Open Access Issue
An Online Website Fingerprinting Defense Based on the Non-Targeted Adversarial Patch
Tsinghua Science and Technology 2023, 28 (6): 1148-1159
Published: 28 July 2023

Website Fingerprinting (WF) attacks can extract side channel information from encrypted traffic to form a fingerprint that identifies the victim’s destination website, even if traffic is sophisticatedly anonymized by Tor. Many offline defenses have been proposed and claimed to have achieved good effectiveness. However, such work is more of a theoretical optimization study than a technology that can be applied to real-time traffic in the practical scenario. Because defenders generate optimized defense schemes only if the complete traffic traces are obtained. The practicality and effectiveness are doubtful. In this paper, we provide an in-depth analysis of the difficulties faced in porting existing offline defenses to the online scenarios. And then the online WF defense based on the non-targeted adversarial patch is proposed. To reduce the overhead, we use the Gradient-weighted Class Activation Mapping (Grad-CAM) algorithm to identify critical segments that have high contribution to the classification. In addition, we optimize the adversarial patch generation process by splitting patches and limiting the values, so that the pre-trained patches can be injected and discarded in real-time traffic. Extensive experiments are carried out to evaluate the effectiveness of our defense. When bandwidth overhead is set to 20%, the accuracies of the two state-of-the-art attacks, DF and Var-CNN, drop to 10.83% and 15.49%, respectively. Furthermore, we implement the real-time patch traffic injection based on WFPadTools framework in the online scenario, and achieve a defense accuracy of 95.50% with 12.57% time overhead.

total 1