Defending Against Deep Learning-Based Traffic Fingerprinting Attacks With Adversarial Examples
Article No.: 1, Pages 1 - 23
Abstract
In an increasingly digital and interconnected world, online anonymity and privacy are paramount issues for Internet users. To address this, tools like The Onion Router (Tor) offer anonymous and private communication by routing traffic through multiple relays with multiple layers of encryption. However, traffic fingerprinting attacks have threatened anonymity and privacy. In response, the community has proposed additional defenses for Tor, but fingerprinting techniques that utilize deep neural networkss (DNNs) have undermined many of these defenses. The latest defenses that are both lightweight and robust against DNNs use adversarial examples, but these defenses require either the full traffic trace beforehand or a database of pre-computed adversarial examples. We propose Prism, a defense against fingerprinting attacks that utilizes adversarial examples with neither prior access to the full traffic trace nor a database. We describe a novel method of adversarial example generation as input is learned over time. Prism injects these adversarial examples into the Tor traffic stream to prevent DNNs from accurately classifying both websites and videos that a user is viewing, even if the DNN is hardened by adversarial training. We also show that the Tor network could implement Prism entirely on relays under certain conditions, extending the defense to users who may run Tor on devices without graphics processing units.
References
[1]
Armon Barton. 2018. Defending Neural Networks Against Adversarial Examples. Ph. D. Dissertation. University of Texas Arlington, Arlington, TX.
[2]
Armon Barton and Matthew Wright. 2016. DeNASA: Destination-naive AS-awareness in anonymous communications. Proceedings on Privacy Enhancing Technologies 2016, 4 (2016), 356–372.
[3]
Sanjit Bhat, David Lu, Albert Kwon, and Srinivas Devadas. 2019. Var-CNN: A data-efficient website fingerprinting attack based on deep learning. Proceedings on Privacy Enhancing Technologies 2019, 4 (2019), 292–310.
[4]
Tom B. Brown, Dandelion Mané, Aurko Roy, Martín Abadi, and Justin Gilmer. 2018. Adversarial patch. arxiv:1712.09665 [cs.CV] (2018). https://arxiv.org/abs/1712.09665
[5]
Xiang Cai, Rishab Nithyanand, Tao Wang, Rob Johnson, and Ian Goldberg. 2014. A systematic approach to developing and evaluating website fingerprinting defenses. In Proceedings of the ACM Conference on Computer and Communications Security. ACM, New York, NY, USA, 227–238.
[6]
Xiang Cai, Xincheng Zhang, Brijesh Joshi, and Rob Johnson. 2012. Touching from a distance: Website fingerprinting attacks and defenses. In Proceedings of the ACM Conference on Computer and Communications Security. ACM, New York, NY, USA, 605–616.
[7]
Carlos Campuzano. 2021. Towards Video Fingerprinting Attacks over Tor. Master’s Thesis. Naval Postgraduate School, Monterey, CA.
[8]
Giovanni Cherubin, Rob Jansen, and Carmela Troncoso. 2022. Online website fingerprinting: Evaluating website fingerprinting attacks on Tor in the real world. In Proceedings of the USENIX Security Symposium. 753–770.
[9]
Xinhao Deng, Qilei Yin, Zhuotao Liu, Xiyuan Zhao, Qi Li, Mingwei Xu, Ke Xu, and Jianping Wu. 2023. Robust multi-tab website fingerprinting attacks in the wild. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 1005–1022.
[10]
Roger Dingledine, Nick Mathewson, and Paul Syverson. 2004. Tor: The second-generation onion router. In Proceedings of the USENIX Security Symposium, Vol. 4. 303–320.
[11]
Kevin P. Dyer, Scott E. Coull, Thomas Ristenpart, and Thomas Shrimpton. 2012. Peek-a-boo, I still see you: Why efficient traffic analysis countermeasures fail. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 332–346.
[12]
Ian J. Goodfellow, Jonathon Shlens, and Christian Szegedy. 2015. Explaining and harnessing adversarial examples. arxiv:1412.6572 [stat.ML] (2015). https://arxiv.org/abs/1412.6572
[13]
Shixiang Gu and Luca Rigazio. 2015. Towards deep neural network architectures robust to adversarial examples. arxiv:1412.5068 [cs.LG] (2015). https://arxiv.org/abs/1412.5068
[14]
Dominik Herrmann, Rolf Wendolsky, and Hannes Federrath. 2009. Website fingerprinting: Attacking popular privacy enhancing technologies with the multinomial naïve-Bayes classifier. In Proceedings of the ACM Workshop on Cloud Computing Security. ACM, New York, NY, USA, 31–42.
[15]
Andrew Hintz. 2002. Fingerprinting websites using traffic analysis. In Proceedings of the Workshop on Privacy Enhancing Technologies. 171–178.
[16]
Mohsen Imani, Armon Barton, and Matthew Wright. 2018. Guard sets in Tor using as relationships. Proceedings on Privacy Enhancing Technologies 2018, 1 (2018), 145–165.
[17]
Aaron Johnson, Chris Wacek, Rob Jansen, Micah Sherr, and Paul Syverson. 2013. Users get routed: Traffic correlation on Tor by realistic adversaries. In Proceedings of the ACM Conference on Computer and Communications Security. ACM, New York, NY, USA, 337–348.
[18]
Marc Juarez, Sadia Afroz, Gunes Acar, Claudia Diaz, and Rachel Greenstadt. 2014. A critical evaluation of website fingerprinting attacks. In Proceedings of the ACM Conference on Computer and Communications Security. ACM, New York, NY, USA, 263–274.
[19]
Marc Juarez, Mohsen Imani, Mike Perry, Claudia Diaz, and Matthew Wright. 2016. Toward an efficient website fingerprinting defense. In Proceedings of the European Symposium on Research in Computer Security. 27–46.
[20]
David Lu, Sanjit Bhat, Albert Kwon, and Srinivas Devadas. 2018. DynaFlow: An efficient website fingerprinting defense based on dynamically-adjusting flows. In Proceedings of the ACM Workshop on Privacy in the Electronic Society. ACM, New York, NY, USA, 109–113.
[21]
Jiajun Lu, Theerasit Issaranon, and David Forsyth. 2017. SafetyNet: Detecting and rejecting adversarial examples robustly. arxiv:1704.00103 [cs.CV] (2017). https://arxiv.org/abs/1704.00103
[22]
Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2019. Towards deep learning models resistant to adversarial attacks. arxiv:1706.06083 [stat.ML] (2019). https://arxiv.org/abs/1706.06083
[23]
Nate Mathews, James K. Holland, Se Eun Oh, Mohammad Saidur Rahman, Nicholas Hopper, and Matthew Wright. 2023. SoK: A critical evaluation of efficient website fingerprinting defenses. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 969–986.
[24]
Milad Nasr, Alireza Bahramali, and Amir Houmansadr. 2021. Defeating DNN-based traffic analysis systems in real-time with blind adversarial perturbations. In Proceedings of the USENIX Security Symposium. 2705–2722.
[25]
Se Eun Oh, Nate Mathews, Mohammad Saidur Rahman, Matthew Wright, and Nicholas Hopper. 2021. GANDaLF: GAN for data-limited fingerprinting. Proceedings on Privacy Enhancing Technologies 2021, 2 (2021), 305–322.
[26]
Andriy Panchenko, Fabian Lanze, Jan Pennekamp, Thomas Engel, Andreas Zinnen, Martin Henze, and Klaus Wehrle. 2016. Website fingerprinting at Internet scale. In Proceedings of the Network and Distributed System Security Symposium. 1–15.
[27]
Andriy Panchenko, Lukas Niessen, Andreas Zinnen, and Thomas Engel. 2011. Website fingerprinting in onion routing based anonymization networks. In Proceedings of the ACM Workshop on Privacy in the Electronic Society. ACM, New York, NY, USA, 103–114.
[28]
Mohammad Saidur Rahman, Mohsen Imani, Nate Mathews, and Matthew Wright. 2021. Mockingbird: Defending against deep-learning-based website fingerprinting attacks with adversarial traces. IEEE Transactions on Information Forensics and Security 16 (2021), 1594–1609.
[29]
Mohammad Saidur Rahman, Nate Matthews, and Matthew Wright. 2019. Poster: Video fingerprinting in Tor. In Proceedings of the ACM Conference on Computer and Communications Security. ACM, New York, NY, USA, 2629–2631.
[30]
Mohammad Saidur Rahman, Payap Sirinam, Nate Mathews, Kantha Girish Gangadhara, and Matthew Wright. 2020. Tik-Tok: The utility of packet timing in website fingerprinting attacks. Proceedings on Privacy Enhancing Technologies 2020, 3 (2020), 5–24.
[31]
Vera Rimmer, Davy Preuveneers, Marc Juarez, Tom Van Goethem, and Wouter Joosen. 2018. Automated website fingerprinting through deep learning. In Proceedings of the Network and Distributed System Security Symposium. 1–15.
[32]
Shawn Shan, Arjun Nitin Bhagoji, Haitao Zheng, and Ben Y. Zhao. 2021. A real-time defense against website fingerprinting attacks. arxiv:2102.04291 [cs.CR] (2021). https://arxiv.org/abs/2102.04291
[33]
Payap Sirinam, Mohsen Imani, Marc Juarez, and Matthew Wright. 2018. Deep fingerprinting: Undermining website fingerprinting defenses with deep learning. In Proceedings of the ACM Conference on Computer and Communications Security. ACM, New York, NY, USA, 1928–1943.
[34]
Payap Sirinam, Nate Mathews, Mohammad Saidur Rahman, and Matthew Wright. 2019. Triplet fingerprinting: More practical and portable website fingerprinting with n-shot learning. In Proceedings of the ACM Conference on Computer and Communications Security. ACM, New York, NY, USA, 1131–1148.
[35]
Sagar Vaze, Kai Han, Andrea Vedaldi, and Andrew Zisserman. 2022. Open-set recognition: A good closed-set classifier is all you need?arxiv:2110.06207 [cs.CV] (2022). https://arxiv.org/abs/2110.06207
[36]
Tim Walsh, Trevor Thomas, and Armon Barton. 2024. Exploring the capabilities and limitations of video stream fingerprinting. In Proceedings of the IEEE Security Privacy Workshop on Designing Security for the Web. IEEE, 28–39.
[37]
Tao Wang. 2020. High precision open-world website fingerprinting. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 152–167.
[38]
Tao Wang and Ian Goldberg. 2013. Improved website fingerprinting on Tor. In Proceedings of the ACM Workshop on Privacy in the Electronic Society. ACM, New York, NY, USA, 201–212.
[39]
Tao Wang and Ian Goldberg. 2017. Walkie-Talkie: An efficient defense against passive website fingerprinting attacks. In Proceedings of the USENIX Security Symposium. 1375–1390.
[40]
Xiaoyong Yuan, Pan He, Qile Zhu, and Xiaolin Li. 2019. Adversarial examples: Attacks and defenses for deep learning. IEEE Transactions on Neural Networks and Learning Systems 30, 9 (2019), 2805–2824.
Index Terms
- Defending Against Deep Learning-Based Traffic Fingerprinting Attacks With Adversarial Examples
Recommendations
Deep Fingerprinting: Undermining Website Fingerprinting Defenses with Deep Learning
CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications SecurityWebsite fingerprinting enables a local eavesdropper to determine which websites a user is visiting over an encrypted connection. State-of-the-art website fingerprinting attacks have been shown to be effective even against Tor. Recently, lightweight ...
Patch-based Defenses against Web Fingerprinting Attacks
AISec '21: Proceedings of the 14th ACM Workshop on Artificial Intelligence and SecurityAnonymity systems like Tor are vulnerable to Website Fingerprinting (WF) attacks, where a local passive eavesdropper infers the victim's activity. WF attacks based on deep learning classifiers have successfully overcome numerous defenses. While recent ...
A comprehensive analysis of website fingerprinting defenses on Tor
AbstractWebsite fingerprinting (WF) enables eavesdroppers to identify the website a user is visiting by network surveillance, even if the traffic is protected by anonymous communication technologies such as Tor. To avoid this, several defense schemes ...
Comments
Information & Contributors
Information
Published In
This paper is authored by an employee(s) of the United States Government and is in the public domain. Non-exclusive copying or redistribution is allowed, provided that the article citation is given and the authors and agency are clearly identified as its source.
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 09 November 2024
Online AM: 03 October 2024
Accepted: 22 September 2024
Revised: 06 September 2024
Received: 01 April 2024
Published in TOPS Volume 28, Issue 1
Check for updates
Author Tags
Qualifiers
- Research-article
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 256Total Downloads
- Downloads (Last 12 months)256
- Downloads (Last 6 weeks)114
Reflects downloads up to 28 Dec 2024
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in