Litao Qiao,Bang Wu,Shuijun Yin,Heng Li,Wei Yuan,Xiapu Luo

DOI: https://doi.org/10.1109/tifs.2023.3304528

IF: 7.231

2023-09-06

IEEE Transactions on Information Forensics and Security

Abstract:Deep neural network (DNN) based website fingerprinting (WF) attacks pose a severe threat to the privacy of Tor users. To overcome this challenge, adversarial perturbation based WF defenses have been recently proposed to fool the classifiers of attackers, through purposefully perturbing the user's traffic traces. Unfortunately, these defenses significantly deteriorate once the WF attacks are enhanced with adversarial training (AT). AT endows the WF attacks with more powerful website recognition capability, through learning the perturbed traffic traces generated by attackers. To resist the WF attacks enhanced by AT, we develop a black-box WF defense, called Acup3. First, Acup3 leverages many-to- one website imitation to make the traffic traces associated with different websites look more like each other, increasing the difficulty of website classification. Second, Acup3 generates trace-agnostic perturbations without accessing traffic traces, making it suitable for practical deployment. Third, Acup3 employs perturbation variation to diversify the traffic traces of different users visiting the same website, making the knowledge learnt from AT less helpful for WF attacks. Therefore, Acup3 is more robust against AT. Experiments demonstrate Acup3 markedly surpasses four representative WF defenses (e.g., Mockingbird and AWA) in defense capability and bandwidth overhead. Facing the state-of-the-art (SOTA) attack Var-CNN enhanced with AT, Acup3 depresses its attack success rate (ASR) from 98% to 24.29% with only 13.95% bandwidth overhead. Compared to the SOTA defense AWA, Acup3 causes a 24.5% larger decrement in ASR of WF attacks, and achieves a more than 100 times faster speed of perturbation generation.

computer science, theory & methods,engineering, electrical & electronic

Zhe Zhao,Guangke Chen,Jingyi Wang,Yiwei Yang,Fu Song,Jun Sun

DOI: https://doi.org/10.1145/3460319.3464822

2021-01-01

Abstract:As a new programming paradigm, deep learning has expanded its application to many real-world problems. At the same time, deep learning based software are found to be vulnerable to adversarial attacks. Though various defense mechanisms have been proposed to improve robustness of deep learning software, many of them are ineffective against adaptive attacks. In this work, we propose a novel characterization to distinguish adversarial examples from benign ones based on the observation that adversarial examples are significantly less robust than benign ones. As existing robustness measurement does not scale to large networks, we propose a novel defense framework, named attack as defense (A2D), to detect adversarial examples by effectively evaluating an example’s robustness. A2D uses the cost of attacking an input for robustness evaluation and identifies those less robust examples as adversarial since less robust examples are easier to attack. Extensive experiment results on MNIST, CIFAR10 and ImageNet show that A2D is more effective than recent promising approaches. We also evaluate our defense against potential adaptive attacks and show that A2D is effective in defending carefully designed adaptive attacks, e.g., the attack success rate drops to 0% on CIFAR10.

Xi Xiao,Xiang Zhou,Zhenyu Yang,Le Yu,Bin Zhang,Qixu Liu,Xiapu Luo

DOI: https://doi.org/10.1016/j.cose.2023.103577

IF: 5.105

2024-01-01

Computers & Security

Abstract:Website fingerprinting (WF) enables eavesdroppers to identify the website a user is visiting by network surveillance, even if the traffic is protected by anonymous communication technologies such as Tor. To avoid this, several defense schemes have been proposed to protect users from the hazard of website fingerprinting attacks. However, some defenses are defeated by new attacks soon since they can not provide provable security guarantees; some defenses can not be deployed in practice since they incur high bandwidth overhead and latency overhead. In this paper, we survey existing WF defense schemes and make a comprehensive analysis. First, we divide WF defenses into four categories and introduce their principles and characteristics separately. Then, we point out some unreasonable settings in previous works and use a new experimental setting to evaluate WF defenses on a public dataset. We find many WF defenses are not as effective as they claim to be. Besides, we investigate the deployment of WF defenses and discuss some potential problems. Finally, we make some suggestions for researchers to design a feasible WF defense and make suggestions for users to protect their privacy.

Meng Shen,Kexin Ji,Zhenbo Gao,Qi Li,Liehuang Zhu,Ke Xu

2023-01-01

Abstract:Anonymity networks, e.g., Tor, are vulnerable to various website fingerprinting (WF) attacks, which allows attackers to perceive user privacy on these networks. However, the defenses developed recently can effectively interfere with WF attacks, e.g., by simply injecting dummy packets. In this paper, we propose a novel WF attack called Robust Fingerprinting (RF), which enables an attacker to fingerprint the Tor traffic under various defenses. Specifically, we develop a robust traffic representation method that generates Traffic Aggregation Matrix (TAM) to fully capture key informative features leaked from Tor traces. By utilizing TAM, an attacker can train a CNN-based classifier that learns common high-level traffic features uncovered by different defenses. We conduct extensive experiments with public real-world datasets to compare RF with state-of-the-art (SOTA) WF attacks. The closed-and open-world evaluation results demonstrate that RF significantly outperforms the SOTA attacks. In particular, RF can effectively fingerprint Tor traffic under the SOTA defenses with an average accuracy improvement of 8.9% over the best existing attack (i.e., Tik-Tok).

Qilei Yin,Zhuotao Liu,Qi Li,Tao Wang,Qian Wang,Chao Shen,Yixiao Xu

DOI: https://doi.org/10.1109/tdsc.2021.3104869

2021-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:In Website Fingerprinting (WF) attack, a local passive eavesdropper utilizes network flow information to identify which web pages a user is browsing. Previous researchers have demonstrated the feasibility and effectiveness of WF attacks under a strong Single Page Assumption: the network flow extracted by the adversary belongs to a single web page. In reality, the assumption may not hold because users tend to open multiple tabs simultaneously (or within a short period of time) so that their network traffic is mixed. In this article, we propose an automated multi-tab Website Fingerprinting attack that is able to accurately classify websites regardless of the number of simultaneously opened pages. Our design is powered by two innovative designs. First, we develop a split point classification method to dynamically identify the split point between the first page and its subsequent pages. As a result, the network traffic before the split point is solely generated for the first page. Then, we propose a new chunk-based WF classifier to infer the websites based on the initial chunk of clean traffic. For both classifiers, we apply automated feature selection to select a concise yet representative feature set. We implement a prototype of our design and perform extensive evaluations using SSH and Tor-based datasets to demonstrate the effectiveness of both our system components individually and the integrated system as a whole.

Mohammad Saidur Rahman,Mohsen Imani,Nate Mathews,Matthew Wright

DOI: https://doi.org/10.48550/arXiv.1902.06626

2020-10-29

Abstract:Website Fingerprinting (WF) is a type of traffic analysis attack that enables a local passive eavesdropper to infer the victim's activity, even when the traffic is protected by a VPN or an anonymity system like Tor. Leveraging a deep-learning classifier, a WF attacker can gain over 98% accuracy on Tor traffic. In this paper, we explore a novel defense, Mockingbird, based on the idea of adversarial examples that have been shown to undermine machine-learning classifiers in other domains. Since the attacker gets to design and train his attack classifier based on the defense, we first demonstrate that at a straightforward technique for generating adversarial-example based traces fails to protect against an attacker using adversarial training for robust classification. We then propose Mockingbird, a technique for generating traces that resists adversarial training by moving randomly in the space of viable traces and not following more predictable gradients. The technique drops the accuracy of the state-of-the-art attack hardened with adversarial training from 98% to 42-58% while incurring only 58% bandwidth overhead. The attack accuracy is generally lower than state-of-the-art defenses, and much lower when considering Top-2 accuracy, while incurring lower bandwidth overheads.

Cryptography and Security,Machine Learning

Xiaoyun Yuan,Tengyao Li,Lingling Li,Ruixiang Li,Zhiquan Wang,Xiangyang Luo

DOI: https://doi.org/10.1016/j.comnet.2024.110217

IF: 5.493

2024-01-29

Computer Networks

Abstract:Website Fingerprinting (WF) attacks on Tor are exploited to analyze encrypted traffic traces and infer the visited websites by analyzing traffic traces between users and the Tor entry guard. State-of-the-art WF methods have demonstrated impressive results in simulation experiments against Tor-protected network traffic. However, existing WF attacks have significant limitations in real-world scenarios due to potential mismatches between the data distribution in the experimental environment and that of the real world. Additionally, it is often unknown in advance which sites a client will access. In this paper, we propose a WF enhancing technique that leverages difficult-to-classify samples to train a website classifier, which exploits hard samples to train a website classifier using their distinctive features. We conduct a more detailed analysis of the impact that unbalanced data on WF attacks. In order to improve the performance, we extract misclassified traces from the unmonitored sites as the hard samples and train them using a triplet network structure to enhance their feature representation. By utilizing this method, an attacker can train a classifier that learns more features from the open world, potentially improving the accuracy and effectiveness of website fingerprinting techniques. This approach allows for a more comprehensive understanding of website characteristics and better discrimination between monitored and unmonitored sites. The experimental results demonstrate that the proposed technique has a substantial positive impact on the precision of misidentified traffic traces. The best recall rate achieved is 98.43%, while the average recall for hard samples is an impressive 93.28%. These results collectively highlight the effectiveness and reliability of the proposed technique in accurately identifying challenging traffic samples.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Yuwen Qian,Guodong Huang,Chuan Ma,Ming Ding,Long Yuan,Zi Chen,Kai Wang

DOI: https://doi.org/10.1109/tifs.2024.3432404

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The act of website fingerprinting, which involves monitoring traffic features to infer private user information, has attracted much attention in the research community recently. While previous studies primarily focused on classifying fingerprint information using clean traffic data, it remains a challenging task to apply fingerprinting to noisy traffic data or evade defensive measures. This work aims to address the challenges associated with website fingerprinting attacks and defense strategies in the presence of noise. Specifically, we introduce two novel attack methods: filter-assisted attack and augmentation-assisted attack. The first attack method leverages packet size distribution to effectively filter out noise, while the second one trains a classification model by incorporating artificial noise. Compared with the traditional website fingerprinting attacks, these proposed attack methods demonstrate superior resilience to noise and exceptional evasion capabilities against defensive measures (e.g., random packet defense, Walkie-Talkie, WTF-PAD, etc.). In parallel, we propose a list-assisted defense strategy that strikes a balance between defense performance and network overhead. This defense mechanism offers effective protection against website fingerprinting attacks while minimizing the impact on network performance. In our experiments, we employ a comprehensive dataset encompassing TCP/IP traffic with packet size information collected from three prominent web browsers, as well as Tor cell traffic without packet size information obtained from a Tor browser. We thoroughly evaluate our proposed methods in both closed-world and open-world scenarios. Our experimental results shed valuable insights into the influence of noise and the efficacy of different attack and defense approaches on website fingerprinting.

Yixiao Xu,Tao Wang,Qi Li,Qingyuan Gong,Yang Chen,Yong Jiang

DOI: https://doi.org/10.1145/3274694.3274697

2018-01-01

Abstract:In a Website Fingerprinting (WF) attack, a local, passive eavesdropper utilizes network flow information to identify which web pages a user is browsing. Previous researchers have extensively demonstrated the feasibility and effectiveness of WF, but only under the strong Single Page Assumption: the network flow extracted by the adversary always belongs to a single page. In other words, the WF classifier will never be asked to classify a network flow corresponding to more than one page, or part of a page. The Single Page Assumption is unrealistic because people often browse with multiple tabs. When this happens, the network flow induced by multiple tabs will overlap, and current WF attacks fail to classify correctly. Our work demonstrates the feasibility of WF with the relaxed Single Page Assumption: we can attack a client who visits more than one pages simultaneously. We propose a multi-tab website fingerprinting attack that can accurately classify multi-tab web pages if they are requested and sequentially loaded over a short period of time. In particular, we develop a new BalanceCascade-XGBoost scheme for an attacker to identify the start point of the second page such that the attacker can accurately classify and identify these multi-tab pages. By developing a new classifier, we only use a small chunk of packets, i.e., packets between the first page's start time to the second page's start time, to fingerprint website. Our experiments demonstrate that in the multi-tab scenario, WF attacks are still practically effective. We have an average TPR of 92.58% on SSH, and we can also averagely identify the page with a TPR of 64.94% on Tor. Specially, compared with previous WF classifiers, our attack achieves a significantly higher true positive rate using a restricted chunk of packets.

Meng Shen,Kexin Ji,Jinhe Wu,Qi Li,Xiangdong Kong,Ke Xu,Liehuang Zhu

DOI: https://doi.org/10.1109/sp54263.2024.00247

2024-01-01

Abstract:Website Fingerprinting (WF) attacks significantly threaten user privacy in anonymity networks such as Tor. While numerous defenses have been proposed, they are unable to efficiently defend against recent deep learning based WF attacks. In this paper, we propose Palette, a novel and practical WF defense that utilizes traffic cluster anonymization to protect live Tor traffic. By clustering websites with high similarity in traffic patterns and regulating them into a well-designed uniform pattern for a cluster (i.e., a group of similar websites), Palette prevents attackers from distinguishing between these similar websites within the cluster and further provides a strong anonymity guarantee. Comprehensive evaluations with public real-world datasets show that Palette is superior to the existing defenses, greatly reducing the accuracy of the state-of-the-art (SOTA) WF attacks with acceptable overheads. Furthermore, we implement Palette as a Pluggable Transport in the Tor network. The experiment results demonstrate that, on average, Palette effectively reduces the accuracy of the SOTA WF attacks by 73.60%, which improves the existing defenses by 33.50%-43.47%.

Alireza Bahramali,Ardavan Bozorgi,Amir Houmansadr

2023-09-19

Abstract:Website Fingerprinting (WF) is considered a major threat to the anonymity of Tor users (and other anonymity systems). While state-of-the-art WF techniques have claimed high attack accuracies, e.g., by leveraging Deep Neural Networks (DNN), several recent works have questioned the practicality of such WF attacks in the real world due to the assumptions made in the design and evaluation of these attacks. In this work, we argue that such impracticality issues are mainly due to the attacker's inability in collecting training data in comprehensive network conditions, e.g., a WF classifier may be trained only on samples collected on specific high-bandwidth network links but deployed on connections with different network conditions. We show that augmenting network traces can enhance the performance of WF classifiers in unobserved network conditions. Specifically, we introduce NetAugment, an augmentation technique tailored to the specifications of Tor traces. We instantiate NetAugment through semi-supervised and self-supervised learning techniques. Our extensive open-world and close-world experiments demonstrate that under practical evaluation settings, our WF attacks provide superior performances compared to the state-of-the-art; this is due to their use of augmented network traces for training, which allows them to learn the features of target traffic in unobserved settings. For instance, with a 5-shot learning in a closed-world scenario, our self-supervised WF attack (named NetCLR) reaches up to 80% accuracy when the traces for evaluation are collected in a setting unobserved by the WF adversary. This is compared to an accuracy of 64.4% achieved by the state-of-the-art Triplet Fingerprinting [35]. We believe that the promising results of our work can encourage the use of network trace augmentation in other types of network traffic analysis.

Cryptography and Security,Machine Learning

Haoyu Yin,Yingjian Liu,Zhongwen Guo,Yu Wang

DOI: https://doi.org/10.26599/tst.2024.9010073

2024-12-11

Tsinghua Science & Technology

Abstract:Recent advancements in deep learning (DL) have introduced new security challenges in the form of side-channel attacks. A prime example is the website fingerprinting attack (WFA), which targets anonymity networks like Tor, enabling attackers to unveil users' protected browsing activities from traffic data. While state-of-the-art WFAs have achieved remarkable results, they often rely on unrealistic single-website assumptions. In this paper, we undertake an exhaustive exploration of multi-tab website fingerprinting attacks (MTWFAs) in more realistic scenarios. We delve into MTWFAs and introduce MTWFA-SEG, a task involving the fine-grained packet-level classification within multi-tab Tor traffic. By employing deep learning models, we reveal their potential to threaten user privacy by discerning visited websites and browsing session timing. We design an improved fully convolutional model for MTWFA-SEG, which are enhanced by both network architecture advances and traffic data instincts. In the evaluations on interlocking browsing datasets, the proposed models achieve remarkable accuracy rates of over 68.6%, 71.8%, and 76.1% in closed, imbalanced open, and balanced open-world settings, respectively. Furthermore, the proposed models exhibit substantial robustness across diverse train-test settings. We further validate our designs in a coarse-grained task, MTWFA-MultiLabel, where they not only achieve state-of-the-art performance but also demonstrate high robustness in challenging situations.

computer science, information systems,engineering, electrical & electronic, software engineering

Guanlin Li,Yifei Chen,Jie Zhang,Jiwei Li,Shangwei Guo,Tianwei Zhang

DOI: https://doi.org/10.48550/arxiv.2310.07726

2023-01-01

Abstract:AI-Generated Content (AIGC) is gaining great popularity, with many emerging commercial services and applications. These services leverage advanced generative models, such as latent diffusion models and large language models, to generate creative content (e.g., realistic images and fluent sentences) for users. The usage of such generated content needs to be highly regulated, as the service providers need to ensure the users do not violate the usage policies (e.g., abuse for commercialization, generating and distributing unsafe content). A promising solution to achieve this goal is watermarking, which adds unique and imperceptible watermarks on the content for service verification and attribution. Numerous watermarking approaches have been proposed recently. However, in this paper, we show that an adversary can easily break these watermarking mechanisms. Specifically, we consider two possible attacks. (1) Watermark removal: the adversary can easily erase the embedded watermark from the generated content and then use it freely bypassing the regulation of the service provider. (2) Watermark forging: the adversary can create illegal content with forged watermarks from another user, causing the service provider to make wrong attributions. We propose Warfare, a unified methodology to achieve both attacks in a holistic way. The key idea is to leverage a pre-trained diffusion model for content processing and a generative adversarial network for watermark removal or forging. We evaluate Warfare on different datasets and embedding setups. The results prove that it can achieve high success rates while maintaining the quality of the generated content. Compared to existing diffusion model-based attacks, Warfare is 5,050~11,000x faster.

Xinhao Deng,Qilei Yin,Zhuotao Liu,Xiyuan Zhao,Qi Li,Mingwei Xu,Ke Xu,Jianping Wu

DOI: https://doi.org/10.1109/SP46215.2023.10179464

2023-01-01

Abstract:Website fingerprinting enables an eavesdropper to determine which websites a user is visiting over an encrypted connection. State-of-the-art website fingerprinting (WF) attacks have demonstrated effectiveness even against Tor-protected network traffic. However, existing WF attacks have critical limitations on accurately identifying websites in multi-tab browsing sessions, where the holistic pattern of individual websites is no longer preserved, and the number of tabs opened by a client is unknown a priori. In this paper, we propose ARES, a novel WF framework natively designed for multi-tab WF attacks. ARES formulates the multi-tab attack as a multi-label classification problem and solves it using a multi-classifier framework. Each classifier, designed based on a novel transformer model, identifies a specific website using its local patterns extracted from multiple traffic segments. We implement a prototype of ARES and extensively evaluate its effectiveness using our large-scale dataset collected over multiple months (by far the largest multi-tab WF dataset studied in academic papers.) The experimental results illustrate that ARES effectively achieves the multi-tab WF attack with the best F1-score of 0.907. Further, ARES remains robust even against various WF defenses.

Haoyu Yin,Yingjian Liu,Yue Li,Zhongwen Guo,Yu Wang

DOI: https://doi.org/10.1016/j.jnca.2023.103733

IF: 7.574

2023-11-01

Journal of Network and Computer Applications

Abstract:Deep learning (DL) technologies bring new threats to network security. Website fingerprinting attacks (WFA) using DL models can distinguish victim’s browsing activities protected by anonymity technologies. Unfortunately, traditional countermeasures (website fingerprinting defenses, WFD) fail to preserve privacy against DL models. In this paper, we apply adversarial example technology to implement new WFD with static analyzing (SA) and dynamic perturbation (DP) settings. Although DP setting is close to a real-world scenario, its supervisions are almost unavailable due to the uncertainty of upcoming traffics and the difficulty of dependency analysis over time. SA setting relaxes the real-time constraints in order to implement WFD under a supervised learning perspective. We propose Greedy Injection Attack (GIA), a novel adversarial method for WFD under SA setting based on zero-injection vulnerability test. Furthermore, Sniper is proposed to mitigate the computational cost by using a DL model to approximate zero-injection test. FCNSniper and RNNSniper are designed for SA and DP settings respectively. Experiments show that FCNSniper decreases classification accuracy of the state-of-the-art WFA model by 96.57% with only 2.29% bandwidth overhead. The learned knowledge can be efficiently transferred into RNNSniper. As an indirect adversarial example attack approach, FCNSniper can be well generalized to different target WFA models and datasets without suffering fatal failures from adversarial training.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Chuxu Song,Zining Fan,Hao Wang,Richard Martin

2024-07-28

Abstract:Website fingerprinting (WF) attacks identify the websites visited over anonymized connections by analyzing patterns in network traffic flows, such as packet sizes, directions, or interval times using a machine learning classifier. Previous studies showed WF attacks achieve high classification accuracy. However, several issues call into question whether existing WF approaches are realizable in practice and thus motivate a re-exploration. Due to Tor's performance issues and resulting poor browsing experience, the vast majority of users opt for Virtual Private Networking (VPN) despite VPNs weaker privacy protections. Many other past assumptions are increasingly unrealistic as web technology advances. Our work addresses several key limitations of prior art. First, we introduce a new approach that classifies entire websites rather than individual web pages. Site-level classification uses traffic from all site components, including advertisements, multimedia, and single-page applications. Second, our Convolutional Neural Network (CNN) uses only the jitter and size of 500 contiguous packets from any point in a TCP stream, in contrast to prior work requiring heuristics to find page boundaries. Our seamless approach makes eavesdropper attack models realistic. Using traces from a controlled browser, we show our CNN matches observed traffic to a website with over 90% accuracy. We found the training traffic quality is critical as classification accuracy is significantly reduced when the training data lacks variability in network location, performance, and clients' computational capability. We enhanced the base CNN's efficacy using domain adaptation, allowing it to discount irrelevant features, such as network location. Lastly, we evaluate several defensive strategies against seamless WF attacks.

Cryptography and Security

Jiajun Gong,Wuqi Zhang,Charles Zhang,Tao Wang

DOI: https://doi.org/10.1109/tifs.2023.3327662

IF: 7.231

2023-12-08

IEEE Transactions on Information Forensics and Security

Abstract:Tor, an onion-routing anonymity network, can be attacked by Website Fingerprinting (WF), which de-anonymizes encrypted web browsing traffic by analyzing its unique sequence characteristics. Although many defenses have been proposed, few have been implemented and tested in the real world; most state-of-the-art defenses were only simulated. Simulations fail to capture the real performance of these defenses as they make simplifying assumptions about the protocol stack and network conditions. To allow WF defenses to be analyzed as real implementations, we create WFDefProxy, the first general platform for WF defense implementation on Tor as pluggable transports. We implement three state-of-the-art WF defenses: FRONT, Tamaraw, and RegulaTor. We evaluate each defense extensively by directly collecting defended datasets under WFDefProxy. Our results show that simulation can be inaccurate in many cases. Specifically, Tamaraw's time overhead was underestimated by 22% in one setting and overestimated by 24% in another. RegulaTor's time overhead was underestimated by 30–40%. We find that a major source of simulation inaccuracy is that they cannot incorporate how packets depend on each other. We also find that adverse network conditions (which are ignored in simulation), especially congestion, can affect the evaluated overhead of defenses. These results show that it is important to evaluate defenses as implementations instead of only simulations to avoid errors in evaluation.

computer science, theory & methods,engineering, electrical & electronic

Jiawei Zhao,Lizhe Xie,Yuning Zhang,Siqi Gu,Zheng Wang,Yining Hu

DOI: https://doi.org/10.2139/ssrn.4850545

2024-01-01

Abstract:Deep Neural Networks (DNNs) have been shown to be vulnerable to adversarial examples. The existence of adversarial examples significantly hinders the development of deep learning technologies in domains with high-security requirements. However, current defense methods often lack universality, being effective only against specific adversarial attacks. This study focuses on analyzing adversarial examples through changes in model attention, classifying attack algorithms into attention-shifting and attention-attenuation categories. To counter attention-shifting attacks, a defense module named Feature Pyramid-based Attention Space-guided (FPAS) is proposed, which spatially retracts the shifting attention in adversarial examples, thereby enhancing the model's overall defense capability. Attention-based Non-Local (ANL) is a proposed defense module to counter attention-attenuation attacks. This module enhances the model's focus on critical features, efficiently constructing a robust defense model with low implementation cost and minimal intrusion into the original model. By integrating FPAS and ANL into the Wide-ResNet model within a boosting framework, the study demonstrates their synergistic defense capability. Even with eight adversarial samples embedded with adversarial patches, our FPAS_at and ANL_at models demonstrated significant improvements over the baseline, enhancing the average defense rate by 5.47% and 7.74%, respectively. Extensive experiments confirm that this universal defense strategy offers comprehensive protection against adversarial attacks at a lower implementation cost compared to current mainstream defense methods, while also being adaptable for integration with existing defense strategies to further enhance adversarial robustness.

Shawn Shan,Arjun Nitin Bhagoji,Haitao Zheng,Ben Y. Zhao

DOI: https://doi.org/10.48550/arXiv.2102.04291

2021-02-08

Abstract:Anonymity systems like Tor are vulnerable to Website Fingerprinting (WF) attacks, where a local passive eavesdropper infers the victim's activity. Current WF attacks based on deep learning classifiers have successfully overcome numerous proposed defenses. While recent defenses leveraging adversarial examples offer promise, these adversarial examples can only be computed after the network session has concluded, thus offer users little protection in practical settings. We propose Dolos, a system that modifies user network traffic in real time to successfully evade WF attacks. Dolos injects dummy packets into traffic traces by computing input-agnostic adversarial patches that disrupt deep learning classifiers used in WF attacks. Patches are then applied to alter and protect user traffic in real time. Importantly, these patches are parameterized by a user-side secret, ensuring that attackers cannot use adversarial training to defeat Dolos. We experimentally demonstrate that Dolos provides 94+% protection against state-of-the-art WF attacks under a variety of settings. Against prior defenses, Dolos outperforms in terms of higher protection performance and lower information leakage and bandwidth overhead. Finally, we show that Dolos is robust against a variety of adaptive countermeasures to detect or disrupt the defense.

Cryptography and Security

Yanbin Wang,Haitao Xu,Zhenhao Guo,Zhan Qin,Kui Ren

DOI: https://doi.org/10.1109/TIFS.2022.3158086

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The website fingerprinting (WF) attack enables a local eavesdropper to identify which website a client is visiting under encrypted network connections. By leveraging deep neural networks, the state-of-the-art WF attacks achieve high accuracy in classic experimental scenes. However, due to the high variance of neural networks, those attacks are sensitive to the specific information in the data and would result in less-than-ideal performance on data outside the training set or on data that is impacted by the effect of concept drift. In this paper, we present snWF, a novelWF attack, which leverages an out-of-the ordinary ensemble to reduce the variance of neural networks and improve the robustness of the attack. In a large open-world setting with 400,000 websites, snWF manages to determine whether a user is visiting a monitored website, with a true positive rate of 98.1% and a false positive rate of 5.7%. We also evaluated snWF in a more realistic attack scenario, termed as <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">wide-world</i> , to examine whether snWF can correctly classify websites that even an adversary has not seen before, and we found that snWF achieves a higher classification accuracy than the state-of-the-art attacks in this new setting. In addition, in the face of concept drift, snWF is found to be more resilient than any other attacks. Moreover, we are the first to reveal that under concept drift WF attacks suffer more severe performance degradation in a <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">open-world</i> setting than in a <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">closed-world</i> setting.