RegulaTOR: A Powerful Website Fingerprinting Defense

Website Fingerprinting (WF) attacks are used by passive, local attackers to determine the destination of encrypted internet traffic by comparing the sequences of packets sent to and received by the user to a previously recorded data set. As a result, WF attacks are of particular concern to privacy-enhancing technologies such as Tor. In response, a variety of WF defenses have been developed, though they tend to incur a high bandwidth and latency overhead or require additional infrastructure, making them difficult to implement in practice. Some lighter-weight defenses have been presented as well; still, they attain only moderate effectiveness against recently published WF attacks. In this paper, we aim to present a realistic and novel defense, Regulator, that demonstrates improved overhead and high effectiveness against current WF attacks. In the closed-world setting, this defense reduces the accuracy of the state-of-the-art attack, Tik-Tok, against lightweight defenses from 66% to 22.9%. To achieve this performance, it requires minimal added latency and a bandwidth overhead 38.1% less than the leading lightweight defense. In the open-world setting, Regulator limits a precision-tuned Tik-Tok attack to an F-score of .087, compared to .625 for the best comparable lightweight defense.

[1]  George Danezis,et al.  k-fingerprinting: A Robust Scalable Website Fingerprinting Technique , 2015, USENIX Security Symposium.

[2]  Brijesh Joshi,et al.  Touching from a distance: website fingerprinting attacks and defenses , 2012, CCS.

[3]  Jiajun Gong,et al.  Zero-delay Lightweight Defenses against Website Fingerprinting , 2020, USENIX Security Symposium.

[4]  Charles V. Wright,et al.  Traffic Morphing: An Efficient Defense Against Statistical Traffic Analysis , 2009, NDSS.

[5]  Nicholas Hopper,et al.  p1-FP: Extraction, Classification, and Prediction of Website Fingerprints with Deep Learning , 2019, Proc. Priv. Enhancing Technol..

[6]  Mohammad Saidur Rahman,et al.  Tik-Tok: The Utility of Packet Timing in Website Fingerprinting Attacks , 2019, Proc. Priv. Enhancing Technol..

[7]  Xiang Cai,et al.  CS-BuFLO: A Congestion Sensitive Website Fingerprinting Defense , 2014, WPES.

[8]  Tao Wang,et al.  Effective Attacks and Provable Defenses for Website Fingerprinting , 2014, USENIX Security Symposium.

[9]  Shuai Li,et al.  Measuring Information Leakage in Website Fingerprinting Attacks and Defenses , 2017, CCS.

[10]  Tao Wang,et al.  Improved website fingerprinting on Tor , 2013, WPES.

[11]  Klaus Wehrle,et al.  Website Fingerprinting at Internet Scale , 2016, NDSS.

[12]  Mike Perry,et al.  WTF-PAD: Toward an Efficient Website Fingerprinting Defense for Tor , 2015, ArXiv.

[13]  Xiang Cai,et al.  Glove: A Bespoke Website Fingerprinting Defense , 2014, WPES.

[14]  Tao Wang,et al.  A Systematic Approach to Developing and Evaluating Website Fingerprinting Defenses , 2014, CCS.

[15]  Nick Mathewson,et al.  Tor: The Second-Generation Onion Router , 2004, USENIX Security Symposium.

[16]  Claudia Díaz,et al.  Inside Job: Applying Traffic Analysis to Measure Tor from Within , 2018, NDSS.

[17]  Thomas Engel,et al.  Website fingerprinting in onion routing based anonymization networks , 2011, WPES.

[18]  Rachel Greenstadt,et al.  A Critical Evaluation of Website Fingerprinting Attacks , 2014, CCS.

[19]  Vitaly Shmatikov,et al.  Timing Analysis in Low-Latency Mix Networks: Attacks and Defenses , 2006, ESORICS.

[20]  Thomas Ristenpart,et al.  Peek-a-Boo, I Still See You: Why Efficient Traffic Analysis Countermeasures Fail , 2012, 2012 IEEE Symposium on Security and Privacy.

[21]  Srinivas Devadas,et al.  Var-CNN: A Data-Efficient Website Fingerprinting Attack Based on Deep Learning , 2018, Proc. Priv. Enhancing Technol..

[22]  Andrew Hintz,et al.  Fingerprinting Websites Using Traffic Analysis , 2002, Privacy Enhancing Technologies.

[23]  Hannes Federrath,et al.  Website fingerprinting: attacking popular privacy enhancing technologies with the multinomial naïve-bayes classifier , 2009, CCSW '09.

[24]  Tao Wang,et al.  Walkie-Talkie: An Efficient Defense Against Passive Website Fingerprinting Attacks , 2017, USENIX Security Symposium.

[25]  Mohsen Imani,et al.  Deep Fingerprinting: Undermining Website Fingerprinting Defenses with Deep Learning , 2018, CCS.

[26]  Xiapu Luo,et al.  HTTPOS: Sealing Information Leaks with Browser-side Obfuscation of Encrypted Flows , 2011, NDSS.