IUPTIS: Fingerprinting Profile Webpages in a Dynamic and Practical DPI Context

  • Conference paper

Part of the book series: Lecture Notes in Business Information Processing (LNBIP, volume 372)

Abstract

In this paper, we propose an extended overview of a novel webpage fingerprinting technique ‘IUPTIS’ that allows an adversary to identify webpage profiles in an encrypted HTTPS traffic trace. Our approach works by identifying sequences of image resources, uniquely attributed to each webpage. Assumptions of previous state-of-the-art methods are reduced by developing an approach that does not depend on the browser utilized. Additionally, it outperforms previous methods by allowing webpages to be dynamic in content and permitting a limited number of browser and CDN-cached resources. These easy-to-use properties make it viable to apply our method in DPI frameworks where performance is crucial. With practical experiments on social media platforms such as Pinterest and DeviantArt, we show that IUPTIS is an accurate and robust technique to fingerprint profile webpages in a realistic scenario. To conclude, we propose several defenses that are able to mitigate IUPTIS in privacy-enhanced tools such as Tor.

Source Code and Dataset

The source code and dataset of the Pinterest experiment can be found here: https://github.com/M-DiMartino/IUPTIS.

Notes

  1. IUPTIS stands for ‘Identifying User Profiles Through Image Sequences’.

  2. Note the difference between browser-cached and CDN-cached images. We are talking about the latter here.

  3. Previous work regarding fingerprinting often has slightly different ways of defining positives and negatives.

  4. Categories: Movie, Sport, Travel, Music, Games, Clothing, Science, Food and Business.

  5. ‘https://www.deviantart.com/[USER_NAME]/gallery’.

  6. https://hotels.com/ho[NUMBER]/?[GET_PARAMS].

Acknowledgements

We thank the anonymous reviewers for their insightful feedback.

Author information

Corresponding author

Correspondence to Mariano Di Martino.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Di Martino, M., Robyns, P., Quax, P., Lamotte, W. (2019). IUPTIS: Fingerprinting Profile Webpages in a Dynamic and Practical DPI Context. In: Escalona, M., Domínguez Mayo, F., Majchrzak, T., Monfort, V. (eds) Web Information Systems and Technologies. WEBIST 2018. Lecture Notes in Business Information Processing, vol 372. Springer, Cham. https://doi.org/10.1007/978-3-030-35330-8_6

  • DOI: https://doi.org/10.1007/978-3-030-35330-8_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-35329-2

  • Online ISBN: 978-3-030-35330-8

  • eBook Packages: Computer Science (R0)
