ABSTRACT
To defeat Website Fingerprinting (WF) attacks that threaten privacy on anonymity technologies such as Tor, defenses have been proposed and evaluated under the multi-page setting. The multi-page setting was designed as a difficult setting for the attacker and therefore gives too much of an advantage to the defense, allowing weak defenses to show success. We argue that all WF defenses should instead be evaluated under the one-page setting so that the defender needs to meet a higher standard of success.
Evaluating known WF defenses under the one-page setting, we found that Decoy, Front and Tamaraw all failed to defend against WF attacks. None of these defenses were shown to be vulnerable in previous work. In Tamaraw's case, the attacker's TPR increases 13 times from 2.9% to 37% with 4.4% FPR; he can also achieve 91% TPR and 21% FPR. We also found that these attacks were able to succeed in a wide array of newly defined WF scenarios that could not be captured by the standard laboratory scenario. In response, we create the first defense that is strong enough for the one-page setting by augmenting Tamaraw with greater randomization overhead so that its anonymity sets are more evenly dispersed.
The One-Page Setting: A Higher Standard for Evaluating Website Fingerprinting Defenses