Poster: Evaluating Security Metrics for Website Fingerprinting

The website fingerprinting attack allows a low-resource attacker to compromise the privacy guarantees provided by privacy enhancing tools such as Tor. In response, researchers have proposed defenses aimed at confusing the classification tools used by attackers. As new, more powerful attacks are frequently developed, raw attack accuracy has proven inadequate as the sole metric used to evaluate these defenses. In response, two security metrics have been proposed that allow for evaluating defenses based on hand-crafted features often used in attacks. Recent state-of-the-art attacks, however, use deep learning models capable of automatically learning abstract feature representations, and thus the proposed metrics fall short once again. In this study we examine two security metrics and (1) show how these methods can be extended to evaluate deep learning-based website fingerprinting attacks, and (2) compare the security metrics and identify their shortcomings.

[1]  Tao Wang,et al.  Effective Attacks and Provable Defenses for Website Fingerprinting , 2014, USENIX Security Symposium.

[2]  Nick Mathewson,et al.  Tor: The Second-Generation Onion Router , 2004, USENIX Security Symposium.

[3]  Shigeki Goto,et al.  Fingerprinting Attack on Tor Anonymity using Deep Learning , 2016 .

[4]  Tao Wang,et al.  A Systematic Approach to Developing and Evaluating Website Fingerprinting Defenses , 2014, CCS.

[5]  Klaus Wehrle,et al.  Website Fingerprinting at Internet Scale , 2016, NDSS.

[6]  Thomas Ristenpart,et al.  Peek-a-Boo, I Still See You: Why Efficient Traffic Analysis Countermeasures Fail , 2012, 2012 IEEE Symposium on Security and Privacy.

[7]  Srinivas Devadas,et al.  Var-CNN: A Data-Efficient Website Fingerprinting Attack Based on Deep Learning , 2018, Proc. Priv. Enhancing Technol..

[8]  Micah Sherr,et al.  Understanding Tor Usage with Privacy-Preserving Measurement , 2018, Internet Measurement Conference.

[9]  Giovanni Cherubin Bayes, not Naïve: Security Bounds on Website Fingerprinting Defenses , 2017, Proc. Priv. Enhancing Technol..

[10]  Tao Wang,et al.  Walkie-Talkie: An Efficient Defense Against Passive Website Fingerprinting Attacks , 2017, USENIX Security Symposium.

[11]  Shuai Li,et al.  Measuring Information Leakage in Website Fingerprinting Attacks and Defenses , 2017, CCS.

[12]  Mohsen Imani,et al.  Deep Fingerprinting: Undermining Website Fingerprinting Defenses with Deep Learning , 2018, CCS.

[13]  George Danezis,et al.  k-fingerprinting: A Robust Scalable Website Fingerprinting Technique , 2015, USENIX Security Symposium.

[14]  Tao Wang,et al.  Improved website fingerprinting on Tor , 2013, WPES.

[15]  Wouter Joosen,et al.  Automated Website Fingerprinting through Deep Learning , 2017, NDSS.

[16]  Mike Perry,et al.  Toward an Efficient Website Fingerprinting Defense , 2015, ESORICS.

[17]  Mohammad Saidur Rahman,et al.  Tik-Tok: The Utility of Packet Timing in Website Fingerprinting Attacks , 2019, Proc. Priv. Enhancing Technol..

[18]  Xiang Cai,et al.  CS-BuFLO: A Congestion Sensitive Website Fingerprinting Defense , 2014, WPES.