traffic analysis and website fingerprinting (without...

Research Center for Cyber Intelligence and information Security

CIS SapienzaResearch Center for Cyber Intelligence

and information Security

CIS Sapienza

TrafficAnalysisandWebsiteFingerprintingSeminarsinDistributedSystems2015/2016March,18° 2016

Dr.GiuseppeLaurenza [email protected]


CIS Sapienza

Outline(1/2)

• TrafficAnalysis– Introduction– AttackerModel

• PracticalExample1:TAonAndroidDevices– Introduction– Attack1:DiscoverUser’s Actions– Attack2:DiscoverUser’s Apps

18/03/2016 2


CIS Sapienza

Outline(2/2)

• PracticalExample2:WebsiteFingerprinting– Introduction– AttackerModel– Attack1:UniquePacketLengths– Defense1:Torv2– Attack2:Wa-kNN– Defense2:Decoy– OpenProblem

• FinalProjects

18/03/2016 3


CIS Sapienza

Outline



18/03/2016 4


CIS Sapienza

TrafficAnalysis(1/3)

• It istheprocessofinterceptingandexaminingmessagesinorderto deduceinformationfrompatterns in communication.

• Itcanbeperformedevenwhenthemessagesare encrypted andcannotbe decrypted.

18/03/2016 5


CIS Sapienza

Traffic Analysis(2/3)

• Ingeneral,thegreaterthenumberofmessagesobserved,oreveninterceptedandstored,themorecanbeinferredfromthetraffic.

• Attackerscanhavedifferentinterests,likewhocommunicateswithwhomandwhathehasdone(e.g.whoistheauthorofacertainprotestblog).

18/03/2016 6


CIS Sapienza

Traffic Analysis(3/3)

• TrafficAnalysiscanbeseenasa“ClassificationProblem”:– Traffictracesaretheobjectstoclassify;– Thedifferentinformationthattheattackerswanttoknowaretheclasses.

18/03/2016 7


CIS Sapienza

Outline



18/03/2016 8


CIS Sapienza

Alice Bob

NETWORK

AttackerModel

• Clearorencryptedtraffic

18/03/2016 9


CIS Sapienza

Alice Bob

Attacker

RouterTappedbyAttacker

NETWORK

AttackerModel

• Clearorencryptedtraffic• Attackercomponents

18/03/2016 10


CIS Sapienza

PatternExample

• Frequentcommunicationscandenoteplanning.

• Rapidandshortcommunicationscandenotenegotiations(e.g.threeway handshaking).

• Timingofconnectionscanallowcorrelationbetweeneventsandpeople.

• DifferentLocationofconnectionscandenotefearofinterception.

18/03/2016 11


CIS Sapienza

Outline



18/03/2016 12


CIS Sapienza

PracticalExample1:TrafficAnalysisonAndroidDevices*

18/03/2016 13

PairofIPaddressesandports

*WorksmadebySPRITZ(Security&PrivacyResearchGroup)


CIS Sapienza

PracticalExample1:TrafficAnalysisonAndroidDevices

Assumptions:• AnAttackercaninterceptalltrafficgeneratedbyanandroiddevice.

• Trafficisencrypted,sopayloadinspectionisnotpossible.

18/03/2016 14


CIS Sapienza

PracticalExample1:TrafficAnalysisonAndroidDevices

WithTrafficAnalysisanattackercanobserve:• Packetlengths;• Packetdirections;• Packettimings.Then,usingthesefeatures,hecanclassifynewtraffictraces.

18/03/2016 15


CIS Sapienza

TAonAndroid:AnalysisSchema

18/03/2016

LabeledNetworkFlows TrainingPhase Model

16

Classifier


CIS Sapienza

TAonAndroid:AnalysisSchema

18/03/2016

LabeledNetworkFlows TrainingPhaseInterceptedNetworkFlows

Model

LabeledFlows

17

Classifier


CIS Sapienza

Outline



18/03/2016 18


CIS Sapienza

TAonAndroid#1:DiscoverUser’sActions

18/03/2016 19


CIS Sapienza

TAonAndroid#1:DiscoverUser’sActions

18/03/2016 20


CIS Sapienza

TAonAndroid#1:Results

18/03/2016 21


CIS Sapienza

Outline



18/03/2016 22


CIS Sapienza

TAonAndroid#2:DiscoverUser’sApps

• UsingTAispossibletodiscoverwhichappsareinstalledonaparticulardevice.

• DuetoContentDeliveryNetwork(CDN)andProxy,itisnomorepossibletorelayonIPaddressestorecognizethesoftware,sotheattackershavetoanalyzeNetworkFlows.

18/03/2016 23


CIS Sapienza

TAonAndroid#2:Approaches

Contietal.proposedthreedifferentapproachesinordertoclassifyapps:• Perflowlengthclassification:– Thisapproachusesaclassifierforeachlength;– Thefeaturesarethelengthsofthepackets;– Ithasn’tanyresiliencytoout-of-orderpacketsbecauseitincorrectlyassignsfeaturesonswappedpackets.

– Itisveryfast.

18/03/2016 24


CIS Sapienza


• LargeMulti-classclassification:– Itusesstatisticalfeaturesderivedfromthenetworkflows;

– Itworksonasetofapps;– Ithasanhighaccuracyandout-of-orderpacketsresiliency,butitisslowerthanotherapproaches.

18/03/2016 25


CIS Sapienza


• PerAppclassification:– SimilarlytotheMulti-classclassification,alsothisapproachusesstatisticalfeatures;

– ItusesaBinaryClassifier foreachapp,soitsnumberisequaltothenumberofmonitoredapps;

– Eachclassifierchecksiftheanalyzedflowappertainstoitsapp.

18/03/2016 26


CIS Sapienza

TAonAndroid#2:Results

18/03/2016 27


CIS Sapienza

Outline(2/2)


• FinalProjects

18/03/2016 28


CIS Sapienza

PracticalExample2:WebsiteFingerprinting

• Itreferstothesetoftechniquesthatseektorecognizeclients’destinationwebpages.

• Allthesetechniquesarebasedonapassiveobservationofthecommunicationtraffic.

18/03/2016 29


CIS Sapienza

PracticalExample2:WebsiteFingerprinting

• Currentdefenses(likeTor)failtosomeadvancedattacks.

• Advanceddefensesthatreducevulnerabilitiesfortheseclassofattack,areverybandwidth/timeconsuming.

18/03/2016 30


CIS Sapienza

AttackinPractice

• TheproblemofrecognizingvisitedWebpages/sitesisaclassificationproblem;anattacker:– collectstracesfromnavigationtositeshewantstomonitorandbuildsamodelofthesesites;

– interceptstarget’snetworktracesandtriestoclassifythemwithpreviouslybuiltmodel.

18/03/2016 31


CIS Sapienza

Outline


• FinalProjects

18/03/2016 32


CIS Sapienza

Client DestinationSite

NETWORK

WFAttackerModel

• Clearorencryptedtraffic

18/03/2016 33


CIS Sapienza


Attacker


PassiveSniffingOfNetwork

Trace

NETWORK

WFAttackerModel

• Clearorencryptedtraffic• Attackercomponents

18/03/2016 34


CIS Sapienza


Attacker


AnonymizationSystem

PassiveSniffingOfNetwork

Trace

NETWORK

WFAttackerModel

• Clearorencryptedtraffic• Obscuredtraffic(hidden

destinationsite)• Attackercomponents

18/03/2016 35


CIS Sapienza


Attacker


AnonymizationSystem

WebsiteFingerprinting

Attack

NETWORK

WFAttackerModel

• Clearorencryptedtraffic• Obscuredtraffic(hidden

destinationsite)• Attackercomponents

18/03/2016 36


CIS Sapienza

WhatdoesanAttackerwant:

• Hewantstoknowtherealsitevisitedbytheclientinorderto:– Blockingspecificcensoredwebpagetrafficpatterns,whilestillleavingtherestoftheTor-liketrafficunmolested;

– Identifyingalloftheusersthatvisitasmall,specificsetoftargetedpages;

– Recognizingeverysinglewebpageauservisits.

18/03/2016 37


CIS Sapienza

WhatdoesanAttackerknow:ClosedWorldScenario

• Inthisscenariothetargetvisitsonlyaknownsetofwebsites;

• Theattackerhasanupdateddatasetofobfuscatednetworktracesobtainedfromthosewebpages.

18/03/2016 38


CIS Sapienza

WhatdoesanAttackerknow:OpenWorldScenario

• Inthisscenariothetargetcanvisitanywebsitehewants;

• Theattackerhasanupdateddatasetofobfuscatednetworktracesobtainedfromsiteshewantstomonitor.

18/03/2016 39


CIS Sapienza

WhatdoesanAttackerknow:OpenvsClosedWorld

• Closedworldscenarioisnotarealisticscenario:– Therearebillionofbillionofwebpages,itisnotfeasibletomonitorallofthem.

• Itisusedonlyfortheoreticalinterest,suchaswhencomparingclassifiers.

18/03/2016 40


CIS Sapienza

WhatdoesanAttackerknow:OpenvsClosedWorld

• SoincaseofClosedworld,theattackerhasonlytorecognizewhichofthemonitoredpagethetargetisvisiting;

• Instead,inOpenworld,hehastodetectiftargetvisitedamonitoredwebsiteand,incaseofapositiveresult,whichpagewas.

18/03/2016 41


CIS Sapienza

WhatdoesanAttackerassume:(1/3)

• Heknowsallobfuscatednetworktracesoftheusersinordertoperformanofflineanalysis;

• Heassumesthatheknowsthedefensesusedbythetarget;

• Hecanextractfromanetworktracethepacketsregardingaparticularnavigation;

• Hecanclean thetracefromnoise.

18/03/2016 42


CIS Sapienza

WhatdoesanAttackerassume:(2/3)Thepreviousassumptionsarerealisticenough:• Obtainingthetracesiseasybytappingarouterinthenetworkpath;

• Byanalyzingthetracesitispossibletodetectwhichfeatures arehiddenbyaclient,soitispossibletounderstandwhichkindofapproachtousefortheattack;

• Therearedifferentresearchesthatdemonstratethepossibilityof“loadingpage”extractionwithenoughaccuracy;

18/03/2016 43


CIS Sapienza

WhatdoesanAttackerassume:(3/3)

• Similarlytothepreviouspoint,therearesomeresearchesthatanalyzethenoise problemanddemonstratethat:– Ifthenoiseisunderacertainthresholditisalwaysdetectable;

– SuchthresholdissohighthatthenoiseneededtoavoidWFwouldcauseagreatbandwidthoverhead.

18/03/2016 44


CIS Sapienza

Outline


• FinalProjects

18/03/2016 45


CIS Sapienza

WebsiteFingerprintinginAction:UniquePacketLengthAttacks*

• Liberatore andLevine(2006)publishedtwoattacksthatuseuniquepacketlengthsinordertoclassifyawebpage:– ThelengthofsentpacketsisalwaysequaltotheMaximumTransmissionUnit(MTU);

– PacketswithshorterlengthsaretheremaindersofobjectslengthsmodulotheMTU.

18/03/2016

*MarcLiberatoreandBrianLevine.Inferring theSourceofEncryptedHTTPConnections.(2006)

46


CIS Sapienza

WebsiteFingerprintinginAction:UniquePacketLengthAttacks

Thedifferencebetweentheirattacksistheclassifierapproach:• Jaccard Distance:– 𝑃" =setofuniquepacketlengthsofthesample;– 𝐶" =setofuniquepacketlengthsoftheClass;

– 𝐽 𝑃", 𝐶" = ()∩+)()∪+)

18/03/2016 47


CIS Sapienza


• NaïveBayes:– 𝑃 =setof<length,frequency>couplesofsample;– C=setof<length,frequency>couplesoftheclass;– 𝑓".|0=frequencyofthelength𝑙 inset;

– 𝑝 𝑃 ∈ 𝐶 = ∏ 𝑝 𝑓". ∈ 𝑓"0∀"∈ (

Inbothcasestheyselecttheclasswithhighervalue.

18/03/2016 48


CIS Sapienza


18/03/2016 49


CIS Sapienza

Outline


• FinalProjects

18/03/2016 50


CIS Sapienza

Countermeasure#1:Torv2*

• Previousattackreliesonthesetofuniquepacketslengths,soanonymization systemsstartedtousepadding;

• OneofthemostfamousanonymizationsystemisTorthat,beingawareofthatclassofattacks,addsthetransformationofallpacketstoafixedsize.

18/03/2016*https://www.torproject.org/

51


CIS Sapienza

Countermeasure#1:Torv2

• TheOnionRouter(Tor)isanopennetworkthattriestodefendusersagainsttrafficanalysis;

• Itallowstheobfuscationofclienttrafficusingadistributed,anonymousnetworkinwhichanewpathisgeneratedeverytimetheclientusesthenetwork.

18/03/2016 52


CIS Sapienza


18/03/2016 53

Picturestakenfromhttps://www.torproject.org/


CIS Sapienza


18/03/2016 54



CIS Sapienza


18/03/2016 55



CIS Sapienza

Outline


• FinalProjects

18/03/2016 56


CIS Sapienza

WebsiteFingerprintinginAction:Wa-kNN*

• DefenseslikeTorovercomemanyWFattacksbyhidingmanyfeaturesusefulfortheclassification;

• Butin2014Wangetal.presentedWa-kNN,anattackthatisconsideredthestateoftheartofWebsiteFingerprintingAttacks.

18/03/2016

*Wang,Tao,etal.“Effective AttacksandProvable DefensesforWebsiteFingerprinting” (2014)

57


CIS Sapienza

WebsiteFingerprintinginAction:Wa-kNN

• Wa-kNNisbasedonak-NearestNeighborsclassifierappliedonalargefeaturesetwithweightadjustment;

• k-NNclassifierisoneofthesimplestsupervisedmachinelearningalgorithm.

18/03/2016 58


CIS Sapienza

k-NearestNeighbors

• Itassumesthatallinstancesarepointsinan-dimensionalspace;

• Adistancemeasureisneededtodeterminethe“closeness” ofinstances;

• Itclassifiesaninstancebyfindingitsk nearestneighborsandpickingthemostpopularclassamongthem.

18/03/2016 59


CIS Sapienza

k-NearestNeighbors

• SupposeStrain={P1,P2,…} isthetrainingsetandPtest isthepointthathastobetested:

– TheclassifiercomputesthedistanceD(Ptest,Ptrain)foreachPtrain∈ Strain

– ThanitassignsaclasstoPtest basedontheclassesofthek closesttrainingpoints.

18/03/2016 60


CIS Sapienza

Weightedk-NearestNeighbors

• Itispossibletoaddweights tothedifferentdimensions;

• Inthiswaydimensionsthatareconsideredmoreusefulforclassificationsbecomemoreimportant.

18/03/2016 61


CIS Sapienza


• Itusesfeaturesofpacketsequencesasdimensions forthespaceoftheclassifier.

• Eachfeatureisafunctionf whichtakesasinputasequenceP andcomputesf(P).

18/03/2016 62


CIS Sapienza


• Usingfi astheith-featureandwi asitsweight,thedistancebetweentwosequencePandP’ is:

𝑑 𝑃, 𝑃7 = 8 𝑤: 𝑓: 𝑃 − 𝑓: 𝑃′=>:> ?

• TheweightiscomputedwiththeirWeightLearningbyLocallyCollapsingClasses(WLLCC),anewweightlearningprocessdesignedspecificallyforthisattack.

18/03/2016 63


CIS Sapienza

Wa-kNN– FeatureSet#offeatures Description

4 General Features:Totaltransmissionsizeandtimeandnumberofingoingandoutgoing packets.

3001 Packet LengthFeatures:eachofthemrepresentsadifferentpacketsizeinbothdirection, itvalues1ifthereisapacketwiththatlength.

500 Positionofthefirst500outgoing packets.

500 Difference inpositionbetweenthefirst500outgoing packetsandthenextoutgoing packet.

100 Numberofoutgoing packetinthefirst100non-overlapping windowsofsize30 produced dividing thesequence.

3 Sizeofthelongestburst,numberofburstsandmeansize.

6 Numberofburstslonger than2,5,10, 15,20and50respectively.

100 Length ofthefirst100burst.

10 Directionofthefirst10packets.

2 Meanandstandarddeviationoftheinter-packettimes.

18/03/2016 64


CIS Sapienza18/03/2016 65



CIS Sapienza

Outline


• FinalProjects

18/03/2016 66


CIS Sapienza

Countermeasure#2:Decoy*

• Asitisvisiblewiththepreviousattack,obfuscationofpacketlengthsisnotenoughtoprotectagainstadvancedattacks.

• Researcherstriedtodesignothercountermeasuresthatcanobfuscateotherfeaturesofthetraffictraces.

• OneofthemosteffectiveisthesocalledDecoy.

18/03/2016

*Panchenko,Andriy,etal."Websitefingerprinting inonion routingbasedanonymizationnetworks.”(2011)67


CIS Sapienza

Countermeasure#2:Decoy

Panchenko etal.proposedDecoy:• AsimpledefenseusingbackgroundnoisetodefeatWebsiteFingerprintingAttacks.

• UnderDecoy,whenevertheclientvisitsapage,italsoloadsadecoypagesimultaneously.

• Therefore,theattackercannotdistinguishbetweentherealanddecoypages.

18/03/2016 68


CIS Sapienza

CountermeasuresvsWa-kNNDefense AccuracyofWa-kNN

TOR 0,85 ± 0,04Decoy 0,30 ± 0,06

• Itiseasytoguesswhatisthedisadvantageofthissolution:therequiredbandwidth– Ifaclienthastoloadasecondpageeverytimeitaccessestoasite,itloadsdoubledata;

– Experimentalmeasuresquantifyanoverheadof130% ±20%.

18/03/2016 69


CIS Sapienza

Outline


• FinalProjects

18/03/2016 70


CIS Sapienza

WebsiteFingerprinting:OpenProblems– AttackSide

• Duetothetrainingphaseoftheusedclassificationalgorithms,thesetoflabeledtracesmustbeoftenupdated;

• Experimentalanalysisdemonstratedthatadatasetcanbeconsidervalidforonly15days;

• Soattacksalgorithmshavetoconsiderthatthetrainingtimecan’tbetoolonginordertoavoidaninvalidationofthemodeljustbuilt.

18/03/2016 71


CIS Sapienza

WebsiteFingerprinting:OpenProblems– DefenseSide

• Anonymizationsystemshavetolimitbandwidthforusersinordertocorrectlymaintainalltherequestedconnections;

• Souserscan’tloadtoomuchdataineachconnection;

• Thisfactisagreatproblemforadvanceddefensesbecausetheyrequiredahugeoverheadtocorrectlyprotectusersanonymity.

18/03/2016 72


CIS Sapienza

Outline


• FinalProjects

18/03/2016 73


CIS Sapienza

TrafficAnalysisandWebsiteFingerprinting:FinalProjects

TrafficAnalysisonAndroid:• Wehaveseenhowitispossibletodiscovermany

informationaboutanAndroidsmartphone.• ThesameattackswereusedintheDesktopworldmany

yearsago.• Soitcanbeinterestingtoevaluatehowananonymization

systemdesignedmainlyfordesktopcanlimitstheeffectivenessofthesemenaces.

• Theprojectconsistsofinstallingandconfiguringanobfuscationsystemonasmartphone(likeTor)andtryingtoovercomethissystemusingpreviousdescribedattacks.

18/03/2016 74


CIS Sapienza

TrafficAnalysisandWebsiteFingerprinting:FinalProjects

WebsiteFingerprinting:• Wehaveseenhowthecurrentstateoftheartattackcan’t

overcomesomeheavydefenseslikeDecoy.• Buttherearedifferentclassifieralgorithmsthatcanfitbetterthe

setoffeaturesusedinthisattackandmoreoverthissetissohugethatitcanbeacauseofdegradationofaccuracyifitisimproperlyused.

• Soitcanbeinterestingtoevaluatehowadifferentclassifierortheuseofsomedifferentfeaturesselectionalgorithmscaninfluencetheaccuracyofthisattackandtherobustnessofcurrentdefenses.

• TheprojectconsistsofimplementingsomeclassifiersandsomefeatureselectionalgorithmsforaWebsiteFingerprintingAttackandevaluatingtheirimpactonsomestrongdefenses.

18/03/2016 75

traffic analysis and website fingerprinting (without...

Documents