DOI: 10.1145/3474369.3486875

Patch-based Defenses against Web Fingerprinting Attacks

Published: 15 November 2021

Abstract

Anonymity systems like Tor are vulnerable to Website Fingerprinting (WF) attacks, where a local passive eavesdropper infers the victim's activity. WF attacks based on deep learning classifiers have successfully overcome numerous defenses. While recent defenses leveraging adversarial examples offer promise, these adversarial examples can only be computed after the network session has concluded, thus offering users little protection in practical settings.
We propose Dolos, a system that modifies user network traffic in real time to successfully evade WF attacks. Dolos injects dummy packets into traffic traces by computing input-agnostic adversarial patches that disrupt the deep learning classifiers used in WF attacks. Patches are then applied to alter and protect user traffic in real time. Importantly, these patches are parameterized by a user-side secret, ensuring that attackers cannot use adversarial training to defeat Dolos. We experimentally demonstrate that Dolos provides >94% protection against state-of-the-art WF attacks under a variety of settings, including adaptive countermeasures. Dolos outperforms prior defenses both in terms of higher protection performance as well as lower bandwidth overhead. Finally, we show that Dolos is provably robust to any attack under specific, but realistic, assumptions on the setting in which the defense is deployed.


Published In

AISec '21: Proceedings of the 14th ACM Workshop on Artificial Intelligence and Security
November 2021
210 pages
ISBN:9781450386579
DOI:10.1145/3474369
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. adversarial patch
  2. privacy
  3. tor
  4. website fingerprinting

Qualifiers

  • Research-article

Conference

CCS '21

Acceptance Rates

Overall Acceptance Rate 94 of 231 submissions, 41%

Cited By

  • (2024) KimeraPAD: A Novel Low-Overhead Real-Time Defense Against Website Fingerprinting Attacks Based on Deep Reinforcement Learning. IEEE Transactions on Network and Service Management 21:3 (2944-2961). DOI: 10.1109/TNSM.2024.3360082. Online publication date: Jun-2024
  • (2024) Website Fingerprinting on Encrypted Proxies: A Flow-Context-Aware Approach and Countermeasures. IEEE/ACM Transactions on Networking 32:3 (1904-1919). DOI: 10.1109/TNET.2023.3337270. Online publication date: Jun-2024
  • (2024) RUDOLF: An Efficient and Adaptive Defense Approach Against Website Fingerprinting Attacks Based on Soft Actor-Critic Algorithm. IEEE Transactions on Information Forensics and Security 19 (7794-7809). DOI: 10.1109/TIFS.2024.3436818. Online publication date: 2024
  • (2024) WFDefProxy: Real World Implementation and Evaluation of Website Fingerprinting Defenses. IEEE Transactions on Information Forensics and Security 19 (1357-1371). DOI: 10.1109/TIFS.2023.3327662. Online publication date: 1-Jan-2024
  • (2024) You Can Glimpse but You Cannot Identify: Protect IoT Devices From Being Fingerprinted. IEEE Transactions on Dependable and Secure Computing 21:3 (1210-1223). DOI: 10.1109/TDSC.2023.3275850. Online publication date: May-2024
  • (2024) Real-Time Website Fingerprinting Defense via Traffic Cluster Anonymization. 2024 IEEE Symposium on Security and Privacy (SP) (3238-3256). DOI: 10.1109/SP54263.2024.00247. Online publication date: 19-May-2024
  • (2024) Trace-agnostic and Adversarial Training-resilient Website Fingerprinting Defense. IEEE INFOCOM 2024 - IEEE Conference on Computer Communications (211-220). DOI: 10.1109/INFOCOM52122.2024.10621205. Online publication date: 20-May-2024
  • (2023) Characterizing Privacy Leakage in Encrypted DNS Traffic. IEICE Transactions on Communications E106.B:2 (156-165). DOI: 10.1587/transcom.2022EBP3014. Online publication date: 1-Feb-2023
  • (2023) Resisting DNN-Based Website Fingerprinting Attacks Enhanced by Adversarial Training. IEEE Transactions on Information Forensics and Security 18 (5375-5386). DOI: 10.1109/TIFS.2023.3304528. Online publication date: 1-Jan-2023
  • (2023) Prism: Real-Time Privacy Protection Against Temporal Network Traffic Analyzers. IEEE Transactions on Information Forensics and Security 18 (2524-2537). DOI: 10.1109/TIFS.2023.3267885. Online publication date: 1-Jan-2023
