website fingerprinting
play

Website Fingerprinting Attacking Popular Privacy Enhancing - PowerPoint PPT Presentation

Oct 03, 2022 •545 likes •901 views

Website Fingerprinting Attacking Popular Privacy Enhancing Technologies with the Multinomial Nave-Bayes Classifier Dominik Herrmann , Hannes Federrath Rolf Wendolsky University of Regensburg, Germany JonDos GmbH Motivation To Whom It May

  2. Website Fingerprinting Attacking Popular Privacy Enhancing Technologies with the Multinomial Naïve-Bayes Classifier Dominik Herrmann , Hannes Federrath Rolf Wendolsky University of Regensburg, Germany JonDos GmbH

  3. Motivation – To Whom It May Concern ‣ Various Privacy Enhancing Technologies (PET) offer protection against eavesdropping ‣ SSH/SSL tunnels and VPNs ‣ multi-hop anonymisation services ‣ Users want protection against malicious ISPs and other users ‣ Criminals want to hide their activities from the authorities

  4. Attack Scenario e.g. VPN, OpenSSH tunnel, Tor, ... destination client tunnel endpoint webservers encrypted traffic attacker Local Administrator Internet Service Provider Law Enforcement Agency … e.g. ISP , local admin, authorities, ...

  5. Overview of Our Fingerprinting Attack ‣ Attacker wants to learn URLs of websites that are requested over an encrypted tunnel by the victim. ‣ Website Fingerprints: Attack exploits characteristic structure of websites. ‣ Attacker: passive, local, external observer PROCEDURE ‣ Set up a database with traffic profiles of all websites of interest (training phase) ‣ Compare observed traffic with all profiles from database to predict likely candidates

  6. Overview of Our Fingerprinting Attack ‣ Attacker wants to learn URLs of websites that are requested over an encrypted tunnel by the victim. ‣ Website Fingerprints: Attack exploits characteristic structure 50 sent by client received by client of websites. 40 ‣ Attacker: passive, local, external observer Frequency 30 PROCEDURE 20 ‣ Set up a database with traffic profiles of all websites of interest 10 (training phase) 0 ‣ Compare observed traffic with all profiles from database to -1500 -1000 -500 0 500 1000 1500 predict likely candidates Packet size [byte]

  7. Overview of Our Fingerprinting Attack ‣ Attacker wants to learn URLs of websites that are requested over an encrypted tunnel by the victim. ‣ Website Fingerprints: Attack exploits characteristic structure of websites. Most PETs are supposed to protect against such harmless attackers! ‣ Attacker: passive, local, external observer PROCEDURE ‣ Set up a database with traffic profiles of all websites of interest (training phase) ‣ Compare observed traffic with all profiles from database to predict likely candidates

  8. Previous works concentrate on OpenSSH and two well-known fingerprinting techniques Operating on file sizes: ‣ Sun et al. (2002) but: file sizes cannot be observed in encrypt ed tunnels! Operating on IP packet sizes: ‣ Bissias et al. (2005): identify only 20% of sites ‣ Liberatore & Levine (2006): identify up to 73% of sites using Jaccard coe ffi cient and Naïve-Bayes classi fi er

  9. Focus of Our Paper Operating on file sizes: ‣ Sun et al. (2002) Can we improve accuracy? but: fi le sizes cannot be observed in encrypted tunnels! What about other PETs? Operating on IP packet sizes: ‣ Bissias et al. (2005): identify only 20% of sites Does it work in practice? ‣ Liberatore & Levine (2006): identify up to 73% of sites using Jaccard coe ffi cient and Naïve-Bayes classi fi er

  10. Agenda Motivation and Scenario Novel Fingerprinting Technique Evaluation Addressing Real-World Issues

  11. Modeling Website Fingerprinting as Supervised Learning Problem class = URLs instance = observed IP packets attribute = packet size attribute value = packet size frequency Example: ‣ class: www.yahoo.com ‣ some instance: -160, 1500, 468, -52, 1500, 1500, -52, 1500 ‣ set representation: (-160, -52, 468, 1500) ‣ vector representation: (1, 2, 1, 4)

  12. Review of Existing Fingerprinting Techniques ‣ Jaccard Coefficient ‣ sim(A, B) = |A ∩ B| / (A ∪ B); sim(A, B) ∈ [0;1] ‣ Operates on set representation of instances ‣ Poor accuracy for padded packets ‣ Naïve Bayes Classi fi er ‣ Estimates probability density function for each packet size ‣ Increased accuracy with Kernel Density Estimation (KDE) ‣ Overfitting if only similar training instances are available

  13. Our Fingerprinting Technique: Multinomial Naïve Bayes (MNB) Classi fi er ‣ Popular classifier in text mining domain (spam detection) ‣ We believe that Website Fingerprinting is a similar problem. ‣ Operates on packet size frequency distribution ‣ Idea: the more often the most important packet sizes of the test instance i appear in traces belonging to class c , the more likely does instance i belong to class c ‣ Low computational complexity

  14. Our Fingerprinting Technique: Transformations to Consider Several optimisations to transform frequency vectors: ‣ TF transformation scale frequencies logarithmically to avoid bias towards classes with many packets with high frequencies 250 6 5 200 4 150 TF 3 100 2 50 1 0 0 −1500 −1000 −500 0 500 1000 1500 −1500 −1000 −500 0 500 1000 1500 packet size [bytes] packet size [bytes]

  15. Our Fingerprinting Technique: Transformations to Consider Several optimisations to transform frequency vectors: ‣ TF transformation scale frequencies logarithmically to avoid bias towards classes with many packets with high frequencies ‣ IDF transformation scale down frequencies of terms that are not characteristic for a class (inverse document frequency)

  16. Our Fingerprinting Technique: Transformations to Consider Several optimisations to transform frequency vectors: ‣ TF transformation scale frequencies logarithmically to avoid bias towards classes with many packets with high frequencies ‣ IDF transformation 70 250 scale down frequencies of terms that are not characteristic 60 200 for a class (inverse document frequency) 50 150 40 IDF 30 100 20 50 10 0 0 −1500 −1000 −500 0 500 1000 1500 −1500 −1000 −500 0 500 1000 1500 packet size [bytes] packet size [bytes]

  17. Our Fingerprinting Technique: Transformations to Consider Several optimisations to transform frequency vectors: ‣ TF transformation scale frequencies logarithmically to avoid bias towards classes with many packets with high frequencies ‣ IDF transformation scale down frequencies of terms that are not characteristic for a class (inverse document frequency) ‣ Cosine normalisation normalise attribute vectors to uniform length (division by Euclidean length of each vector)

  18. Agenda Motivation and Scenario Novel Fingerprinting Technique Evaluation Addressing Real-World Issues

  19. Data Collection Methodology ‣ We obtained real-world traffic dumps from 775 popular domains ‣ Automated Firefox to download each site multiple times ‣ Recorded packet size and direction with tcpdump ‣ 300,000 traffic dumps for various PET systems within two months Dataset will be available at our site for future research: http:/ /www-sec.uni-r.de/website-fingerprinting/

  20. Best Accuracy for TF Transformation and Normalisation Normalisation makes classifier operate on relative packet frequencies Training set size: 1 instance TF IDF TF−IDF none 100% 80% 60% Accuracy 40% 20% 0% raw normalised

  21. More Results for OpenSSH Multinomial Naïve Bayes with TF and normalisation: ‣ Already 90% accuracy for 1 training instance; 94% for 4 instances ‣ No substantial increase for more than 4 training instances ‣ Fingerprints built from frequency distribution of IP packet sizes are very robust against changes to contents of sites. ‣ Accuracy with old fingerprints decreases rather slowly: still over 90% after 17 days Cannot directly compare these results with previous work!

  22. Benchmarking Existing Website Fingerprinting Techniques with Our Sample OpenSSH, 4 training and 4 test instances, delta_t = 6 days ‣ highest accuracy: MNB with TF+normalisation ‣ Naïve Bayes really needs absolute raw normalised TF+normalised packet frequencies 100% ‣ can reproduce good accuracy 80% of Jaccard coefficient from 60% Accuracy previous work 40% NB with KDE and Jaccard perform better than in 20% previous studies; i.e. results not comparable across samples! 0% MNB NB w/KDE Jaccard

  23. Attacking Popular PETs Using the MNB Classi fi er SINGLE HOP SYSTEMS Stunnel OpenSSH Cisco IPSec VPN OpenVPN MULTI HOP SYSTEMS JonDonym ( aka JAP/AN.ON) Tor

  24. Attacking Popular PETs Using the MNB Classi fi er SINGLE HOP SYSTEMS ACCURACY Stunnel 97.6% OpenSSH 96.7% Cisco IPSec VPN 96.2% OpenVPN 94.9% MULTI HOP SYSTEMS JonDonym ( aka JAP/AN.ON) 20.0% Tor 3.0%

  25. Attacking Popular PETs Using the MNB Classi fi er SINGLE HOP SYSTEMS ACCURACY Stunnel 97.6% OpenSSH 96.7% Cisco IPSec VPN 96.2% OpenVPN 94.9% Still way better than random MULTI HOP SYSTEMS guessing; p = 1 / 775 = 0.58% JonDonym ( aka JAP/AN.ON) 20.0% Tor 3.0%

  26. Attacking Popular PETs Using the MNB Classi fi er SINGLE HOP SYSTEMS ACCURACY Stunnel 97.6% OpenSSH 96.7% Cisco IPSec VPN 96.2% OpenVPN 94.9% with 10 guesses MULTI HOP SYSTEMS JonDonym ( aka JAP/AN.ON) 20.0% 47 .5% Tor 3.0% 22.1%

  27. Attacking Popular PETs Using the MNB Classi fi er BEST SINGLE HOP SYSTEMS ACCURACY CLASSIFIER Stunnel 97.6% TF-N OpenSSH 96.7% TF-N Cisco IPSec VPN 96.2% TF-N OpenVPN 94.9% TF-N with 10 guesses MULTI HOP SYSTEMS JonDonym ( aka JAP/AN.ON) 20.0% N 47 .5% Tor 3.0% N 22.1%

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

k -fingerprinting: a Robust Scalable Website Fingerprinting Technique George Danezis Jamie Hayes

k -fingerprinting: a Robust Scalable Website Fingerprinting Technique George Danezis Jamie Hayes

k -fingerprinting: a Robust Scalable Website Fingerprinting Technique George Danezis Jamie Hayes University College London August 12, 2016 1/24 How does website fingerprinting work? - Training Tor network Relay 2 Adversary Relay 1

988 views • 24 slides
Website fingerprinting attacks against Tor Browser Bundle: a comparison between HTTP/1.1 and

Website fingerprinting attacks against Tor Browser Bundle: a comparison between HTTP/1.1 and

Tor website fingerprinting Website fingerprinting attacks against Tor Browser Bundle: a comparison between HTTP/1.1 and HTTP/2 T.T.N. Marks BSc. K.C.N. Halvemaan BSc. University of Amsterdam System and Network Engineering Research Project #1

664 views • 32 slides
Feature Selection in Website Fingerprinting Junhua Yan Advisor: Prof. Jasleen Kaur July 24,

Feature Selection in Website Fingerprinting Junhua Yan Advisor: Prof. Jasleen Kaur July 24,

Feature Selection in Website Fingerprinting Junhua Yan Advisor: Prof. Jasleen Kaur July 24, 2019 1/23 Website Fingerprinting Goal: determine the visited website by inspecting network traffic on client side client web Figure: Attacker

831 views • 59 slides
Bayes, not Nave Security Bounds on Website Fingerprinting Defenses Giovanni Cherubin Privacy

Bayes, not Nave Security Bounds on Website Fingerprinting Defenses Giovanni Cherubin Privacy

Bayes, not Nave Security Bounds on Website Fingerprinting Defenses Giovanni Cherubin Privacy Enhancing Technologies Symposium Minneapolis, Minnesota, USA 19 July, 2017 @gchers Website Fingerprinting (WF) Encrypted Tunnel Victim

400 views • 20 slides
Website Fingerprinting Attacks and Defenses in the Tor Onion Space Marc Juarez imec-COSIC KU

Website Fingerprinting Attacks and Defenses in the Tor Onion Space Marc Juarez imec-COSIC KU

Website Fingerprinting Attacks and Defenses in the Tor Onion Space Marc Juarez imec-COSIC KU Leuven COSIC Seminar - 23rd October 2017, Leuven Introduction Contents of this presentation: - PETS17: Website Fingerprinting Defenses at

658 views • 44 slides
Website Fingerprinting at Internet Scale Andriy Panchenko 1 , Fabian Lanze 1 , Andreas Zinnen 2 ,

Website Fingerprinting at Internet Scale Andriy Panchenko 1 , Fabian Lanze 1 , Andreas Zinnen 2 ,

Website Fingerprinting at Internet Scale Andriy Panchenko 1 , Fabian Lanze 1 , Andreas Zinnen 2 , Martin Henze 3 , Jan Pennekamp 1 , Klaus Wehrle 3 , Thomas Engel 1 1 Interdisciplinary Centre for Security, Reliability and Trust (SnT), Luxembourg 2

567 views • 23 slides
Website fingerprinting on Tor: attacks and defenses Claudia Diaz KU Leuven Joint work with: Marc

Website fingerprinting on Tor: attacks and defenses Claudia Diaz KU Leuven Joint work with: Marc

Website fingerprinting on Tor: attacks and defenses Claudia Diaz KU Leuven Joint work with: Marc Juarez , Sadia Afroz, Gunes Acar, Rachel Greenstadt, Mohsen Imani, Mike Perry, Matthew Wright Post-Snowden Cryptography Workshop Brussels, December

754 views • 52 slides
A Critical Evaluation of Website Fingerprinting Attacks Marc Juarez 1 Sadia Afroz 2 Gunes Acar 1

A Critical Evaluation of Website Fingerprinting Attacks Marc Juarez 1 Sadia Afroz 2 Gunes Acar 1

A Critical Evaluation of Website Fingerprinting Attacks Marc Juarez 1 Sadia Afroz 2 Gunes Acar 1 Claudia Diaz 1 Rachel Greenstadt 3 1 KU Leuven, ESAT/COSIC and iMinds, Leuven, Belgium 2 UC Berkeley, US 3 Drexel University, US CCS 2014, Scottsdale,

687 views • 49 slides
Website Fingerprinting Defenses at the Application Layer Giovanni Cherubin 1 Jamie Hayes 2 Marc

Website Fingerprinting Defenses at the Application Layer Giovanni Cherubin 1 Jamie Hayes 2 Marc

Website Fingerprinting Defenses at the Application Layer Giovanni Cherubin 1 Jamie Hayes 2 Marc Juarez 3 1 Royal Holloway University of London 2 University College London 3 imec-COSIC KU Leuven 19th July 2017, PETS17, Minneapolis, MN, USA

735 views • 17 slides
Website Fingerprinting Defenses at the Application Layer Giovanni Cherubin 1 Jamie Hayes 2 Marc

Website Fingerprinting Defenses at the Application Layer Giovanni Cherubin 1 Jamie Hayes 2 Marc

Website Fingerprinting Defenses at the Application Layer Giovanni Cherubin 1 Jamie Hayes 2 Marc Juarez 3 1 Royal Holloway University of London 2 University College London 3 KU Leuven, ESAT/COSIC and imec (to appear in PoPETS 2017) Talk in the

532 views • 20 slides
CO 447 | LEC6 BLOCKCHAIN SECURITY Dr. Benjamin Livshits Stateless Fingerprinting 2 EFF

CO 447 | LEC6 BLOCKCHAIN SECURITY Dr. Benjamin Livshits Stateless Fingerprinting 2 EFF

CO 447 | LEC6 BLOCKCHAIN SECURITY Dr. Benjamin Livshits Stateless Fingerprinting 2 EFF Fingerprinting Tester https://panopticlick.eff.org 3 Panopticlick Testing 4 IE Brave Fingerprinting Components 5

1.28k views • 78 slides
Acoustic Fingerprinting Soundz Jake Runzer June 28, 2018 Jake Runzer Acoustic Fingerprinting

Acoustic Fingerprinting Soundz Jake Runzer June 28, 2018 Jake Runzer Acoustic Fingerprinting

Acoustic Fingerprinting Soundz Jake Runzer June 28, 2018 Jake Runzer Acoustic Fingerprinting June 28, 2018 1 / 35 Outline What is Acoustic Fingerprinting 1 Fingerprinting for Music Identification 2 Spectrograms 3 History 4 My

743 views • 35 slides
Fingerprinting hardware devices Fingerprinting hardware devices using clock-skewing using

Fingerprinting hardware devices Fingerprinting hardware devices using clock-skewing using

Fingerprinting hardware devices Fingerprinting hardware devices using clock-skewing using clock-skewing Renaud Lifchitz renaud.lifchitz@gmail.com #HES2010 8,9,10 April 2010 Paris, France Presenter's bio French computer security

644 views • 35 slides
Blind Elephant: Web Application Fingerprinting & Vulnerability Inferencing Patrick Thomas

Blind Elephant: Web Application Fingerprinting & Vulnerability Inferencing Patrick Thomas

Blind Elephant: Web Application Fingerprinting & Vulnerability Inferencing Patrick Thomas Qualys 7/28/10 Outline Web Apps & Security Existing Fingerprinting Approaches Static File Approach Observations From A Net Survey

832 views • 69 slides
Articulus Detecting IP Hijacking Through Server Fingerprinting Research Question How can we

Articulus Detecting IP Hijacking Through Server Fingerprinting Research Question How can we

Articulus Detecting IP Hijacking Through Server Fingerprinting Research Question How can we detect BGP IP hijacking by probing the at risk subnets to detect suspect change to hosts and subnets. 2 Intro Fingerprinting Avoiding

795 views • 31 slides
Overview System Security Scanning Security Scanning and Discovery Important Security Web

Overview System Security Scanning Security Scanning and Discovery Important Security Web

Overview System Security Scanning Security Scanning and Discovery Important Security Web Sites Fingerprinting OS FingerPrinting IP Stacks Share Scans Chapter 14 SNMP Vulnerabilities FingerPrinting TCP/IP Services

439 views • 8 slides
Development of Web Applications Principles and Practice Vincent Simonet, 2015-2016 Universit

Development of Web Applications Principles and Practice Vincent Simonet, 2015-2016 Universit

Development of Web Applications Principles and Practice Vincent Simonet, 2015-2016 Universit Pierre et Marie Curie, Master Informatique, Spcialit STL 6 Practical Aspects Vincent Simonet, 2015-2016 Universit Pierre et Marie Curie,

1.07k views • 60 slides
Attacks on DNS D. J. Bernstein University of Illinois at Chicago The Domain Name System

Attacks on DNS D. J. Bernstein University of Illinois at Chicago The Domain Name System

Attacks on DNS D. J. Bernstein University of Illinois at Chicago The Domain Name System cert.org wants to see http://www.lsec.be . Browser at cert.org The web server www.lsec.be has IP address

813 views • 55 slides
CSCI x760 - Computer Networks Spring 2016 Instructor: Prof. Roberto Perdisci perdisci@cs.uga.edu

CSCI x760 - Computer Networks Spring 2016 Instructor: Prof. Roberto Perdisci perdisci@cs.uga.edu

source: computer-networks-webdesign.com CSCI x760 - Computer Networks Spring 2016 Instructor: Prof. Roberto Perdisci perdisci@cs.uga.edu These slides are adapted from the textbook slides by J.F. Kurose and K.W. Ross Chapter 2: Application

955 views • 84 slides
Caching Demystified presented by Aaron Welch and C a c h i n g D e m y s t i f i

Caching Demystified presented by Aaron Welch and C a c h i n g D e m y s t i f i

Caching Demystified presented by Aaron Welch and C a c h i n g D e m y s t i f i e d A a r o n W e l c h C a d r e W e b H o s t i n g What is a cache? A cache is a mechanism that allows you to

607 views • 17 slides
DNS and HTTP Finally, the application layer! We have learned about: Signals being sent on

DNS and HTTP Finally, the application layer! We have learned about: Signals being sent on

DNS and HTTP Finally, the application layer! We have learned about: Signals being sent on wires Frames carried over dumb local networks Packets carried over the entire internet Making communication useably reliable + efficient

708 views • 13 slides
X ways to improve your web application's performance Eduard Tudenhfner adesso AG Why is

X ways to improve your web application's performance Eduard Tudenhfner adesso AG Why is

X ways to improve your web application's performance Eduard Tudenhfner adesso AG Why is performance important? 400 ms delay cause 0.59% drop A page that was 2 seconds slower in searches/user results in a 4.3% drop in revenue/user ( Bing ) (

1.05k views • 45 slides
Offline web applications dont exist anymore Francesco Leardini Consultant

Offline web applications dont exist anymore Francesco Leardini Consultant

Offline web applications dont exist anymore Francesco Leardini Consultant francesco.leardini@trivadis.com @paco_ITA BASLE BERN BRUGG DSSELDORF FRANKFURT A.M. FREIBURG I.BR. GENEVA HAMBURG COPENHAGEN LAUSANNE MUNICH

616 views • 24 slides
SSL Splitting Christopher Lesniewski-Laas and M. Frans Kaashoek { ctl,kaashoek } @mit.edu MIT LCS

SSL Splitting Christopher Lesniewski-Laas and M. Frans Kaashoek { ctl,kaashoek } @mit.edu MIT LCS

SSL Splitting Christopher Lesniewski-Laas and M. Frans Kaashoek { ctl,kaashoek } @mit.edu MIT LCS USENIX Security 2003 p. Bandwidth Offloading Server mypenguin.org (DSL) Mirror mirrors.kernel.org (OC12) Client Client GET

810 views • 34 slides

More recommend