traffic analysis and website fingerprinting (without...
TRANSCRIPT
Research Center for Cyber Intelligence and information Security
CIS Sapienza
Traffic Analysis and Website Fingerprinting
Seminars in Distributed Systems 2015/2016
March 18, 2016
Dr. Giuseppe Laurenza
Outline (1/2)
• Traffic Analysis
  – Introduction
  – Attacker Model
• Practical Example 1: TA on Android Devices
  – Introduction
  – Attack 1: Discover User’s Actions
  – Attack 2: Discover User’s Apps
Outline (2/2)
• Practical Example 2: Website Fingerprinting
  – Introduction
  – Attacker Model
  – Attack 1: Unique Packet Lengths
  – Defense 1: Tor v2
  – Attack 2: Wa-kNN
  – Defense 2: Decoy
  – Open Problem
• Final Projects
Traffic Analysis (1/3)
• It is the process of intercepting and examining messages in order to deduce information from patterns in communication.
• It can be performed even when the messages are encrypted and cannot be decrypted.
Traffic Analysis (2/3)
• In general, the greater the number of messages observed, or even intercepted and stored, the more can be inferred from the traffic.
• Attackers can have different interests, like who communicates with whom and what he has done (e.g. who is the author of a certain protest blog).
Traffic Analysis (3/3)
• Traffic Analysis can be seen as a “Classification Problem”:
  – Traffic traces are the objects to classify;
  – The different pieces of information that the attackers want to know are the classes.
Attacker Model
[Figure: Alice, Bob, NETWORK, Attacker, Router Tapped by Attacker]
• Clear or encrypted traffic
• Attacker components
Pattern Example
• Frequent communications can denote planning.
• Rapid and short communications can denote negotiations (e.g. three-way handshaking).
• Timing of connections can allow correlation between events and people.
• Different locations of connections can denote fear of interception.
Practical Example 1: Traffic Analysis on Android Devices*
[Figure label: Pair of IP addresses and ports]
*Works made by SPRITZ (Security & Privacy Research Group)
Practical Example 1: Traffic Analysis on Android Devices
Assumptions:
• An attacker can intercept all traffic generated by an Android device.
• Traffic is encrypted, so payload inspection is not possible.
Practical Example 1: Traffic Analysis on Android Devices
With Traffic Analysis an attacker can observe:
• Packet lengths;
• Packet directions;
• Packet timings.
Then, using these features, he can classify new traffic traces.
TA on Android: Analysis Schema
[Figure: Labeled Network Flows, Training Phase, Model, Intercepted Network Flows, Classifier, Labeled Flows]
TA on Android #1: Discover User’s Actions
TA on Android #1: Results
TA on Android #2: Discover User’s Apps
• Using TA it is possible to discover which apps are installed on a particular device.
• Due to Content Delivery Networks (CDN) and proxies, it is no longer possible to rely on IP addresses to recognize the software, so the attackers have to analyze network flows.
TA on Android #2: Approaches
Conti et al. proposed three different approaches in order to classify apps:
• Per flow length classification:
  – This approach uses a classifier for each length;
  – The features are the lengths of the packets;
  – It has no resiliency to out-of-order packets because it incorrectly assigns features on swapped packets;
  – It is very fast.
• Large multi-class classification:
  – It uses statistical features derived from the network flows;
  – It works on a set of apps;
  – It has high accuracy and out-of-order packet resiliency, but it is slower than the other approaches.
• Per app classification:
  – Similarly to the multi-class classification, this approach also uses statistical features;
  – It uses a binary classifier for each app, so the number of classifiers is equal to the number of monitored apps;
  – Each classifier checks if the analyzed flow belongs to its app.
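The out-of-order point made for the per-flow-length and statistical approaches above, as an added example (not code from the slides or from Conti et al.). The flow, the signed-length encoding and all function names are constructed for illustration.

```python
import statistics

# Constructed flow: signed packet lengths, positive = outgoing, negative = incoming.
FLOW = [310, -1448, -1448, 98, -620, 54]


def swap_adjacent(flow, i):
    """Simulate out-of-order delivery: packets i and i+1 arrive swapped."""
    out = list(flow)
    out[i], out[i + 1] = out[i + 1], out[i]
    return out


def positional_features(flow):
    """Per-flow-length style: feature k is the signed length of the k-th packet."""
    return tuple(flow)


def statistical_features(flow):
    """Statistical style: count, min, max, mean, std of sizes per direction."""
    feats = []
    for sign in (1, -1):
        sizes = [abs(x) for x in flow if x * sign > 0]
        feats += [
            len(sizes),
            min(sizes, default=0),
            max(sizes, default=0),
            statistics.fmean(sizes) if sizes else 0.0,
            statistics.pstdev(sizes) if sizes else 0.0,
        ]
    return tuple(feats)


def fragility(extract, flow):
    """Fraction of single adjacent swaps that change the feature vector."""
    baseline = extract(flow)
    swaps = range(len(flow) - 1)
    changed = sum(1 for i in swaps if extract(swap_adjacent(flow, i)) != baseline)
    return changed / len(swaps)


if __name__ == "__main__":
    print("positional :", fragility(positional_features, FLOW))
    print("statistical:", fragility(statistical_features, FLOW))
```

Only the swap of the two identical 1448-byte packets leaves the positional vector intact; the statistical vector is unchanged by every swap.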
TA on Android #2: Results
Practical Example 2: Website Fingerprinting
• It refers to the set of techniques that seek to recognize clients’ destination web pages.
• All these techniques are based on a passive observation of the communication traffic.
• Current defenses (like Tor) fail against some advanced attacks.
• Advanced defenses that reduce vulnerability to this class of attack are very bandwidth/time consuming.
Attack in Practice
• The problem of recognizing visited web pages/sites is a classification problem; an attacker:
  – collects traces from navigation to sites he wants to monitor and builds a model of these sites;
  – intercepts the target’s network traces and tries to classify them with the previously built model.
WF Attacker Model
[Figure: Client, Destination Site, NETWORK, Anonymization System, Attacker, Router Tapped by Attacker, Passive Sniffing Of Network Trace]
• Clear or encrypted traffic
• Obscured traffic (hidden destination site)
• Attacker components
WF Attacker Model
[Figure: Client, Destination Site, NETWORK, Anonymization System, Attacker, Router Tapped by Attacker, Website Fingerprinting Attack]
• Clear or encrypted traffic
• Obscured traffic (hidden destination site)
• Attacker components
What does an Attacker want:
• He wants to know the real site visited by the client in order to:
  – Block specific censored web page traffic patterns, while still leaving the rest of the Tor-like traffic unmolested;
  – Identify all of the users that visit a small, specific set of targeted pages;
  – Recognize every single web page a user visits.
What does an Attacker know: Closed World Scenario
• In this scenario the target visits only a known set of websites;
• The attacker has an updated dataset of obfuscated network traces obtained from those web pages.
What does an Attacker know: Open World Scenario
• In this scenario the target can visit any website he wants;
• The attacker has an updated dataset of obfuscated network traces obtained from sites he wants to monitor.
What does an Attacker know: Open vs Closed World
• The closed world scenario is not a realistic scenario:
  – There are billions of billions of web pages; it is not feasible to monitor all of them.
• It is used only for theoretical interest, such as when comparing classifiers.
• So in the closed world case, the attacker only has to recognize which of the monitored pages the target is visiting;
• Instead, in the open world, he has to detect whether the target visited a monitored website and, in case of a positive result, which page it was.
What does an Attacker assume: (1/3)
• He knows all obfuscated network traces of the users in order to perform an offline analysis;
• He assumes that he knows the defenses used by the target;
• He can extract from a network trace the packets regarding a particular navigation;
• He can clean the trace from noise.
What does an Attacker assume: (2/3)
The previous assumptions are realistic enough:
• Obtaining the traces is easy by tapping a router in the network path;
• By analyzing the traces it is possible to detect which features are hidden by a client, so it is possible to understand which kind of approach to use for the attack;
• Different research works demonstrate the possibility of “loading page” extraction with enough accuracy;
What does an Attacker assume: (3/3)
• Similarly to the previous point, some research works analyze the noise problem and demonstrate that:
  – If the noise is under a certain threshold it is always detectable;
  – Such threshold is so high that the noise needed to avoid WF would cause a great bandwidth overhead.
Website Fingerprinting in Action: Unique Packet Length Attacks*
• Liberatore and Levine (2006) published two attacks that use unique packet lengths in order to classify a web page:
  – The length of sent packets is always equal to the Maximum Transmission Unit (MTU);
  – Packets with shorter lengths are the remainders of objects’ lengths modulo the MTU.
*Marc Liberatore and Brian Levine. Inferring the Source of Encrypted HTTP Connections. (2006)
The difference between their attacks is the classifier approach:
• Jaccard Distance:
  – $P_l$ = set of unique packet lengths of the sample;
  – $C_l$ = set of unique packet lengths of the class;
  – $J(P_l, C_l) = \frac{|P_l \cap C_l|}{|P_l \cup C_l|}$
• Naïve Bayes:
  – $P$ = set of <length, frequency> couples of the sample;
  – $C$ = set of <length, frequency> couples of the class;
  – $f_{l,P|C}$ = frequency of the length $l$ in the set;
  – $p(P \in C) = \prod_{\forall l \in P} p(f_{l,P} \in f_{l,C})$
In both cases they select the class with the higher value.
Countermeasure #1: Tor v2*
• The previous attack relies on the set of unique packet lengths, so anonymization systems started to use padding;
• One of the most famous anonymization systems is Tor which, being aware of that class of attacks, transforms all packets to a fixed size.
*https://www.torproject.org/
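An added sketch (not from the slides or from Liberatore and Levine) of the Jaccard classifier on unique packet lengths and of what the fixed-size padding described above does to it. The traces, the 512-byte cell size and the use of the union of training lengths as class profile are assumptions made for illustration.

```python
import math

CELL = 512  # assumed fixed cell size in bytes (illustrative, not from the slides)

# Constructed sample traces: packet lengths observed while loading each page.
TRAINING = {
    "news":  [[1500, 1500, 312, 1500, 97, 640], [1500, 312, 1500, 97, 640, 88]],
    "mail":  [[1500, 451, 1500, 1203, 76], [1500, 451, 1203, 76, 1500, 230]],
    "forum": [[1500, 911, 1500, 18, 702], [911, 1500, 18, 702, 1500]],
}
OBSERVED = [1500, 451, 1203, 1500, 76, 64]  # constructed trace of a "mail" visit


def identity(trace):
    """No defense: lengths are observed as sent."""
    return list(trace)


def pad_to_cells(trace, cell=CELL):
    """Carry every packet in ceil(length / cell) cells of exactly `cell` bytes."""
    return [cell for length in trace for _ in range(math.ceil(length / cell))]


def jaccard(p_l, c_l):
    """J(P_l, C_l) = |P_l ∩ C_l| / |P_l ∪ C_l| on sets of unique packet lengths."""
    union = p_l | c_l
    return len(p_l & c_l) / len(union) if union else 0.0


def build_profiles(training, transform):
    """C_l per class: union of the unique lengths of its training traces (assumption)."""
    return {
        site: set().union(*(set(transform(t)) for t in traces))
        for site, traces in training.items()
    }


def score(trace, training, transform=identity):
    """Return {class: Jaccard value} for one observed trace under `transform`."""
    profiles = build_profiles(training, transform)
    p_l = set(transform(trace))
    return {site: jaccard(p_l, c_l) for site, c_l in profiles.items()}


def margin(scores):
    """Gap between best and second-best class; 0 means the feature no longer separates."""
    top, second = sorted(scores.values(), reverse=True)[:2]
    return top - second


if __name__ == "__main__":
    for name, transform in (("raw", identity), ("padded", pad_to_cells)):
        s = score(OBSERVED, TRAINING, transform)
        print(name, {k: round(v, 3) for k, v in s.items()}, "margin:", round(margin(s), 3))
```

After padding, every trace reduces to the single length 512, so all classes score 1.0 and the margin drops to 0; features other than length are untouched by this defense.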
• The Onion Router (Tor) is an open network that tries to defend users against traffic analysis;
• It allows the obfuscation of client traffic using a distributed, anonymous network in which a new path is generated every time the client uses the network.
[Figures: pictures taken from https://www.torproject.org/]
Website Fingerprinting in Action: Wa-kNN*
• Defenses like Tor overcome many WF attacks by hiding many features useful for the classification;
• But in 2014 Wang et al. presented Wa-kNN, an attack that is considered the state of the art of Website Fingerprinting attacks.
*Wang, Tao, et al. “Effective Attacks and Provable Defenses for Website Fingerprinting” (2014)
• Wa-kNN is based on a k-Nearest Neighbors classifier applied on a large feature set with weight adjustment;
• The k-NN classifier is one of the simplest supervised machine learning algorithms.
k-Nearest Neighbors
• It assumes that all instances are points in an n-dimensional space;
• A distance measure is needed to determine the “closeness” of instances;
• It classifies an instance by finding its k nearest neighbors and picking the most popular class among them.
• Suppose $S_{train} = \{P_1, P_2, \dots\}$ is the training set and $P_{test}$ is the point that has to be tested:
  – The classifier computes the distance $D(P_{test}, P_{train})$ for each $P_{train} \in S_{train}$;
  – Then it assigns a class to $P_{test}$ based on the classes of the k closest training points.
Weighted k-Nearest Neighbors
• It is possible to add weights to the different dimensions;
• In this way dimensions that are considered more useful for classification become more important.
Website Fingerprinting in Action: Wa-kNN
• It uses features of packet sequences as dimensions for the space of the classifier.
• Each feature is a function f which takes as input a sequence P and computes f(P).
• Using $f_i$ as the $i$-th feature and $w_i$ as its weight, the distance between two sequences $P$ and $P'$ is:
$$d(P, P') = \sum_{1 \le i \le |F|} w_i \, |f_i(P) - f_i(P')|$$
• The weights are computed with their Weight Learning by Locally Collapsing Classes (WLLCC), a new weight learning process designed specifically for this attack.
Wa-kNN – Feature Set
# of features | Description
4    | General features: total transmission size and time, and number of incoming and outgoing packets.
3001 | Packet length features: each of them represents a different packet size in both directions; its value is 1 if there is a packet with that length.
500  | Position of the first 500 outgoing packets.
500  | Difference in position between the first 500 outgoing packets and the next outgoing packet.
100  | Number of outgoing packets in the first 100 non-overlapping windows of size 30 produced by dividing the sequence.
3    | Size of the longest burst, number of bursts and mean size.
6    | Number of bursts longer than 2, 5, 10, 15, 20 and 50 respectively.
100  | Length of the first 100 bursts.
10   | Direction of the first 10 packets.
2    | Mean and standard deviation of the inter-packet times.
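An added example, not Wang et al.'s code: a weighted k-NN over four of the features in the table above (packet counts, number of bursts, longest burst) using the weighted distance d(P, P') defined for Wa-kNN. Traces, labels and both weight vectors are constructed; the weights are set by hand rather than learned with WLLCC, and a burst is simplified to a run of consecutive outgoing packets.

```python
from collections import Counter


def expand(runs):
    """[3, -2] -> [1, 1, 1, -1, -1]; positive run = outgoing, negative = incoming."""
    return [1 if r > 0 else -1 for r in runs for _ in range(abs(r))]


def outgoing_bursts(dirs):
    """Lengths of maximal runs of consecutive outgoing packets (simplified burst)."""
    bursts, run = [], 0
    for d in dirs:
        if d > 0:
            run += 1
        elif run:
            bursts.append(run)
            run = 0
    if run:
        bursts.append(run)
    return bursts


def features(dirs):
    """f(P): [outgoing packets, incoming packets, number of bursts, longest burst]."""
    bursts = outgoing_bursts(dirs)
    n_out = sum(1 for d in dirs if d > 0)
    return [n_out, len(dirs) - n_out, len(bursts), max(bursts, default=0)]


def distance(fp, fq, weights):
    """d(P, P') = sum_i w_i * |f_i(P) - f_i(P')|."""
    return sum(w * abs(a - b) for w, a, b in zip(weights, fp, fq))


def classify(dirs, training, weights, k=3):
    """Majority class among the k training traces closest to `dirs`."""
    target = features(dirs)
    ranked = sorted(training, key=lambda item: distance(target, features(item[1]), weights))
    return Counter(label for label, _ in ranked[:k]).most_common(1)[0][0]


# Constructed fixed-size-cell traces given as run lengths (only direction is visible).
TRAINING = [(label, expand(runs)) for label, runs in [
    ("site_A", [4, -30, 4, -30]),
    ("site_A", [5, -50, 4, -50]),
    ("site_A", [4, -55, 5, -55]),
    ("site_B", [1, -20, 1, -20, 1, -20, 1, -20]),
    ("site_B", [1, -19, 2, -19, 1, -19, 1, -19]),
    ("site_B", [2, -21, 1, -21, 1, -21, 1, -21]),
]]
OBSERVED = expand([4, -40, 5, -40])  # constructed visit to site_A with a different page size

UNIFORM = [1.0, 1.0, 1.0, 1.0]
ADJUSTED = [1.0, 0.1, 5.0, 1.0]      # hand-set: discount volatile size, stress burst count

if __name__ == "__main__":
    print("uniform :", classify(OBSERVED, TRAINING, UNIFORM))
    print("adjusted:", classify(OBSERVED, TRAINING, ADJUSTED))
```

With uniform weights the volatile incoming-packet count dominates and the visit is assigned to site_B; once the burst count is weighted up it is assigned to site_A, using only features that fixed-size padding does not hide.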
Countermeasure #2: Decoy*
• As the previous attack shows, obfuscation of packet lengths is not enough to protect against advanced attacks.
• Researchers tried to design other countermeasures that can obfuscate other features of the traffic traces.
• One of the most effective is the so-called Decoy.
*Panchenko, Andriy, et al. "Website fingerprinting in onion routing based anonymization networks." (2011)
Panchenko et al. proposed Decoy:
• A simple defense using background noise to defeat Website Fingerprinting attacks.
• Under Decoy, whenever the client visits a page, it also loads a decoy page simultaneously.
• Therefore, the attacker cannot distinguish between the real and decoy pages.
Countermeasures vs Wa-kNN
Defense | Accuracy of Wa-kNN
Tor     | 0,85 ± 0,04
Decoy   | 0,30 ± 0,06
• It is easy to guess the disadvantage of this solution: the required bandwidth
  – If a client has to load a second page every time it accesses a site, it loads double the data;
  – Experimental measurements quantify an overhead of 130% ± 20%.
Website Fingerprinting: Open Problems – Attack Side
• Due to the training phase of the classification algorithms used, the set of labeled traces must be updated often;
• Experimental analysis demonstrated that a dataset can be considered valid for only 15 days;
• So attack algorithms have to consider that the training time can’t be too long, in order to avoid an invalidation of the model just built.
Website Fingerprinting: Open Problems – Defense Side
• Anonymization systems have to limit bandwidth for users in order to correctly maintain all the requested connections;
• So users can’t load too much data in each connection;
• This fact is a great problem for advanced defenses because they require a huge overhead to correctly protect users’ anonymity.
Traffic Analysis and Website Fingerprinting: Final Projects
Traffic Analysis on Android:
• We have seen how it is possible to discover a lot of information about an Android smartphone.
• The same attacks were used in the desktop world many years ago.
• So it can be interesting to evaluate how an anonymization system designed mainly for desktop can limit the effectiveness of these threats.
• The project consists of installing and configuring an obfuscation system on a smartphone (like Tor) and trying to overcome this system using the previously described attacks.
Website Fingerprinting:
• We have seen how the current state-of-the-art attack can’t overcome some heavy defenses like Decoy.
• But there are different classifier algorithms that can better fit the set of features used in this attack; moreover, this set is so large that it can degrade accuracy if it is improperly used.
• So it can be interesting to evaluate how a different classifier or the use of some different feature selection algorithms can influence the accuracy of this attack and the robustness of current defenses.
• The project consists of implementing some classifiers and some feature selection algorithms for a Website Fingerprinting attack and evaluating their impact on some strong defenses.