Toward an Efficient Website Fingerprinting Defense

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9878)


Website Fingerprinting attacks enable a passive eavesdropper to recover the user’s otherwise anonymized web browsing activity by matching the observed traffic with prerecorded web traffic templates. The defenses that have been proposed to counter these attacks are impractical for deployment in real-world systems due to their high cost in terms of added delay and bandwidth overhead. Further, these defenses have been designed to counter attacks that, despite their high success rates, have been criticized for assuming unrealistic attack conditions in the evaluation setting. In this paper, we propose a novel, lightweight defense based on Adaptive Padding that provides a sufficient level of security against website fingerprinting, particularly in realistic evaluation conditions. In a closed-world setting, this defense reduces the accuracy of the state-of-the-art attack from 91 % to 20 %, while introducing zero latency overhead and less than 60 % bandwidth overhead. In an open-world, the attack precision is just 1 % and drops further as the number of sites grows.


Privacy Anonymous communications Website Fingerprinting 



A special acknowledgement to Gunes Acar, Ero Balsa, Filipe Beato and Stijpan Picek for reviewing the draft version of the paper. We appreciate the interesting discussions with Yawning Angel, Rishab Nithyanand, Jamie Hayes, Giovanni Cherubin, Tao Wang, Oscar Reparaz and Iraklis Symeonidis that helped developing this paper. This material is based upon work supported by the National Science Foundation under Grants No. CNS-1423163 and CNS-0954133 and the European Commission through H2020-DS-2014-653497 PANORAMIX and H2020-ICT-2014-644371 WITDOM. Marc Juarez is funded by a PhD fellowship of the Fund for Scientific Research - Flanders (FWO).

Supplementary material


  1. 1.
    Alexa. Alexa Top 500 Global Site (2015).
  2. 2.
    Cai, X., Nithyanand, R., Johnson, R.-B.: A congestion sensitive website fingerprinting defense. In: Workshop on Privacy in the Electronic Society (WPES), pp. 121–130. ACM (2014)Google Scholar
  3. 3.
    Cai, X., Nithyanand, R., Johnson, R.: Glove: A bespoke website fingerprinting defense. In: Workshop on Privacy in the Electronic Society (WPES), pp. 131–134. ACM (2014)Google Scholar
  4. 4.
    Cai, X., Nithyanand, R., Wang, T., Johnson, R., Goldberg, I.: A systematic approach to developing and evaluating website fingerprinting defenses. In: ACM Conference on Computer and Communications Security (CCS), pp. 227–238. ACM (2014)Google Scholar
  5. 5.
    Cai, X., Zhang, X.C., Joshi, B., Johnson, R.: Touching from a distance: website fingerprinting attacks and defenses. In: ACM Conference on Computer and Communications Security (CCS), pp. 605–616 (2012)Google Scholar
  6. 6.
    Davis, J., Goadrich, M.: The relationship between precision-recall and ROC curves. In: Proceedings of the 23rd international conference on Machine learning, pp. 233–240. ACM (2006)Google Scholar
  7. 7.
    Dingledine, R., Mathewson, N., Syverson, P.: Tor: the second-generation onion router. In: USENIX Security Symposium. USENIX Association (2004)Google Scholar
  8. 8.
    Dyer, K.P., Coull, S.E., Ristenpart, T., Shrimpton, T.: Peek-a-boo still see you i: why efficient traffic analysis countermeasures fail. In: IEEE Symposium on Security and Privacy (S&P), pp. 332–346. IEEE (2012)Google Scholar
  9. 9.
    Herrmann, D., Wendolsky, R., Federrath, H.: Website fingerprinting: attacking popular privacy enhancing technologies with the multinomial Naïve-Bayes classifier. In: ACM Workshop on Cloud Computing Security, pp. 31–42. ACM (2009)Google Scholar
  10. 10.
    Hintz, A.: Fingerprinting websites using traffic analysis. In: Dingledine, R., Syverson, P.F. (eds.) PET 2002. LNCS, vol. 2482, pp. 171–178. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  11. 11.
    Juarez, M., Afroz, S., Acar, G., Diaz, C., Greenstadt, R.: A critical analysis of website fingerprinting attacks. In: ACM Conference on Computer and Communications Security (CCS), pp. 263–274. ACM (2014)Google Scholar
  12. 12.
    Lu, L., Chang, E.-C., Chan, M.C.: Website fingerprinting and identification using ordered feature sequences. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 199–214. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  13. 13.
    Luo, X., Zhou, P., Chan, E., Lee, W.: Sealing information leaks with browser-side obfuscation of encrypted flows. In: Network & Distributed System Security Symposium (NDSS). IEEE Computer Society (2011)Google Scholar
  14. 14.
    McCoy, D., Bauer, K., Grunwald, D., Kohno, T., Sicker, D.C.: Shining light in dark places: understanding the Tor network. In: Borisov, N., Goldberg, I. (eds.) PETS 2008. LNCS, vol. 5134, pp. 63–76. Springer, Heidelberg (2008)Google Scholar
  15. 15.
    Miller, B., Huang, L., Joseph, A.D., Tygar, J.D.: I know why you went to the clinic: risks and realization of HTTPS traffic analysis. In: De Cristofaro, E., Murdoch, S.J. (eds.) PETS 2014. LNCS, vol. 8555, pp. 143–163. Springer, Heidelberg (2014)Google Scholar
  16. 16.
    Panchenko, A., Lanze, F., Zinnen, A., Henze, M., Pennekamp, J., Wehrle, K., Engel, T.: Website fingerprinting at internet scale. In: Network & Distributed System Security Symposium (NDSS). IEEE Computer Society (2016)Google Scholar
  17. 17.
    Panchenko, A., Niessen, L., Zinnen, A., Engel, T.: Website fingerprinting in onion routing based anonymization networks. In: ACM Workshop on Privacy in the Electronic Society (WPES), pp. 103–114. ACM (2011)Google Scholar
  18. 18.
    Wang, M.-H.: Timing analysis in low-latency mix networks: attacks and defenses. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds.) ESORICS 2006. LNCS, vol. 4189, pp. 18–33. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  19. 19.
    Sun, Q., Simon, D. R., Wang, Y.M.: Statistical identification of encrypted web browsing traffic. In: IEEE Symposium on Security and Privacy (S&P), pp. 19–30. IEEE (2002)Google Scholar
  20. 20.
    The Tor project. Users statistics. Accessed 20 July 2015
  21. 21.
    The Tor project. Pluggable Transports (2012). Tor spec: Accessed 15 December 2015
  22. 22.
    Wang, T.: Website fingerprinting: attacks and defenses. PhD thesis, University of Waterloo (2016)Google Scholar
  23. 23.
    Wang, T., Cai, X., Nithyanand, R., Johnson, R., Goldberg, I.: Effective attacks and provable defenses for website fingerprinting. In: USENIX Security Symposium, pp. 143–157. USENIX Association (2014)Google Scholar
  24. 24.
    Wang, T., Goldberg, I.: Improved website fingerprinting on Tor. In: ACM Workshop on Privacy in the Electronic Society (WPES), pp. 201–212. ACM (2013)Google Scholar
  25. 25.
    Wright, C.V., Coull, S.E., Monrose, F.: Traffic morphing: An efficient defense against statistical traffic analysis. In: Network & Distributed System Security Symposium (NDSS) (2009)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. 1.KU Leuven, ESAT/COSIC and iMindsLeuvenBelgium
  2. 2.The University of Texas at ArlingtonArlingtonUSA
  3. 3.The Tor ProjectSeattleUSA

Personalised recommendations