Patch-based Defenses against Web Fingerprinting Attacks

Abstract

Anonymity systems like Tor are vulnerable to Website Fingerprinting (WF) attacks, where a local passive eavesdropper infers the victim's activity. WF attacks based on deep learning classifiers have successfully overcome numerous defenses. While recent defenses leveraging adversarial examples offer promise, these adversarial examples can only be computed after the network session has concluded, thus offering users little protection in practical settings. We propose Dolos, a system that modifies user network traffic in real time to successfully evade WF attacks. Dolos injects dummy packets into traffic traces by computing input-agnostic adversarial patches that disrupt the deep learning classifiers used in WF attacks. Patches are then applied to alter and protect user traffic in real time. Importantly, these patches are parameterized by a user-side secret, ensuring that attackers cannot use adversarial training to defeat Dolos. We experimentally demonstrate that Dolos provides >94% protection against state-of-the-art WF attacks under a variety of settings, including adaptive countermeasures. Dolos outperforms prior defenses both in terms of higher protection performance as well as lower bandwidth overhead. Finally, we show that Dolos is provably robust to any attack under specific, but realistic, assumptions on the setting in which the defense is deployed.