Can we overcome this ...


  • Date posted: 30-Jun-2018

  • FEARLESS engineering

    http://hightechforum.org/tag/privacy/

    Can we overcome this

  • With this?

  • Actually

    Tor

  • The real question is:

    Can we overcome this

  • using fingerprinting?

  • UT DALLAS Erik Jonsson School of Engineering & Computer Science

    Adaptive Encrypted Traffic Fingerprinting With Bidirectional Dependence

    Khaled Al-Naami, Swarup Chandra, Ahmad Mustafa, Latifur Khan, Zhiqiang Lin, Kevin Hamlen, Bhavani Thuraisingham

    This work is funded by NSF, AFOSR, and NSA.

  • Outline

    - Attack
    - BIND
    - Defenses
    - Experiments
    - Base rate fallacy
    - Adaptive Learning

  • Outline

  • Traffic fingerprinting

  • Website Fingerprinting (WFP)

    A Traffic Analysis (TA) attack.

    Threatens web navigation privacy.

    Attackers learn information about a website accessed by the user.

    Website = Fingerprint = Signature

  • Website Fingerprinting

    The goal is to identify the websites

    Can also help identify threats: bad people

    Can harm certain individuals: journalists, activists, bloggers

  • WFP Diagram Tor

  • How about mobile apps?

    Apps Fingerprinting

    Threatens apps navigation privacy.

    Attackers learn information about apps accessed by the user.

    App = Fingerprint = Signature

  • App Fingerprinting

    Marketing view: advertisement, network bandwidth management, app recommendations

    Adversarial view: targeted attacks on well-known vulnerable apps

  • Apps Fingerprinting

  • Encrypted Data

  • Outline

  • BIND: fingerprinting with BI-directioNal Dependence

  • BIND

    Observation: the traffic exchanged in the two directions of a connection depends on each other.

    Therefore, design a new fingerprinting mechanism (BIND) that leverages this sequence dependence.

  • Outline

  • Arms Race

    Defenders morph packets

    Attackers: BIND

  • Attackers and Defenders Arms Race

    The competition between attackers and defenders is continually evolving

    - Attackers collect the packets and apply ML.
    - Defenders morph packets (website A to look like website B)
    - The coarser the features, the more resistant
    - BIND: coarse-feature approach

  • Defenses (DTS - Distribution-Based)

    DTS: Direct Target Sampling

    - A: Source webpage
    - B: Target webpage
    - DA and DB (packet length distributions)
    - For every packet of length i from A, sample a packet of length j from DB
    - If j > i, then pad i to j and send; else send i
    - Continue sampling by adding dummy packets until distance L1(A, B) < 0.3
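    The DTS steps on this slide, written out as an added example (not code from the slides or from the authors). The function names, the sample trace and the target distribution are constructed for illustration, and L1(A, B) is taken here to mean the L1 distance between the packet-length distribution of the morphed trace and DB.

```python
import random
from collections import Counter

def l1_distance(lengths, target_pmf):
    """L1 distance between the empirical pmf of `lengths` and `target_pmf`."""
    counts, n = Counter(lengths), len(lengths)
    sizes = set(counts) | set(target_pmf)
    return sum(abs(counts[s] / n - target_pmf.get(s, 0.0)) for s in sizes)

def dts_morph(src_lengths, target_pmf, threshold=0.3, seed=0, max_dummies=10_000):
    """Morph a trace of page A toward D_B; return (sent_lengths, n_dummies)."""
    rng = random.Random(seed)  # fixed seed so the example is reproducible
    sizes, probs = zip(*sorted(target_pmf.items()))

    def sample():
        return rng.choices(sizes, weights=probs)[0]

    # Step 1: for each real packet of length i, draw j from D_B.
    # If j > i the packet is padded to j, otherwise it is sent unchanged.
    sent = [max(i, sample()) for i in src_lengths]

    # Step 2: append dummy packets drawn from D_B until the trace is
    # within the L1 threshold of the target distribution.
    n_dummies = 0
    while l1_distance(sent, target_pmf) >= threshold and n_dummies < max_dummies:
        sent.append(sample())
        n_dummies += 1
    return sent, n_dummies

def overhead(src_lengths, sent):
    """Fraction of extra bytes on the wire relative to the original trace."""
    return sum(sent) / sum(src_lengths) - 1.0

# Constructed sample data: page A is dominated by full-size packets,
# target page B mostly sends small ones.
SRC_A = [1500] * 30 + [60] * 10
PMF_B = {60: 0.5, 300: 0.3, 1500: 0.2}

if __name__ == "__main__":
    sent, n = dts_morph(SRC_A, PMF_B)
    print(f"L1 before: {l1_distance(SRC_A, PMF_B):.2f}")
    print(f"L1 after:  {l1_distance(sent, PMF_B):.2f} with {n} dummy packets")
    print(f"bandwidth overhead: {overhead(SRC_A, sent):.0%}")
```

    Because real packets are only ever padded upward, a source dominated by large packets can reach the target distribution only through dummy traffic, which is where the bandwidth cost of this defense comes from.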

  • Defenses (TM - Distribution-Based)

    TM: Traffic Morphing

    Similar to DTS, but sample to pad packets using convex optimization (to minimize padding overhead)

    Y = AX, where Y is the pmf of the target, A holds the probabilities to be calculated, and X is the pmf of the source

    s: packet size

  • Defenses (TM - Distribution-Based)

    Continue sampling by adding dummy packets until distance L1(A, B) < 0.3

  • Outline

  • Closed-world scenario

  • Open-world scenario

  • Closed-world vs Open-world

    Item              Closed-world              Open-world
    Set               Finite set of websites    Monitored; Non-Monitored
    Classification    Multi-class (websites)    Binary
    Goal              Predict website           Predict if a Monitored or non-Monitored website

    Universe -> M (Finite), M (Infinite & Diverse)

    Figure labels: Closed-world, Open-world

    http://www.geeksforgeeks.org/getting-started-with-classification/

  • Datasets and setup

  • Apps dataset collection process

  • Summary of previous and proposed approaches

  • Closed world w/o Defenses

    Accuracy %

  • Open world w/o Defenses

    TPR and FPR %

  • Closed world w/ Traffic Morphing Defense

  • Open world w/ Traffic Morphing/Tamaraw

  • Running Time (cw)

  • Running Time (ow)

    WKNN and BINDWKNN (> 30 min) due to weight computations.

    BINDRF (< 60 sec)

    Yet, BINDRF outperformed BINDWKNN (or WKNN)

  • Outline

  • Base Detection Rate (BDR) Open-world

                      actual M    actual -M
    classified D      tp          fp
    classified -D     fn          tn

  • BDR prior probability of a targeted client

  • Outline

  • Adaptive Learning

  • Adaptive Learning

  • Adaptive Learning

  • Conclusion

    - A coarse-feature extraction approach (BIND) over encrypted data
    - Capturing dependences between consecutive packet sequences
    - Across multiple domains: HTTPS, Tor, Smartphone Apps
    - Closed-world and open-world settings
    - The approach is more resilient to defenses
    - BDR
    - Adaptive Learning

  • Future work

    - Incremental Learning
      - Change Point Detection
    - Multi-tab browsing
      - Tor
    - New defenses
      - Work presented represents attacker
      - Implementing a more successful defense that BIND can't evade

  • Thank you! Questions?
