Toward enhancing web privacy on HTTPS traffic: A novel SuperLearner attack model and an efficient defense approach with adversarial examples

Abstract

Web privacy-enhancing technologies have been grown to preserve the users' privacy against sophisticated traffic analysis attacks aimed at inferring sensitive information. An especially concerning form of traffic analysis attacks is website fingerprinting attacks, allowing local eavesdroppers to identify a user's visited websites over encrypted connections. Leveraging recent advances in AI methods and aligned with the principle of adversarial thinking (think like an adversary), our objective is to better understand privacy vulnerabilities of HTTPS traffic against ever-evolving traffic analysis attacks. Therefore, as a novel contribution, we propose an HTTPS website fingerprinting attack model called Super-Learner Attack, an ensemble of base learners to exploit the strengths and diminish the weaknesses of the individual base learners, including LogisticRegression, DecisionTreeClassifier, Gaussian Naive Bayes, KNeighborsClassifier, AdaboostClassifier, BaggingClassifier, RandomForestClassifier, and ExtraTreeClassifier. The SuperLearner aims to learn fusion weights in a data-adaptive manner to obtain the optimal combination of the base learners. The proposed attack attains a high accuracy of over 97% on HTTPS traffic, outperforming existing attack models. Furthermore, responding to the challenge of website fingerprinting attacks and in direct response to the SuperLearner Attacker, we propose HTTPS Obfuscation Defender. This is a novel and highly effective defense strategy rooted in deception. This strategy disrupts classification by skillfully introducing fake packets into real flows, obfuscating patterns, and disrupting classification. Unlike previous methods, our approach leverages adversarial example algorithms originally designed for image analysis, to generate maximal obfuscation in encrypted HTTPS traffic. It generates perturbations for encrypted HTTPS traffic through the utilization of three well-established adversarial example algorithms. Our experimental results demonstrate that HTTPS Obfuscation Defender significantly reduces the accuracy of website fingerprinting from 97.2% to 2.89%, even when an attacker attempts to adapt to the defense and retrain a classifier using defended traffic. Moreover, our proposed defense ensures a minimal impact on time and bandwidth, making it a highly practical and resource-efficient defense approach.