Effective website fingerprinting attack based on the first packet direction only

Abstract

Tor is an anonymity protocol that utilizes multi-layers onion encryption to protect the privacy and anonymity of clients during crawling websites. However, Tor is vulnerable to website fingerprinting attacks in that the adversary analyzes the transferred traffic patterns passively and detects visited websites without decryption. The core of fingerprinting attacks depends on flow-based network information such as packet direction information that cannot be concealed using encryption. In the real world, the packet streams observed during a website fetch may be affected by network events like changes in download rate, queuing, retransmission, and packet loss. In this paper, we propose a correlation-based website fingerprinting attack based on only the packet direction information as a set of observations of random variables with an unknown probability distribution. In the proposed attack, instead of the whole of the traffic instances for each website, only the first fraction of transmitted packets are used for fingerprinting. The main focus of the proposed attack is on the preprocessing and classification parts and aims to evaluate the importance of direction information in website detection and mitigate the adverse effects of unpredicted network noises in attack performance. The preprocessing phase preprocesses background noises and unpredicted network events that a real-world adversary may confront. The CorrClassifier model is designed as a prototype of a classifier tailored to the attack conditions to calculate the similarity distance of observed traffic patterns to detect visited websites and reduce the complexity of the attack using a low-dimension correlation method. Preprocessing the noises before feeding them to the classifier helps the accuracy keep up more robustly while the polarity of the target website grows gradually because of the unexpected network conditions. Experiments in a closed-world setting indicate the effectiveness of the proposed method in detecting the targeted websites with 95% accuracy using only the first fraction of direction information.