Website Detection Using Remote Traffic Analysis

  • Xun Gong
  • Nikita Borisov
  • Negar Kiyavash
  • Nabil Schear
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7384)

Abstract

Recent work in traffic analysis has shown that traffic patterns leaked through side channels can be used to recover important semantic information. For instance, attackers can find out which website, or which page on a website, a user is accessing simply by monitoring the packet size distribution. We show that traffic analysis is an even greater threat to privacy than previously thought by introducing a new attack that can be carried out remotely. In particular, we show that, to perform traffic analysis, adversaries do not need to directly observe the traffic patterns. Instead, they can gain sufficient information by sending probes from a far-off vantage point that exploit a queuing side channel in routers.

To demonstrate the threat of such remote traffic analysis, we study a remote website detection attack that works against home broadband users. Because the remotely observed traffic patterns are noisier than those obtained using previous schemes based on direct local traffic monitoring, we take a dynamic time warping (DTW) based approach to detecting fingerprints from the same website. As a new twist on website fingerprinting, we consider a website detection attack, where the attacker aims to find out whether a user browses a particular website, and its privacy implications. We show experimentally that, although the success of the attack is highly variable, depending on the target site, for some sites the attack achieves very low error rates. We also show how such website detection can be used to deanonymize message board users.

Keywords

False Negative Rate; Packet Size; Dynamic Time Warping; Side Channel; Attack Scenario
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Xun Gong (1)
  • Nikita Borisov (1)
  • Negar Kiyavash (2)
  • Nabil Schear (3)

  1. Department of Electrical and Computer Engineering, UIUC, USA
  2. Department of Industrial and Enterprise Systems Engineering, UIUC, USA
  3. Department of Computer Science, UIUC, USA
