Junchi Xing,Chunming Wu

DOI: https://doi.org/10.1109/INFOCOMWKSHPS50562.2020.9162940

2020-01-01

Abstract:The widely used encryption of network traffic poses a great challenge to anomaly detection. Currently, the supervised and semi-supervised solutions suffer from the problems of noisy label of data, non-stationary traffic distribution, and huge resource consumption for offline training. To address this, in this paper, we present an unsupervised, robust, and online anomaly detection method for encrypted traffic by using deep dictionary learning, called D2LAD. D2LAD offers the potential to extract sequential features from raw encrypted traffic data with the help of an LSTM-based autoencoder. Then, according to the sequential features, D2LAD is able to explore the hidden normal patterns by iterative deep dictionary learning. Eventually, D2LAD can obtain the anomaly score of raw data by calculating its relevance to the deep dictionary. We implement a prototype of D2LAD and evaluate its effectiveness and performance by experiments using realistic datasets. The experimental results show that our method achieves high accuracy and low resource usage, and outperforms the representative state-of-the-art methods in real-world settings.

Meng Shen,Yiting Liu,Liehuang Zhu,Xiaojiang Du,Jiankun Hu

DOI: https://doi.org/10.1109/tifs.2020.3046876

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Encrypted web traffic can reveal sensitive information of users, such as their browsing behaviors. Existing studies on encrypted traffic analysis focus on website fingerprinting. We claim that fine-grained webpage fingerprinting, which speculates specific webpages on a same website visited by a victim, allows exploiting more user private information, e.g., shopping interests in an online shopping mall. Since webpages from the same website usually have very similar traffic traces that make them indistinguishable, existing solutions may end up with low accuracy. In this paper, we propose FineWP, a novel fine-grained webpage fingerprinting method. We make an observation that the length information of packets in bidirectional client-server interactions can be distinctive features for webpage fingerprinting. The extracted features are then fed into traditional machine learning models to train classifiers, which achieve both high accuracy and low training overhead. We collect two real-world traffic datasets and construct closed- and open-world evaluations to verify the effectiveness of FineWP. The experimental results demonstrate that FineWP is superior to the state-of-the-art methods in terms of accuracy, time complexity and stability.

computer science, theory & methods,engineering, electrical & electronic

Meng Shen,Zhenbo Gao,Liehuang Zhu,Ke Xu

DOI: https://doi.org/10.1109/iwqos52092.2021.9521272

2021-01-01

Abstract:Fine-grained website fingerprinting (WF) enables potential attackers to infer individual webpages on a monitored website that victims are visiting, by analyzing the resulting traffic protected by security protocols such as TLS. Most existing studies focus on WF at the granularity of website, which takes website homepages as their representatives for fingerprinting. Fine-grained WF can reveal more user privacy, such as online purchasing habits and video-viewing interests, and can also be employed for web censorship. Due to striking similarly of webpages on a same website, it is still an open problem to conduct fine-grained WF in an accurate and time-efficient way.In this paper, we propose BurNet, a fine-grained WF method using Convolutional Neural Networks (CNNs). To extract differences of similar webpages, we propose a new concept named unidirectional burst, which is a sequence of packets corresponding to a piece of HTTP message. BurNet takes as input unidirectional burst sequences, instead of bidirectional packet sequences, which makes it applicable to local and remote attack scenarios. BurNet employs CNNs to build a powerful classifier, where sophisticated architecture is designed to improve classification accuracy while reducing time complexity in training. We collect real-world datasets from two well-known websites and conduct extensive experiments to evaluate the performance of BurNet. The closed-world evaluation results show that BurNet outperforms the state-of-the-art methods in both attack scenarios. In the more realistic open-world setting, BurNet can achieve 0.99 precision and 0.99 recall. BurNet is also superior to its CNN-based counterparts in terms of training efficiency.

Xueqin Zhang,Min Zhao,Jiyuan Wang,Shuang Li,Yue Zhou,Shinan Zhu

DOI: https://doi.org/10.3390/electronics11070977

IF: 2.9

2022-03-22

Electronics

Abstract:The SSL/TLS protocol is widely used in data encryption transmission. Aiming at the problem of detecting SSL/TLS-encrypted malicious traffic with small-scale and unbalanced training data, a deep-forest-based detection method called DF-IDS is proposed in this paper. According to the characteristics of SSL/TSL protocol, the network traffic was split into sessions according to the 5-tuple information. Each session was then transformed into a two-dimensional traffic image as the input of a deep-learning classifier. In order to avoid information loss and improve the detection efficiency, the multi-grained cascade forest (gcForest) framework was simplified with only cascade structure, which was named cascade forest (CaForest). By integrating random forest and extra trees in the CaForest framework, an end-to-end high-precision detector for small-scale and unbalanced SSL/TSL encrypted malicious traffic was realized. Compared with other deep-learning-based methods, the experimental results showed that the detection rate of DF-IDS was 6.87% to 29.5% higher than that of other methods on a small-scale and unbalanced dataset. The advantage of DF-IDS was more obvious in the multi-classification case.

engineering, electrical & electronic,computer science, information systems,physics, applied

Zihao Wang,Vrizlynn L. L. Thing

DOI: https://doi.org/10.1016/j.cose.2023.103143

2023-04-07

Abstract:The popularity of encryption mechanisms poses a great challenge to malicious traffic detection. The reason is traditional detection techniques cannot work without the decryption of encrypted traffic. Currently, research on encrypted malicious traffic detection without decryption has focused on feature extraction and the choice of machine learning or deep learning algorithms. In this paper, we first provide an in-depth analysis of traffic features and compare different state-of-the-art traffic feature creation approaches, while proposing a novel concept for encrypted traffic feature which is specifically designed for encrypted malicious traffic analysis. In addition, we propose a framework for encrypted malicious traffic detection. The framework is a two-layer detection framework which consists of both deep learning and traditional machine learning algorithms. Through comparative experiments, it outperforms classical deep learning and traditional machine learning algorithms, such as ResNet and Random Forest. Moreover, to provide sufficient training data for the deep learning model, we also curate a dataset composed entirely of public datasets. The composed dataset is more comprehensive than using any public dataset alone. Lastly, we discuss the future directions of this research.

Cryptography and Security,Artificial Intelligence,Machine Learning

Zhuoxue Song,Ziming Zhao,Fan Zhang,Gang Xiong,Guang Cheng,Xinjie Zhao,Shize Guo,Binbin Chen

DOI: https://doi.org/10.1109/tdsc.2023.3245411

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Traffic classification occupies a significant role in cybersecurity and network management. The widespread of encryption transmission protocols such as SSL/TLS has led to the dominance of deep learning based approaches. In cybersecurity, strong adversaries often complicate their strategies by constantly developing emerging attacks. Meanwhile, security practitioners desire to grasp the reasons for inference results. However, existing deep learning approaches lack efficient adaptation for incremental traffic types and often have less interpretability. In this paper, we propose I $^{2}$ RNN, an Incremental and Interpretable Recurrent Neural Network for encrypted traffic classification. The I $^{2}$ RNN proposes a novel propagation process to extract the sequence fingerprints from sessions with local robustness. Meanwhile, this proposal provides interpretability including time-series feature attribution and inter-class similarity portrait. Moreover, we design I $^{2}$ RNN in an incremental manner to adapt to emerging traffic types. The I $^{2}$ RNN only needs to train an additional set of parameters for the newly added traffic type rather than retraining the whole model with the entire dataset. Extensive experimental results show that our I $^{2}$ RNN can achieve remarkable performance in traffic classification, incremental learning, and model interpretability. Compared with other local interpretability methods, our I $^{2}$ RNN exhibits excellent stability, robustness, and effectiveness in the interpretation of network traffic data.

Se Eun Oh,Saikrishna Sunkam,Nicholas Hopper

DOI: https://doi.org/10.48550/arXiv.1711.03656

2017-11-10

Cryptography and Security

Abstract:Recent advances in learning Deep Neural Network (DNN) architectures have received a great deal of attention due to their ability to outperform state-of-the-art classifiers across a wide range of applications, with little or no feature engineering. In this paper, we broadly study the applicability of deep learning to website fingerprinting. We show that unsupervised DNNs can be used to extract low-dimensional feature vectors that improve the performance of state-of-the-art website fingerprinting attacks. When used as classifiers, we show that they can match or exceed performance of existing attacks across a range of application scenarios, including fingerprinting Tor website traces, fingerprinting search engine queries over Tor, defeating fingerprinting defenses, and fingerprinting TLS-encrypted websites. Finally, we show that DNNs can be used to predict the fingerprintability of a website based on its contents, achieving 99% accuracy on a data set of 4500 website downloads.

Liming Lu,Ee-Chien Chang,Mun Choon Chan

DOI: https://doi.org/10.1007/978-3-642-15497-3_13

2010-01-01

Abstract:We consider website fingerprinting over encrypted and proxied channel. It has been shown that information on packet sizes is sufficient to achieve good identification accuracy. Recently, traffic morphing [1] was proposed to thwart website fingerprinting by changing the packet size distribution so as to mimic sonic other website, while minimizing bandwidth overhead. In this paper, we point out that packet ordering information, though noisy, can be utilized to enhance website fingerprinting. In addition, traces of the ordering information remain even under traffic rnorphing and they can be extracted for identification. When web access is performed over OpenSSH and 2000 profiled websites, the identification accuracy of our scheme reaches 81%, which is 11% better than Liberatore and Levine's scheme presented in CCS'06 [2]. We are able to identify 78% of the morphed traffic among 2000 websites while Liberatore and Levine's scheme identifies only 52%. Our analysis suggests that an effective countermeasure to website fingerprinting should not; only hide the packet size distribution, but also aggressively remove the ordering information.

Tiantian Zhang,Dongyang Xu,Pinyi Ren,Keping Yu,Mohsen Guizani

DOI: https://doi.org/10.1109/tvt.2023.3316639

IF: 6.8

2024-01-01

IEEE Transactions on Vehicular Technology

Abstract:The rapid advancement of the Internet of Things (IoT) and intelligent vehicle networks has led to the widespread deployment of massive long-range (LoRa) nodes. These nodes play a crucial role in facilitating the sharing of critical information towards various vehicles. However, a significant challenge that persists is the secure authentication of LoRa. Recently, radio frequency fingerprinting (RFF) emerges as a robust potential solution, offering both rapid and scalable identification capabilities. By harnessing machine learning (ML) techniques, the inherent hardware-level, unique, and resilient features of RFF can be throughly explored. Given the inherent non-identical (heterogeneity) of LoRa networks and the non-stationary characteristics of chirp signals, conventional approaches prove inadequate in effectively capturing the RFF features. To surmount these challenges, a novel scheme termed as “deep federated learning network (DFLNet)” is proposed. DFLNet facilitates distributed RFF learning while ensuring privacy preservation within diverse LoRa networks. Addressing the heterogeneity of datasets, we incorporate an adaptive optimizer that contributes to the efficient convergence improvement. The DFLNet adeptly manages computational demands and privacy concerns through the utilization of mobile edge computing (MEC) servers, thus enabling distributed learning. Empirical evaluations substantiate the efficacy of DFLNet, attaining an impressive identification accuracy of up to approximately 96.7% utilizing merely around 5000 samples per client, while concurrently ensuring a robust privacy preservation.

Bo Gao,Weiwei Liu,Guangjie Liu,Fengyuan Nie

DOI: https://doi.org/10.1109/tccn.2024.3350531

IF: 6.359

2024-01-01

IEEE Transactions on Cognitive Communications and Networking

Abstract:Website fingerprinting (WF) attacks play a crucial role in network traffic analysis for ensuring network security and management. Despite increasing TLS encryption for user privacy, HTTP traffic dominates phishing and pirate website. Fast flux service networks, round robin domain name system, and content delivery networks have rendered IP address or domain name-based WF attacks less effective. Manual feature-based machine learning and recent end-to-end deep learning methods have showed promise. Nevertheless, website content updates induce concept-drift, limiting their accuracy. This study exploits the fact that resource types and website layouts are usually consistent, whereas specific resources are dynamically changing. The resource knowledge extracted from HTTP request packets is utilized to construct a graph representation of website browsing traffic. Then, a heterogeneous graph neural network specifically designed for website fingerprinting using this representation is proposed. This resource knowledge-driven graph learning framework can retain valuable pattern information while mitigating the impact of the concept-drift. The proposed WF attack is evaluated using a real-world dataset comprising over 120,000 malicious and more than 940,000 benign website flows. It can achieve over 98% accuracy when determining benign-malicious websites and 97.6% in identifying website types. These results demonstrate a notable improvement over state-of-the-art WF attacks.

telecommunications

Vera Rimmer,Davy Preuveneers,Marc Juarez,Tom Van Goethem,Wouter Joosen

DOI: https://doi.org/10.14722/ndss.2018.23105

2017-12-06

Abstract:Several studies have shown that the network traffic that is generated by a visit to a website over Tor reveals information specific to the website through the timing and sizes of network packets. By capturing traffic traces between users and their Tor entry guard, a network eavesdropper can leverage this meta-data to reveal which website Tor users are visiting. The success of such attacks heavily depends on the particular set of traffic features that are used to construct the fingerprint. Typically, these features are manually engineered and, as such, any change introduced to the Tor network can render these carefully constructed features ineffective. In this paper, we show that an adversary can automate the feature engineering process, and thus automatically deanonymize Tor traffic by applying our novel method based on deep learning. We collect a dataset comprised of more than three million network traces, which is the largest dataset of web traffic ever used for website fingerprinting, and find that the performance achieved by our deep learning approaches is comparable to known methods which include various research efforts spanning over multiple years. The obtained success rate exceeds 96% for a closed world of 100 websites and 94% for our biggest closed world of 900 classes. In our open world evaluation, the most performant deep learning model is 2% more accurate than the state-of-the-art attack. Furthermore, we show that the implicit features automatically learned by our approach are far more resilient to dynamic changes of web content over time. We conclude that the ability to automatically construct the most relevant traffic features and perform accurate traffic recognition makes our deep learning based approach an efficient, flexible and robust technique for website fingerprinting.

Cryptography and Security,Machine Learning

Chuxu Song,Zining Fan,Hao Wang,Richard Martin

2024-07-28

Abstract:Website fingerprinting (WF) attacks identify the websites visited over anonymized connections by analyzing patterns in network traffic flows, such as packet sizes, directions, or interval times using a machine learning classifier. Previous studies showed WF attacks achieve high classification accuracy. However, several issues call into question whether existing WF approaches are realizable in practice and thus motivate a re-exploration. Due to Tor's performance issues and resulting poor browsing experience, the vast majority of users opt for Virtual Private Networking (VPN) despite VPNs weaker privacy protections. Many other past assumptions are increasingly unrealistic as web technology advances. Our work addresses several key limitations of prior art. First, we introduce a new approach that classifies entire websites rather than individual web pages. Site-level classification uses traffic from all site components, including advertisements, multimedia, and single-page applications. Second, our Convolutional Neural Network (CNN) uses only the jitter and size of 500 contiguous packets from any point in a TCP stream, in contrast to prior work requiring heuristics to find page boundaries. Our seamless approach makes eavesdropper attack models realistic. Using traces from a controlled browser, we show our CNN matches observed traffic to a website with over 90% accuracy. We found the training traffic quality is critical as classification accuracy is significantly reduced when the training data lacks variability in network location, performance, and clients' computational capability. We enhanced the base CNN's efficacy using domain adaptation, allowing it to discount irrelevant features, such as network location. Lastly, we evaluate several defensive strategies against seamless WF attacks.

Cryptography and Security

Zhuoxue Song,Ziming Zhao,Fan Zhang,Gang Xiong,Guang Cheng,Xinjie Zhao,Shize Guo,Binbin Chen

DOI: https://doi.org/10.1109/TDSC.2023.3245411

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Traffic classification occupies a significant role in cybersecurity and network management. The widespread of encryption transmission protocols such as SSL/TLS has led to the dominance of deep learning based approaches. In cybersecurity, strong adversaries often complicate their strategies by constantly developing emerging attacks. Meanwhile, security practitioners desire to grasp the reasons for inference results. However, existing deep learning approaches lack efficient adaptation for incremental traffic types and often have less interpretability. In this paper, we propose I <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$^{2}$</tex-math></inline-formula> RNN, an Incremental and Interpretable Recurrent Neural Network for encrypted traffic classification. The I <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$^{2}$</tex-math></inline-formula> RNN proposes a novel propagation process to extract the sequence fingerprints from sessions with local robustness. Meanwhile, this proposal provides interpretability including time-series feature attribution and inter-class similarity portrait. Moreover, we design I <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$^{2}$</tex-math></inline-formula> RNN in an incremental manner to adapt to emerging traffic types. The I <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$^{2}$</tex-math></inline-formula> RNN only needs to train an additional set of parameters for the newly added traffic type rather than retraining the whole model with the entire dataset. Extensive experimental results show that our I <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$^{2}$</tex-math></inline-formula> RNN can achieve remarkable performance in traffic classification, incremental learning, and model interpretability. Compared with other local interpretability methods, our I <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$^{2}$</tex-math></inline-formula> RNN exhibits excellent stability, robustness, and effectiveness in the interpretation of network traffic data.

Chang Liu,Gang Xiong,Gaopeng Gou,Siu-Ming Yiu,Zhen Li,Zhihong Tian

DOI: https://doi.org/10.1007/s11280-021-00940-0

2021-10-07

World Wide Web

Abstract:With the rapid development of Internet, network management and monitoring face a number of challenges, one of which is traffic classification. Meanwhile, SSL/TLS protocols are extensively used to encrypt the communication payloads, which makes traditional rule-based classification methods not applicable. Without fingerprints of sufficient distinguishing power, other existing methods cannot achieve satisfactory performances on encrypted traffic classification. In this paper, we focus on SSL/TLS encrypted traffic, and propose the Adaptive Fingerprint with Multi-level Attributes (AFMA) to classify them. AFMA combines field-level and sequence-level attributes to tackle encrypted traffic classification problem. Specifically, the distribution of server-to-client ciphersuites on applications is first imported to characterize application preferences. Moreover, besides message type sequences, length block sequences are especially designed to highlight the differences in application fingerprints. In addition, AFMA can adaptively learn the distributions for constructing the fingerprint by analyzing the overall statistics of the applications. The performance of AFMA was verified on a real-world dataset of a campus network (with 956,000+ SSL/TLS traffic flows for 18 popular applications). Our experiments show that AFMA could achieve a true positive rate of up to 99.46% and a false positive rate as low as 0.03%, which outperforms the state-of-the-art methods and our previous method.

Fengrui Xiao,Feng Yang,Shuangwu Chen,Jian Yang

DOI: https://doi.org/10.1007/978-3-030-94029-4_1

2022-01-01

Abstract:Nowadays, network traffic detection plays a very important role in protecting cyberspace security, and more and more applications realize data privacy protection through encryption technology. Regular expression matching based methods, such as deep packet inspection that relies on plaintext traffic cannot be applied to detecting encrypted random communication content, and the existing detecting methods based on time-series features often ignore the encryption protocol features. In this work, we design an ensemble learning system based on stack algorithms to identify encrypted malicious traffic, which can detect the interactive behavior and the encryption protocols simultaneously. In detail, we construct a deep learning classifier based on Long Short-Term Memory (LSTM) for time-series features, and a machine learning classifier based on random forests for encryption protocol features. Then, we use the stacking algorithm in ensemble learning to combine them to form a new classifier. Finally, relying on the Datacon2020 dataset, extensive experiments are conducted. The experimental results indicate that the proposed method improves the detection rate of encrypted malicious traffic while keeping a low false positive rate.

Xinhao Deng,Qi Li,Ke Xu

2024-07-01

Abstract:Website Fingerprinting (WF) attacks identify the websites visited by users by performing traffic analysis, compromising user privacy. Particularly, DL-based WF attacks demonstrate impressive attack performance. However, the effectiveness of DL-based WF attacks relies on the collected complete and pure traffic during the page loading, which impacts the practicality of these attacks. The WF performance is rather low under dynamic network conditions and various WF defenses, particularly when the analyzed traffic is only a small part of the complete traffic. In this paper, we propose Holmes, a robust and reliable early-stage WF attack. Holmes utilizes temporal and spatial distribution analysis of website traffic to effectively identify websites in the early stages of page loading. Specifically, Holmes develops adaptive data augmentation based on the temporal distribution of website traffic and utilizes a supervised contrastive learning method to extract the correlations between the early-stage traffic and the pre-collected complete traffic. Holmes accurately identifies traffic in the early stages of page loading by computing the correlation of the traffic with the spatial distribution information, which ensures robust and reliable detection according to early-stage traffic. We extensively evaluate Holmes using six datasets. Compared to nine existing DL-based WF attacks, Holmes improves the F1-score of identifying early-stage traffic by an average of 169.18%. Furthermore, we replay the traffic of visiting real-world dark web websites. Holmes successfully identifies dark web websites when the ratio of page loading on average is only 21.71%, with an average precision improvement of 169.36% over the existing WF attacks.

Cryptography and Security,Artificial Intelligence,Machine Learning

Xiyuan Zhao,Xinhao Deng,Qi Li,Yunpeng Liu,Zhuotao Liu,Kun Sun,Ke Xu

2024-09-06

Abstract:Website Fingerprinting (WF) attacks can effectively identify the websites visited by Tor clients via analyzing encrypted traffic patterns. Existing attacks focus on identifying different websites, but their accuracy dramatically decreases when applied to identify fine-grained webpages, especially when distinguishing among different subpages of the same website. WebPage Fingerprinting (WPF) attacks face the challenges of highly similar traffic patterns and a much larger scale of webpages. Furthermore, clients often visit multiple webpages concurrently, increasing the difficulty of extracting the traffic patterns of each webpage from the obfuscated traffic. In this paper, we propose Oscar, a WPF attack based on multi-label metric learning that identifies different webpages from obfuscated traffic by transforming the feature space. Oscar can extract the subtle differences among various webpages, even those with similar traffic patterns. In particular, Oscar combines proxy-based and sample-based metric learning losses to extract webpage features from obfuscated traffic and identify multiple webpages. We prototype Oscar and evaluate its performance using traffic collected from 1,000 monitored webpages and over 9,000 unmonitored webpages in the real world. Oscar demonstrates an 88.6% improvement in the multi-label metric Recall@5 compared to the state-of-the-art attacks.

Cryptography and Security,Artificial Intelligence

Tiantian Zhang,Dongyang Xu,Pinyi Ren

DOI: https://doi.org/10.1109/iwcmc58020.2023.10183171

2023-01-01

Abstract:The rapid development of the Internet of Things (IoT) has highlighted the critical importance of security and privacy in cognitive cities. In this context, radio frequency fingerprinting (RFF) identification has emerged as an excellent authentication scheme that provides intelligent and efficient identification in IoT systems. By leveraging RFF, we can improve the security and privacy of cognitive cities while also enhancing their operational efficiency. The RF nonlinear features are unique and unchanging, operating at the hardware level. This attribute renders them amenable to sufficient learning through convolution neural networks (CNNs), which have demonstrated remarkable identification accuracy. Nonetheless, CNNs suffer from a lack of strong interpretability and necessitate vast quantities of training data. Additionally, the enormous amount of data required for training imposes greater demands on computing resources, which are often inadequate in IoT. Moreover, traditional training schemes employ centralized datasets, which cannot ensure corresponding privacy. More recently, federated learning and fractional wavelet scattering network have been proposed to solve the problems above. To address this issue, we in this paper proposed a deep federated radio fingerprinting based on fractional wavelet scattering network (DFFNet) which can acquire the subtle features from non-stationary signals. The advantage of DFFNet is that the federated learning is applied to achieve privacy preserving during the learning process. Meanwhile, fractional wavelet is suitable for non-stationary signal's features extraction with high interpretability. The representative experiment results demonstrate that hybrid federated framework DFFNet achieve about 99.1% identification accuracy under practical application.

Haoyu Yin,Yingjian Liu,Zhongwen Guo,Yu Wang

DOI: https://doi.org/10.26599/tst.2024.9010073

2024-12-11

Tsinghua Science & Technology

Abstract:Recent advancements in deep learning (DL) have introduced new security challenges in the form of side-channel attacks. A prime example is the website fingerprinting attack (WFA), which targets anonymity networks like Tor, enabling attackers to unveil users' protected browsing activities from traffic data. While state-of-the-art WFAs have achieved remarkable results, they often rely on unrealistic single-website assumptions. In this paper, we undertake an exhaustive exploration of multi-tab website fingerprinting attacks (MTWFAs) in more realistic scenarios. We delve into MTWFAs and introduce MTWFA-SEG, a task involving the fine-grained packet-level classification within multi-tab Tor traffic. By employing deep learning models, we reveal their potential to threaten user privacy by discerning visited websites and browsing session timing. We design an improved fully convolutional model for MTWFA-SEG, which are enhanced by both network architecture advances and traffic data instincts. In the evaluations on interlocking browsing datasets, the proposed models achieve remarkable accuracy rates of over 68.6%, 71.8%, and 76.1% in closed, imbalanced open, and balanced open-world settings, respectively. Furthermore, the proposed models exhibit substantial robustness across diverse train-test settings. We further validate our designs in a coarse-grained task, MTWFA-MultiLabel, where they not only achieve state-of-the-art performance but also demonstrate high robustness in challenging situations.

computer science, information systems,engineering, electrical & electronic, software engineering

Daichong Chao

DOI: https://doi.org/10.1145/3404555.3404590

2020-04-23

Abstract:Malicious encrypted traffic poses great threat to cyber security owing to encryption and the ability to bypass traditional traffic detection schemes. Malicious encrypted traffic identification is a challenging task and has attracted researchers&#x27; attention nowadays. Existing research way mainly extracts various statistical features of data-flow, which relies artificial experience heavily. To round the above problem. a fingerprint enhancement and second-order Markov chain based scheme is proposed in this paper, obtaining features more easily. Fingerprint enhancement is done to replace SSL fingerprint by refining data-flow&#x27;s behavior. Then enhanced fingerprint is fed to second-order Markov chain to obtain dominating feature for identification model. To our best knowledge, this paper is the first one focusing on using fingerprint and second order Markov chain to simplify feature extraction. Finally, the proposed scheme is verified based on public dataset Stratosphere IPS.