Wen Ming Liu,Lingyu Wang,Kui Ren,Pengsu Cheng,Mourad Debbabi

DOI: https://doi.org/10.1007/978-3-642-31680-7_5

2012-01-01

Abstract:While web-based applications are becoming increasingly ubiquitous, they also present new security and privacy challenges. In particular, recent research revealed that many high profile Web applications might cause private user information to leak from encrypted traffic due to side-channel attacks exploiting packet sizes and timing. Moreover, existing solutions, such as random padding and packet-size rounding, are shown to incur prohibitive cost while still not ensuring sufficient privacy protection. In this paper, we propose a novel k-indistinguishable traffic padding technique to achieve the optimal tradeoff between privacy protection and communication and computational cost. Specifically, we first present a formal model of the privacy-preserving traffic padding (PPTP). We then formulate PPTP problems under different application scenarios, analyze their complexity, and design efficient heuristic algorithms. Finally, we confirm the effectiveness and efficiency of our algorithms by comparing them to existing solutions through experiments using real-world Web applications.

Wen Ming Liu,Lingyu Wang,Pengsu Cheng,Kui Ren,Shunzhi Zhu,Mourad Debbabi

DOI: https://doi.org/10.1109/tdsc.2014.2302308

2014-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:While web-based applications are gaining popularity, they also pose new security challenges. In particular, Chen et al. recently revealed that many popular Web applications actually leak out highly sensitive data from encrypted traffic due to side-channel attacks using packet sizes and timing [1]. They further demonstrated that existing solutions usually incur a high overhead while still not guaranteeing privacy protection. In this paper, we observe a striking similarity between this issue and another well studied problem, privacy-preserving data publishing (PPDP). Based on such a similarity, we propose a formal model for privacy-preserving traffic padding (PPTP) that encompasses privacy requirement, padding cost, and padding methods.

Shui Yu,Guofeng Zhao,Wanchun Dou,Simon James

DOI: https://doi.org/10.1109/tifs.2012.2197392

IF: 7.231

2012-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Anonymous communication has become a hot research topic in order to meet the increasing demand for web privacy protection. However, there are few such systems which can provide high level anonymity for web browsing. The reason is the current dominant dummy packet padding method for anonymization against traffic analysis attacks. This method inherits huge delay and bandwidth waste, which inhibits its use for web browsing. In this paper, we propose a predicted packet padding strategy to replace the dummy packet padding method for anonymous web browsing systems. The proposed strategy mitigates delay and bandwidth waste significantly on average. We formulated the traffic analysis attack and defense problem, and defined a metric, cost coefficient of anonymization (CCA), to measure the performance of anonymization. We thoroughly analyzed the problem with the characteristics of web browsing and concluded that the proposed strategy is better than the current dummy packet padding strategy in theory. We have conducted extensive experiments on two real world data sets, and the results confirmed the advantage of the proposed method.

Pandurang Kamat,Wenyuan Xu,Wade Trappe,Yanyong Zhang

DOI: https://doi.org/10.1109/icdcs.2007.146

2009-01-01

ACM Transactions on Sensor Networks

Abstract:Although the content of sensor messages describing "events of interest" may be encrypted to provide confidentiality, the context surrounding these events may also be sensitive and therefore should be protected from eavesdroppers. An adversary armed with knowledge of the network deployment, routing algorithms, and the base-station (data sink) location can infer the temporal patterns of interesting events by merely monitoring the arrival of packets at the sink, thereby allowing the adversary to remotely track the spatio-temporal evolution of a sensed event. In this paper we introduce the problem of temporal privacy for delay-tolerant sensor networks, and propose adaptive buffering at intermediate nodes on the source-sink routing path to obfuscate temporal information from the adversary. We first present the effect of buffering on temporal privacy using an information-theoretic formulation, and then examine the effect that delaying packets has on buffer occupancy. We observe that temporal privacy and efficient buffer utilization are contrary objectives, and then present an adaptive buffering strategy that effectively manages these tradeoffs. Finally, we evaluate our privacy enhancement strategies using simulations, where privacy is quantified in terms of the adversary's mean square error.

Yanfei Fan,Yixin Jiang,Haojin Zhu,Jiming Chen,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/twc.2011.122010.100087

IF: 10.4

2010-01-01

IEEE Transactions on Wireless Communications

Abstract:Privacy threat is one of the critical issues in multi-hop wireless networks, where attacks such as traffic analysis and flow tracing can be easily launched by a malicious adversary due to the open wireless medium. Network coding has the potential to thwart these attacks since the coding/mixing operation is encouraged at intermediate nodes. However, the simple deployment of network coding cannot achieve the goal once enough packets are collected by the adversaries. On the other hand, the coding/mixing nature precludes the feasibility of employing the existing privacy-preserving techniques, such as Onion Routing. In this paper, we propose a novel network coding based privacy-preserving scheme against traffic analysis in multi-hop wireless networks. With homomorphic encryption on Global Encoding Vectors (GEVs), the proposed scheme offers two significant privacy-preserving features, packet flow untraceability and message content confidentiality, for efficiently thwarting the traffic analysis attacks. Moreover, the proposed scheme keeps the random coding feature, and each sink can recover the source packets by inverting the GEVs with a very high probability. Theoretical analysis and simulative evaluation demonstrate the validity and efficiency of the proposed scheme.

Hao Zhou,Yingjie Wu,Sisi Zhong,Zhao Luo,Xiaodong Wang

DOI: https://doi.org/10.1109/icicee.2012.418

2012-01-01

Abstract:The query privacy issue in location-based services (LBS) has recently received considerable attention. To protect the query privacy of users, current state-of-the-art techniques adopt cloaking which cloaks the sender's location to k-anonymized spatial region (ASR), such that an attack based on the sender's location cannot identify the query source with probability larger than 1/k, among other k-1 users. However, these techniques do not consider that these k-1 additional mobile users with different privacy requirements may send request at the same time. In this paper, we propose a new attack model that an adversary who observes all the ASRs at one time can identify the query source with probability larger than 1/k based on prior knowledge of the locations of all users. And we propose our two algorithms, namely, Basic and Adaptive Algorithms, which strengthen the privacy guarantee to defend such inference attack while still support personalized user privacy requirements. We verify the effectiveness of the proposed algorithms by experiments on location data which synthetically generated on real road maps.

Mnassar Alyami,Abdulmajeed Alghamdi,Mohammed Alkhowaiter,Cliff Zou,Yan Solihin

DOI: https://doi.org/10.48550/arXiv.2309.05941

2023-09-12

Abstract:Despite encryption, the packet size is still visible, enabling observers to infer private information in the Internet of Things (IoT) environment (e.g., IoT device identification). Packet padding obfuscates packet-length characteristics with a high data overhead because it relies on adding noise to the data. This paper proposes a more data-efficient approach that randomizes packet sizes without adding noise. We achieve this by splitting large TCP segments into random-sized chunks; hence, the packet length distribution is obfuscated without adding noise data. Our client-server implementation using TCP sockets demonstrates the feasibility of our approach at the application level. We realize our packet size control by adjusting two local socket-programming parameters. First, we enable the TCP_NODELAY option to send out each packet with our specified length. Second, we downsize the sending buffer to prevent the sender from pushing out more data than can be received, which could disable our control of the packet sizes. We simulate our defense on a network trace of four IoT devices and show a reduction in device classification accuracy from 98% to 63%, close to random guessing. Meanwhile, the real-world data transmission experiments show that the added latency is reasonable, less than 21%, while the added packet header overhead is only about 5%.

Cryptography and Security

Wei Wang,Mehul Motani,Vikram Srinivasan

DOI: https://doi.org/10.1145/1455770.1455812

2008-01-01

Abstract:Low latency anonymity systems are susceptive to traffic analysis attacks. In this paper, we propose a dependent link padding scheme to protect anonymity systems from traffic analysis attacks while providing a strict delay bound. The covering traffic generated by our scheme uses the minimum sending rate to provide full anonymity for a given set of flows. The relationship between user anonymity and the minimum covering traffic rate is then studied via analysis and simulation. When user flows are Poisson processes with the same sending rate, the minimum covering traffic rate to provide full anonymity to m users is O(log m). For Pareto traffic, we show that the rate of the covering traffic converges to a constant when the number of flows goes to infinity. Finally, we use real Internet trace files to study the behavior of our algorithm when user flows have different rates.

Jonas Bushart,Christian Rossow

DOI: https://doi.org/10.48550/arXiv.1907.01317

2019-07-02

Abstract:DNS over TLS (DoT) and DNS over HTTPS (DoH) encrypt DNS to guard user privacy by hiding DNS resolutions from passive adversaries. Yet, past attacks have shown that encrypted DNS is still sensitive to traffic analysis. As a consequence, RFC 8467 proposes to pad messages prior to encryption, which heavily reduces the characteristics of encrypted traffic. In this paper, we show that padding alone is insufficient to counter DNS traffic analysis. We propose a novel traffic analysis method that combines size and timing information to infer the websites a user visits purely based on encrypted and padded DNS traces. To this end, we model DNS sequences that capture the complexity of websites that usually trigger dozens of DNS resolutions instead of just a single DNS transaction. A closed world evaluation based on the Alexa top-10k websites reveals that attackers can deanonymize at least half of the test traces in 80.2% of all websites, and even correctly label all traces for 32.0% of the websites. Our findings undermine the privacy goals of state-of-the-art message padding strategies in DoT/DoH. We conclude by showing that successful mitigations to such attacks have to remove the entropy of inter-arrival timings between query responses.

Cryptography and Security

Luo Tao,Wang LiangMin,Yin ShangNan,Shentu Hao,Zhao Hui

DOI: https://doi.org/10.1186/s13677-021-00244-8

2021-01-01

Journal of Cloud Computing

Abstract:Edge computing has developed rapidly in recent years due to its advantages of low bandwidth overhead and low delay, but it also brings challenges in data security and privacy. Website fingerprinting (WF) is a passive traffic analysis attack that threatens website privacy which poses a great threat to user’s privacy and web security. It collects network packets generated while a user accesses website, and then uses a series of techniques to discover patterns of network packets to infer the type of website user accesses. Many anonymous networks such as Tor can meet the need of hide identity from users in network activities, but they are also threatened by WF attacks. In this paper, we propose a website fingerprinting obfuscation method against intelligent fingerprinting attacks, called Random Bidirectional Padding (RBP). It is a novel website fingerprinting defense technology based on time sampling and random bidirectional packets padding, which can covert the real packets distribution to destroy the Inter-Arrival Time (IAT) features in the traffic sequence and increase the difference between the datasets with random bidirectional virtual packets padding. We evaluate the defense against state-of-the-art website fingerprinting attacks in real scenarios, and show its effectiveness.

Shui Yu,Theerasak Thapngam,Hou I. Tse,Jilong Wang

DOI: https://doi.org/10.1109/GLOCOMW.2010.5700205

2010-01-01

Abstract:Anonymous web browsing is an emerging hot topic with many potential applications for privacy and security. However, research on low latency anonymous communication, such as web browsing, is quite limited; one reason is the intolerable delay caused by the current dominant dummy packet padding strategy, as a result, it is hard to satisfy perfect anonymity and limited delay at the same time for web browsing. In this paper, we extend our previous proposal on using prefetched web pages as cover traffic to obtain perfect anonymity for anonymous web browsing, we further explore different aspects in this direction. Based on Shannon's perfect secrecy theory, we formally established a mathematical model for the problem, and defined a metric to measure the cost of achieving perfect anonymity. The experiments on a real world data set demonstrated that the proposed strategy can reduce delay more than ten times compared to the dummy packet padding methods, which confirmed the vast potentials of the proposed strategy.

Noah Apthorpe,Danny Yuxing Huang,Dillon Reisman,Arvind Narayanan,Nick Feamster

DOI: https://doi.org/10.2478/popets-2019-0040

2019-03-16

Abstract:The proliferation of smart home Internet of Things (IoT) devices presents unprecedented challenges for preserving privacy within the home. In this paper, we demonstrate that a passive network observer (e.g., an Internet service provider) can infer private in-home activities by analyzing Internet traffic from commercially available smart home devices even when the devices use end-to-end transport-layer encryption. We evaluate common approaches for defending against these types of traffic analysis attacks, including firewalls, virtual private networks, and independent link padding, and find that none sufficiently conceal user activities with reasonable data overhead. We develop a new defense, "stochastic traffic padding" (STP), that makes it difficult for a passive network adversary to reliably distinguish genuine user activities from generated traffic patterns designed to look like user interactions. Our analysis provides a theoretical bound on an adversary's ability to accurately detect genuine user activities as a function of the amount of additional cover traffic generated by the defense technique.

Cryptography and Security

Ethan Witwer,James Holland,Nicholas Hopper

DOI: https://doi.org/10.48550/arXiv.2208.02917

2022-08-05

Abstract:Website fingerprinting is an attack that uses size and timing characteristics of encrypted downloads to identify targeted websites. Since this can defeat the privacy goals of anonymity networks such as Tor, many algorithms to defend against this attack in Tor have been proposed in the literature. These algorithms typically consist of some combination of the injection of dummy "padding" packets with the delay of actual packets to disrupt timing patterns. For usability reasons, Tor is intended to provide low latency; as such, many authors focus on padding-only defenses in the belief that they are "zero-delay." We demonstrate through Shadow simulations that by increasing queue lengths, padding-only defenses add delay when deployed network-wide, so they should not be considered "zero-delay." We further argue that future defenses should also be evaluated using network-wide deployment simulations

Cryptography and Security

Jingyuan Fan,Chaowen Guan,Kui Ren,Yong Cui,Chunming Qiao

DOI: https://doi.org/10.1109/tnet.2017.2753044

2017-01-01

IEEE/ACM Transactions on Networking

Abstract:Widely used over the Internet to encrypt traffic, HTTPS provides secure and private data communication between clients and servers. However, to cope with rapidly changing and sophisticated security attacks, network operators often deploy middleboxes to perform deep packet inspection (DPI) to detect attacks and potential security breaches, using techniques ranging from simple keyword matching to more advanced machine learning and data mining analysis. But this creates a problem: how can middleboxes, which employ DPI, work over HTTPS connections with encrypted traffic while preserving privacy? In this paper, we present SPABox, a middlebox-based system that supports both keyword-based and data analysis-based DPI functions over encrypted traffic. SPABox preserves privacy by using a novel protocol with a limited connection setup overhead. We implement SPABox on a standard server and show that SPABox is practical for both long-lived and short-lived connection. Compared with the state-of-the-art Blindbox system, SPABox is more than five orders of magnitude faster and requires seven orders of magnitude less bandwidth for connection setup while SPABox can achieve a higher security level.

George Kadianakis,Theodoros Polyzos,Mike Perry,Kostas Chatzikokolakis

DOI: https://doi.org/10.48550/arXiv.2103.03831

2022-01-12

Abstract:Online anonymity and privacy has been based on confusing the adversary by creating indistinguishable network elements. Tor is the largest and most widely deployed anonymity system, designed against realistic modern adversaries. Recently, researchers have managed to fingerprint Tor's circuits -- and hence the type of underlying traffic -- simply by capturing and analyzing traffic traces. In this work, we study the circuit fingerprinting problem, isolating it from website fingerprinting, and revisit previous findings in this model, showing that accurate attacks are possible even when the application-layer traffic is identical. We then proceed to incrementally create defenses against circuit fingerprinting, using a generic adaptive padding framework for Tor based on WTF-PAD. We present a simple defense which delays a fraction of the traffic, as well as a more advanced one which can effectively hide onion service circuits with zero delays. We thoroughly evaluate both defenses, both analytically and experimentally, discovering new subtle fingerprints, but also showing the effectiveness of our defenses.

Cryptography and Security

Lei Duan,Tao Wei,Tielei Wang,Tianfang Guo,Wei Zou

2010-01-01

Abstract:Just-in-time (JIT)-spraying, which first appeared in Blackhat DC 2010, is a new kind of attack techniques based on JIS compilation. This technique allows attackers to bypass data execution prevention (DEP) and address space layout randomization (ASLR). There are not yet any public methods to prevent this kind of attack which makes users quite vulnerable. This attack was analyzed to build models for Sledge, Shellcode's handover, and other key points to develop a JIT-spraying prevention mechanism based on random instruction padding. Quantitative analysis of the method's effectiveness shows that the best solution reduces the success rate of JIT-spraying attacks to less than 10 -6 and only introduces about 13% more padding instructions. This approach is demonstrated in V8, which is the JavaScript engine of the Chrome browser, and the performance overhead is less than 1%. The mechanism can also be used in other JIT compilers to provide more effective safety protection combined with DEP and ASLR.

Song Wang,X. Sean Wang

DOI: https://doi.org/10.1109/MDM.2010.82

2010-01-01

Abstract:Spatial cloaking has been proposed and studied to protect mobile user privacy when using location based services (LBS). Traditional spatial cloaking methods are carried out by a trusted proxy known as location trusted server (LTS) to generate a region that contains at least k users for every request. The LTS is assumed to know the location of all users at all times, and perform the cloaking for all user requests. There are a number of disadvantages of relying on a single service for privacy preservation, including the scalability concern and the appropriate worry that this service “knows too much”. To ameliorate this single-service problem, in-device spatial cloaking may be more desirable. However, the sticky problem is that the device does not know, at the time of the request, the locations of all other users, which are necessary to obtain an appropriate cloaked region. With cloud services, it may be appropriate to assume that user-density information is available from cloud servers. These servers may collect user location information for different regions, or may use sophisticated method to estimate user densities for different places. When a request needs to be anonymized, the device goes to the cloud to acquire appropriate user density information to perform spatial cloaking. In this operating environment, traditional spatial cloaking methods such as Casper [9] need to be modified in order to guarantee safety. This paper proposes and studies a new algorithm and reports performance evaluation of the new algorithm and its optimized version, aiming at provably safe cloaking with minimized communication cost. Experimental results show that the new algorithms work well in the realistic evaluation environment.

Gaofeng Zhang,Yun Yang,Jinjun Chen

DOI: https://doi.org/10.1016/j.jcss.2011.12.020

IF: 1.043

2012-09-01

Journal of Computer and System Sciences

Abstract:Cloud computing promises an open environment where customers can deploy IT services in pay-as-you-go fashion while saving huge capital investment in their own IT infrastructure. Due to the openness, various malicious service providers can exist. Such service providers may record service requests from a customer and then collectively deduce the customer private information. Therefore, customers need to take certain actions to protect their privacy. Obfuscation with noise injection, that mixes noise service requests with real customer service requests so that service providers will be confused about which requests are real ones, is an effective approach in this regard if those request occurrence probabilities are about the same. However, current obfuscation with noise injection uses random noise requests. Due to the randomness it needs a large number of noise requests to hide the real ones so that all of their occurrence probabilities are about the same, i.e. service providers would be confused. In pay-as-you-go cloud environment, a noise request will cost the same as a real request. Hence, with the same level of confusion, i.e. customer privacy protection, the number of noise requests should be kept as few as possible. Therefore in this paper we develop a novel historical probability based noise generation strategy. Our strategy generates noise requests based on their historical occurrence probability so that all requests including noise and real ones can reach about the same occurrence probability, and then service providers would not be able to distinguish in between. Our strategy can significantly reduce the number of noise requests over the random strategy, by more than 90% as demonstrated by simulation evaluation.

computer science, theory & methods, hardware & architecture

Wei Liu,Chengrong Wu,Haolin Jin,Shiyong Zhang

DOI: https://doi.org/10.1109/cits.2016.7546416

2016-01-01

Abstract:Web security is an important part of information security. This paper proposes a new web anti-attack method based on URL randomization. Adding a random field in the URL leads that the attackers cannot get desired URLs through sniffing and scanning the static URLs. In the section of theoretical analysis, we analyze the probability that the attackers construct the correct URLs. Finally, we implement a prototype of the method we come up with and use it to measure the overhead the method will bring. Experiment results shows that the overhead the method brings is very little and this method has the significance of practical application.

Zhenyu Yang,Xi Xiao,Bin Zhang ,Guangwu Hu,Qing Li,Qixu Liu

DOI: https://doi.org/10.1007/978-3-031-46677-9_8

2023-01-01

Abstract:Website fingerprinting enables eavesdroppers to identify the website a user is visiting by network surveillance, even if the traffic is protected by anonymous communication technologies such as Tor. To defend against website fingerprinting attacks, Tor provides a circuit padding framework as the official way to implement padding defenses. However, the circuit padding framework can not support additional delay, which makes most defense schemes unworkable. In this paper, we study the patterns of HTTP requests and responses generated during website loading and analyze how these high-level features correlate with the underlying features of network traffic. We find that the HTTP requests sent and responses received continuously in a short period of time, which we call HTTP burst, have a significant impact on network traffic. Then we propose a novel website fingerprinting defense algorithm, Advanced Adaptive Padding(AAP). The design principle of AAP is similar to Adaptive Padding, which works by obfuscating burst features. AAP does not delay application packets and is in line with the design philosophy of low latency networks such as Tor. Besides, AAP uses a more sensible traffic obfuscation strategy, which makes it more effective. Experiments show that AAP outperforms other zero-delay defenses with moderate bandwidth overhead.