logo

Security and Communication Networks

PDF
Security and Communication Networks / 2022 / Article

Research Article | Open Access

Volume 2022 |Article ID 7330465 | https://doi.org/10.1155/2022/7330465

Renzhi Tang, Guowei Shen, Chun Guo, Yunhe Cui, "SAD: Website Fingerprinting Defense Based on Adversarial Examples", Security and Communication Networks, vol. 2022, Article ID 7330465, 12 pages, 2022. https://doi.org/10.1155/2022/7330465

SAD: Website Fingerprinting Defense Based on Adversarial Examples

Renzhi Tang ,1 Guowei Shen ,1 Chun Guo ,1 and Yunhe Cui 1

1State Key Laboratory of Public Big Data, College of Computer Science and Technology, Guizhou University, Guiyang, China

Academic Editor: Mamoun Alazab
Received12 Jan 2022
Revised20 Feb 2022
Accepted26 Feb 2022
Published07 Apr 2022

Abstract

Website fingerprinting (WF) attacks can infer website names from encrypted network traffic when the victim is browsing the website. Inherent defenses of anonymous communication systems such as The Onion Router(Tor) cannot compete with current WF attacks. The state-of-the-art attack based on deep learning can gain over 98% accuracy in Tor. Most of the defenses have excellent defensive capabilities, but it will bring a relatively high bandwidth overhead, which will seriously affect the user’s network experience. And some defense methods have less impact on the latest website fingerprinting attacks. Defense-based adversarial examples have excellent defense capabilities and low bandwidth overhead, but they need to get the complete website traffic to generate defense data, which is obviously impractical. In this article, based on adversarial examples, we propose segmented adversary defense (SAD) for deep learning-based WF attacks. In SAD, sequence data are divided into multiple segments to ensure that SAD is feasible in real scenarios. Then, the adversarial examples for each segment of data can be generated by SAD. Finally, dummy packets are inserted after each segment original data. We also found that setting different head rates, that is, end points for the segments, will get better results. Experimentally, our results show that SAD can effectively reduce the accuracy of WF attacks. The technique drops the accuracy of the state-of-the-art attack hardened from 96% to 3% while incurring only 40% bandwidth overhead. Compared with the existing proposed defense named Deep Fingerprinting Defender (DFD), the defense effect of SAD is better under the same bandwidth overhead.

1. Introduction

Anonymous communication system can protect the users’ information through data encryption and multi-hop proxy. The Onion Router (Tor) [1

  1. R. Dingledine, N. Nick, and S. Paul, Tor: The Second-Generation Onion Router, Naval Research Lab, Washington, DC, USA, 2004. View at: Publisher Site
See in References
], a kind of anonymous communication software, is widely used worldwide. However, inherent defense of Tor is difficult against WF attacks. In WF attacks, encrypted traffic is collected by the WF attacker between the client and guard node of Tor. Then, the website name can be inferred from the traffic obtained by attackers. It is the goal of the defense model that reduces the accuracy of WF attacks Many hackers carry out network attacks through Tor. We need some tools or technologies to take computer forensics for these illegal acts [2
  1. A. R. Javed, W. Ahmed, M. Alazab, Z. Jalil, K. Kifayat, and T. R. Gadekallu, “A Comprehensive Survey on Computer Forensics: State-Of-The-Art, Tools, Techniques, Challenges, and Future Directions.,” IEEE Access, vol. 10, 2022. View at: Publisher Site | Google Scholar
See in References
]. WF attack is also a computer forensics technology for Tor.

In the past, the attacker extracts a variety of packets level features from encrypted traffic, such as number, order, direction, and unique length, and then uses machine learning for classification [3

  1. T. Wang, X. Cai, R. Nithyanand, R. Johnson, and I. Goldberg, “Effective attacks and provable defenses for website fingerprinting,” Proceedings of the USENIX Security Symposium, USENIX Association, San Diego, CA, USA, pp. 143–157, August 2014. View at: Google Scholar
See in References
5
  1. J. Hayes and G. Danezis, “k-fingerprinting: A robust scalable website fingerprinting technique,” Proceedings of the 25th {USENIX} Security Symposium ({USENIX} Security 16), Austin, TX, USA, pp. 1187–1203, August 2014. View at: Google Scholar
See in References
]. In recent years, deep learning has been recognized in various fields such as image classification [6
  1. A. Krizhevsky, I. Sutskever, and G. E. Hinton, “Imagenet classification with deep convolutional neural networks,” Advances in Neural Information Processing Systems, vol. 25, pp. 1097–1105, 2012. View at: Google Scholar
See in References
] and speech recognition [7
  1. G. Hinton, L. Deng, D. Yu et al., “Deep neural networks for acoustic modeling in speech recognition: the shared views of four research groups,” IEEE Signal Processing Magazine, vol. 29, no. 6, pp. 82–97, 2012. View at: Publisher Site | Google Scholar
See in References
]. Similarly, it is widely used in the field of computer security [8
  1. S. Agrawal, S. Sarkar, O. Aouedi et al., Federated Learning for Intrusion Detection System: Concepts, Challenges and Future Directions, 2021, https://arxiv.org/abs/2106.09527.
See in References
]. Different from traditional machine learning, automatic extraction of features from original data is one of the advantages of deep learning. WF attacks based on deep learning have been proposed such as Automated Website Fingerprinting (AWF) [9
  1. V. Rimmer, D. Preuveneers, M. Juarez, T. Van Goethem, and W. Joosen, “Automated Website Fingerprinting through Deep Learning,” 2017, arXiv preprint arXiv:1708.06376. View at: Google Scholar
See in References
], Var-CNN [10
  1. S. Bhat, D. Lu, A. Kwon, and S. Devadas, “Var-cnn: A Data-Efficient Website Fingerprinting Attack Based on Deep Learning,” Proceedings on Privacy Enhancing Technologies, vol. 2019, no. 4, pp. 292–310, 2019. View at: Publisher Site | Google Scholar
See in References
], and Deep Fingerprinting (DF) [11
  1. P. Sirinam, M. Imani, M. Juarez, and M. Wright, “Deep fingerprinting: undermining website fingerprinting defenses with deep learning,” in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1928–1943, Toronto, Canada, October 2018. View at: Google Scholar
See in References
]. DF can gain more than 98% accuracy only using the direction sequence of traffic.

In the meantime, some WF defenses have been proposed such as WTF-PAD [12

  1. M. Juarez, M. Imani, M. Perry, C. Diaz, and M. Wright, “Toward an efficient website fingerprinting defense,” European Symposium on Research in Computer Security, Springer, NY, USA, pp. 27–46, 2016. View at: Publisher Site | Google Scholar
See in References
], walkie-talkie (W-T) [13
  1. T. Wang and I. Goldberg, “Walkie-talkie: an efficient defense against passive website fingerprinting attacks,” 26th {USENIX} Security Symposium ({USENIX} Security 17), USENIX Association, Vancouver, Canada, pp. 1375–1390, 2017. View at: Google Scholar
See in References
], and Deep Fingerprinting Defender (DFD) [14
  1. A. Abusnaina, R. Jang, A. Khormali, D. Nyang, and D. Mohaisen, “Dfd: adversarial learning-based approach to defend against website fingerprinting,” in Proceedings of the IEEE INFOCOM 2020-IEEE Conference on Computer Communications, pp. 2459–2468, IEEE, Toronto, ON, Canada, July 2020. View at: Publisher Site | Google Scholar
See in References
]. In addition, researchers have found that deep learning models are vulnerable to adversarial examples [15
  1. I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,” 2014, https://arxiv.org/abs/1412.6572. View at: Google Scholar
See in References
]. It can make a classifier based on deep learning misclassification [1
  1. R. Dingledine, N. Nick, and S. Paul, Tor: The Second-Generation Onion Router, Naval Research Lab, Washington, DC, USA, 2004. View at: Publisher Site
See in References
]. Therefore, some WF defenses based on adversarial examples are proposed such as WF-GAN [16
  1. C. Hou, G. Gou, J. Shi, P. Fu, and G. Xiong, “Wf-gan: fighting back against website fingerprinting attack using adversarial learning,” in Proceedings of the 2020IEEE Symposium on Computers and Communications (ISCC), pp. 1–7, IEEE, Rennes, France, July 2020. View at: Publisher Site | Google Scholar
See in References
] and Mockingbird [17
  1. M. S. Rahman, M. Imani, N. Mathews, and M. Wright, “Mockingbird: defending against deep-learning-based website fingerprinting attacks with adversarial traces,” IEEE Transactions on Information Forensics and Security, vol. 16, pp. 1594–1609, 2020. View at: Google Scholar
See in References
]. But, WTF-PAD, W-T, and DFD have expired defense capability and suboptimal bandwidth overhead. WF-GAN and Mockingbird are the most recently proposed WF defense, which is based on adversarial examples. They have excellent defensive capabilities and low bandwidth overhead. But it can only use the complete traffic of the website to generate the corresponding defense data. The situation is unrealistic.

In order to achieve excellent defensive performance, low bandwidth overhead, and availability in real-time traffic, we propose SAD based on adversarial examples and head rate. SAD consists of two components: an adversarial examples generation model and a WF attack model-based deep learning. The former can generate adversarial examples according to the direction sequence of flow. The attack model is an adversary of the generated model similar to GAN [18

  1. I. Goodfellow, J. Pouget-Abadie, M. Mirza et al., “Generative adversarial nets,” Advances in Neural Information Processing Systems, vol. 27, 2014. View at: Google Scholar
See in References
]. The experiments show that SAD effectively reduces the attack success accuracy of DF, Var-CNN, and AWF attack models with slight bandwidth overhead. SAD has excellent defense capabilities whether facing unknown attack or adversarial training. The main contributions of this article are as follows:(1)This article proposes a WF defense, named SAD, using segmented processing with head rate and adversarial examples. Compared with some previous studies, SAD does not require global traffic sequence information when generating adversarial examples. Therefore, it can apply in live traffic.(2)SAD can be easily generated adversarial examples for different attack models based on deep learning. The input and output of SAD are the original direction sequence data rather than burst-based data. This is the same data format required by the attack model.(3)SAD can effectively reduce the attack success rate, even facing adversarial training or unknown attack. In particular, we obtain better results with head rate at low bandwidth overhead. For the three existing WF attack models, DF, Var-CNN, and AWF, SAD can reduce these attack success rates from 96% to 1%. Compared with DFD, we have better defense whether in open-world or close-world.

2.1. Website Fingerprinting Attack

WF attacks initially required manual feature extraction. Instead, deep learning models based convolutional neural network (CNN) are now mainly used, as it only requires packet direction information. Table 1 shows simple information about website fingerprinting attacks, which are recognized by researchers.

AttackClassifierFeaturesWeakness
K-NN [3
  1. T. Wang, X. Cai, R. Nithyanand, R. Johnson, and I. Goldberg, “Effective attacks and provable defenses for website fingerprinting,” Proceedings of the USENIX Security Symposium, USENIX Association, San Diego, CA, USA, pp. 143–157, August 2014. View at: Google Scholar
See in References
]		K-nearest neighborsThe number of incoming packets, the number of outgoing packets, the sum of incoming packet sizes, the sum of outgoing packet sizes, etc.Manual feature extraction from network traffic.
CUMUL [4
  1. A. Panchenko, F. Lanze, J. Pennekamp et al., “Website fingerprinting at internet scale,” NDSS, 2016. View at: Publisher Site | Google Scholar
See in References
]		SVM
K-FP [5
  1. J. Hayes and G. Danezis, “k-fingerprinting: A robust scalable website fingerprinting technique,” Proceedings of the 25th {USENIX} Security Symposium ({USENIX} Security 16), Austin, TX, USA, pp. 1187–1203, August 2014. View at: Google Scholar
See in References
]		Random forests
AWF [9
  1. V. Rimmer, D. Preuveneers, M. Juarez, T. Van Goethem, and W. Joosen, “Automated Website Fingerprinting through Deep Learning,” 2017, arXiv preprint arXiv:1708.06376. View at: Google Scholar
See in References
]		CNNDirection sequence of Tor cellsRequires large amounts of training data.
Var-CNN [10
  1. S. Bhat, D. Lu, A. Kwon, and S. Devadas, “Var-cnn: A Data-Efficient Website Fingerprinting Attack Based on Deep Learning,” Proceedings on Privacy Enhancing Technologies, vol. 2019, no. 4, pp. 292–310, 2019. View at: Publisher Site | Google Scholar
See in References
]
DF [11
  1. P. Sirinam, M. Imani, M. Juarez, and M. Wright, “Deep fingerprinting: undermining website fingerprinting defenses with deep learning,” in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1928–1943, Toronto, Canada, October 2018. View at: Google Scholar
See in References
]
Table 1 
WF attacks based on traditional machine learning or deep learning.

Herrmann et al. [19

  1. D. Herrmann, R. Wendolsky, and H. Federrath, “Website fingerprinting: attacking popular privacy enhancing technologies with the multinomial naïve-bayes classifier,” in Proceedings of the 2009 ACM workshop on Cloud computing security, pp. 31–42, Chicago, IL, USA, November 2009. View at: Publisher Site | Google Scholar
See in References
] first applied the WF attack on Tor in 2009, but the accuracy was only 3% in close-world. In 2011, Panchenko et al. [20
  1. A. Panchenko, L. Niessen, A. Zinnen, and T. Engel, “Website fingerprinting in onion routing based anonymization networks,” in Proceedings of the 10th annual ACM workshop on Privacy in the electronic society, pp. 103–114, Chicago, IL, USA, October 2011. View at: Publisher Site | Google Scholar
See in References
] proposed a WF attack based on support vector machines (SVMs). It improves the accuracy of WF attacks. But, the computational cost of these WF attack classifiers is too high and not practical. With the development of computers, researchers have proposed more effective attacks. In 2014, the K-nearest neighbors (K-NN) classifier was proposed by Wang et al. [3
  1. T. Wang, X. Cai, R. Nithyanand, R. Johnson, and I. Goldberg, “Effective attacks and provable defenses for website fingerprinting,” Proceedings of the USENIX Security Symposium, USENIX Association, San Diego, CA, USA, pp. 143–157, August 2014. View at: Google Scholar
See in References
]. The attack achieved a higher accuracy with shorter training time and test time. In addition, Panchenko et al. [4
  1. A. Panchenko, F. Lanze, J. Pennekamp et al., “Website fingerprinting at internet scale,” NDSS, 2016. View at: Publisher Site | Google Scholar
See in References
] used the cumulative sum of packet lengths as features and SVM as a classifier, called CUMUL, which achieved good results in close-world. Hayes et al. [5
  1. J. Hayes and G. Danezis, “k-fingerprinting: A robust scalable website fingerprinting technique,” Proceedings of the 25th {USENIX} Security Symposium ({USENIX} Security 16), Austin, TX, USA, pp. 1187–1203, August 2014. View at: Google Scholar
See in References
] proposed a new website fingerprinting attack K-fingerprinting (K-FP) based on random forest. K-FP achieved 91% accuracy in a closed-world setting. These methods are all based on traditional machine learning. What they have in common is that they require manual feature extraction, which is directly related to the accuracy rate. The previous work was more on how to extract more representative features.

With the successful application of deep learning in other fields, many researchers are using it for website fingerprinting attacks. The obvious benefit is that it does not require manual feature extraction. To skip the process that manually extracting features, Rimmer et al. [9

  1. V. Rimmer, D. Preuveneers, M. Juarez, T. Van Goethem, and W. Joosen, “Automated Website Fingerprinting through Deep Learning,” 2017, arXiv preprint arXiv:1708.06376. View at: Google Scholar
See in References
] proposed a deep learning-based WF attack AWF. They collected a lot of training data and tried to use three different neural network structures, Stacked Denoising Autoencoder (SDAE), CNN, and Long Short-Term Memory (LSTM). The experimental results show that the model-based CNN can obtain the highest accuracy of over 96%. Sanjit [10
  1. S. Bhat, D. Lu, A. Kwon, and S. Devadas, “Var-cnn: A Data-Efficient Website Fingerprinting Attack Based on Deep Learning,” Proceedings on Privacy Enhancing Technologies, vol. 2019, no. 4, pp. 292–310, 2019. View at: Publisher Site | Google Scholar
See in References
] proposed Var-CNN based on ResNets [21
  1. K. He, X. Zhang, S. Ren, and J. Sun, “Deep residual learning for image recognition,” in Proceedings of the IEEE conference on computer vision and pattern recognition, pp. 770–778, Las Vegas, NV, USA, June 2016. View at: Publisher Site | Google Scholar
See in References
] deep learning. It has a better recognition effect when the amount of training data is small, especially in close-world. Sirinam et al. [11
  1. P. Sirinam, M. Imani, M. Juarez, and M. Wright, “Deep fingerprinting: undermining website fingerprinting defenses with deep learning,” in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1928–1943, Toronto, Canada, October 2018. View at: Google Scholar
See in References
] proposed DF, which is based on CNN. The model has reached a high level of attack ability in both close-world and open-world. The above three deep learning-based models for WF attacks require a very simple form of data (packet direction), but it requires more training data compared to traditional machine learning.

2.2. Website Fingerprinting Defense

WF defense against WF attacks by inserting dummy packets. The approach brings bandwidth overhead. Tor’s bandwidth resources are precious. Researchers have been focusing on reducing bandwidth overhead and improving defensive capabilities. Different methods have different insertion rules, but they can be broadly sourced in two ways: generated by the authors based on their own expertise, and utilized to generate insertion rules from attack methods, as shown in Table 2.

DefenseDefensive RulesWeakness
BuFLO [22
  1. K. P. Dyer, S. E. Coull, T. Ristenpart, and T. Shrimpton, “Peek-a-boo, i still see you: why efficient traffic analysis countermeasures fail,” in Proceedings of the 2012 IEEE Symposium on Security and Privacy, pp. 332–346, IEEE, San Francisco, CA, USA, May 2012. View at: Publisher Site | Google Scholar
See in References
]		Authors’ predetermined insertion rules, such as inserting dummy packets regularly.Large bandwidth overhead or poor defense against current WF attacks.
Tamaraw [23
  1. X. Cai, R. Nithyanand, T. Wang, R. Johnson, and I. Goldberg, “A systematic approach to developing and evaluating website fingerprinting defenses,” in Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 227–238, NY, USA, November 2014. View at: Publisher Site | Google Scholar
See in References
]
CS-BuFLO [24
  1. X. Cai, R. Nithyanand, and R. Johnson, “Cs-buflo: a congestion sensitive website fingerprinting defense,” in Proceedings of the 13th Workshop on Privacy in the Electronic Society, pp. 121–130, Scottsdale, AZ, USA, November 2014. View at: Publisher Site | Google Scholar
See in References
]
WTF-PAD [3
  1. T. Wang, X. Cai, R. Nithyanand, R. Johnson, and I. Goldberg, “Effective attacks and provable defenses for website fingerprinting,” Proceedings of the USENIX Security Symposium, USENIX Association, San Diego, CA, USA, pp. 143–157, August 2014. View at: Google Scholar
See in References
]
W-T [13
  1. T. Wang and I. Goldberg, “Walkie-talkie: an efficient defense against passive website fingerprinting attacks,” 26th {USENIX} Security Symposium ({USENIX} Security 17), USENIX Association, Vancouver, Canada, pp. 1375–1390, 2017. View at: Google Scholar
See in References
]
DFD [14
  1. A. Abusnaina, R. Jang, A. Khormali, D. Nyang, and D. Mohaisen, “Dfd: adversarial learning-based approach to defend against website fingerprinting,” in Proceedings of the IEEE INFOCOM 2020-IEEE Conference on Computer Communications, pp. 2459–2468, IEEE, Toronto, ON, Canada, July 2020. View at: Publisher Site | Google Scholar
See in References
]
WF-GAN [16
  1. C. Hou, G. Gou, J. Shi, P. Fu, and G. Xiong, “Wf-gan: fighting back against website fingerprinting attack using adversarial learning,” in Proceedings of the 2020IEEE Symposium on Computers and Communications (ISCC), pp. 1–7, IEEE, Rennes, France, July 2020. View at: Publisher Site | Google Scholar
See in References
]		Insertion rules learned against website fingerprinting attacksDifficult to apply to practical scenarios. But it has low bandwidth overhead
Mockingbird [17
  1. M. S. Rahman, M. Imani, N. Mathews, and M. Wright, “Mockingbird: defending against deep-learning-based website fingerprinting attacks with adversarial traces,” IEEE Transactions on Information Forensics and Security, vol. 16, pp. 1594–1609, 2020. View at: Google Scholar
See in References
]
Table 2 
Differences in the rules for inserting dummy packets for WF defense.

Buffered Fixed-Length Obfuscation (BuFLO) [22

  1. K. P. Dyer, S. E. Coull, T. Ristenpart, and T. Shrimpton, “Peek-a-boo, i still see you: why efficient traffic analysis countermeasures fail,” in Proceedings of the 2012 IEEE Symposium on Security and Privacy, pp. 332–346, IEEE, San Francisco, CA, USA, May 2012. View at: Publisher Site | Google Scholar
See in References
] sends packets of a fixed size at fixed intervals, using dummy packets to both fill in and (potentially) extend the transmission. But, it brings unreasonable bandwidth overhead. Tamaraw [23
  1. X. Cai, R. Nithyanand, T. Wang, R. Johnson, and I. Goldberg, “A systematic approach to developing and evaluating website fingerprinting defenses,” in Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 227–238, NY, USA, November 2014. View at: Publisher Site | Google Scholar
See in References
] and CS-BuFLO [24
  1. X. Cai, R. Nithyanand, and R. Johnson, “Cs-buflo: a congestion sensitive website fingerprinting defense,” in Proceedings of the 13th Workshop on Privacy in the Electronic Society, pp. 121–130, Scottsdale, AZ, USA, November 2014. View at: Publisher Site | Google Scholar
See in References
] extend BuFLO. The difference is that the download and upload rates can be set to different rates. But their bandwidth overhead exceeds 100%. WTF-PAD was proposed by Juarez et al. [3
  1. T. Wang, X. Cai, R. Nithyanand, R. Johnson, and I. Goldberg, “Effective attacks and provable defenses for website fingerprinting,” Proceedings of the USENIX Security Symposium, USENIX Association, San Diego, CA, USA, pp. 143–157, August 2014. View at: Google Scholar
See in References
]. The defense attempts to fill a large time gap between two data packets. Whenever the gap is large, WTF-PAD will send a series of dummy packets. It reduces the accuracy of K-NN attacks. However, WTF-PAD was defeated by the WF attack DF. Walkie-talkie (W-T) [13
  1. T. Wang and I. Goldberg, “Walkie-talkie: an efficient defense against passive website fingerprinting attacks,” 26th {USENIX} Security Symposium ({USENIX} Security 17), USENIX Association, Vancouver, Canada, pp. 1375–1390, 2017. View at: Google Scholar
See in References
] makes the attack success rate of DF only 49.7% with 31% bandwidth overhead. W-T changed the communication mode of both parties from full duplex to half duplex. The change affects the user’s network experience. For WF attacks based on deep learning, some researchers proposed WF defense based on adversarial examples, WF-GAN [16
  1. C. Hou, G. Gou, J. Shi, P. Fu, and G. Xiong, “Wf-gan: fighting back against website fingerprinting attack using adversarial learning,” in Proceedings of the 2020IEEE Symposium on Computers and Communications (ISCC), pp. 1–7, IEEE, Rennes, France, July 2020. View at: Publisher Site | Google Scholar
See in References
] and Mockingbird [17
  1. M. S. Rahman, M. Imani, N. Mathews, and M. Wright, “Mockingbird: defending against deep-learning-based website fingerprinting attacks with adversarial traces,” IEEE Transactions on Information Forensics and Security, vol. 16, pp. 1594–1609, 2020. View at: Google Scholar
See in References
]. They have excellent performance, but they are difficult to be applied in live traffic due to the requirements of model input data.

The latest defense method (DFD) [14

  1. A. Abusnaina, R. Jang, A. Khormali, D. Nyang, and D. Mohaisen, “Dfd: adversarial learning-based approach to defend against website fingerprinting,” in Proceedings of the IEEE INFOCOM 2020-IEEE Conference on Computer Communications, pp. 2459–2468, IEEE, Toronto, ON, Canada, July 2020. View at: Publisher Site | Google Scholar
See in References
] injects a dummy burst sequence according to the previous burst sequence in the real-time traffic. When the injection method is the server-side injection method, the attack success rate using CNN as the attack model is reduced from 99.93% to 5% with 85.56% bandwidth overhead. However, it did not test the existing WF attacks. In addition, the DFD cannot stably insert dummy packets. In some cases, the number of inserted dummy packets is small. When bandwidth overhead is small, the expected defense effect cannot be achieved.

3. Preliminary

3.1. Threat Model

Tor protects browsing website information of the user through data encryption and multi-hop proxy. Its working principle is shown in Figure 1. In general, the user randomly selects three relay nodes, guard node, middle node, and exit node, from global active relay nodes. These selected nodes will form a communication link. All traffic will be encrypted when through the link. The purpose of the WF attacker is to obtain the website name visited by users from encrypted traffic.


Figure 1 
WF attack mode.

To be specific, the attacker monitors and saves traffic between the guard node and user. Then, the attacker uses the traffic to infer the website name using deep learning. The attacker generally needs the direction sequence of traffic packet. The outgoing (client to server) and incoming (server to client) packets are represented as and , respectively. For a piece of data, the total number of −1 and 1 is the effective length of the data. However, the attacker did not own all the data of the website. We mark target websites as monitored sites and other sites as unmonitored sites. To this end, WF attack and WF defense are evaluated in two different experimental environments: close-world and open-world. Close-world means that users can only access monitored websites. The open-world is closer to the real scene than the close-world. It allows the user to access any website.

3.2. Defense Model

The goal of the defender is to reduce the accuracy of WF attacks. One of the best ways to reduce the accuracy of WF attack is to change the input data of WF attack model. For this, there are two operations: inserting dummy packets and delay packets. Delayed packets have a greater negative impact on the network than inserting dummy packets; the latter usually is adopted by WF defense. In addition, there are two scenarios for WF defense: black-box or white-box. Black-box means that the structure and parameters of the WF attack model are unknown. We only know the correspondence between the input and output of the model. White-box means that the structure and parameter information of the attack model can be obtained. We can interact deeply with the attack model.

3.3. Adversarial Examples

Adversarial examples are carefully designed input data for deep learning model, which will cause the model to output incorrect prediction results. It was first discovered by the research in the field of image classification [25

  1. C. Szegedy, W. Zaremba, I. Sutskever et al., “Intriguing Properties of Neural Networks,” 2013, https://arxiv.org/abs/1312.6199. View at: Google Scholar
See in References
]. Fast Gradient Sign Method (FGSM) [15
  1. I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,” 2014, https://arxiv.org/abs/1412.6572. View at: Google Scholar
See in References
] is a classic adversarial examples generation method based on gradient. It can be expressed as , is adversarial examples, is the parameter of deep learning model, is the input of the model, is the correct category for , is loss function, is the gradient of the loss function with respect to , and is super parameter. The WF defense generates adversarial examples, which is similar to FGSM. WF-GAN [16
  1. C. Hou, G. Gou, J. Shi, P. Fu, and G. Xiong, “Wf-gan: fighting back against website fingerprinting attack using adversarial learning,” in Proceedings of the 2020IEEE Symposium on Computers and Communications (ISCC), pp. 1–7, IEEE, Rennes, France, July 2020. View at: Publisher Site | Google Scholar
See in References
] and Mockingbird [17
  1. M. S. Rahman, M. Imani, N. Mathews, and M. Wright, “Mockingbird: defending against deep-learning-based website fingerprinting attacks with adversarial traces,” IEEE Transactions on Information Forensics and Security, vol. 16, pp. 1594–1609, 2020. View at: Google Scholar
See in References
] modify burst-based features to generate adversarial examples. Due to the practical significance of the feature, the feature value can only increase but not decrease. Adversarial examples can be expressed as , where is burst sequence of original flow and is perturbation size and nonnegative number that means cannot drop packet.

4. Defense Design

In this section, we present the design details of SAD, that is,, method of processing data, detailed design of deep learning model, and the process of training the model.

Figure 2 represents the overall process of SAD. is a sequence of the segment of different lengths of flow, is the dummy packets being inserted, and adversarial examples are the output of SAD. The means that we only generate adversarial examples for the first percent of each data item. We define , where is sequence data , is effective length of , and is the number of tagged data in .


Figure 2 
SAD defense process.
4.1. SAD Model Design
4.1.1. Effective Length Alignment at

We do this to train the model quickly, even if the effective length of each data is different. In Algorithm 1, we describe the detailed processing; that is, each element of the data is shifted to the right by a different distance for the entire dataset. Finally, we have a uniform stop segmentation point. This is the key to speed up the model training.

(i)Input: a batch sequence flow data: ; head rate:
(ii) predefined maximum flow length// usually it is 5000
(iii) floor(hr∗ml)// global end index
(iv)forfBFdo
(v)el effective length of f // number of non-filled values
(vi) // the length of the current flow to be processed
(vii)hrlel∗hr
(viii)stepgei - hrl// number of steps to move backward
(ix) // all elements of move to the right times
(x)f moveToRight(f, step)
(xi)end
Algorithm 1 
Batch data effective length alignment at .
4.1.2. Sequence Data Segmentation

In the existing public dataset, each piece of data is a packet direction sequence generated during the complete access process of a certain website. We do this to simulate the real packet transmission. Similarly, we describe in detail in Algorithm 2. The segmentation refers to cutting the sequence into different lengths according to different segmented packet numbers . SPN set consists of several different . The segmented adversarial examples is inserted after each segment of original packets until the . Finally, the segmented sequence and the segmented adversarial examples are sequentially connected to form complete adversarial examples.

4.1.3. Generating Adversarial Examples

SAD contains multiple submodels with similar structures, the generation of adversarial examples is shown in Figure 3. The number of submodels is equal to the number of preset elements. In other words, each submodel has a corresponding as the input feature dimension size. The submodel structure is a simple multilayer fully connected neural network. Its activation function is , as in formula (1). In order to shorten the model training time and improve the robustness of the model, and are used. The input to the submodel is a segment of sequence data. The features dimension of the submodel output is for strictly control the bandwidth overhead, where is segment injection rate and is head rate. Although we take this means, the actual bandwidth overhead is a little bit smaller than the preset one. We tend to drop the last segment to ensure that the adversarial examples is valid. Significantly, the output of the submodel only contains or . We applied and to the model output, as shown in formula (1). Finally, the output of the submodel represents the direction of dummy packets. The main function of the submodel is to generate adversarial examples corresponding to the segmented sequence. The output of multiple submodels is spliced with segmented sequence to generate complete adversarial examples, and the process is shown in Algorithm 2:


Figure 3 
SAD generates adversarial examples.
(i)Input: a batch flow sequence: ; submodel set: ; segment packet number set: ; head rate:
(ii)Output: Adversarial examples:
(iii) predefined maximum flow length// Usually it is 5000
(iv) floor(hr∗ml)// global end index
(v) 0// split point index
(vi) a empty list// store final results
(vii)whileTruedo
(viii) randomChoice(spns)// random choice a element from
(ix)ifspn+sigeithen
(x)  break
(xi)end
(xii)csdbf[:,spi:spi+spn]// select the data of the current segment
(xiii)res.append(css)
(xiv)sm choiceSubmodel(spn)// select submodel according
(xv) // output segment adversarial examples according
(xvi)saesm(csd)
(xvii)sae Sign(sae)
(xviii)spispi+spn
(xix) all value of reset to 0 if effective length is 0
(xx)res.append(sae)
(xxi)end
(xxii) sequential splicing of elements of
(xxiii) clear elements in that have a valueof 0
(xxiii) fill each data length to at the end
Algorithm 2 
SAD generate adversarial examples.

The input dimension size of the submodel in the corresponds to the elements one-to-one. First, we randomly select from . Second, we choose the corresponding submodel that input dimension size is . Finally, the subsequence is selected from and input into the selected submodel to obtain the output . In other words, the first segmented sequence is put into the submodel to get output . The input of the submodel selected for the second time is , and the corresponding output is . By analogy, the input of the submodel is , and the output is . Finally, the adversarial examples generated by all submodels are spliced with the segmented sequence to generate adversarial examples , in the form of .

4.1.4. SAD Model Training

First, SAD outputs the adversarial examples according to the original data. Then, will be generated when the adversarial examples are fed to the attack model, and the loss function is . The difference is that our goal is to make the loss larger. Moreover, we only update the parameters of SAD. In this way, the accuracy of the attack model will decrease with adversarial sample generated by SAD. The attack model can be any WF attack model based on deep learning. Significantly, we use to map the SAD output to or . But this function is not diversified, the input gradient of as the output gradient.

5. Experiment and Analysis

5.1. Dataset

In this article, the experimental dataset is collected by Sirinam et al. [11

  1. P. Sirinam, M. Imani, M. Juarez, and M. Wright, “Deep fingerprinting: undermining website fingerprinting defenses with deep learning,” in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1928–1943, Toronto, Canada, October 2018. View at: Google Scholar
See in References
], which uses tor-browser-crawler [26
  1. M. Juarez, S. Afroz, G. Acar, C. Diaz, and R. Greenstadt, “A critical evaluation of website fingerprinting attacks,” in Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 263–274, Scottsdale, AZ, USA, November 2014. View at: Publisher Site | Google Scholar
See in References
] to simulate the process of users visiting the website.

5.1.1. Plain Data

They visited Alexa 100 sites in the close-world; each website was visited 1250 times. Next, they only store the data for at least 1000 valid visits after filtering out the invalid data. In the final result, 95 websites are stored. In the open-world, they visited 50000 Alexa websites, excluding the 100 websites in the close-world dataset. Finally, they got 40716 unmonitored website traffic data after filtering invalid data.

5.1.2. DFD Data

In order to evaluate the defense performance of DFD and compare it with SAD, plain data are used to generate defense data using and injection with 100% client injection according to the algorithm in DFD. The average bandwidth overhead range of these defense data is .

5.1.3. W-T and WTF-PAD Data

For WTF-PAD, Sirinam et al. [11

  1. P. Sirinam, M. Imani, M. Juarez, and M. Wright, “Deep fingerprinting: undermining website fingerprinting defenses with deep learning,” in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1928–1943, Toronto, Canada, October 2018. View at: Google Scholar
See in References
] protect traces by padding them according to the defense protocols, using the scripts and simulators provided by Juarez et al. [12
  1. M. Juarez, M. Imani, M. Perry, C. Diaz, and M. Wright, “Toward an efficient website fingerprinting defense,” European Symposium on Research in Computer Security, Springer, NY, USA, pp. 27–46, 2016. View at: Publisher Site | Google Scholar
See in References
]. For W-T, Sirinam et al. [11
  1. P. Sirinam, M. Imani, M. Juarez, and M. Wright, “Deep fingerprinting: undermining website fingerprinting defenses with deep learning,” in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1928–1943, Toronto, Canada, October 2018. View at: Google Scholar
See in References
] performed a new crawl with a Tor Browser in half-duplex mode. They collected datasets of size similar to the plain data. W-T requires padding the bursts in the half-duplex traces, so they followed the mold padding strategy as described in the W-T paper [13
  1. T. Wang and I. Goldberg, “Walkie-talkie: an efficient defense against passive website fingerprinting attacks,” 26th {USENIX} Security Symposium ({USENIX} Security 17), USENIX Association, Vancouver, Canada, pp. 1375–1390, 2017. View at: Google Scholar
See in References
].

5.1.4. Data Representation

These traffic can be expressed as a sequence of (, , ), where means outgoing(incoming) packet. On this foundation, Sirinam et al. [11

  1. P. Sirinam, M. Imani, M. Juarez, and M. Wright, “Deep fingerprinting: undermining website fingerprinting defenses with deep learning,” in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1928–1943, Toronto, Canada, October 2018. View at: Google Scholar
See in References
] showed that using packet length does not get an attractive improvement in the accuracy of the attack. Therefore, all data are represented by a sequence of packet directions. The sequence contains only and .

5.2. Performance Index

We define three performance index: attack success rate , defense success rate , and bandwidth overhead , respectively, , , , where is the number of browsing records contained in the dataset, is the number of data correctly identified by the WF attack model, is the number of error identification of the WF attack model, is the number of inserted dummy packets, and is the number of valid packets of the source data.

5.3. Result and Discussion
5.3.1. WF Attack Model Evaluation in Different Sequence Lengths

Deep learning-based WF attacks use the direction sequence of flow as input data. The strategy adopted by WF defense is to insert dummy packets into normal traffic. The most obvious change brought by this strategy is that the effective length of the sequence becomes longer. In previous WF attacks based on deep learning, the length was usually set to 5000. If the length is less than 5000, fill it with 0; if it exceeds, it will be truncated directly. To obtain a credible result, we trained multiple models on different sequence lengths, even if the effective data are the same. Considering bandwidth overhead and sequence length . In this experiment, three WF attack models, DF, Var-CNN, and AWF, are used in both close-world and open-world.

It can be seen from Figure 4 that in close-world, different sequence lengths have stable . When the sequence length is 7500, of DF reaches the highest, 98.14%. When the sequence is 7000, of Var-CNN reaches the highest, 97.56%, which is in line with the ability performance in original paper. In open-world, of Var-CNN, AWF, and DF reaches the highest, 96.39%, 91.28%, and 96.04%, respectively. In comparison, DF and Var-CNN are relatively stable. Therefore, in the subsequent experiments related to AWF, except AWF in open-world is between 96% and 97%. Finally, we can consider that the performance of the three attack models is stable in the current sequence length range. Appending meaningless data at the end of the sequence to proceed does not reduce the capability of the model. These three attack models are stable in accuracy over different sequence lengths. The padding sequences do not affect the attack models much. This ensures that the results of subsequent experiments are not affected by the length of the input data.


Figure 4 
Evaluation of website fingerprint attack model based on deep learning.
5.3.2. Defense Model Evaluation in Different Bandwidth Overheads

In this experiment, segment packet number and bandwidth overhead . Because different combinations of segment injection rate and head rate will bring the same real bandwidth overhead, here we have chosen the best result. In different environments, the relationship between and is shown in Figure 5. The solid line represents the data of this experiment. It can be seen from Figure 5 that DSR has been significantly improved with the increase of . In close-world, DSR for three attack models is above 90% when is 30%. DSR is close to saturation when is 40%. Although of the three attack models in this experiment is 96%, there are differences in the defense capabilities of SAD for the three. With the same , in open-world is higher. It can be seen that it is more beneficial to the attacker in close-world. It is more beneficial to the defender in open-world. In addition, cannot be significantly increased when reaches a threshold. In practice, we can ignore unmonitored website and only confuse monitoring websites. This can save computing costs. In open-world, the attacker marks the unmonitored sites as additional tags, which appear only once in the experimental data. When the defender obfuscates only the commonly used sites, the attacker’s traffic classification for the targeted sites results in either other targeted sites or unmonitored sites. In this way, the attacker is also unable to deduce valid information from the results.


Figure 5 
SAD defense effect.
5.3.3. Different Combinations of Segment Injection Rate and Head Rate

In our design, the actual bandwidth overhead is determined by both the segmented injection rate and head rate. Therefore, the DSR may also be different for the same bandwidth overhead. In Table 3, we explore this situation in detail. In this experiment, segment injection rate , head rate , and . In the table, we have marked (bold) the largest with the same bandwidth overhead and .

DSRHR0.100.200.300.400.500.600.700.800.901.0
SIR
0.050.36
0.100.410.460.470.520.560.56
0.150.450.540.580.610.660.700.71
0.200.470.560.620.660.720.780.770.82
0.25-0.360.520.610.710.740.770.820.840.88
0.300.390.580.680.750.800.840.890.890.91
0.350.440.620.750.810.840.880.910.910.94
0.400.460.670.780.840.880.910.940.930.96
0.450.510.690.820.890.920.930.950.950.97
0.500.230.540.740.860.910.940.950.960.960.98
0.550.240.570.780.870.930.950.960.970.970.98
0.600.240.590.810.900.940.960.960.970.970.98
0.650.260.620.820.900.950.960.970.980.980.98
0.700.260.640.830.910.950.970.970.980.980.99
0.750.270.650.850.930.960.970.980.980.98
0.800.270.660.870.940.970.980.980.98
0.850.280.670.870.940.960.960.980.98
0.900.290.710.900.940.960.970.98
0.950.300.730.890.940.970.980.98
1.000.330.740.900.950.970.980.98
Table 3 
Different combinations of the head rate and the segment injection rate.

The greater is seen where the head rate is smaller. It means that a large amount of injection in the early stages of network traffic transmission will have better results for defense. According to the general flow, SAD inserts a fixed percentage of dummy packets based on the length of each segment, that is, . In Table 3, when and (); that is, each segment will be processed. However, when and (). The reason for such a large gap at the same bandwidth overhead is that dummy packets that should have been inserted at the back are inserted at the front. A web page contains many different files. When a browser loads a web page, the files are downloaded in a relatively fixed order; for example, html files are always loaded first. This means that the first segment of web traffic contains more unique packet patterns. So we speculate that the deep learning model pays more attention to the front part of the data. And our behavior causes more drastic perturbation to the data in the forward part. On the other hand, in a real scenario loading two pages sequentially, it is difficult for an attacker to separate the first page from the second page from the mix. The approach in [27

  1. Y. Xu, T. Wang, Q. Li, Q. Gong, Y. Chen, and Y. Jiang, “A multi-tab website fingerprinting attack,” in Proceedings of the 34th Annual Computer Security Applications Conference, pp. 327–341, San Juan, PR, USA, December 2018. View at: Publisher Site | Google Scholar
See in References
] will be to extract only the traffic that contains the first page. This traffic is used to infer the name of the site on the first page. SAD may get even better results by adding more dummy packages to the first half of the segment.

5.3.4. Compared with DFD

We use the algorithm that injecting dummy packets proposed by DFD to generate defense data. These defensive data contain only monitored websites. In open-world, the training data of the attack model contains both unmonitored and monitored dataset. Then, we calculate the average of bandwidth overhead based on the defense data and DF is selected as the attack model. The results are shown in Figure 5, dashed lines. It is obvious that SAD is superior to DFD in all conditions of this experiment.

The performance of the DFD is somewhat different from the results expressed in the original paper. In DFD, the attack model being detected is not the latest AWF, Var-CNN, and DF, but is created by itself, although its CNN-based attack model can reach the same level of accuracy as DF. On the other hand, the valid length of the obfuscated data was not increased during testing, and the model input length was set to 5000, which can lead to the loss of valid data in some data back segments. In SAD, all data will be retained.

5.3.5. Adversary Training

Attackers can obtain defense data when the defense is public. In response to this situation, SAD can adjust bandwidth overhead to slow down the decline of DSR. We simulate the situation in this experiment. First, we train the DF attack model on the defense dataset until ASR reaches 90%. Then, the attack model will verify the effectiveness of multiple adversarial examples. When the defense data sequence and the input feature dimension of the attack model are not the same, if it is not enough, it is filled with 0, and if it is too long, it will be directly truncated. Furthermore, WTF-PAD and W-T are the most recognized defense methods, so we have conducted experiments using them as well, and the result is shown in Table 4.

DefensesOverheadaccuracy of DF
WTF-PAD64%0.905 1
W-T31%0.493 8
Table 4 
Adversary training in WTF-PAD and W-T.

In Figure 6, when DF uses the adversarial examples generated by SAD for training, its can still reach more than 90% with the same bandwidth overhead. The greater the gap between bandwidth overhead setting of defender and attacker, the higher . Therefore, SAD has excellent defense ability against the WF attack model after adversary training. Although deep learning can automatically extract features, it requires that the dimensional size of the training and test data be the same. Defenders can employ a variety of bandwidth overheads to increase the difficulty for attackers. But, it can be seen from Table 4 that WTF-PAD and W-T have different defense abilities in the face of confrontation training, and W-T is better. WTF-PAD uses dummy packets filled according to a certain rule. W-T is to try to convert traces to another traces that already exist. SAD is almost ineffective against adversarial training, although excellent defense can be obtained by modifying the bandwidth overhead. The WF attack model can still extract the relevant features. W-T modifies the original full-duplex communication. It tries to fit already existing traces when inserting dummy packets.


Figure 6 
Adversarial training attack models face defense data with different bandwidth overheads.
5.3.6. Black-Box Defense

The purpose of this experiment is to evaluate the robustness of SAD against unknown attack models. Unlike experiments (2)-(5), this experiment is a black-box defense. In the process of training and testing, three WF attack models can be selected, one of which is selected as the training model of SAD, and the other two is used as the test model.

In Figure 7, the dotted line and solid line represent DSR under the white-box and black-box, respectively. The black-box defense did not cause the SAD’s defense performance to fluctuate too much. As far as we know, the deep learning model is transferable. The three models in this experiment are the three most commonly used WF attack models, which have higher performance than other attack models and do not require manual feature extraction. Reference [9

  1. V. Rimmer, D. Preuveneers, M. Juarez, T. Van Goethem, and W. Joosen, “Automated Website Fingerprinting through Deep Learning,” 2017, arXiv preprint arXiv:1708.06376. View at: Google Scholar
See in References
] has compared the models of SDAE, CNN, and LSTM structures. The experiments show that the model based on CNN structure achieves the best results. The basic structure of AWF, Var-CNN, and DF is CNN. We speculate that the features automatically extracted by the three models are similar, but the regions of focus are different. This leads to better results for black boxes at low bandwidth overhead. Although SAD is optimized based on only one attack model, it remains valid for other unknown models.


Figure 7 
SAD defense success rate in black-box defense mode.

6. Limitations and Future Work

There are still many limitations to SAD. Our ultimate goal is to deploy SAD in real-world scenarios. However, we have to consider how long it takes to generate the adversarial examples. We counted the time spent by SAD to generate the adversarial examples; the information is presented in Table 5. SAD generates a segment of adversarial examples in less than 2 milliseconds. It takes about 200 milliseconds for a complete trace, that is, the number of times SAD generates adversarial data , and the time complexity is . As far as we know, it takes 1 to 2 seconds to load a simple search engine home page. On the face of it, the SAD time overhead is reasonable. In fact, our results are obtained with the GPU in use. It takes 1 to 2 minutes to generate a piece of adversarial examples under the same conditions, with only CPU. This will seriously affect the web browsing. WTF-PAD, W-T, and DFD do not have such troubles because they do not use deep learning. According to the current development of deep learning, in order to get faster speed on the CPU, it is necessary to reduce the complexity of the model. So in the subsequent work, we can start from two aspects: reduce the model complexity and maintain the performance, and use nondeep learning methods to achieve the same purpose.

Bandwidth OverheadSegment data generationAvg. segmentComplete data generation
MaxminMeanStdMaxminMeanStd
0.17.631.661.880.2193.64205.19162.84184.679.39
0.26.141.671.860.1893.77216.87155.31182.2611.30
0.38.291.661.850.1892.86202.50157.09179.857.98
0.47.421.661.840.1893.28196.94159.27179.658.80
0.58.101.661.890.3394.32242.65161.43186.9214.32
0.67.811.651.850.2093.32203.19160.22181.379.35
0.77.921.661.890.3493.27230.50160.94184.3814.41
Table 5 
SAD generates data time statistics. Segment data generate: generating a segment of data; avg. segment: average number of data segments; complete data generate: SAD generates completed adversarial examples. The unit of data is milliseconds.

Adversarial examples can reduce the classification performance of the deep learning classifier. SAD is a model that can generate adversarial examples. We can assume that SAD transforms trace into another class. Ilyas et al. [28

  1. A. Ilyas, S. Santurkar, D. Tsipras, L. Engstrom, B. Tran, and A. Madry, “Adversarial examples are not bugs, they are features,” Advances in Neural Information Processing Systems, vol. 32, 2019. View at: Google Scholar
See in References
] demonstrate that adversarial examples can be directly attributed to the presence of nonrobust features: features (derived from patterns in the data distribution) that are highly predictive, yet brittle and (thus) incomprehensible to humans. But this transformation can be recognized by the model. Using the adversarial samples as the training data for the model, the model can extract nonrobust features as the basis for classification. However, deep learning-based classifiers have a maximum accuracy of only 50% on data generated by W-T. Currently, SAD has no such capability. Our future work is to make SAD have W-T’s better ability to face the adversarial training.

7. Conclusion

In this article, we proposed a novel website fingerprinting defense, called Segment Adversarial Defense, against deep learning-based WF attacks. SAD can perform segmentation processing on live traffic and injects dummy packets after each segment to complete the defense. At the same time, we can limit the range of segmentation to get more diverse adversarial examples. By this, SAD can flexibly tune the actual bandwidth overhead. The operation effectively balances the defense success rate and bandwidth overhead. In addition, SAD can deal with adversarial training and black-box defense. The experimental results show that in a close-world and open-world, the SAD defense success rate can reach up to 99%. It only needs 30% bandwidth overhead to achieve 90% defensive success rate. Remarkably, it is possible to get over 40% with only 5% bandwidth overhead. In summary, SAD can effectively against WF attacks based on deep learning.

Data Availability

The dataset used to support the findings of this study can be found according to the prompt in “https://github.com/deep-fingerprinting/df”. The dataset belongs to Sirinam et al.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This research was funded by the National Natural Science Foundation of China (no. 62062022).

References

  1. R. Dingledine, N. Nick, and S. Paul, Tor: The Second-Generation Onion Router, Naval Research Lab, Washington, DC, USA, 2004. View at: Publisher Site
  2. A. R. Javed, W. Ahmed, M. Alazab, Z. Jalil, K. Kifayat, and T. R. Gadekallu, “A Comprehensive Survey on Computer Forensics: State-Of-The-Art, Tools, Techniques, Challenges, and Future Directions.,” IEEE Access, vol. 10, 2022. View at: Publisher Site | Google Scholar
  3. T. Wang, X. Cai, R. Nithyanand, R. Johnson, and I. Goldberg, “Effective attacks and provable defenses for website fingerprinting,” Proceedings of the USENIX Security Symposium, USENIX Association, San Diego, CA, USA, pp. 143–157, August 2014. View at: Google Scholar
  4. A. Panchenko, F. Lanze, J. Pennekamp et al., “Website fingerprinting at internet scale,” NDSS, 2016. View at: Publisher Site | Google Scholar
  5. J. Hayes and G. Danezis, “k-fingerprinting: A robust scalable website fingerprinting technique,” Proceedings of the 25th {USENIX} Security Symposium ({USENIX} Security 16), Austin, TX, USA, pp. 1187–1203, August 2014. View at: Google Scholar
  6. A. Krizhevsky, I. Sutskever, and G. E. Hinton, “Imagenet classification with deep convolutional neural networks,” Advances in Neural Information Processing Systems, vol. 25, pp. 1097–1105, 2012. View at: Google Scholar
  7. G. Hinton, L. Deng, D. Yu et al., “Deep neural networks for acoustic modeling in speech recognition: the shared views of four research groups,” IEEE Signal Processing Magazine, vol. 29, no. 6, pp. 82–97, 2012. View at: Publisher Site | Google Scholar
  8. S. Agrawal, S. Sarkar, O. Aouedi et al., Federated Learning for Intrusion Detection System: Concepts, Challenges and Future Directions, 2021, https://arxiv.org/abs/2106.09527.
  9. V. Rimmer, D. Preuveneers, M. Juarez, T. Van Goethem, and W. Joosen, “Automated Website Fingerprinting through Deep Learning,” 2017, arXiv preprint arXiv:1708.06376. View at: Google Scholar
  10. S. Bhat, D. Lu, A. Kwon, and S. Devadas, “Var-cnn: A Data-Efficient Website Fingerprinting Attack Based on Deep Learning,” Proceedings on Privacy Enhancing Technologies, vol. 2019, no. 4, pp. 292–310, 2019. View at: Publisher Site | Google Scholar
  11. P. Sirinam, M. Imani, M. Juarez, and M. Wright, “Deep fingerprinting: undermining website fingerprinting defenses with deep learning,” in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1928–1943, Toronto, Canada, October 2018. View at: Google Scholar
  12. M. Juarez, M. Imani, M. Perry, C. Diaz, and M. Wright, “Toward an efficient website fingerprinting defense,” European Symposium on Research in Computer Security, Springer, NY, USA, pp. 27–46, 2016. View at: Publisher Site | Google Scholar
  13. T. Wang and I. Goldberg, “Walkie-talkie: an efficient defense against passive website fingerprinting attacks,” 26th {USENIX} Security Symposium ({USENIX} Security 17), USENIX Association, Vancouver, Canada, pp. 1375–1390, 2017. View at: Google Scholar
  14. A. Abusnaina, R. Jang, A. Khormali, D. Nyang, and D. Mohaisen, “Dfd: adversarial learning-based approach to defend against website fingerprinting,” in Proceedings of the IEEE INFOCOM 2020-IEEE Conference on Computer Communications, pp. 2459–2468, IEEE, Toronto, ON, Canada, July 2020. View at: Publisher Site | Google Scholar
  15. I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,” 2014, https://arxiv.org/abs/1412.6572. View at: Google Scholar
  16. C. Hou, G. Gou, J. Shi, P. Fu, and G. Xiong, “Wf-gan: fighting back against website fingerprinting attack using adversarial learning,” in Proceedings of the 2020IEEE Symposium on Computers and Communications (ISCC), pp. 1–7, IEEE, Rennes, France, July 2020. View at: Publisher Site | Google Scholar
  17. M. S. Rahman, M. Imani, N. Mathews, and M. Wright, “Mockingbird: defending against deep-learning-based website fingerprinting attacks with adversarial traces,” IEEE Transactions on Information Forensics and Security, vol. 16, pp. 1594–1609, 2020. View at: Google Scholar
  18. I. Goodfellow, J. Pouget-Abadie, M. Mirza et al., “Generative adversarial nets,” Advances in Neural Information Processing Systems, vol. 27, 2014. View at: Google Scholar
  19. D. Herrmann, R. Wendolsky, and H. Federrath, “Website fingerprinting: attacking popular privacy enhancing technologies with the multinomial naïve-bayes classifier,” in Proceedings of the 2009 ACM workshop on Cloud computing security, pp. 31–42, Chicago, IL, USA, November 2009. View at: Publisher Site | Google Scholar
  20. A. Panchenko, L. Niessen, A. Zinnen, and T. Engel, “Website fingerprinting in onion routing based anonymization networks,” in Proceedings of the 10th annual ACM workshop on Privacy in the electronic society, pp. 103–114, Chicago, IL, USA, October 2011. View at: Publisher Site | Google Scholar
  21. K. He, X. Zhang, S. Ren, and J. Sun, “Deep residual learning for image recognition,” in Proceedings of the IEEE conference on computer vision and pattern recognition, pp. 770–778, Las Vegas, NV, USA, June 2016. View at: Publisher Site | Google Scholar
  22. K. P. Dyer, S. E. Coull, T. Ristenpart, and T. Shrimpton, “Peek-a-boo, i still see you: why efficient traffic analysis countermeasures fail,” in Proceedings of the 2012 IEEE Symposium on Security and Privacy, pp. 332–346, IEEE, San Francisco, CA, USA, May 2012. View at: Publisher Site | Google Scholar
  23. X. Cai, R. Nithyanand, T. Wang, R. Johnson, and I. Goldberg, “A systematic approach to developing and evaluating website fingerprinting defenses,” in Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 227–238, NY, USA, November 2014. View at: Publisher Site | Google Scholar
  24. X. Cai, R. Nithyanand, and R. Johnson, “Cs-buflo: a congestion sensitive website fingerprinting defense,” in Proceedings of the 13th Workshop on Privacy in the Electronic Society, pp. 121–130, Scottsdale, AZ, USA, November 2014. View at: Publisher Site | Google Scholar
  25. C. Szegedy, W. Zaremba, I. Sutskever et al., “Intriguing Properties of Neural Networks,” 2013, https://arxiv.org/abs/1312.6199. View at: Google Scholar
  26. M. Juarez, S. Afroz, G. Acar, C. Diaz, and R. Greenstadt, “A critical evaluation of website fingerprinting attacks,” in Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 263–274, Scottsdale, AZ, USA, November 2014. View at: Publisher Site | Google Scholar
  27. Y. Xu, T. Wang, Q. Li, Q. Gong, Y. Chen, and Y. Jiang, “A multi-tab website fingerprinting attack,” in Proceedings of the 34th Annual Computer Security Applications Conference, pp. 327–341, San Juan, PR, USA, December 2018. View at: Publisher Site | Google Scholar
  28. A. Ilyas, S. Santurkar, D. Tsipras, L. Engstrom, B. Tran, and A. Madry, “Adversarial examples are not bugs, they are features,” Advances in Neural Information Processing Systems, vol. 32, 2019. View at: Google Scholar

Copyright © 2022 Renzhi Tang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Related articles

No related content is available yet for this article.

More related articles

No related content is available yet for this article.

More related articles

PF : Website Fingerprinting Attack Using Probabilistic Topic Model Hongcheng Zou | Ziling Wei | ... | Na Zhao 19 October 2021 hindawi.com Abstract Website fingerprinting (WFP) attack enables identifying the websites a user is browsing even under the protecti… Deep Nearest Neighbor Website Fingerprinting Attack Technology Maohua Guo | Jinlong Fei | Yitong Meng 15 July 2021 hindawi.com Abstract By website fingerprinting (WF) technologies, local listeners are enabled to track the specific website visited … Lightweight Statistical Approach towards TCP SYN Flood DDoS Attack Detection and Mitigation in SDN Environment Sehrish Batool | Farrukh Zeeshan Khan | ... | Muhammad Ahsan Raza 25 January 2022 hindawi.com Research Article | Open Access Sehrish Batool, Farrukh Zeeshan Khan, Syed Qaiser Ali Shah, Muneer Ahmed, Roobaea Alroobaea, Abdullah M. A Survey on Adversarial Attack in the Age of Artificial Intelligence Zixiao Kong | Jingfeng Xue | ... | Feng Li 22 June 2021 hindawi.com Abstract With the rapid evolution of the Internet, the application of artificial intelligence fields is more and more ex… All-Packets-Based Multi-Rate DDoS Attack Detection Method in ISP Layer Xinqian Liu | Jiadong Ren | ... | Zhangqi Zheng 6 May 2022 hindawi.com Research Article | Open Access Xinqian Liu, Jiadong Ren, Haitao He, Bing Zhang, Qian Wang, Zhangqi Zheng, "All-Packets-B… Eclipse Attack Detection for Blockchain Network Layer Based on Deep Feature Extraction Qianyi Dai | Bin Zhang | Shuqin Dong 13 April 2022 hindawi.com Research Article | Open Access Qianyi Dai, Bin Zhang, Shuqin Dong, "Eclipse Attack Detection for Blockchain Network Laye…
PDF Download Citation Citation
Download other formatsMore
ePub
XML
Order printed copiesOrder
Views63
Downloads160

Related articles

Website Fingerprinting Attacks Based on Homology Analysis Maohua Guo | Jinlong Fei 4 October 2021 hindawi.com Research Article | Open Access Maohua Guo, Jinlong Fei, "Website Fingerprinting Attacks Based on Homology Analysis", Sec… Defending against Deep-Learning-Based Flow Correlation Attacks with Adversarial Examples Ziwei Zhang | Dengpan Ye 27 March 2022 hindawi.com Research Article | Open Access Ziwei Zhang, Dengpan Ye, "Defending against Deep-Learning-Based Flow Correlation Attacks … Prevention Techniques against Distributed Denial of Service Attacks in Heterogeneous Networks: A Systematic Review Ammarah Cheema | Moeenuddin Tariq | ... | Muhammad Anwar 20 May 2022 hindawi.com Review Article | Open Access Ammarah Cheema, Moeenuddin Tariq, Adnan Hafiz, Muhammad Murad Khan, Fahad Ahmad, Muhammad A… PF : Website Fingerprinting Attack Using Probabilistic Topic Model Hongcheng Zou | Ziling Wei | ... | Na Zhao 19 October 2021 hindawi.com Abstract Website fingerprinting (WFP) attack enables identifying the websites a user is browsing even under the protecti… Deep Nearest Neighbor Website Fingerprinting Attack Technology Maohua Guo | Jinlong Fei | Yitong Meng 15 July 2021 hindawi.com Abstract By website fingerprinting (WF) technologies, local listeners are enabled to track the specific website visited … Lightweight Statistical Approach towards TCP SYN Flood DDoS Attack Detection and Mitigation in SDN Environment Sehrish Batool | Farrukh Zeeshan Khan | ... | Muhammad Ahsan Raza 25 January 2022 hindawi.com Research Article | Open Access Sehrish Batool, Farrukh Zeeshan Khan, Syed Qaiser Ali Shah, Muneer Ahmed, Roobaea Alroobaea, Abdullah M.

Article of the Year Award: Outstanding research contributions of 2021, as selected by our Chief Editors. Read the winning articles.