Dominik Herrmann
ABSTRACT
Privacy enhancing technologies like OpenSSL, OpenVPN or Tor establish an encrypted tunnel that enables users to hide content and addresses of requested websites from external observers This protection is endangered by local traffic analysis attacks that allow an external, passive attacker between the PET system and the user to uncover the identity of the requested sites. However, existing proposals for such attacks are not practicable yet.
We present a novel method that applies common text mining techniques to the normalised frequency distribution of observable IP packet sizes. Our classifier correctly identifies up to 97% of requests on a sample of 775 sites and over 300,000 real-world traffic dumps recorded over a two-month period. It outperforms previously known methods like Jaccard's classifier and Naïve Bayes that neglect packet frequencies altogether or rely on absolute frequency values, respectively. Our method is system-agnostic: it can be used against any PET without alteration. Closed-world results indicate that many popular single-hop and even multi-hop systems like Tor and JonDonym are vulnerable against this general fingerprinting attack. Furthermore, we discuss important real-world issues, namely false alarms and the influence of the browser cache on accuracy.
- T. G. Abbott, K. J. Lai, M. R. Lieberman, and E. C. Price. Browser-Based Attacks on Tor. In Borisov and Golle {5}, pages 184--199. Google Scholar
Digital Library
- K. Bauer, D. McCoy, D. Grunwald, T. Kohno, and D. Sicker. Low-Resource Routing Attacks Against Tor. In WPES '07: Proceedings of the 2007 ACM workshop on Privacy in electronic society, pages 11--20, New York, NY, USA, 2007. ACM. Google ScholarDigital Library
- O. Berthold, H. Federrath, and S. Köpsell. Web MIXes: a system for anonymous and unobservable Internet access. In International workshop on Designing privacy enhancing technologies, pages 115--129, New York, NY, USA, 2001. Springer-Verlag New York, Inc. Google ScholarDigital Library
- G. Bissias, M. Liberatore, D. Jensen, and B. N. Levine. Privacy Vulnerabilities in Encrypted HTTP Streams. In Proc. Privacy Enhancing Technologies Workshop (PET), pages 1--11, May 2005. Google ScholarDigital Library
- N. Borisov and P. Golle, editors. Privacy Enhancing Technologies, 7th International Symposium, PET 2007 Ottawa, Canada, June 20-22, 2007, Revised Selected Papers, volume 4776 of Lecture Notes in Computer Science. Springer, 2007. Google ScholarDigital Library
- D. Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, 4(2), February 1981. Google ScholarDigital Library
- H. Cheng and R. Avnur. Traffic Analysis of SSL Encrypted Web Browsing. http://www.cs.berkeley.edu/~daw/teaching/cs261-f98/projects/final-reports/ronathan-heyning.ps.Google Scholar
- S. Coull, M. Collins, C. Wright, F. Monrose, and M. Reiter. On Web Browsing Privacy in Anonymized NetFlows. In Proceedings of the 16th USENIX Security Symposium, Boston, MA, August 2007. Google ScholarDigital Library
- C. Díaz, S. Seys, J. Claessens, and B. Preneel. Towards Measuring Anonymity. In Dingledine and Syverson {11}, pages 54--68.Google Scholar
- R. Dingledine, N. Mathewson, and P. Syverson. Tor: The Second-Generation Onion Router. In SSYM'04: Proceedings of the 13th conference on USENIX Security Symposium, pages 21--21, Berkeley, CA, USA, 2004. USENIX Association. Google ScholarDigital Library
- R. Dingledine and P. F. Syverson, editors. Privacy Enhancing Technologies, Second International Workshop, PET 2002, San Francisco, CA, USA, April 14-15, 2002, Revised Papers, volume 2482 of Lecture Notes in Computer Science. Springer, 2003.Google Scholar
- J. Erman, A. Mahanti, and M. Arlitt. Internet Traffic Identification using Machine Learning. In Proceedings of IEEE Global Telecommunications Conference (GLOBECOM), pages 1--6, San Francisco, CA, USA, November 2006.Google ScholarCross Ref
- R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee. RFC 2616 Hypertext Transfer Protocol - HTTP/1.1, June 1999.Google Scholar
- A. Hintz. Fingerprinting Websites Using Traffic Analysis. In Dingledine and Syverson {11}, pages 171--178. Google ScholarDigital Library
- A. Huttunen, B. Swander, V. Volpe, L. DiBurro, and M. Stenberg. RFC 3948 UDP Encapsulation of IPsec ESP Packets, January 2005.Google Scholar
- G. H. John and P. Langley. Estimating Continuous Distributions in Bayesian Classifiers. In P. Besnard and S. Hanks, editors, UAI, pages 338--345. Morgan Kaufmann, 1995. Google ScholarDigital Library
- C. Kiraly, S. Teofili, G. Bianchi, R. L. Cigno, M. Nardelli, and E. Delzeri. Traffic Flow Confidentiality in IPsec: Protocol and Implementation. In Preproceedings Third IFIP/FIDIS Summer School "The Future of Identity in the Information Society", August 2007.Google Scholar
- W. Koehler. An analysis of Web page and Web site constancy and permanence. Journal of the American Society for Information Science, 50(2):162--180, 1999. Google ScholarCross Ref
- W. Koehler. Web Page Change and Persistence -- A Four-Year Longitudinal Study. Journal of the American Society for Information Science and Technology, 53(2):162--171, 2002. Google ScholarDigital Library
- D. Koukis, S. Antonatos, and K. G. Anagnostakis. On the privacy risks of publishing anonymized ip network traces. In H. Leitold and E. P. Markatos, editors, Communications and Multimedia Security, volume 4237 of Lecture Notes in Computer Science, pages 22--32. Springer, 2006. Google ScholarDigital Library
- M. Leech, M. Ganis, Y. Lee, R. Kuris, D. Koblas, and L. Jones. RFC 1928 SOCKS Protocol Version 5, March 1996.Google Scholar
- M. Liberatore and B. N. Levine. Inferring the Source of Encrypted HTTP Connections. In CCS '06: Proceedings of the 13th ACM conference on Computer and communications security, pages 255--263, New York, NY, USA, 2006. ACM Press. Google ScholarDigital Library
- C. D. Manning, P. Raghavan, and H. Schütze. Introduction to Information Retrieval. Cambridge University Press, 2008. Google ScholarDigital Library
- S. Mistry and B. Raman. Quantifying Traffic Analysis of Encrypted Web-Browsing. http://bmrc.berkeley.edu/people/shailen/Classes/SecurityFall98/paper.ps, December 1998.Google Scholar
- A. W. Moore and D. Zuev. Internet Traffic Classification Using Bayesian Analysis Techniques. In SIGMETRICS '05: Proceedings of the 2005 ACM SIGMETRICS international conference on Measurement and modeling of computer systems, pages 50--60, New York, NY, USA, 2005. ACM Press. Google ScholarDigital Library
- S. J. Murdoch and G. Danezis. Low-Cost Traffic Analysis of Tor. In SP '05: Proceedings of the 2005 IEEE Symposium on Security and Privacy, pages 183--195, Washington, DC, USA, 2005. IEEE Computer Society. Google ScholarDigital Library
- A. Ntoulas, J. Cho, and C. Olston. What's New on the web? The Evolution of the Web from a Search Engine Perspective. In WWW '04: Proceedings of the 13th international conference on World Wide Web, pages 1--12, New York, NY, USA, 2004. ACM. Google ScholarDigital Library
- A. Panchenko and L. Pimenidis. Towards Practical Attacker Classification for Risk Analysis in Anonymous Communication. In Proceedings of Communications and Multimedia Security, 10th IFIP TC-6 TC-11 International Conference, CMS 2006, Heraklion, Crete, Greece, October 19-21, 2006, Proceedings, volume 4237 of Lecture Notes in Computer Science, pages 240--251, 2006. Google ScholarDigital Library
- J.-F. Raymond. Traffic Analysis: Protocols, Attacks, Design Issues, and Open Problems. In International workshop on Designing privacy enhancing technologies, pages 10--29, New York, NY, USA, 2001. Springer-Verlag New York, Inc. Google ScholarDigital Library
- Q. Sun, D. R. Simon, Y.-M. Wang, W. Russell, V. N. Padmanabhan, and L. Qiu. Statistical Identification of Encrypted Web Browsing Traffic. In SP '02: Proceedings of the 2002 IEEE Symposium on Security and Privacy, page 19, Washington, DC, USA, 2002. IEEE Computer Society. Google ScholarDigital Library
- C. J. van Rijsbergen. Information Retrieval. Butterworth, 1979. Google ScholarDigital Library
- P. Warren, C. Boldyreff, and M. Munro. The Evolution of Websites. In IWPC '99: Proceedings of the 7th International Workshop on Program Comprehension, page 178, Washington, DC, USA, 1999. IEEE Computer Society. Google ScholarDigital Library
- R. Wendolsky, D. Herrmann, and H. Federrath. Performance Comparison of Low-Latency Anonymisation Services from a User Perspective. In Borisov and Golle {5}, pages 233--253. Google ScholarDigital Library
- N. Williams, S. Zander, and G. Armitage. A Preliminary Performance Comparison of Five Machine Learning Algorithms for Practical IP Traffic Flow Classification. SIGCOMM Comput. Commun. Rev., 36(5):5--16, 2006. Google ScholarDigital Library
- I. H. Witten and E. Frank. Data Mining: Practical Machine Learning Tools and Techniques, Second Edition (Morgan Kaufmann Series in Data Management Systems). Morgan Kaufmann, June 2005. Google ScholarDigital Library
- C. Wright, S. Coull, and F. Monrose. Traffic Morphing: An Efficient Defense Against Statistical Traffic Analysis. In Proceedings of the 16th Network and Distributed Security Symposium, pages 237--250. IEEE, February 2009.Google Scholar
- T. Ylonen and C. Lonvick. RFC 4254 The Secure Shell (SSH) Connection Protocol, January 2006.Google Scholar
- D. Zuev and A. W. Moore. Traffic Classification Using a Statistical Approach. In C. Dovrolis, editor, PAM, volume 3431 of Lecture Notes in Computer Science, pages 321--324. Springer, 2005. Google ScholarDigital Library
Index Terms
- Website fingerprinting: attacking popular privacy enhancing technologies with the multinomial naïve-bayes classifier
Recommendations
Website fingerprinting in onion routing based anonymization networks
WPES '11: Proceedings of the 10th annual ACM workshop on Privacy in the electronic societyLow-latency anonymization networks such as Tor and JAP claim to hide the recipient and the content of communications from a local observer, i.e., an entity that can eavesdrop the traffic between the user and the first anonymization node. Especially ...
TrafficSliver: Fighting Website Fingerprinting Attacks with Traffic Splitting
CCS '20: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications SecurityWebsite fingerprinting (WFP) aims to infer information about the content of encrypted and anonymized connections by observing patterns of data flows based on the size and direction of packets. By collecting traffic traces at a malicious Tor entry node --...
The rise of website fingerprinting on Tor: Analysis on techniques and assumptions
AbstractTor is one of the most popular anonymity networks that allows Internet users to hide their browsing activity. Hiding browsing activity is essential for Internet users to increase their privacy. Only Tor users should know the website ...
Graphical abstractDisplay Omitted
Highlights- We reviewed studies related to WF on Tor which encompass 12 years of research.
- ...
Comments