Website Fingerprinting using Traffic Analysis...
Transcript of Website Fingerprinting using Traffic Analysis...
![Page 1: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/1.jpg)
Website Fingerprinting using Traffic Analysis
Attacks
Salini S K
![Page 2: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/2.jpg)
What is Traffic Analysis
![Page 3: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/3.jpg)
What is Traffic Analysis
Wiki says……
![Page 4: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/4.jpg)
What is Traffic Analysis
Wiki says…… • Process of intercepting and examining
messages in order to deduce information from patterns in communication.
• Can be performed even when the messages are encrypted.
![Page 5: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/5.jpg)
Why do I care? • Your privacy is compromised
– Attacker knows the site you are visiting
– He knows how long you stay in the same site
• Attacker can poison DNS cache accordingly and you may end up giving your credentials to a malicious site.
![Page 6: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/6.jpg)
Client making request to a webpage
Encrypted
Unaware user
![Page 7: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/7.jpg)
Client making request to a webpage
But not safe Unaware user
![Page 8: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/8.jpg)
Attacker intercepts traffic
![Page 9: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/9.jpg)
Attacker intercepts traffic
Attaaackk…
![Page 10: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/10.jpg)
Attacker intercepts traffic
Can See
•Packet length
•Bandwidth
•Average packets transferred/sec
![Page 11: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/11.jpg)
What will I do?
![Page 12: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/12.jpg)
• Visit different websites and collect traffic traces (Data collection phase)
What will I do?
![Page 13: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/13.jpg)
• Visit different websites and collect traffic traces (Data collection phase)
• Extract features from training dataset (Training phase)
What will I do?
![Page 14: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/14.jpg)
• Visit different websites and collect traffic traces (Data collection phase)
• Extract features and train dataset (Training phase)
• Test on random dataset. (Testing phase)
What will I do?
![Page 15: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/15.jpg)
• Visit different websites and collect traffic traces (Data collection phase)
• Extract features and train dataset (Training phase)
• Test on random dataset. (Testing phase)
Use machine learning
What will I do?
![Page 16: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/16.jpg)
• Visit different websites and collect traffic traces (Data collection phase)
• Extract features and train dataset (Training phase)
• Test on random dataset. (Testing phase)
What will I do?
3 simple(???) steps
![Page 17: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/17.jpg)
Websites fingerprinted…
![Page 18: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/18.jpg)
Step 1
![Page 19: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/19.jpg)
Step 1 • Data collection:
![Page 20: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/20.jpg)
Step 1 • Data collection:
- Used airodump-ng for collecting WPA- encrypted data
- Used Wireshark to filter out traffic from a specific host
![Page 21: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/21.jpg)
Step 2
![Page 22: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/22.jpg)
Step 2 • Feature extraction
![Page 23: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/23.jpg)
Features considered…
• Packet length
• Inter-arrival time
• Upstream Bandwidth
• Downstream Bandwidth
• Average Packets sent/sec
• Average Packets received/sec
![Page 24: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/24.jpg)
Why such features?
![Page 25: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/25.jpg)
Why such features?
- deduced based on trail and error method
![Page 26: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/26.jpg)
Bandwidth distribution for various websites
![Page 27: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/27.jpg)
Distribution of Average packet transferred/sec for various websites
![Page 28: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/28.jpg)
Step 3
![Page 29: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/29.jpg)
Step 3 • Training and Testing
![Page 30: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/30.jpg)
Step 3 • Training and Testing
Used machine learning classifiers
-Naïve Bayes Simple
-Naïve Bayes
-Decision tree
![Page 31: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/31.jpg)
Accuracy of Classification- using various classifiers
Classifier
Naïve Bayes Simple
90% 100% 83% 89% 99%
Naïve Bayes (without SD)
89% 100% 90% 89% 99%
Naïve Bayes (with SD)
99% 100% 99% 100% 100%
Decision tree (Rankers Search)
80% 100% 80% 90% 90%
Decision Tree (Best first Search)
100% 100% 100% 100% 100%
SD- Supervised Discretion
![Page 32: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/32.jpg)
Question:
Can we train the system using the traffic profiles collected from one browser and test it on the traffic profiles collected from some other browser?
![Page 33: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/33.jpg)
Question:
Can we train the system using the traffic profiles collected from one browser and test it on the traffic profiles collected from some other browser?
NOOO…. Coz.,
![Page 34: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/34.jpg)
vs
![Page 35: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/35.jpg)
vs
![Page 36: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/36.jpg)
vs
![Page 37: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/37.jpg)
Then how can this attack be made useful?
![Page 38: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/38.jpg)
Then how can this attack be made useful?
• Use Browser Fingerprinting
![Page 39: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/39.jpg)
Then how can this attack be made useful?
• Use Browser Fingerprinting
Reference :Browser Fingerprinting from Coarse Traffic Summaries : Techiniques and Implications – by Yen et. al.
![Page 40: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/40.jpg)
Limitation and Future Work
• Assumes that user is going to visit only a single website at a time. But in practice, users can visit multiple websites.
• Can be extended to other websites and other browsers by using similar methods.
![Page 41: Website Fingerprinting using Traffic Analysis Attackspages.cs.wisc.edu/~salinisk/642/website_fingerprinting.pdfWebsite Fingerprinting using Traffic Analysis Attacks Salini S K . What](https://reader035.fdocuments.us/reader035/viewer/2022071118/600fb9811b603e09434d5758/html5/thumbnails/41.jpg)
Thank You