) = ( 1), [0, 1], MP E − 48 E − E ∈ IF Major belongs to COMPUTER-RELATED, Rule 1.2 THEN Trust Value is NORMAL. ( ) = 1 ( 2 2 ), [0, 1], K.1.i 4 IF Major belongs to OTHERS, M (E ) =− 1 (E 2− 2E ), E ∈ [0, 1], Rule 1.3 K.1.ii 4 THEN Trust Value is SMALL. M E( ) =− 1E( 2− 2E ), E ∈ [0, 0.5], K.2 4 (20) M (E) = − 1 (E2 − 1)E, E ∈ [0.5, 1], IF Relationship belongs to RELATIVE, K.2 4 Rule 2.1 M E −1 2E − E ∈ THEN Trust Value is LARGEST. K.3.i( ) = 4 ( 1), [0, 1], M (E ) =− 1 (E 2− 1), E ∈ [0, 1]. IF Relationship belongs to SCHOOLMATE, K.3.ii 4 Rule 2.2 M E − E − E ∈ THEN Trust Value is NORMAL. 2+9 21 IF Relationship belongs to STRANGER, tvK.∗ 1.i( ) = E12( E−2) , [0, 1], Rule 2.3 E 3 E− E ∈ THEN Trust Value is SMALLEST. tvK.∗ 1.ii( ) = 4 , [0, 1], E 1 E ∈ In this definition, rules 1.1 and 1.3 adopt respective candidate tvK.∗ 2( ) = 2 , [0, 1], (21) E 1 E ∈ rules k.1.ii and k.3.i, while rule 2.1 and 2.3 implement tvK.∗ 3.i( ) = 4 , [0, 1], E 2+ +1 E ∈ respective candidates k.1.i and k.3.ii. This is due to social tvK.∗ 3.ii( ) = E12( E+1) , [0, 1]. E E E ∈ attribute 2 = Relationship possessing a stronger ability to Rule K.1 has two candidate rules, K.1.i and K.1.ii, to affect theA trust value. k k map each A = POSITIVE to = LARGEST and Figs. 7(a)-7(b) show the process of calculating the trust I1 O1 2 = LARGE, respectively. These two rules reflect different value through the input independent fuzzy model based on levelsO of a large trust that (POSITIVE)k can result in. As both qualitative and quantitative social attributes. Consider shown in Figs. 6(a)-6(b), rule K.1.i has the ability to convert entity i’s two friends, entities j1 and j2, entity j1 is a relative any of the to a higher tv∗( ) and ( ) than rule K.1.ii. and majors in network security while entity j2 is a stranger That is, candidateE rule K.1.iE can beMP usedE as rule K.1 when and majors in computer science. If both of them have the same K s s the value POSITIVE of qualitative social attribute k=K i j1 = i j2 = 0.75 with respect to entity i, the relative A E → E → s has a stronger possibility of leading to a larger trust value. (i.e., j1) will achieve a trust value of tvi j1 (0.75) = 0.8313 → Similarly, rule K.3 uses K.3.i and K.3.ii, which indicate while the stranger (i.e., j2) will only receive a trust value of k s (NEGAT IV E) can lead to different degrees of small trust. tvi j2 (0.75) = 0.375. → 9

1 1 1 1 SMALL LARGE NEGATIVE POSITIVE OTHERS STRANGER RELATIVE NORMAL SMALLEST LARGEST SECURITY-RELATED

μ(tv) 0.5 μ(Ɛ) 0.5 μ(Ɛ) 0.5 μ(Ɛ) 0.5

NEUTRAL SCHOOLMATE COMPUTER-RELATED The Input Independent Input Fuzzy Set Major Relationship 0 0 0 0 0 0.25 0.5 0.75 1 0 0.5 1 0 0.5 1 0 0.5 1 Quantitative Output: trust value(tv) Quantitative Input Variable(Ɛ) Quantitative Input Variable(Ɛ) Quantitative Input Variable(Ɛ) (a) The Output Fuzzy Set. (b) The Input Independent Input Fuzzy (c) The Input Fuzzy Set where the (d) The Input Fuzzy Set where the Set. attribute is A1 = Major. attribute is A2 = Relationship. Fig. 5. Membership Functions Definition in Fuzzy Sets.

0.3 1 ) 0.4 0.08 ) ) E ) E ( ( E E ( ( 0.3 0.06 =1 0.9 0.2 =3 =3 =1 Rule K.1.i Rule K.3.i Rule K.3.ii Rule K.3.i K,p 0.2 K,p 0.04 K,p = K,p Rule K.3.ii Rule K.1.i =

Rule K.1.ii k k = = 0.8 0.1 ∗ ∗ k k 0.1 0.02 tv tv Rule K.1.ii MP 0.7 0 0 MP 0 0 0.2 0.4 0.6 0.8 1 0 0.2 0.4 0.6 0.8 1 0 0.2 0.4 0.6 0.8 1 0 0.2 0.4 0.6 0.8 1 E E E E (a) tv∗(E) for rules K.1.i and K.1.ii. (b) MP(E) for rules K.1.i and (c) tv∗(E) for rules K.3.i and K.3.ii. (d) MP(E) for rules K.3.i and K.1.ii. K.3.ii.

Fig. 6. ( ) and tv∗( ) for a single social attribute with rules K.1 and K.3. MP E E Ak=K TABLE 1 Qualitative social attributes from existing social networks.

Ak k Ak k Ak k k Qualitative Attribute ( k) = (POSITIVE) = (NEUT RAL) = (NEGAT IV E) Source Social Network A I1 I2 I3 1 Major SECURITY-RELATED COMPUTER-RELATED OTHERS Facebook, LinkedIn 2 Relationship RELATIVE SCHOOLMATE STRANGER Facebook, LinkedIn, MSN 3 Career SECURITY-RELATED COMPUTER-RELATED OTHERS Facebook, LinkedIn 4 Recommendation POSITIVE NONE NEGATIVE LinkedIn 5 Citizenship FELLOW-CITIZEN NEUTRAL-CITIZEN ENEMY-CITIZEN Facebook, MSN, QQ 6 Geolocation SAME-CITY SAME-COUNTRY DIFFERENT-COUNTRY Facebook, QQ 7 Religion SAME RELIGION NO RELIGION DIFFERENT RELIGION Facebook 8 Political View SAME-VIEW NEUTRAL-VIEW DIFFERENT-VIEW Facebook 9 Hometown SAME-CITY SAME-COUNTRY DIFFERENT-COUNTRY Facebook 10 Position SAME-COMPANY NEUTRAL-COMPANY RIVAL-COMPANY Facebook,LinkedIn ......

5 EVALUATION simulate STor with 2, 500 user entities who run up STor In this section, we first adopt the Markov random graph routers. Each entity can also act as a STor user to acquire to model the architecture of STor with 2, 500 entities and anonymity service from its friends. Following the models deploy a testing network of Tor using PlanetLab nodes [50] to and methods presented in [52], we use the Markov random implement STor network. As a consequence, we randomize graph model (i.e., P* model with the Markov dependency) the social attributes of each entity in STor and calculate to represent the underlying friendship graph G in STor. In the trust scores among them with the help of the input accordance with [52], the friendship between two entities is independent fuzzy model and the trust propagation algorithm. established with an exponential family of distributions yielded By conducting the evaluations in both simulation and ex- by the Hammersley-Clifford theorem. Particularly, we follow periments over PlanetLab nodes, We show STor’s ability to the trilogy papers [53]–[55] to select parameters in these obtain secure anonymity and the impact on performance and exponential family of distributions. In this simulation setup, baseline anonymity. Moreover, a better scalability has been we finally establish the graph G of STor with 2, 500 friendship demonstrated in STor compared to Tor. circles Fi, where, 1974 Fi 1981. Beside that, Each entity is associated with≤ a value|| || ranging≤ in (0,10MB] as its bandwidth of the Tor or STor router. 5.1 Experiment Setup 5.1.1 Simulation 5.1.2 PlanetLab Platform As reported at the 5th Oct. 2011 in [51], there are about To evaluate STor using the Internet, a private Tor network was 2, 389 public routers in the Tor network. As a result, we set up in PlanetLab platform [50]. 101 PlanetLab nodes were 10

RELATIVE μ=0.75 LARGE NORMAL Input: Ɛ=0.75 Input: Ɛ=0.75 COMPUTER RELATED Rule 1.1: Rule 1.2: μ=0.25 IF Major is SECURITY-RELATED, IF Major is COMPUTER-RELATED, THEN Trust Value is LARGE THEN Trust Value is NORMAL

quantitative input variable(Ɛ) 0.75 trust value(tv) quantitative input variable(Ɛ) 0.75 trust value(tv) RELATED SECURITY LARGEST STRANGER SMALLST μ=0.75 Rule 2.1: IF Relationship is RELATIVE, Rule 2.3: μ=0.25 THEN Trust Value is LARGEST IF Relationship is STRANGER, THEN Trust Value is SMALLST

quantitative input variable(Ɛ) 0.75 trust value(tv) quantitative input variable(Ɛ) 0.75 trust value(tv) tv=0.8125 tv=0.9375

Center of Mass Defuzzification: tv=0.6875 Center of Mass Defuzzification: tv=0.1875 tv=0.3125 tv=0.6875

ρq=2=1 ρq=1=2 ρq=5=2 ρq=3=1 0 0.5 0.75 1 0 0.25 0.75 1

Output: tv*=0.8313 Output: tv*=0.375

A1 A1 (a) A1=Major, I1 =SECURITY-RELATED, A2=Relationship, (b) A1=Major, I2 =COMPUTER-RELATED, A2 A2 I1 =RELATIVE. A2=Relationship, I3 =STRANGER. Fig. 7. Fuzzification and Defuzzification process in the input independent fuzzy model.

0.85 0.8 0.8

0.84 0.75 0.6 Rule 1.1 + Rule 2.3

Rule 1.1 + Rule 2.1 ) ) ) E E E ( ( (

0.83 ∗ 0.7 0.4 ∗ Rule 1.1 + Rule 2.2 ∗ tv tv tv 0.82 0.65 0.2

0.81 0 0 0.2 0.4 0.6 0.8 1 0 0.2 0.4 0.6 0.8 1 0 0.2 0.4 0.6 0.8 1 E E E (a) Major is SECURITY-RELATED, (b) Major is SECURITY-RELATED, (c) Major is SECURITY-RELATED, Relationship is RELATIVE. Relationship is SCHOOLMATE. Relationship is STRANGER.

1 1 0.4

0.9 Rule 1.2 + Rule 2.2 0.3 ) ) ) E E Rule 1.2 + Rule 2.1 E ( ( 0.8 ( 0.5 0.2 ∗ ∗

∗ Rule 1.2 + Rule 2.3 tv tv tv 0.7 0.1

0 0 0 0.2 0.4 0.6 0.8 1 0 0.2 0.4 0.6 0.8 1 0 0.2 0.4 0.6 0.8 1 E E E (d) Major is COMPUTER-RELATED, (e) Major is COMPUTER-RELATED, (f) Major is COMPUTER-RELATED, Relationship is RELATIVE. Relationship is SCHOOLMATE. Relationship is STRANGER.

1 0.45 0.19

0.8 0.4 ) ) Rule 1.3 + Rule 2.1 ) 0.18 Rule 1.3 + Rule 2.3 E E E ( ( 0.6 0.35 ( ∗ ∗ ∗ tv tv Rule 1.3 + Rule 2.2 tv 0.17 0.4 0.3

0.2 0.25 0.16 0 0.2 0.4 0.6 0.8 1 0 0.2 0.4 0.6 0.8 1 0 0.2 0.4 0.6 0.8 1 E E E (g) Major is OTHERS, Relationship is (h) Major is OTHERS, Relationship is (i) Major is OTHERS, Relationship is RELATIVE. SCHOOLMATE. STRANGER. Fig. 8. Trust value for different Relationship and Major. randomly chosen from around the globe and installed with the code was modified to bypass the existing circuit selection Tor (V0.2.1.26). A node in Japan (133.15.59.1) was chosen as algorithm and insert a new selection method in line with the directory server and a node in Taiwan (140.109.17.181) Eq. (3). We have disabled the uptime based policies for exit was chosen as the an onion proxy. The remaining 99 nodes and entry nodes in the Tor as attackers are easy to bypass were set up as onion routers, which reported bandwidths from them by setting up malicious routers for a period of time to 21.9KB to 336.3KB to the directory server. The configuration receive trust. As a consequence, we choose 100 entities from option “TestingTorNetwork” was set to 1 to allow the nodes to the friendship graph G, which is generated in Section 5.1.1. work as an independent private Tor network. In addition, the These entities include at least one friendship circle Fi with function smartlist choose by bandwidth() in Tor’s source F = 99. Finally, we apply these entities to STor network || i|| 11 in PlanetLab nodes. [56]. Instead of the self-reporting approach, the opportunistic method allows directory servers to measure the authentic 5.2 Turst Score Calculation bandwidth provided by Tor routers. Therefore, random routers are considered to be malicious in this implementation, called The input independent fuzzy model, defined in section 4.2, is Opportunistic Tor. used to initialize the trust value in each directed link on the In STor, users utilize social networks to select trustwor- graph that is generated in Section 5.1.1. Only qualitative G thy routers from their friendship circles. Although friendship social attributes and are 1 = Major 2 = Relationship circles cannot guarantee to exclude all the malicious routers, considered in thisA case and the fuzzyA rules defined in section friends with smaller trust score are more likely to set up mali- 4.4 are adopted directly. Therefore, tv∗( ) can be calculated 1.pE1( )+ 2.p2( ) cious routers or possess vulnerable routers. Since STor allows according to Eq.(10) as tv∗( ) = MP E MP E , for E 1.p1( )+ 2.p2( ) users to establish circuits by taking the trust into consideration, all rules (1.p1 + 2.p2), p1, p2 [1, 2M, 3]. Fig.E 8M demonstratesE ∈ we use Practical STor, where routers with smaller trust score the trust values calculated by using the input independent are more likely to be malicious, to demonstrate the expected fuzzy model for different social attributes. A relative who implementation of STor. In contrast, the Theoretical STor, majors in network security obtains trust values ranging in in which malicious routers are excluded by users’ friendship around 0.81 to more than 0.83, but a stranger with an security circle, is used to show STor with the theoretically maximum major only receives trust values from less than 0.2 to about secure anonymity. 0.75. The relative always receives higher trust values than the stranger. When we consider another stranger who majors 5.3.1 Secure Anonymity in Simulation in literature arts (i.e., belongs to OTHERS), the trust values In the simulation, we conduct the experiments in four different drop to the range of [0.16, 0.19]. Moreover, with (i.e., the E malicious routers occupancies, representing 5%, 10%, 15% values of the quantitative social attributes) increasing, the trust and 20% candidate routers are malicious respectively. We value never decreases. We can thus observe that a higher trust regard a round of simulation as an user selecting a router in value will be obtained by the friend whose social attributes 1000 times and use the ratio of malicious routers to selected lead to more trustworthy. We therefore demonstrate that the routers, denoted as MR, in each round to measure secure input independent fuzzy model can correctly and effectively R anonymity. Therefore, smaller MR indicates better secure convert both quantitative and qualitative social attributes into R anonymity. Particularly, MR = 0 leads to the maximum trust values. secure anonymity. R In our experiment, we randomize the values of the quan- To evaluate the secure anonymity, we conduct 1000 rounds titative and qualitative social attributes between each two of simulation in different implementations of Tor and STor friends. After calculating the trust values by using the input over different malicious routers occupancies. Note that Prac- independent fuzzy model, we adopt the trust propagation tical STor fixes both ω, a parameter defined in Eqn.(3), and algorithm, which is proposed in Section 3.3, to generate the tsh, a threshold defined in section 3.5.2, to 0 in this evaluation. trust scores of each entity’s friends or friends of friends. Figs. 9(a)-9(d) show the CDF of secure anonymity, measured by MR, for different implementations of Tor and STor. 5.3 Experiment to Assess Secure Anonymity AmongR Original Tor, Opportunistic Tor and Practical STor, To evaluate the secure anonymity of Tor and STor, two although their secure anonymity decreases when the malicious different implementations of Tor and STor are considered and routers occupancy climbs from 5% to 20%, Practical STor outlined in Table 2. always shows much better secure anonymity than the other two (e.g., smaller than one tenth of MR compared with TABLE 2 that of Original Tor). Particularly, PracticalR STor gives out Different Implementations of Tor and STor. approximately MR = 0 distribution when 5% candidate routers are malicious,R thus demonstrating Practical STor can Implementation Description achieve around the maximum secure anonymity when the Original Tor Tor routers with higher self-reported bandwidth are maliciousmalicious routers occupancy is small. Beside that, Theoretical Opportunistic Tor Random Tor routers are considered to be malicious STor is constant to show the maximum secure anonymity (i.e., Practical STor Friends with smaller trust score are more likely to set up malicious routers MR = 0) regardless the malicious routers occupancies. That Theoretical STor Friendship circle excludes malicious routers isR because malicious routers are excluded by friendship circles. STor uses ω, a parameter defined in Eqn.(3), to balance the Originally, Tor routers self-report their available bandwidth secure anonymity and performance for the trust-based routers to directory servers for circuit establishment and attackers selection. A large ω puts more weight to bandwidth, but a can thus simply announce high bandwidth in order to launch small ω has more weight to the trust score. According to en- attacks. We regard this implementation as Original Tor, in tities with different trust score obtaining different bandwidth, which routers with higher bandwidth are considered to be we have two cases listed in Table 3. The Best Case is for malicious. This implementation illustrates the minimum secure entities outside of the friendship circle receive low bandwidth anonymity obtained by Tor. To mitigate the affects caused by and friends with high trust score possess high bandwidth the falsely high bandwidth announcement, an opportunistic routers inside the friendship circle, while the Worst Case is for bandwidth measurement algorithm has been proposed [27], entities outside of the friendship circle have high bandwidth 12

1 1 1 1

Original Tor Original Tor Opportunistic Tor Opportunistic Tor 0.5 Original Tor 0.5 Original Tor 0.5 0.5 CDF CDF CDF Practical STor CDF Practical STor Opportunistic Tor Opportunistic Tor Theoretical STor Theoretical STor Practical STor Practical STor Theoretical STor Theoretical STor 0 0 0 0 0 10% 20% 30% 40% 0 10% 20% 30% 40% 0 10% 20% 30% 40% 0 10% 20% 30% 40% The Ratio of Malicious Routers to Selected Routers The Ratio of Malicious Routers to Selected Routers The Ratio of Malicious Routers to Selected Routers The Ratio of Malicious Routers to Selected Routers (a) 5% Candidate Routers are Malicious. (b) 10% Candidate Routers are Malicious. (c) 15% Candidate Routers are Malicious. (d) 20% Candidate Routers are Malicious.

Fig. 9. The Ratio of Malicious Routers to Selected Routers (i.e., MR) of Tor and STor in Different Implementations. R

1 1 1 1

0.5 ω=0 0.5 ω=0 0.5 ω=0 0.5 ω=0 CDF CDF CDF ω=0.4 CDF ω=0.4 ω=0.4 ω=0.4 ω=0.7 ω=0.7 ω=0.7 ω=0.7 ω=1 ω=1 ω=1 ω=1 0 0 0 0 0 2% 4% 6% 8% 10% 12% 0 2% 4% 6% 8% 10% 12% 0 10% 20% 30% 40% 0 10% 20% 30% 40% The Ratio of Malicious Routers to Selected Routers The Ratio of Malicious Routers to Selected Routers The Ratio of Malicious Routers to Selected Routers The Ratio of Malicious Routers to Selected Routers (a) The Best Case when 5% Candidate (b) The Worst Case when 5% Candidate (c) The Best Case when 20% Candidate (d) The Worst Case when 20% Candidate Routers are Malicious. Routers are Malicious. Routers are Malicious. Routers are Malicious. Fig. 10. The Ratio of Malicious Routers to Selected Routers of Practical STor in Different ω.

TABLE 3 Different Cases for Trust Score and Bandwidth in Each Router.

Case Description

the Best Case Entities outside of the friendship circle possess low bandwidth routers and highly trusted friends with high bandwidth routers inside the friendship circle the Worst Case Entities outside of the friendship circle possess high bandwidth routers and highly trusted friends with low bandwidth routers inside the friendship circle and friends with high trust score obtain low bandwidth routers directory server to record which routers are used to establish inside the friendship circle. which circuits. The structure of Tor and STor have been In the evaluation of ω, tsh is set to 0. Figs. 10(a) and generated in Section 5.1.2. Unlike the simulation, we regard 10(b) show the MR for the Best Case and the Worst Case in a round of PlanetLab experiment as an user forming a circuit Practical STor withR different ω when 5% Candidate Routers with 3 routers in 1000 times and use the ratio of malicious are Malicious. With ω growing up from 0 to 1, the MR is circuits to formed circuits, denoted as MC, to measure secure sharply increasing from less than 0.5% to around 10%R in the anonymity. We consider a circuit as maliciousR if at least one Worst Case, whereas the MR is slightly increased in the Best router in this circuit is malicious. Case. Figs. 10(c) and 10(d)R illustrate the similar result when 20% Candidate Routers are Malicious. The effectiveness of ω in balancing the secure anonymity and performance for these two cases will be detailed in Section 5.4. Fig. 12(a) shows the secure anonymity, measured by MC, To obtain better secure anonymity in Practical STor at the for Original Tor, Opportunistic Tor, Practical STor andR The- cost of baseline anonymity, the trustworthy friendship circle, oretical STor when 20% candidate routers are malicious. defined in Section 3.5.2, can be used. More precisely, a trust Practical STor obtains less than one fifth of MC in the R score threshold, ths, can filter out friends with smaller trust comparison with Opportunistic Tor and less than one eighth score, which are more likely to deploy malicious or vulnerable of MC compared with Original Tor, thus demonstrating R routers. In the evaluation of tsh, ω is set to 0. Figs. 11(a)- much better secure anonymity. Theoretical STor still stays at 11(d) illustrate the secure anonymity, measured by MR, in = 0 as friendship circles exclude any malicious routers. R MC Practical STor when malicious routers occupancy is 5%, 10%, Figs.R 12(b) and 12(c) give out the secure anonymity for the 15% and 20%. Coupled with tsh growing up from 0 to 0.035, Best and Worst cases in different ω when malicious routers the MR drops to around 0%, even in the case that 20% occupancy is 20%. When ω increases from 0 to 1, the R MC candidate routers are malicious. We therefore observe that grows up from less than 10% to around 30% in theR Best higher tsh leads to better secure anonymity. The corresponding Case but to more than 70% in the Worst Case. The balance impact caused by tsh to the baseline anonymity will be between the secure anonymity and performance for these two elaborated in Section 5.5. cases over PlanetLab will be detailed in Section 5.4. Fig. 12(d) illustrates that better secure anonymity is achieved with higher 5.3.2 Secure Anonymity in Experiments over PlanetLab tsh, which filters more friends with low trust score. We obtain To conduct the experiments over PlanetLab platform, we the similar MC for tsh = 0.005, 0.015 and 0.025, because modify the source code of Tor (V0.2.1.26) to let the onion there are seldomR friends with trust score between 0.005 and proxy request to form circuits automatically and allow the 0.025 in the friendship circle. 13

1 1 1 1 ts =0 ts =0 ts =0 ts =0 h h h h ts =0.005 ts =0.005 ts =0.005 ts =0.005 h h h h 0.5 ts =0.015 0.5 ts =0.015 0.5 ts =0.015 0.5 ts =0.015 CDF CDF CDF CDF h h h h ts =0.025 ts =0.025 ts =0.025 ts =0.025 h h h h ts =0.035 ts =0.035 ts =0.035 ts =0.035 h h h h 0 0 0 0 0 1% 2% 3% 0 1% 2% 3% 0 1% 2% 3% 0 1% 2% 3% The Ratio of Malicious Routers to Selected Routers The Ratio of Malicious Routers to Selected Routers The Ratio of Malicious Routers to Selected Routers The Ratio of Malicious Routers to Selected Routers (a) 5% Candidate Routers are Malicious. (b) 10% Candidate Routers are Malicious. (c) 15% Candidate Routers are Malicious. (d) 20% Candidate Routers are Malicious.

Fig. 11. The Ratio of Malicious Routers to Selected Routers (i.e., MR) of Practical STor in Different ts . R h

1 1 1 1 ts =0 h ts =0.005 h ω ω=0 ts =0.015 0.5 0.5 =0 0.5 0.5 h CDF

Original Tor CDF CDF CDF ω ω Opportunistic Tor =0.4 =0.4 ts =0.025 ω ω=0.7 h Practical STor =0.7 ts =0.035 Theoretical STor ω=1 ω=1 h

0 0 0 0 0 20% 40% 60% 0 20% 40% 60% 80% 0 20% 40% 60% 80% 0 2% 4% 6% 8% The Ratio of Malicious Circuits to Formed Circuits The Ratio of Malicious Circuits to Formed Circuits The Ratio of Malicious Circuits to Formed Circuits The Ratio of Malicious Circuits to Formed Circuits

(a) Different Implementations in Tor and (b) Different ω in the Best Case. (c) Different ω in the Worst Case. (d) Different tsh in STor. STor.

Fig. 12. The Ratio of Malicious Circuits to Formed Circuits (i.e., MC) Obtained from PlanetLab Nodes when 20% Candidate Routers are Malicious. R

1 1 1 1 ω ω STor, ω=0 Practical STor, =0 Practical STor, =0 ω ω STor, ω=0.4 Practical STor, =0.4 Practical STor, =0.4 STor, ω=0 ω ω STor, ω=0.7 Practical STor, =0.7 Practical STor, =0.7 STor, ω=0.4 0.5 0.5 ω 0.5 Practical STor, ω=1 0.5 Practical STor, ω=1 CDF CDF CDF CDF STor, =1 STor, ω=0.7 Tor Tor Tor STor, ω=1 Tor

0 0 0 0 2 3 4 5 6 7 8 2 3 4 5 6 7 8 0 20 40 60 80 0 20 40 60 80 Average Bandwidth per 1000 Selected Routers (MB) Average Bandwidth per 1000 Selected Router (MB) Average Bandwidth per 1000 Formed Circuits (KB) Average Bandwidth per 1000 Formed Circuits (KB) (a) The Best Case in Simulation. (b) The Worst Case in Simulation. (c) The Best Case in Experiments over (d) The Worst Case Experiments over Plan- PlanetLab Nodes. etLab Nodes. Fig. 13. The Average Bandwidth per 1000 Selected Routers in Simulation (MBytes) and Experiments over PlanetLab Nodes (Kbytes).

2000 2000 80 1000 1500 800 60 1500 || || i || || i i 600 i

||F 1000

40 ||TF ||TF ||TF 1000 400 500 20 200 500 0 0 100 700 1300 1900 2500 ts 0 ts ts Size of STor 0 0.02 0.04 h 0.06 0.08 0.1 0 0.02 0.04 h 0.06 0.08 0.1 0 0.02 0.04 h 0.06 0.08 0.1

(a) Size of Friendship Circle (i.e., Fi ) in (b) Size of Trustworthy Friendship Circle (c) Size of Trustworthy Friendship Circle (d) Size of Trustworthy Friendship Circle || || different Size of STor. (i.e., TFi ) in different tsh when the (i.e., TFi ) in different tsh when the (i.e., TFi ) in different tsh when the || || || || || || Size of STor is 100. Size of STor is 1300. Size of STor is 2500. Fig. 14. Size of (Trustworthy) Friendship Circle (i.e., F or TF ) in different Size of STor and ts || i|| || i|| h

5.4 Experiment to Assess Performance with the ability to set up high bandwidth routers to participate 5.4.1 Performance in Simulation in STor when their friendship circle meets the Worst Case. In the simulation of performance, each router is randomly With the ω increasing from 0 to 1, the average bandwidth of assigned with a value in (0,10MB] as its bandwidth. The Practical STor decreases from about 8MB to around 6.5MB in average bandwidth for each round of simulation is calculated the Best Case while grows up from less than 2MB to around as the average value among 1000 selected routers. Figs. 13(a) 5MB in the Worst Case. In comparison with Figs. 10(c) and and 13(b) show the CDF of the average bandwidth for Tor 10(d), we can therefore observe that STor achieves the same and Practical STor over different ω in the Best and Worst trend of secure anonymity and performance for the Best Case, Cases. Since the friendship circle excludes routers with large while ω can help users obtain better anonymity in the sacrifice bandwidth in the Worst Case but eliminates small bandwidth of performance or vice versa. Particularly, lower ω leads to ones in the Best Case, Practical STor with ω = 1 (i.e., better performance (i.e., higher average bandwidth) and better selecting routers solely based on bandwidth in Practical STor) secure anonymity (i.e., lower MR) in Figs. 13(a) and 10(c), obtains smaller bandwidth distribution than Tor for the Worst respectively. That is because theR rate of trust score’s variance is Case, whereas larger bandwidth distribution for the Best Case. a little bit larger than that of bandwidth’s variance in our social Therefore, it is necessary for users to encourage more friends network model and larger rate of the variance leads to both 14

better performance and secure anonymity in the Best Case. routers are malicious, tsh = 0.035 can help STor reach around Note that, if the rate of bandwidth’s variance is larger than that the theoretically maximum secure anonymity (i.e., MR = 0). R of trust score’s variance, larger ω obtains better performance Meanwhile, this tsh = 0.035 facilitate STor with 2500 entities and secure anonymity in the Best Case. obtain a similar baseline anonymity as Tor with 1600 candidate routers. 5.4.2 Performance in Experiments over PlanetLab For the performance evaluation over PlanetLab platform, we 6 RELATED WORK regard the average bandwidth for each round as the average value among 1000 formed circuits. We consider the lowest Malicious router based attacks, such as correlation attacks bandwidth among 3 routers in a circuit as the bandwidth of [16]–[21], congestion attacks [22], disclosure attacks [23] this circuit. In Fig. 13(c), the average bandwidth of Practical and latency based client location attacks [24] etc., have STor is decreased from about 80KB to less than 65KB when demonstrated severe threats to the state-of-the-art anonymity the ω increases from 0 to 1 in the Best Case. By contrast, 13(d) networks. To launch these attacks, at least one malicious shows an escalating trend of the average bandwidth in Practical router is required to observe or manipulate the relayed traffic. STor with the ω growing up in the Worst Case. By comparing Particularly, the anonymity networks suffers a fundamental Figs. 12(b) and 12(c), we can see that STor achieves the same limit in protecting the baseline anonymity when attackers variation of secure anonymity and performance for the Best possess sufficient malicious routers to observe the traffic [57]. Case and larger rate of the variance leads to better results in To evade malicious routers, some pioneer mechanisms have this case. ω, on the other hand, can be used to help users been proposed [25], [27], [56], [58], [59]. Tor uses guard obtain better anonymity at the cost of performance and vice routers at the entry point and selects exit routers accord- versa for the worst case. It is in accordance to the simulation ing to the exit node policy to circumvent malicious routers results. Unlike that, experiments over PlanetLab nodes show [25]. This method relies on a group of directory servers to that Tor obtains a similar bandwidth distribution as Practical check each routers’ credibility only according to their up- STor with ω = 1. That is because, according to the setup that time. Furthermore, an opportunistic bandwidth measurement is elaborated in Section 5.1.2, the owners of Tor routers over algorithm has been proposed to replace the existing self- PlanetLab platform are all belong to the friendship circle of reporting method [27], [56], thus helping Tor users reduce STor in our experiments. the hurt caused by malicious routers that announce false bandwidth. Some reputation systems [58], [59], on the other hand, are designed to verify the correctness of each router in 5.5 Experiment to Assess Baseline Anonymity and MIX Cascade networks, thus potentially detecting malicious Scalability routers and making the circuits more reliable. However, these Both baseline anonymity and scalability can be measured by mechanisms cannot help anonymity networks achieve trust- the number of candidate routers. A large number of candidate based anonymous communication, because they have not taken routers provides a better baseline anonymity, but leads to a trust into consideration when selecting routers. worse scalability. STor confine candidate routers to users’ A pioneer security analysis for the Onion Routing has (trustworthy) friendship circle, thus Fi and TFi are implicitly indicated the necessary of trust-based routing al- effective to reflect the baseline anonymity|| || and scalability|| || of gorithm [60]. Furthermore, by understanding the importance STor. In this evaluation, the model used in Section 5.1.1 of the trust, the adversary models and routing algorithms is adopted to simulate STor with different number of user for the trust-based anonymous communication have been entities. The structure of STor in each size is generated for demonstrated [12], [13]. Unlike these studies that focus on 100 times. why the trust is necessary for anonymous communication, Fig. 14(a) demonstrates that, although Fi proportionally STor is a practical solution on how to introduce the trust to grows up when the size of STor increases|| from|| 100 to 2500, anonymous communication. Beside that, many studies [9]– the size of STor retains to be larger than Fi (i.e., Fi [11] have appeared to use peer-to-peer approaches for scal- is around 80% to the size of STor in our|| model).|| As|| || a able anonymous communication. They mainly focus on the result, STor receives a reduction in its baseline anonymity design of anonymous P2P lookup mechanisms in the scalable but an improvement for its scalability. However, the baseline architecture. Unlike that, the social network based trust model anonymity of STor can be enhanced with the inflation of STor. introduces trust-based scalability to anonymity networks. For instance, as STor with 2500 entities obtains an average of A number of fuzzy model based approaches have been 2000 friends in Fi, it shows the similar baseline anonymity as proposed to calculate the trust according to quantitative social Tor with 2000 candidate routers. properties and propagate the trust over the semantic web social As shown in Figs. 14(b)-14(d), the TF keeps a de- networks [61]–[65]. However, these studies calculate trust by || i|| creasing trend when tsh = 0 grows up to tsh = 0.1 in using the traditional fuzzy model, thus loosing the function- STor with 100, 1300 and 2500 user entities. By comparing ality to convert the qualitative social attributes. Moreover, a with Fig. 11, which shows large tsh helps STor obtain better basic model for the propagation of trust and distrust over a secure anonymity, we can thus observe that tsh is able to trust graph is proposed by [66], as well as the Friend-to-Friend help balance the secure anonymity (and the scalability) with networks (e.g., [67], [68]) have been designed to use the trust the baseline anonymity. Particularly, even when 20% candidate from real-world social networks for data sharing. STor, on the 15 other hand, introduces trust and trust propagation to anonymity [21] Y. Zhu, X. Fu, B. Graham, R. Bettati, and W. Zhao, “Correlation-based networks from the real-world social networks. traffic analysis attacks on anonymity networks,” IEEE Transactions on Parallel and Distributed Systems, 2009. [22] N. S. Evans, R. Dingledine, and C. Grothoff, “A practical congestion attack on Tor using long paths,” in Proc. USENIX Security, 2009. 7 CONCLUSIONS [23] D. AGRAWAL and D. KESDOGAN, “Measuring anonymity: the dis- We have proposed a novel social network based trust model for closure attack,” IEEE security & privacy, 2003. [24] N. HOPPER, E. Y. VASSERMAN, and E. CHAN-TIN, “How much trust-based anonymous communication. This model determine anonymity does network latency leak?” ACM Transactions on Informa- trust relationships from real-world social networks. More tion and System Security, 2010. precisely, an input independent fuzzy model has been devised [25] “Tor path selection specification,” http://tor.hermetix.org/svn/trunk/doc/ spec/path-spec.txt. and used to convert both quantitative and qualitative social [26] M. Wright, M. Adler, B. N. Levine, and C. Shields, “Defending attributes into trust values in various social networks. We anonymous communication against passive logging attacks,” in Proc. also propose a trust propagation algorithm to propagate trust IEEE Symp. Security and Privacy, 2003. [27] R. Snader and N. Borisov, “A tune-up for Tor: Improving security and over the anonymity networks. By applying this trust model performance in the Tor network,” in Proc. NDSS, 2008. to the Tor network, we have designed STor, a social network [28] “The great firewall reveale,” http://www.internetfreedom.org/files/ based Tor. Extensive experimental results have demonstrated WhitePaper/ChinaGreatFirewallRevealed.pdf. [29] “Tor: Bridges,” https://www.torproject.org/docs/bridges. that STor is effective in helping users circumvent malicious [30] P. Mittal, F. Olumofin, C. Troncoso, N. Borisov, and I. Goldberg, “PIR- routers in a distributed style. With the help of trusted friends, Tor: Scalable anonymous communication using private information STor users obtain secure anonymity without inducing severe retrieval,” in Proc. USENIX Security, 2011. [31] M. J. Smithson and J. Verkuilen, Fuzzy Set Theory: Applications in the performance and baseline anonymity degradation. This social Social Sciences, 1st, Ed. Sage Publications, 2006. network based trust model can be widely adopted to introduce [32] C. C. Ragin, Fuzzy-set social science. The University of Chicago Press, trust to other anonymity networks. 2000. [33] J. Douceur, “The Sybil attack,” in Proc. IPTPS, 2002. [34] B. Viswanath, A. Post, K. P. Gummadi, and A. Mislove, “An analysis of EFERENCES social network-based Sybil defenses,” in Proc. ACM SIGCOMM, 2010. R [35] A. Mohaisen, N. J. Hopper, and Y. Kim, “Keep your friends close: [1] D. Chaum, “Untraceable electronic mail, return addresses, and digital Incorporating trust into social network-based Sybil defenses,” in Proc. pseudonyms,” Communications of the ACM, 1981. IEEE INFOCOM, 2011. [2] D. Goldschlag, M. Reedy, and P. Syverson, “Onion routing for anony- [36] C. Lesniewski-Laas and M. F. Kaashoek, “Whanau:¯ A Sybil-proof mous and private Internet connections,” Communications of the ACM, distributed hash table,” in Proc. USENIX NSDI, 2010. 1999. [37] N. Tran, J. L. B. Min, and L. Subramanian, “Sybil-resilient online [3] M. Reiter and A. Rubin, “Crowds: Anonymity for web transactions,” content voting,” in Proc. USENIX NSDI, 2009. ACM Transactions on Information and System Security, 1998. [38] G. Danezis and P. Mittal, “SybilInfer: Detecting Sybil nodes using social [4] P. Boucher, I. Goldberg, and A. Shostack, “Freedom system 2.0 archi- networks,” in Proc. IEEE Symp. Security and Privacy, 2009. tecture,” http://www.freedom.net/info/whitepapers/, 2000. [39] H. Yu, P. B. Gibbons, M. Kaminsky, and F. Xiao, “SybilLimit: A near- [5] O. Berthold, H. Federrath, and S. Kopsell,¨ “Web mixes: A system optimal social network defense against Sybil attacks,” in Proc. IEEE for anonymous and unobservable Internet access,” in Proc. Designing Symp. Security and Privacy, 2008. Privacy Enhancing Technologies, 2000. [40] H. Yu, M. Kaminsky, P. B. Gibbons, and A. Flaxman, “SybilGuard: [6] C. Gulcu and G. Tsudik, “Mixing E-mail with Babel,” in Proc. NDSS, Defending against Sybil attacks via social networks,” in Proc. ACM 1996. SIGCOMM, 2006. [7] G. Danezis, R. Dingledine, and N. Mathewson, “Mixminion: Design of [41] Y. Boshmaf, K. Beznosov, and M. Ripeanu, “Automated social engi- a type iii anonymous remailer protocol,” in Proc. IEEE Symp. Security neering attacks in OSNs,” in The Office of the Privacy Commissioner of and Privacy, 2003. Canada (Ottawa), 2010. [8] R. Dingledine, N. Mathewson, and P. Syverson, “Tor: The second- [42] M. Balduzzi, C. Platzer, T. Holz, E. Kirda, D. Balzarotti, and C. Kruegel, generation onion router,” in Proc. USENIX Security, 2004. “Abusing social networks for automated user profiling,” in Proc. RAID, [9] J. McLachlan, A. Tran, N. Hopper, and Y. Ki, “Scalable onion routing 2010. with Torsk,” in Proc. ACM CCS, 2009. [43] L. Zadeh, “Fuzzy sets,” Information and Control, 1965. [10] A. Panchenko, S. Richter, and A. Rach, “Nisan: network information [44] M. R. Garey and D. S. Johnson, Computers and Intractability: A Guide service for anonymization networks,” in Proc. ACM CCS, 2009. to the Theory of NP-Completeness. W. H. Freeman & Co. New York, [11] Q. Wang, P. Mittal, and N. Boriso, “In search of an anonymous and NY, USA, 1979. secure lookup: attacks on structured peer-to-peer anonymous communi- [45] M. Sniedovich, “Dijkstra’s algorithm revisited: The dynamic program- cation systems,” in Proc. ACM CCS, 2010. ming connexion,” Control and Cybernetics, 2006. [12] A. Johnson and P. Syverson, “More anonymous onion routing through [46] R. Jansen, N. Hopper, and Y. Ki, “Recruiting new Tor relays with trust,” in Proc. IEEE CSF, 2009. braids,” in Proc. ACM CCS, 2010. [13] P. Syverson, A. Johnson, R. Dingledine, and N. Mathewson, “Trust- [47] W. Greiner, “Center of gravity,” Classical Mechanics, 2010. based anonymous communication: Adversary models and routing algo- [48] E. V. Broekhoven and B. D. Baet, “Fast and accurate center of gravity rithms,” in Proc. ACM CCS, 2011. defuzzification of fuzzy system outputs defined on trapezoidal fuzzy [14] I. Goldberg, “On the security of the Tor authentication protocol,” in partitions,” Fuzzy Sets and Systems, 2006. Proc. PET, 2006. [49] W. Pedrycz, “Why triangular membership functions?” Fuzzy Sets and [15] “Who uses Tor,” http://www.torproject.org/about/torusers.html.en. Systems, 1994. [16] S. Murdoch and G. Danezis, “Low-cost traffic analysis of Tor,” in Proc. [50] “PlanetLab,” http://www.planet-lab.org. IEEE Symp. Security and Privacy, 2005. [51] “Tor Network Status,” http://torstatus.blutmagie.de. [17] L. Øverlier and P. Syverson, “Locating hidden servers,” in Proc. IEEE [52] P. Carrington, J. Scott, and S. Wasserman, Models and Methods in Social Symp. Security and Privacy, 2006. Network Analysis, 1st, Ed. New York: Cambridge University Press, [18] K. Bauer, D. McCoy, D. Grunwald, T. Kohno, and D. Sicker, “Low- 2005. resource routing attacks against Tor,” in Proc. ACM Workshop on [53] S. Wasserman and P. Pattison, “Logit models and logistic regressions Privacy in the Electronic Society, 2007. for social networks: I.an introduction to markov random graphs and [19] X. Fu and Z. Ling, “One cell is enough to break Tor’s anonymity,” in p*.” Psychometrika, 1996. Black Hat DC, 2009. [54] P. Pattison and S. Wasserman, “Logit models and logistic regressions [20] Z. Ling, J. Luo, W. Yu, X. Fu, D. Xuan, and W. Jia, “A new cell counter for social networks: Ii.multivariate relations.” British Journal of Mathe- based attack against Tor,” in Proc. ACM CCS, 2009. matical and Statistical Psychology, 1999. 16

[55] G. L. Robins, P. Pattison, and S. Wasserman, “Logit models and logistic Rule K.1.ii regressions for social networks, iii. valued relations.” Psychometrika, 1999. For a single social attribute, k=K , with its matched rule, k=K A [56] R. Snader and N. Borisov, “Improving security and performance in K.1.ii, input fuzzy set 1A is mapped to output fuzzy set the Tor network through tunable path selection,” IEEE Transactions on I . Based on Eq. (16) and Eq. (17), µ A ( ) = , Dependable and Secure Computing 2 k=K , 2010. O I1 E E E ∈ [57] D. Kesdogan, D. Agrawal, V. Pham, and D. Rautenbach, “Fundamental [0, 1], µ 2 (tv) = 4 tv 2, tv [0.5, 0.75] and µ 2 (tv) = limits on the anonymity provided by the mix technique,” in Proc. IEEE O × − ∈ O 4 4 tv, tv [0.75, 1]. Thus, µK.1.ii( , tv) can be computed Symp. Security and Privacy, 2006. − × ∈ E [58] R. Dingledine, M. J. Freedman, D. Hopwood, and D. Molna, “A repu- according to Eq. (7) as: tation system to increase mix-net reliability,” in Proc. The International  1 +2 Workshop on Information Hiding, 2001. 4 tv 2, 2 tv E 4  × − +2≤ ≤ 4 [59] R. Dingledine and P. Syverson, “Reliable MIX cascade networks through µK.1.ii( , tv) = , E 4 tv −E4 reputation,” in Financial Cryptography, 2003. E E 4 ≤ ≤  4 4 tv, −E tv 1 [60] C. Landwehr, M. Reed, P. Syverson, and G. Tsudik, “Towards and 4 [0, 1], tv [0.5, 1]−. × ≤ ≤ analysis of onion routing security,” in Proc. Workshop on Design Issues E ∈ ∈ in Anonymity and Unobservability, 2000. As ρ = 1 is defined in Eq. (18), ( ) can be [61] J. Sabater and C. Sierra, “Reputation and social network analysis in q=2 MPK.1.ii E multi-agent systems,” in Proceedings of the First Int. Joint Conference calculated according to Eq. (8) as: on Autonomous Agents and Multiagent Systems, 2002. E+2 [62] M. Lesani and S. Bagheri, “Fuzzy trust inference in trust graphs and R 4 K.1.ii( ) = 1 (tv ρq=2 (4 tv 2))d(tv) its application in semantic web social networks,” in Proc. Automation 2 MP E E × × × − Congress, 2006. R 4 4 + E+2− (tv ρq=2 )d(tv) [63] S. Kim and S. Han, “The method of inferring trust in web-based social 4 × × E network using fuzzy,” in Proc. The International Workshop on Machine R 1 3 2 + 4−E (tv ρq=2 (4 4 tv))d(tv) = 16 ( 2 ). Intelligience Research, 2009. 4 × × − × − E − E [64] M. Lesani and S. Bagheri, “Fuzzy trust aggregation and personalized Considering Eq. (9), ( ) can be determined to be: trust inference in virtual social networks,” Computational Intelligence, MK.1.ii E 2009. E+2 R 4 [65] M. Lesani and S. Bagheri, “Applying and inferring fuzzy trust in K.1.ii( ) = 1 (ρq=2 (4 tv 2))d(tv) semantic web social networks,” Semantic Web and Beyond, 2006. M E 2 × × − 4 E [66] R. Guha, R. Kumar, P. Raghavan, and A. Tomkins, “Propagation of trust R 4 + E+2− (ρq=2 )d(tv) and distrust,” in Proc. WWW, 2004. 4 × E 1 [67] B. Popescu, B. Crispo, and A. Tanenbaum, “Safe and private data sharing R 1 2 + 4−E (ρq=2 (4 4 tv))d(tv) = 4 ( 2 ). with Turtle: Friends team-up and beat the system,” in Proc. Cambridge 4 × − × − E − E Workshop on Security Protocols, 2004. Therefore, Eq. (11) can be used to calculate tv∗ ( ) as: [68] T. Isdal, M. Piatek, A. Krishnamurthy, and T. Anderson, “Privacy- K.1.ii E preserving P2P data sharing with OneSwarm,” in Proc. ACM SIG- K.1.ii( ) 3 tv ( ) = MP E = . COMM, 2010. K.∗ 1.ii K.1.ii( ) 4 E M E

Rule K.2 APPENDIX A For a single social attribute, k=K , with its matched rule, Rule K.1.i k=K A K.2, input fuzzy set A is mapped to output fuzzy set . I2 O3 For a single social attribute, k=K , with its matched rule, Based on Eq. (16) and Eq. (17), µ Ak=K ( ) = , [0, 0.5], k=K A I2 E E E ∈ K.1.i, input fuzzy set A is mapped to output fuzzy set A 1 µ k=K ( ) = 1 , [0.5, 1], µ 3 (tv) = 4 tv 1, tv I 2 E −E E ∈ O × − ∈ 1. Based on Eq. (16) and Eq. (17), µ Ak=K ( ) = , I O 1 E E E ∈ [0.25, 0.5] and µ 2 (tv) = 3 4 tv, tv [0.5, 0.75]. Thus, and I . Thus, O − × ∈ [0, 1] µ 1 (tv) = 4 tv 3, tv [0.75, 1] µK.2( , tv) can be computed according to Eq. (7) when µ ( , tv)Ocan be computed× according− to∈ Eq. (7): E E ∈ K.1.i E [0, 0.5] as:  +3 , E tv 1  1 +1 4 4 tv 1, 4 tv E 4 µK.1.i( , tv) = E 3 ≤ ≤+3  × − +1≤ ≤ 3 E 4 tv 3, tv E µ ( , tv) = , E tv −E × − 4 ≤ ≤ 4 K.2 E E 4 ≤ ≤ 4 [0, 1], tv [0.75, 1].  3 4 tv, 3 tv 3 E ∈ ∈ −E4 4 [0, 0.5], tv [0−.25,×0.75]. ≤ ≤ As ρq=1 = 2 is defined in Eq. (18), K.1.i( ) can be E ∈ ∈ MP E calculated according to Eq. (8) as: And when [0.5, 1] as E ∈ E+3  1 2 R 4 4 tv 1, tv −E K.1.i( ) = 3 (tv ρq=1 (4 tv 3))d(tv)  4 4 MP E 4 × × × − × − 2 ≤ ≤ 2+ R 1 1 3 2 µK.2( , tv) = 1 , −E4 tv 4E + E+3 (tv ρq=1 )d(tv) = ( + 9 21 ). E − E 2+ ≤ ≤ 3 4 48  3 4 tv, E tv × × E − E E − E − × 4 ≤ ≤ 4 Considering Eq. (9), ( ) can be determined to be: [0.5, 1], tv [0.25, 0.75]. MK.1.i E E ∈ ∈ R 1 As ρq=3 = 1 is defined in Eq. (18), K.2( ) can be K.1.i( ) = E+3 (ρq=1 )d(tv) MP E 4 calculated according to Eq. (8) as follows. When [0, 0.5]: M E+3 E × E R 4 1 2 E ∈ + 3 (ρq=1 (4 tv 3))d(tv) = ( 2 ). E+1 4 4 R 4 × × − − E − E K.2( ) = 1 (tv ρq=3 (4 tv 1))d(tv) MP E 4 × × × − 3 E Therefore, Eq. (11) can be used to calculate tvK.∗ 1.i( ) as: R − 4 E + E+1 (tv ρq=3 )d(tv) 4 2 3 × × E K.1.i( ) +9 21 tv∗ ( ) = MP E = E E− . R 4 1 2 K.1.i K.1.i( ) 12( 2) + 3−E (tv ρq=3 (3 4 tv))d(tv) = 8 ( 2 ). E M E E− 4 × × − × − E − E 17

And when [0.5, 1]: Rule K.3.ii E ∈ 2−E R 4 For a single social attribute, k=K , with its matched rule, K.2( ) = 1 (tv ρq=3 (4 tv 1))d(tv) k=K A 4 M 2+EE × × × − K.3.ii, input fuzzy set 3A is mapped to output fuzzy set R 4 I + 2−E (tv ρq=3 (1 ))d(tv) 5. Based on Eq. (16) and Eq. (17), µ Ak=K ( ) = 1 , 4 3 3 × × − E O I E −E E ∈ R 4 1 2 [0, 1] and µ 5 (tv) = 1 4 tv, tv [0, 0.25]. Thus, + 2+E (tv ρq=3 (3 4 tv))d(tv) = 8 ( 1). O − × ∈ 4 × × − × − E − µ ( , tv) can be computed according to Eq. (7) as: K.3.ii E Considering Eq. (9), K.2( ) can be determined as below.  M E 1 , 0 tv E4 When [0, 0.5]: µK.3.ii( , tv) = − E ≤ ≤ 1 E 1 4 tv, E tv E ∈ E+1 4 4 R 4 − × ≤ ≤ K.2( ) = 1 (ρq=3 (4 tv 1))d(tv) [0, 1], tv [0, 0.25]. M E 4 × × − E ∈ ∈ 3 E R 4 As ρ = 2 is defined in Eq. (18), ( ) can be + E+1− (ρq=3 )d(tv) q=5 K.3.ii 4 MP E 3 × E calculated according to Eq. (8) as: R 4 1 2 + 3−E (ρq=3 (3 4 tv))d(tv) = 4 ( 2 ). E 4 × − × − E − E R 4 K.3.ii( ) = 0 (tv ρq=5 (1 ))d(tv) And when [0.5, 1]: MP1 E × × − E R 4 1 3 E ∈ 2−E + E (tv ρq=4 (1 4 tv))d(tv) = (1 ). 4 48 R 4 × × − × − − E K.2( ) = 1 (ρq=3 (4 tv 1))d(tv) 4 M 2+EE × × − Considering Eq. (9), K.3.ii( ) can be determined to be: R 4 M E + 2−E (ρq=3 (1 ))d(tv) E 4 × − E R 4 3 ( ) = (ρ (1 ))d(tv) R 4 1 2 K.3.ii 0 q=5 + (ρ (3 4 tv))d(tv) = ( 1). M 1 E × − E 2+E q=3 4 R 4 1 4 2 × − × − E − + E (ρq=4 (1 4 tv))d(tv) = 4 (1 ). 4 × − × − − E Therefore, Eq. (11) can be used to calculate tvK.∗ 2( ) as E Therefore, Eq. (11) can be used to calculate tv∗ ( ) as: follows. When [0, 0.5]: K.3.ii E E ∈ 2 ( ) 1 ( 2 2 ) K.3.ii( ) + +1 K.2 8 1 tv∗ ( ) = MP E = E E . tv∗ ( ) = MP E = − 1 E2− E = . K.3.ii K.3.ii( ) 12( +1) K.2 K.2( ) ( 2 ) 2 E E M E − 4 E − E M E E And when [0.5, 1]: E ∈ 1 2 K.2( ) 8 ( 1) 1 tv∗ ( ) = MP E = − 1 E2− = . K.2 K.2( ) ( 1) 2 E M E − 4 E − 1 Thus tv∗ ( ) = , [0, 1]. K.2 E 2 E ∈ Rule K.3.i

For a single social attribute, k=K , with its matched rule, k=K A K.3.i, input fuzzy set A is mapped to output fuzzy set I3 4. Based on Eq. (16) and Eq. (17), µ Ak=K ( ) = 1 , O I3 E −E E ∈ [0, 1], µ 4 (tv) = 4 tv, tv [0, 0.25] and µ 4 (tv) = 2 O × ∈ O − 4 tv, tv [0.25, 0.5]. Thus, µK.3.i( , tv) can be computed according× to∈ Eq. (7) as: E  1 4 tv, 0 tv −E4  × 1 ≤ ≤ 1+ µK.3.i( , tv) = 1 , −E4 tv 4E E  − E 1+ ≤ ≤ 1 2 4 tv, 4E tv 2 [0, 1], tv [0, 0.−5]. × ≤ ≤ E ∈ ∈ As ρq=4 = 1 is defined in Eq. (18), K.3.i( ) can be calculated according to Eq. (8) as: MP E 1−E R 4 K.3.i( ) = 0 (tv ρq=4 (4 tv))d(tv) MP1−E E × × × R 4 + 1+E (tv ρq=4 (1 ))d(tv) 4 1 × × − E R 2 1 2 + 1+E (tv ρq=4 (2 4 tv))d(tv) = 16 (1 ). 4 × × − × − − E Considering Eq. (9), K.3.i( ) can be determined to be: 1−EM E R 4 K.3.i( ) = 0 (ρq=4 (4 tv))d(tv) M 1−E E × × R 4 + 1+E (ρq=4 (1 ))d(tv) 4 1 × − E R 2 1 2 + 1+E (ρq=4 (2 4 tv))d(tv) = 4 (1 ). 4 × − × − − E Therefore, Eq. (11) can be used to calculate tv∗ ( ) as: K.3.i E K.3.i( ) 1 tv ( ) = MP E = . K.∗ 3.i K.3.i( ) 4 E M E