Correlation Attacks

Deanonymization Through Pattern Matching

How Correlation Works

Correlation attacks match traffic entering an anonymity network with traffic exiting it. If an adversary can observe both ends, they can statistically link users to their activities despite encryption.

Attack Model
User ──[Enter Tor]──► [Tor Network] ──[Exit]──► Destination
  │                                                │
  └──────── Adversary observes both ───────────────┘
           (timing, volume, patterns)

Attack Types

  • Timing Correlation (passive): match packet timing at entry and exit
  • Volume Correlation (statistical): match data amounts transferred
  • Traffic Watermarking (active): inject patterns into traffic flow
  • Website Fingerprinting (ML-based): identify sites by traffic patterns

Global Adversaries

Threat Level: Nation-state adversaries who can observe significant portions of internet infrastructure pose the greatest correlation attack risk. Five Eyes nations have extensive network observation capabilities.

Mitigations

  • Use cover traffic (constant data streams)
  • Randomize activity timing
  • Use high-latency mix networks for non-real-time traffic
  • Don't use Tor from identifiable locations
  • Long-lived connections reduce sampling
  • Consider I2P for internal services
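
The effect of the cover-traffic mitigation can be measured on synthetic data. The following is an added example, not part of the original page: it compares how strongly a constructed bursty flow correlates between entry and exit with no padding, with partial padding, and with constant-rate padding, and reports what constant-rate padding costs. All function names, rates, window counts and traffic values are assumptions chosen for illustration.

```python
import random
from statistics import mean, pstdev

def pearson(a, b):
    # A constant series carries no timing signal: report zero correlation.
    sa, sb = pstdev(a), pstdev(b)
    if sa == 0 or sb == 0:
        return 0.0
    ma, mb = mean(a), mean(b)
    return sum((x - ma) * (y - mb) for x, y in zip(a, b)) / (len(a) * sa * sb)

def best_lag_corr(entry, exit_, max_lag=5):
    # Best match over small network delays between the two observation points.
    return max(pearson(entry[:len(entry) - k], exit_[k:]) for k in range(max_lag + 1))

def user_flow(rng, windows=2000, burst_prob=0.15):
    # Constructed traffic: cells per time window, idle with occasional bursts.
    return [rng.randint(10, 40) if rng.random() < burst_prob else 0 for _ in range(windows)]

def exit_view(rng, flow, delay=2, jitter=3):
    # Exit side: the same cells, delayed, with small count noise.
    shifted = [0] * delay + flow[:-delay]
    return [c + rng.randint(-jitter, jitter) if c else 0 for c in shifted]

def constant_rate(flow, rate=8):
    # Send exactly `rate` cells per window: real cells queue, dummies fill gaps.
    queue = dummies = peak = 0
    for c in flow:
        queue += c
        sent = min(queue, rate)
        queue -= sent
        dummies += rate - sent
        peak = max(peak, queue)
    return [rate] * len(flow), dummies, peak

def evaluate(seed=1):
    rng = random.Random(seed)
    flow = user_flow(rng)
    exit_ = exit_view(rng, flow)
    wire, dummies, peak = constant_rate(flow)
    floor_padded = [max(c, 20) for c in flow]  # partial cover: pad up to 20 only
    return {"unpadded": best_lag_corr(flow, exit_),
            "floor_padding": best_lag_corr(floor_padded, exit_),
            "constant_rate": best_lag_corr(wire, exit_),
            "dummy_cells": dummies, "peak_queue": peak}

if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name:14} {value}")
```

Partial padding still leaks because bursts above the floor remain visible on the wire; constant-rate padding removes the signal, at the price of dummy bandwidth and queueing delay for real cells.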