Xujing Huang

DOI: https://doi.org/10.1145/3436369.3436478

2020-10-30

Abstract:Information leakage by side channels in web applications is a major security threat, even when web traffic is encrypted. In this paper, we describe an automated system to analyse leakages of user privacy. Previous works focus on communications directly interacting with sensitive information. We show how, in real-world web applications, user information can be leaked through "non-intuitive" communications, which do not contain direct interactions with sensitive information. Unexpectedly, we found that user privacy can be leaked more from this kind of "non-intuitive" communication than direct interactions. This work also discloses user identities can be inferred by traffic analysis. In this work, we combine machine learning to recognize traffic pattern, i.e., Hidden Markov model is used to fingerprint web traffic of user privacy.

Brad Miller,Ling Huang,A. D. Joseph,J. D. Tygar

DOI: https://doi.org/10.48550/arXiv.1403.0297

2014-03-03

Abstract:Revelations of large scale electronic surveillance and data mining by governments and corporations have fueled increased adoption of HTTPS. We present a traffic analysis attack against over 6000 webpages spanning the HTTPS deployments of 10 widely used, industry-leading websites in areas such as healthcare, finance, legal services and streaming video. Our attack identifies individual pages in the same website with 89% accuracy, exposing personal details including medical conditions, financial and legal affairs and sexual orientation. We examine evaluation methodology and reveal accuracy variations as large as 18% caused by assumptions affecting caching and cookies. We present a novel defense reducing attack accuracy to 27% with a 9% traffic increase, and demonstrate significantly increased effectiveness of prior defenses in our evaluation context, inclusive of enabled caching, user-specific cookies and pages within the same website.

Cryptography and Security

Meng Shen,Yiting Liu,Liehuang Zhu,Xiaojiang Du,Jiankun Hu

DOI: https://doi.org/10.1109/tifs.2020.3046876

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Encrypted web traffic can reveal sensitive information of users, such as their browsing behaviors. Existing studies on encrypted traffic analysis focus on website fingerprinting. We claim that fine-grained webpage fingerprinting, which speculates specific webpages on a same website visited by a victim, allows exploiting more user private information, e.g., shopping interests in an online shopping mall. Since webpages from the same website usually have very similar traffic traces that make them indistinguishable, existing solutions may end up with low accuracy. In this paper, we propose FineWP, a novel fine-grained webpage fingerprinting method. We make an observation that the length information of packets in bidirectional client-server interactions can be distinctive features for webpage fingerprinting. The extracted features are then fed into traditional machine learning models to train classifiers, which achieve both high accuracy and low training overhead. We collect two real-world traffic datasets and construct closed- and open-world evaluations to verify the effectiveness of FineWP. The experimental results demonstrate that FineWP is superior to the state-of-the-art methods in terms of accuracy, time complexity and stability.

computer science, theory & methods,engineering, electrical & electronic

Sunghyun Yu,Yoojae Won

DOI: https://doi.org/10.3934/mbe.2023101

Abstract:Privacy protection in computer communication is gaining attention because plaintext transmission without encryption can be eavesdropped on and intercepted. Accordingly, the use of encrypted communication protocols is on the rise, along with the number of cyberattacks exploiting them. Decryption is essential for preventing attacks, but it risks privacy infringement and incurs additional costs. Network fingerprinting techniques are among the best alternatives, but existing techniques are based on information from the TCP/IP stack. They are expected to be less effective because cloud-based and software-defined networks have ambiguous boundaries, and network configurations not dependent on existing IP address schemes increase. Herein, we investigate and analyze the Transport Layer Security (TLS) fingerprinting technique, a technology that can analyze and classify encrypted traffic without decryption while addressing the problems of existing network fingerprinting techniques. Background knowledge and analysis information for each TLS fingerprinting technique is presented herein. We discuss the pros and cons of two groups of techniques, fingerprint collection and artificial intelligence (AI)-based. Regarding fingerprint collection techniques, separate discussions on handshake messages ClientHello/ServerHello, statistics of handshake state transitions, and client responses are provided. For AI-based techniques, discussions on statistical, time series, and graph techniques according to feature engineering are presented. In addition, we discuss hybrid and miscellaneous techniques that combine fingerprint collection with AI techniques. Based on these discussions, we identify the need for a step-by-step analysis and control study of cryptographic traffic to effectively use each technique and present a blueprint.

Sandhya Aneja,Nagender Aneja

2024-10-28

Abstract:Browser fingerprinting is the identification of a browser through the network traffic captured during communication between the browser and server. This can be done using the HTTP protocol, browser extensions, and other methods. This paper discusses browser fingerprinting using the HTTPS over TLS 1.3 protocol. The study observed that different browsers use a different number of messages to communicate with the server, and the length of messages also varies. To conduct the study, a network was set up using a UTM hypervisor with one virtual machine as the server and another as a VM with a different browser. The communication was captured, and it was found that there was a 30\%-35\% dissimilarity in the behavior of different browsers.

Cryptography and Security,Networking and Internet Architecture

Yankang Zhao,Xiaobo Ma,Jianfeng Li,Shui Yu,Wei Li

DOI: https://doi.org/10.1007/978-3-030-02744-5_24

2018-01-01

Abstract:Website fingerprinting has been recognized as a traffic analysis attack against encrypted traffic induced by anonymity networks (e.g., Tor) and encrypted proxies. Recent studies have demonstrated that, leveraging machine learning techniques and numerous side-channel traffic features, website fingerprinting is effective in inferring which website a user is visiting via anonymity networks and encrypted proxies. In this paper, we concentrate on Shadowsocks, an encrypted proxy widely used to evade Internet censorship, and we are interested in to what extent state-of-the-art website fingerprinting techniques can break the privacy of Shadowsocks users in real-world scenarios. By design, Shadowsocks does not deploy any timing-based or packet size-based defenses like Tor. Therefore, we expect that website fingerprinting could achieve better attack performance against Shadowsocks compared to Tor. However, after deploying Shadowsocks with more than 20 active users and collecting 30 GB traces during one month, our observation is counter-intuitive. That is, the attack performance against Shadowsocks is even worse than that against Tor (based on public Tor traces). Motivated by such an observation, we investigate a series of practical factors affecting website fingerprinting, such as data labeling, feature selection, and number of instances per class. Our study reveals that state-of-the-art website fingerprinting techniques may not be effective in real-world scenarios, even in the face of Shadowsocks which does not deploy typical defenses.

Xun Gong,Negar Kiyavash,Nabíl Schear,Nikita Borisov

DOI: https://doi.org/10.48550/arXiv.1109.0097

2011-09-01

Abstract:Recent work in traffic analysis has shown that traffic patterns leaked through side channels can be used to recover important semantic information. For instance, attackers can find out which website, or which page on a website, a user is accessing simply by monitoring the packet size distribution. We show that traffic analysis is even a greater threat to privacy than previously thought by introducing a new attack that can be carried out remotely. In particular, we show that, to perform traffic analysis, adversaries do not need to directly observe the traffic patterns. Instead, they can gain sufficient information by sending probes from a far-off vantage point that exploits a queuing side channel in routers. To demonstrate the threat of such remote traffic analysis, we study a remote website detection attack that works against home broadband users. Because the remotely observed traffic patterns are more noisy than those obtained using previous schemes based on direct local traffic monitoring, we take a dynamic time warping (DTW) based approach to detecting fingerprints from the same website. As a new twist on website fingerprinting, we consider a website detection attack, where the attacker aims to find out whether a user browses a particular web site, and its privacy implications. We show experimentally that, although the success of the attack is highly variable, depending on the target site, for some sites very low error rates. We also show how such website detection can be used to deanonymize message board users.

Cryptography and Security

Anatoly Shusterman,Zohar Avraham,Eliezer Croitoru,Yarden Haskal,Lachlan Kang,Dvir Levi,Yosef Meltser,Prateek Mittal,Yossi Oren,Yuval Yarom

DOI: https://doi.org/10.1109/tdsc.2020.2988369

2020-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Website fingerprinting attacks use statistical analysis on network traffic to compromise user privacy. The classical attack model used to evaluate website fingerprinting attacks assumes an on-path adversary, who observes traffic traveling between the user's computer and the network. In this article we investigate a different attack model, in which the adversary sends JavaScript code to the target user's computer. This code mounts a cache side-channel attack to identify other websites being browsed. Using machine learning techniques to classify traces of cache activity, we achieve high classification accuracy in both the open-world and the closed-world models. Our attack is more resistant than network-based fingerprinting to the effects of response caching, and resilient both to network-based defenses and to side-channel countermeasures. We carry out a real-world evaluation of several aspects of our attack, exploring the impact of the changes in websites and browsers over time, as well as of the attacker's ability to guess the software and hardware configuration of the target user's computer. To protect against cache-based website fingerprinting, new defense mechanisms must be introduced to privacy-sensitive browsers and websites. We investigate one such mechanism, and show that it reduces the effectiveness of the attack and completely eliminates it when used in the Tor Browser.

computer science, information systems, software engineering, hardware & architecture

Nguyen Phong Hoang,Arian Akhavan Niaki,Phillipa Gill,Michalis Polychronakis

DOI: https://doi.org/10.48550/arXiv.2102.08332

2021-06-16

Abstract:Although the security benefits of domain name encryption technologies such as DNS over TLS (DoT), DNS over HTTPS (DoH), and Encrypted Client Hello (ECH) are clear, their positive impact on user privacy is weakened by--the still exposed--IP address information. However, content delivery networks, DNS-based load balancing, co-hosting of different websites on the same server, and IP address churn, all contribute towards making domain-IP mappings unstable, and prevent straightforward IP-based browsing tracking. In this paper, we show that this instability is not a roadblock (assuming a universal DoT/DoH and ECH deployment), by introducing an IP-based website fingerprinting technique that allows a network-level observer to identify at scale the website a user visits. Our technique exploits the complex structure of most websites, which load resources from several domains besides their primary one. Using the generated fingerprints of more than 200K websites studied, we could successfully identify 84% of them when observing solely destination IP addresses. The accuracy rate increases to 92% for popular websites, and 95% for popular and sensitive websites. We also evaluated the robustness of the generated fingerprints over time, and demonstrate that they are still effective at successfully identifying about 70% of the tested websites after two months. We conclude by discussing strategies for website owners and hosting providers towards hindering IP-based website fingerprinting and maximizing the privacy benefits offered by DoT/DoH and ECH.

Cryptography and Security,Networking and Internet Architecture

Alexander Lawall

2024-11-19

Abstract:Browser fingerprinting is a growing technique for identifying and tracking users online without traditional methods like cookies. This paper gives an overview by examining the various fingerprinting techniques and analyzes the entropy and uniqueness of the collected data. The analysis highlights that browser fingerprinting poses a complex challenge from both technical and privacy perspectives, as users often have no control over the collection and use of their data. In addition, it raises significant privacy concerns as users are often tracked without their knowledge or consent.

Cryptography and Security,Artificial Intelligence,Computers and Society

Blerim Rexha,Arbena Musa,Kamer Vishi,Edlira Martiri

2024-09-02

Abstract:Parallel to our physical activities our virtual presence also leaves behind our unique digital fingerprints, while navigating on the Internet. These digital fingerprints have the potential to unveil users' activities encompassing browsing history, utilized applications, and even devices employed during these engagements. Many Internet users tend to use web browsers that provide the highest privacy protection and anonymization such as Tor. The success of such privacy protection depends on the Tor feature to anonymize end-user IP addresses and other metadata that constructs the website fingerprint. In this paper, we show that using the newest machine learning algorithms an attacker can deanonymize Tor traffic by applying such techniques. In our experimental framework, we establish a baseline and comparative reference point using a publicly available dataset from Universidad Del Cauca, Colombia. We capture network packets across 11 days, while users navigate specific web pages, recording data in .pcapng format through the Wireshark network capture tool. Excluding extraneous packets, we employ various machine learning algorithms in our analysis. The results show that the Gradient Boosting Machine algorithm delivers the best outcomes in binary classification, achieving an accuracy of 0.8363. In the realm of multi-class classification, the Random Forest algorithm attains an accuracy of 0.6297.

Cryptography and Security

Alisha Ukani

2023-10-13

Abstract:People are becoming increasingly concerned with their online privacy, especially with how advertising companies track them across websites (a practice called cross-site tracking), as reconstructing a user's browser history can reveal sensitive information. Recent legislation like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act have tried to limit the extent to which third parties perform cross-site tracking, and browsers have also made tracking more difficult by deprecating the most-common tracking mechanism: third-party cookies. However, online advertising companies continue to track users through other mechanisms that do not rely on cookies. This work explores one of these tracking techniques: browser fingerprinting. We detail how browser fingerprinting works, how prevalent it is, and what defenses can mitigate it.

Cryptography and Security

Shuai Li,Huajun Guo,Nicholas Hopper

DOI: https://doi.org/10.48550/arXiv.1710.06080

2019-06-05

Abstract:Tor provides low-latency anonymous and uncensored network access against a local or network adversary. Due to the design choice to minimize traffic overhead (and increase the pool of potential users) Tor allows some information about the client's connections to leak. Attacks using (features extracted from) this information to infer the website a user visits are called Website Fingerprinting (WF) attacks. We develop a methodology and tools to measure the amount of leaked information about a website. We apply this tool to a comprehensive set of features extracted from a large set of websites and WF defense mechanisms, allowing us to make more fine-grained observations about WF attacks and defenses.

Cryptography and Security

Lingling Xu,Wanhua Li,Fangguo Zhang,Rong Cheng,Shaohua Tang

DOI: https://doi.org/10.1109/tifs.2019.2957691

IF: 7.231

2020-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Recently, more and more data have been stored in the cloud with keyword indices so that the data users can make search over the databases. In some of these database applications, the query frequency analysis of keywords is quite important to the optimization of the databases and it is easy to be implemented when the data are not encrypted. However, with the growing demands of data privacy, it is desired that the data should be encrypted before uploaded to the cloud. Searchable encryption has been proposed which enables users to make keyword search over the encrypted data with keyword privacy. In a secure searchable encryption scheme, it is required that the keyword in each query should not be revealed. So it becomes challenging to analyze the query frequency of keywords in an encrypted database which has the pressing need of optimization. In this paper, we first consider this problem and present an efficient solution to it which enables the query frequency analysis of keywords without destroying the privacy of the encrypted data and the identity privacy of data users. We also simulate our solution and show that it is practical to the real applications.

Chuxu Song,Zining Fan,Hao Wang,Richard Martin

2024-07-28

Abstract:Website fingerprinting (WF) attacks identify the websites visited over anonymized connections by analyzing patterns in network traffic flows, such as packet sizes, directions, or interval times using a machine learning classifier. Previous studies showed WF attacks achieve high classification accuracy. However, several issues call into question whether existing WF approaches are realizable in practice and thus motivate a re-exploration. Due to Tor's performance issues and resulting poor browsing experience, the vast majority of users opt for Virtual Private Networking (VPN) despite VPNs weaker privacy protections. Many other past assumptions are increasingly unrealistic as web technology advances. Our work addresses several key limitations of prior art. First, we introduce a new approach that classifies entire websites rather than individual web pages. Site-level classification uses traffic from all site components, including advertisements, multimedia, and single-page applications. Second, our Convolutional Neural Network (CNN) uses only the jitter and size of 500 contiguous packets from any point in a TCP stream, in contrast to prior work requiring heuristics to find page boundaries. Our seamless approach makes eavesdropper attack models realistic. Using traces from a controlled browser, we show our CNN matches observed traffic to a website with over 90% accuracy. We found the training traffic quality is critical as classification accuracy is significantly reduced when the training data lacks variability in network location, performance, and clients' computational capability. We enhanced the base CNN's efficacy using domain adaptation, allowing it to discount irrelevant features, such as network location. Lastly, we evaluate several defensive strategies against seamless WF attacks.

Cryptography and Security

Ishan Karunanayake,Jiaojiao Jiang,Nadeem Ahmed,Sanjay K. Jha

DOI: https://doi.org/10.1109/tifs.2023.3342607

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Amidst the rapid technological advancements of today, privacy and anonymity are facing increasing threats. Tor, one of the most widely used anonymity networks, enables users to browse the Internet without their activities being tracked. Extensive research has been conducted on both attacking and defending the anonymity of Tor users. Website Fingerprinting (WF) is one of the popular de-anonymisation techniques employed against Tor users. This paper presents two novel WF techniques based on Graph Neural Networks (GNNs) to explore two relatively understudied avenues of WF: the fingerprintability of Decentralised Applications (DApps) and the impact of reload traffic on WF. Due to the lack of publicly available datasets for DApp traffic and reload traffic suitable for WF, we collected five new datasets for our experiments. Our findings reveal that GNN-based techniques surpass the performance of state-of-the-art WF techniques when reload traffic is used. Meanwhile, certain high-performing state-of-the-art techniques exhibit a significant reduction in accuracy, more than 40%, when reload traffic is used instead of homepage traffic. Additionally, we identify that DApps are less susceptible to fingerprinting than conventional websites, leading to a 25% decrease in accuracy in some state-of-the-art WF techniques. While confirming prior research findings that GNN-based techniques can outperform existing techniques when accessing DApps via Chrome, we further demonstrate that using Tor to access DApps makes them even more difficult to fingerprint. Finally, we expect our datasets, four of which lack publicly available alternatives, will prove invaluable for future research.

computer science, theory & methods,engineering, electrical & electronic

Vasilios Mavroudis,Jamie Hayes

2023-10-27

Abstract:In webpage fingerprinting, an on-path adversary infers the specific webpage loaded by a victim user by analysing the patterns in the encrypted TLS traffic exchanged between the user's browser and the website's servers. This work studies modern webpage fingerprinting adversaries against the TLS protocol; aiming to shed light on their capabilities and inform potential defences. Despite the importance of this research area (the majority of global Internet users rely on standard web browsing with TLS) and the potential real-life impact, most past works have focused on attacks specific to anonymity networks (e.g., Tor). We introduce a TLS-specific model that: 1) scales to an unprecedented number of target webpages, 2) can accurately classify thousands of classes it never encountered during training, and 3) has low operational costs even in scenarios of frequent page updates. Based on these findings, we then discuss TLS-specific countermeasures and evaluate the effectiveness of the existing padding capabilities provided by TLS 1.3.

Cryptography and Security,Machine Learning

Zhongliu Zhuo,Yang Zhang,Zhi-li Zhang,Xiaosong Zhang,Jingzhong Zhang

DOI: https://doi.org/10.1109/tifs.2017.2762825

IF: 7.231

2017-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Website fingerprinting attacks can reveal the receiver in anonymous networks and cause a potential threat to users’ privacy. Previous studies focus more on identifying individual webpages. They also neglect the hyperlink transition information, because it induces extra “noise” to classify the original webpage. However, it is a common scenario that the users surf a website by clicking hyperlinks on the webpage. In this paper, we propose a website modeling method based on profile hidden Markov model (PHMM) which is widely used in bioinformatics for DNA sequencing analysis. Our technique explicitly accounts for possible hyperlink transitions made by users when fingerprinting a target website, and therefore can work in a more realistic environment than existing methods. Using SSH and Shadowsocks, we collect various data sets and conduct extensive evaluations. We also show that our approach could work both in webpage and website identification in a closed world setting. The experimental results demonstrate that our website fingerprinting is more accurate and robust than existing methods.

Valentino Rizzo,Stefano Traverso,Marco Mellia

DOI: https://doi.org/10.2478/popets-2021-0004

2020-11-09

Proceedings on Privacy Enhancing Technologies

Abstract:Abstract Fueled by advertising companies’ need of accurately tracking users and their online habits, web fingerprinting practice has grown in recent years, with severe implications for users’ privacy. In this paper, we design, engineer and evaluate a methodology which combines the analysis of JavaScript code and machine learning for the automatic detection of web fingerprinters. We apply our methodology on a dataset of more than 400, 000 JavaScript files accessed by about 1, 000 volunteers during a one-month long experiment to observe adoption of fingerprinting in a real scenario. We compare approaches based on both static and dynamic code analysis to automatically detect fingerprinters and show they provide different angles complementing each other. This demonstrates that studies based on either static or dynamic code analysis provide partial view on actual fingerprinting usage in the web. To the best of our knowledge we are the first to perform this comparison with respect to fingerprinting. Our approach achieves 94% accuracy in small decision time. With this we spot more than 840 fingerprinting services, of which 695 are unknown to popular tracker blockers. These include new actual trackers as well as services which use fingerprinting for purposes other than tracking, such as anti-fraud and bot recognition.

Yuwen Qian,Guodong Huang,Chuan Ma,Ming Ding,Long Yuan,Zi Chen,Kai Wang

DOI: https://doi.org/10.1109/tifs.2024.3432404

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The act of website fingerprinting, which involves monitoring traffic features to infer private user information, has attracted much attention in the research community recently. While previous studies primarily focused on classifying fingerprint information using clean traffic data, it remains a challenging task to apply fingerprinting to noisy traffic data or evade defensive measures. This work aims to address the challenges associated with website fingerprinting attacks and defense strategies in the presence of noise. Specifically, we introduce two novel attack methods: filter-assisted attack and augmentation-assisted attack. The first attack method leverages packet size distribution to effectively filter out noise, while the second one trains a classification model by incorporating artificial noise. Compared with the traditional website fingerprinting attacks, these proposed attack methods demonstrate superior resilience to noise and exceptional evasion capabilities against defensive measures (e.g., random packet defense, Walkie-Talkie, WTF-PAD, etc.). In parallel, we propose a list-assisted defense strategy that strikes a balance between defense performance and network overhead. This defense mechanism offers effective protection against website fingerprinting attacks while minimizing the impact on network performance. In our experiments, we employ a comprehensive dataset encompassing TCP/IP traffic with packet size information collected from three prominent web browsers, as well as Tor cell traffic without packet size information obtained from a Tor browser. We thoroughly evaluate our proposed methods in both closed-world and open-world scenarios. Our experimental results shed valuable insights into the influence of noise and the efficacy of different attack and defense approaches on website fingerprinting.