Advertisement

IUPTIS: Fingerprinting Profile Webpages in a Dynamic and Practical DPI Context

  • Mariano Di MartinoEmail author
  • Pieter Robyns
  • Peter Quax
  • Wim Lamotte
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 372)

Abstract

In this paper, we propose an extended overview of a novel webpage fingerprinting technique ‘IUPTIS’ that allows an adversary to identify webpage profiles in an encrypted HTTPS traffic trace. Our approach works by identifying sequences of image resources, uniquely attributed to each webpage. Assumptions of previous state-of-the-art methods are reduced by developing an approach that does not depend on the browser utilized. Additionally, it outperforms previous methods by allowing webpages to be dynamic in content and permitting a limited number of browser and CDN-cached resources. These easy-to-use properties make it viable to apply our method in DPI frameworks where performance is crucial. With practical experiments on social media platforms such as Pinterest and DeviantArt, we show that IUPTIS is an accurate and robust technique to fingerprint profile webpages in a realistic scenario. To conclude, we propose several defenses that are able to mitigate IUPTIS in privacy-enhanced tools such as Tor.

Keywords

Webpage fingerprinting Social networks Privacy Traffic analysis 

Notes

Acknowledgements

We thank the anonymous reviewers for their insightful feedback.

References

  1. 1.
    Pinterest (2018). https://www.pinterest.com. Accessed 13 Nov 2018
  2. 2.
    Brandwatch: Brandwatch Peer Index (2017). https://www.brandwatch.com/p/peerindex-and-brandwatch. Accessed 14 Oct 2017
  3. 3.
    Brissaud, P.O., Francois, J., Chrisment, I., Cholez, T., Bettan, O.: Passive monitoring of HTTPS service use. In: 14th International Conference on Network and Service Management (CNSM 2018), Rome, Italy , p. 7, November 2018. https://hal.inria.fr/hal-01943936
  4. 4.
    Cai, X., Nithyanand, R., Johnson, R.: CS-BuFLO: a congestion sensitive website fingerprinting defense. In: Proceedings of the 13th Workshop on Privacy in the Electronic Society, WPES 2014, pp. 121–130. ACM, New York (2014).  https://doi.org/10.1145/2665943.2665949
  5. 5.
    Cai, X., Nithyanand, R., Wang, T., Johnson, R., Goldberg, I.: A systematic approach to developing and evaluating website fingerprinting defenses. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS 2014, pp. 227–238. ACM, New York (2014).  https://doi.org/10.1145/2660267.2660362
  6. 6.
    Cai, X., Zhang, X.C., Joshi, B., Johnson, R.: Touching from a distance: website fingerprinting attacks and defenses. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 605–616. ACM, New York (2012).  https://doi.org/10.1145/2382196.2382260
  7. 7.
    Cao, Y., Li, S., Wijmans, E.: (Cross-)browser fingerprinting via OS and hardware level features. In: NDSS (2017)Google Scholar
  8. 8.
    Cheng, H., Cheng, H., Avnur, R.: Traffic analysis of SSL encrypted web browsing (1998)Google Scholar
  9. 9.
    Cherubin, G.: Bayes, not Naïve: security bounds on website fingerprinting defenses. In: PoPETs, pp. 215–231 (2017)Google Scholar
  10. 10.
    Cherubin, G., Hayes, J., Juarez, M.: Website fingerprinting defenses at the application layer. Proc. Priv. Enhanc. Technol. 2017(2), 186–203 (2017)CrossRefGoogle Scholar
  11. 11.
    Coull, S.E., Collins, M.P., Wright, C.V., Monrose, F., Reiter, M.K.: On web browsing privacy in anonymized NetFlows. In: Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, SS 2007, USENIX Association, Berkeley, CA, USA, pp. 23:1–23:14 (2007). http://dl.acm.org/citation.cfm?id=1362903.1362926
  12. 12.
    Di Martino, M., Robyns, P., Quax, P., Lamotte, W.: Iuptis: a practical, cache-resistant fingerprinting technique for dynamic webpages. In: WEBIST (2018)Google Scholar
  13. 13.
    Dyer, K.P., Coull, S.E., Ristenpart, T., Shrimpton, T.: Peek-a-boo, i still see you: why efficient traffic analysis countermeasures fail. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy, SP 2012, pp. 332–346. IEEE Computer Society, Washington (2012).  https://doi.org/10.1109/SP.2012.28
  14. 14.
    The Economist: Very personal finance (2012). http://www.economist.com/node/21556263. Accessed 10 Sept 2017
  15. 15.
    Ejeta, T.G., Kim, H.J.: Website fingerprinting attack on psiphon and its forensic analysis. In: Kraetzer, C., Shi, Y.-Q., Dittmann, J., Kim, H.J. (eds.) IWDW 2017. LNCS, vol. 10431, pp. 42–51. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-64185-0_4CrossRefGoogle Scholar
  16. 16.
    Estêvão, F.P.C.: Fingerprinting HTTP/2 web pages (2017)Google Scholar
  17. 17.
    European Commission: Data protection (2018). https://ec.europa.eu/info/law/law-topic/data-protection_en. Accessed 17 June 2018
  18. 18.
    Council of the European Union: Common challenges in combating cybercrime, p. 5 (2017). http://data.consilium.europa.eu/doc/document/ST-7021-2017-INIT/en/pdf
  19. 19.
    Gallagher, S.: Chinese government launches man-in-middle attack against icloud [updated]. Ars Technica (2014). https://arstechnica.com/information-technology/2014/10/chinese-government-launches-man-in-middle-attack-against-icloud/
  20. 20.
    Hayes, J., Danezis, G.: k-fingerprinting: a robust scalable website fingerprinting technique. In: 25th USENIX Security Symposium (USENIX Security 16), USENIX Association, Austin, TX, pp. 1187–1203 (2016)Google Scholar
  21. 21.
    Herrmann, D., Wendolsky, R., Federrath, H.: Website fingerprinting: attacking popular privacy enhancing technologies with the multinomial NaïVe-bayes classifier. In: Proceedings of the 2009 ACM Workshop on Cloud Computing Security, CCSW 2009, pp. 31–42. ACM, New York (2009).  https://doi.org/10.1145/1655008.1655013
  22. 22.
    Husák, M., Čermák, M., Jirsík, T., Čeleda, P.: HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting. EURASIP J. Inf. Secur. 2016(1), 6 (2016).  https://doi.org/10.1186/s13635-016-0030-7CrossRefGoogle Scholar
  23. 23.
    InformAction: Noscript. https://noscript.net/. Accessed 18 Oct 2018
  24. 24.
    Juarez, M., Afroz, S., Acar, G., Diaz, C., Greenstadt, R.: A critical evaluation of website fingerprinting attacks. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS 2014, pp. 263–274. ACM, New York (2014).  https://doi.org/10.1145/2660267.2660368
  25. 25.
    Juarez, M., Imani, M., Perry, M., Diaz, C., Wright, M.: Toward an efficient website fingerprinting defense. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9878, pp. 27–46. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-45744-4_2CrossRefGoogle Scholar
  26. 26.
    Kwon, A., AlSabah, M., Lazar, D., Dacier, M., Devadas, S.: Circuit fingerprinting attacks: passive deanonymization of tor hidden services. In: 24th USENIX Security Symposium (USENIX Security 15), USENIX Association, Washington, D.C., pp. 287–302 (2015). https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/kwon
  27. 27.
    Liberatore, M., Levine, B.N.: Inferring the source of encrypted HTTP connections. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, pp. 255–263. ACM, New York (2006).  https://doi.org/10.1145/1180405.1180437
  28. 28.
    Liu, L., Preoţiuc-Pietro, D., Riahi, Z., Moghaddam, M.E., Ungar, L.: Analyzing personality through social media profile picture choice. In: ICWSM (2016)Google Scholar
  29. 29.
    Lu, L., Chang, E.-C., Chan, M.C.: Website fingerprinting and identification using ordered feature sequences. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 199–214. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-15497-3_13CrossRefGoogle Scholar
  30. 30.
    Luo, X., Zhou, P., Chan, E.W.W., Lee, W., Chang, R.K.C., Perdisci, R.: HTTPOS: sealing information leaks with browser-side obfuscation of encrypted flows. In: Proceedings of the Network and Distributed Systems Symposium (NDSS). The Internet Society (2011). http://hdl.handle.net/10397/50561
  31. 31.
    Miller, B., Huang, L., Joseph, A.D., Tygar, J.D.: I know why you went to the clinic: risks and realization of HTTPS traffic analysis. In: De Cristofaro, E., Murdoch, S.J. (eds.) PETS 2014. LNCS, vol. 8555, pp. 143–163. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-08506-7_8CrossRefGoogle Scholar
  32. 32.
    Morla, R.: Effect of pipelining and multiplexing in estimating HTTP/2.0 web object sizes. ArXiv e-prints (2017)Google Scholar
  33. 33.
    Panchenko, A., et al.: Website fingerprinting at internet scale. In: NDSS (2016)Google Scholar
  34. 34.
    Panchenko, A., Niessen, L., Zinnen, A., Engel, T.: Website fingerprinting in onion routing based anonymization networks. In: Proceedings of the 10th Annual ACM Workshop on Privacy in the Electronic Society, WPES 2011, pp. 103–114. ACM, New York, (2011).  https://doi.org/10.1145/2046556.2046570
  35. 35.
    Perez, S.: Facebook starts pushing its data tracking onavo vpn within its main mobile app (2018). https://techcrunch.com/2018/02/12/facebook-starts-pushing-its-data-tracking-onavo-vpn-within-its-main-mobile-app/
  36. 36.
    Project, T.T.: Tor. https://www.torproject.org. Accessed 17 June 2018
  37. 37.
    Rao, A., Spasojevic, N., Li, Z., Dsouza, T.: Klout score: measuring influence across multiple social networks. In: 2015 IEEE International Conference on Big Data (Big Data), pp. 2282–2289 (2015)Google Scholar
  38. 38.
    Rimmer, V., Preuveneers, D., Juarez, M., Van Goethem, T., Joosen, W.: Automated feature extraction for website fingerprinting through deep learning (2017, to appear)Google Scholar
  39. 39.
    Statcounter: Statcounter Global Stats (2018). http://gs.statcounter.com/. Accessed 06 Nov 2018
  40. 40.
    Sun, Q., Simon, D.R., Wang, Y.M., Russell, W., Padmanabhan, V.N., Qiu, L.: Statistical identification of encrypted web browsing traffic. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy, SP 2002, pp. 19–30. IEEE Computer Society, Washington, (2002). http://dl.acm.org/citation.cfm?id=829514.830535
  41. 41.
    Wang, T.: Website fingerprinting: attacks and defenses (Doctoral dissertation), university of Waterloo, Canada (2015)Google Scholar
  42. 42.
    Wang, T., Goldberg, I.: Walkie-talkie: an efficient defense against passive website fingerprinting attacks. In: 26th USENIX Security Symposium (USENIX Security 17), USENIX Association, Vancouver, BC, pp. 1375–1390 (2017). https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/wang-tao
  43. 43.
  44. 44.
    Wijnants, M., Marx, R., Quax, P., Lamotte, W.: HTTP/2 Prioritization and its Impact on Web Performance. In: The Web Conference WWW 2018 (2018)Google Scholar
  45. 45.
    Wright, C.V., Coull, S.E., Monrose, F.: traffic morphing: an efficient defense against statistical traffic analysis. In: Proceedings of the 16th Network and Distributed Security Symposium, pp. 237–250. IEEE (2009)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Hasselt University/tUL - Expertise Center for Digital MediaHasseltBelgium
  2. 2.Hasselt University/tUL/Flanders Make - Expertise Center for Digital MediaHasseltBelgium

Personalised recommendations