Website Fingerprinting Attacks and Defenses on Anonymity Networks

Posted on: 2015-07-28
Degree: Ph.D
Type: Dissertation
University: State University of New York at Stony Brook
Candidate: Cai, Xiang
Full Text: PDF
GTID: 1478390017497896
Subject: Computer Science
Abstract/Summary:
Website fingerprinting attacks enable an adversary to infer which website a victim is visiting, even if the victim uses an encrypting proxy, such as Tor. As a result, researchers have proposed several defenses, most of which focus mainly on hiding packet size information. For example, Tor packs all data into 512-byte cells. Other packet padding schemes include padding to 2k bytes, or padding all packets to MTU. In 2009, Wright, et al., proposed traffic morphing, which alters the size of the packets transmitted so that the packet size distribution appears to be from a different web page. Recently researchers proposed several application-level defenses against traffic analysis attacks, including HTTPOS and randomized pipelining over Tor.

We present a novel web page fingerprinting attack DLSVM, that is able to defeat these defenses. Regardless of the defense scheme, our attack was able to guess which of 100 web pages a victim was visiting at least 50% of the time and, with some defenses, over 90% of the time. Our attack is based on a simple model of network behavior and out-performs previously proposed ad hoc attacks. We then build a web site fingerprinting attack that is able to identify whether a victim is visiting a particular web site with over 90% accuracy in our experiments.

Our results have shown that all these defenses are ineffective, and strongly suggest that ad hoc defenses against traffic analysis are not likely to succeed. Therefore, we develop a theoretical model of website fingerprinting attacks and defenses and use it to prove several results. First, we develop bounds on the trade-off between overhead and security that any fingerprinting defense can achieve. This enables us to compare schemes with different overhead/security trade-offs by comparing how close they are to optimal. We then propose, implement, and evaluate a new defense scheme, which we call Congestion-Sensitive BuFLO, based on the BuFLO defense proposed by Dyer, et al. Our experiments find that Congestion-Sensitive BuFLO has high overhead (around 2.3-2.8x) but can get 6x closer to the overhead/security trade-off lower bound than Tor or plain SSH.

Lastly, our theoretical analysis suggests that the reason website fingerprinting defenses are expensive is not because websites are so different; it is because defenses lack the knowledge of where to put cover traffic, so they have to put it everywhere. We propose a provably secure defense Glove, and demonstrate that this defense can defeat an ideal attacker while providing better overhead/security trade-off than previously proposed defenses.
Keywords/Search Tags:Defenses, Attack, Website fingerprinting, Proposed, Victim