Can we overcome this - utdallas.eduswarup.chandra/slides/acsac16_presentation.pdf · Can we...

50
FEARLESS engineering http://hightechforum.org/tag/privacy/ Can we overcome this …

Transcript of Can we overcome this - utdallas.eduswarup.chandra/slides/acsac16_presentation.pdf · Can we...

FEARLESS engineering

http://hightechforum.org/tag/privacy/

Can we overcome this …

FEARLESS engineering

With this?

FEARLESS engineering

Actually …

Tor

FEARLESS engineering

Can we overcome this …

The real question is:

FEARLESS engineering

… using fingerprinting?

UT DALLAS Erik Jonsson School of Engineering & Computer Science

FEARLESS engineering

Khaled Al-Naami Swarup Chandra Ahmad MustafaLatifur Khan Zhiqiang Lin Kevin Hamlen Bhavani

Thuraisingham

Adaptive Encrypted Traffic Fingerprinting

With Bidirectional Dependence

This work is funded by NSF, AFOSR, and NSA.

FEARLESS engineering

Outline

• Attack

• BIND

• Defenses

• Experiments

• Base rate fallacy

• Adaptive Learning

FEARLESS engineering

Outline

FEARLESS engineering

Traffic fingerprinting

FEARLESS engineering

Website Fingerprinting (WFP)

• A Traffic Analysis (TA) attack.

• Threatens web navigation privacy.

• Attackers learn information about a website accessed by the user.

• Website = Fingerprint = Signature

FEARLESS engineering

Website Fingerprinting

• The Goal is to identify the websites

• Can also help identify threats– Bad people

• Can harm certain individuals – Journalists

– Activists

– Bloggers

FEARLESS engineering

WFP Diagram – Tor

FEARLESS engineering

How about mobile apps?

• Apps Fingerprinting

• Threatens apps navigation privacy.

• Attackers learn information about apps accessed by the user.

• App = Fingerprint = Signature

FEARLESS engineering

App Fingerprinting

• Marketing view:– advertisement

– network bandwidth management

– app recommendations

• Adversarial view:– targeted attacks on well-known vulnerable apps

FEARLESS engineering

Apps Fingerprinting

FEARLESS engineering

Encrypted Data

FEARLESS engineering

Outline

FEARLESS engineering

BIND: fingerprinting with BI-directioNal Dependence

BIND

FEARLESS engineering

BIND

Observation is that traffic exchanged in the two directions of a connection depend upon each other.

Therefore, design a new fingerprinting mechanism (BIND)that leverages this sequence dependence.

FEARLESS engineering

FEARLESS engineering

Outline

FEARLESS engineering

Arms Race

Defenders morph packets

AttackersBIND

FEARLESS engineering

Attackers and Defenders – Arms Race

• The competition between attackers and defenders is continually evolving

• Attackers collect the packets and apply ML.

• Defenders morph packets (website A to look like website B)

• The coarser the features, the more resistant

• BIND: coarse-feature approach

FEARLESS engineering

Defenses (DTS – Distribution-Based)

• DTS: Direct Target Sampling– A: Src Webpage B: Target Webpage– DA and DB (Packet Length Distributions)

– For every packet of length i from A sample packet of length j from DB

• if j > i then pad i to j and send

• else send i

• Continue sampling by adding dummy packets until distance L1(A’, B) < 0.3

FEARLESS engineering

Defenses (TM - Distribution-Based)

• TM: Traffic Morphing– Similar to DTS but sample to pad packets using convex optimization (to minimize

padding overhead)

– Y = AXProbabilities to be calc.pmf of target pmf of source

s: packet size

FEARLESS engineering

Defenses (TM - Distribution-Based)

• Continue sampling by adding dummy packets until distance L1(A’, B) < 0.3

FEARLESS engineering

FEARLESS engineering

Outline

FEARLESS engineering

Closed-world scenario

FEARLESS engineering

Open-world scenario

FEARLESS engineering

Closed-world vs Open-world

Item Closed-world Open-world

Set Finite set of websites - Monitored- Non-Monitored

Classification Multi-class (websites) Binary

Goal Predict website Predict if a Monitored or non-Monitored website

Universe -> ∞

M (Finite)

M’(Infinite & Diverse)

http://www.geeksforgeeks.org/getting-started-with-classification/

Closed-worldOpen-world

FEARLESS engineering

Datasets and setup

FEARLESS engineering

Apps dataset collection process

FEARLESS engineering

Summary of previous and proposed approaches

FEARLESS engineering

Closed world – w/o Defenses

Accuracy %

FEARLESS engineering

Open world – w/o Defenses

TPR and FPR %

FEARLESS engineering

Closed world – w/ Traffic Morphing Defense

FEARLESS engineering

Open world – w/ Traffic Morphing/Tamaraw

FEARLESS engineering

Running Time (cw)

FEARLESS engineering

Running Time (ow)

• WKNN and BINDWKNN (> 30 min) – due to weight computations.

• BINDRF (< 60 sec)

• Yet, BINDRF outperformed BINDWKNN (or WKNN)

FEARLESS engineering

Outline

FEARLESS engineering

Base Detection Rate (BDR) – Open-world

actual M -M

classifed

D tp fp -D fn tn

FEARLESS engineering

BDR – prior probability of a targeted client

FEARLESS engineering

Outline

FEARLESS engineering

Adaptive Learning

FEARLESS engineering

Adaptive Learning

FEARLESS engineering

Adaptive Learning

FEARLESS engineering

Conclusion

• A coarse-feature extraction approach (BIND) over encrypted data– Capturing dependences between consecutive packet sequences

• Across multiple domains– HTTPS, Tor, Smartphone Apps

• Closed-world and open-world settings

• The approach is more resilient to defenses

• BDR

• Adaptive Learning

FEARLESS engineering

Future work

• Incremental Learning– Change Point Detection

• Multi-tab browsing– Tor

• New defenses– Work presented represents attacker

– Implementing a more successful defense that BIND can’t evade

FEARLESS engineering

Thank you!Questions?