Detecção de Canvas Fingerprinting em páginas Web baseada em Modelo Vetorial

Elleres, Pablo Augusto da Paz, 92-99351-3031

31 March 2017

Submitted by Divisão de Documentação/BC Biblioteca Central (ddbc@ufam.edu.br) on 2017-08-25T15:51:34Z No. of bitstreams: 2 license_rdf: 0 bytes, checksum: d41d8cd98f00b204e9800998ecf8427e (MD5) Dissertação - Pablo Elleres.pdf: 5489693 bytes, checksum: b9a04e1146c232be81cf39a48ae1634d (MD5) / Approved for entry into archive by Divisão de Documentação/BC Biblioteca Central (ddbc@ufam.edu.br) on 2017-08-25T15:52:08Z (GMT) No. of bitstreams: 2 license_rdf: 0 bytes, checksum: d41d8cd98f00b204e9800998ecf8427e (MD5) Dissertação - Pablo Elleres.pdf: 5489693 bytes, checksum: b9a04e1146c232be81cf39a48ae1634d (MD5) / Made available in DSpace on 2017-08-25T15:52:08Z (GMT). No. of bitstreams: 2 license_rdf: 0 bytes, checksum: d41d8cd98f00b204e9800998ecf8427e (MD5) Dissertação - Pablo Elleres.pdf: 5489693 bytes, checksum: b9a04e1146c232be81cf39a48ae1634d (MD5) Previous issue date: 2017-03-31 / CAPES - Coordenação de Aperfeiçoamento de Pessoal de Nível Superior / Fingerprinting is a technique applied in order to identify or re-identify a User/ device via a set of attributes such as the size of the device’s screen, IP address identification, the versions of the software installed as well as through other existing features in the process Web communication. The technique is known in Nomenclature website fingerprinting and it has been used as a mechanism for marketing/product sales, however, its development aims to serve as a measure security of user authentication. The question is As it is considered a potencial threat to Web privacy, since personal and sensitive data can be captured and used for malicious purposes in various types of attacks and fraud. The point is that it may and should be considered a potential threat to the privacy of users on the Web, since personal and sensitive data can be captured and used for malicious purposes. Currently a technique that uses image rendering, called Canvas fingerprinting, has also been used for the same purposes as the previous one. This work presents a method that uses information retrieval techniques (via vectorial method) to perform the detection of Canvas Fingerprinting scripts in Web pages. The method consists in calculating the similarity between a base with 100 queries from a Canvas Fingerprinting database and a set of web pages labeled as benign and malignant. The result found showed high levels of similarities with a canvas base (97 %), a base of phishing pages (87 %) and a base with DMOZ directory pages (87 %). / Fingerprinting é a técnica aplicada com vistas a identificar ou reidentificar um usuário/dispositivo por intermédio de um conjunto de atributos como: o tamanho da tela do dispositivo, a identificação do endereço IP, as versões dos softwares instalados, assim como por meio de outras características existentes no processo de comunicação daWeb. A técnica é conhecida pela nomenclatura deWebsite fingerprinting e tem sido utilizada como mecanismo de marketing/vendas de produtos, mas pode muito bem ser empregada como medida de segurança na autenticação de usuários. A questão é que ela pode e deve ser considerada uma ameaça potencial a privacidade dos usuários na Web, já que dados pessoais e sigilosos podem ser capturados e empregados para fins maliciosos. Atualmente uma técnica que utiliza renderização de imagens, denominada Canvas fingerprinting, também tem sido utilizada para burlar a privacidade dos usuários de websites. Este trabalho apresenta um método que emprega técnicas de recuperação da informação (via método vetorial), para realizar a detecção de scripts Canvas Fingerpriting em páginas Web. O método consiste em realizar o cálculo da similaridade entre uma base com 100 consultas reconhecidamente ligadas à Canvas Fingerpriting e bases de dados com páginas tidas como benignas e malignas. O resultado encontrado mostrou que níveis altos de similaridades com uma base de Canvas (97%), uma base de páginas phishing (87%) e uma base com páginas do diretório DMOZ (87%).

Website Fingerprinting

Canvas Fingerprinting

Recuperação da Informação

Método Vetorial

Determinando o risco de Fingerprinting em páginas Web

Saraiva, Adriana Rodrigues

04 August 2016

Submitted by Divisão de Documentação/BC Biblioteca Central (ddbc@ufam.edu.br) on 2016-12-16T14:35:12Z No. of bitstreams: 1 Dissertação - Adriana R. Saraiva.pdf: 5916314 bytes, checksum: cf288d2a2930a048c67f43f933ab9524 (MD5) / Approved for entry into archive by Divisão de Documentação/BC Biblioteca Central (ddbc@ufam.edu.br) on 2016-12-16T14:35:35Z (GMT) No. of bitstreams: 1 Dissertação - Adriana R. Saraiva.pdf: 5916314 bytes, checksum: cf288d2a2930a048c67f43f933ab9524 (MD5) / Approved for entry into archive by Divisão de Documentação/BC Biblioteca Central (ddbc@ufam.edu.br) on 2016-12-22T15:21:06Z (GMT) No. of bitstreams: 1 Dissertação - Adriana R. Saraiva.pdf: 5916314 bytes, checksum: cf288d2a2930a048c67f43f933ab9524 (MD5) / Made available in DSpace on 2016-12-22T15:21:06Z (GMT). No. of bitstreams: 1 Dissertação - Adriana R. Saraiva.pdf: 5916314 bytes, checksum: cf288d2a2930a048c67f43f933ab9524 (MD5) Previous issue date: 2016-08-04 / FAPEAM - Fundação de Amparo à Pesquisa do Estado do Amazonas / Fingerprinting techniques are those used to identify (or re-identify) a user or device with a set of attributes (device screen size, versions of installed software, among many others) and other observable characteristics during the communication process. Commonly known by Website fingerprinting, such techniques can be used as a security measure (in user authentication, for example) and as a mechanism for sales / marketing. However, they can also be considered a potential threat to Web users’ privacy, since personal and sensitive data can be captured and used for malicious purposes in various types of attacks and fraud. In this context, this work proposes a methodology to detect fingerprinting artifacts in Web pages and measure the level of severity to user privacy. The results show that although simple, the method is effective to find fingerprinting codes in websites and categorizing them in severity levels. / Técnicas de fingerprinting são aquelas empregadas para identificar (ou reidentificar) um usuário ou um dispositivo através de um conjunto de atributos (tamanho da tela do dispositivo, versões de softwares instalados, entre muitos outros) e outras características observáveis durante o processo de comunicação. Comumente conhecidas por Website fingerprinting, tais técnicas podem ser usadas como medida de segurança (na autenticação de usuários, por exemplo) e como mecanismo para vendas / marketing. Por outro lado, também podem ser consideradas uma ameaça potencial à privacidade Web dos usuários, uma vez que dados pessoais e sigilosos podem ser capturados e empregados para fins maliciosos nos mais variados tipos de ataque e fraudes. Neste contexto, esta dissertação propõe uma metodologia para detectar artefatos (scripts) fingerprinting em páginas Web e mensurar o nível de severidade à privacidade do usuário. Os resultados mostram que embora simples, a metodologia é eficaz ao encontrar códigos fingerprinting nos websites e categorizá-los em níveis de severidade.

Website fingerprinting

Sistema de ratreamento

Técnicas de fingerprinting

Evaluation of a Proposed Traffic-Splitting Defence for Tor : Using Directional Time and Simulation Against TrafficSliver / Utvärdering av ett Flervägsförsvar för Tor : Med Riktad Tid och Simulering mot TrafficSliver

Magnusson, Jonathan

January 2021

Tor is a Privacy-Enhancing Technology based on onion routing which lets its users browse the web anonymously. Even though the traffic is encrypted in multiple layers, traffic analysis can still be used to gather information from meta-data such as time, size, and direction of the traffic. A Website Fingerprinting (WF) attack is characterized by monitoring traffic locally to the user in order to predict the destination website based on the observed patterns. TrafficSliver is a proposed defence against WF attacks which splits the traffic on multiple paths in the Tor network. This way, a local attacker is assumed to only be able to observe a subset of all the user's total traffic. The initial evaluation of TrafficSliver against Deep Fingerprinting (DF), the state-of-the-art WF attack, showed promising results for the defence, reducing the accuracy of DF from over 98% down to less than 7% without adding artificial delays or dummy traffic. In this thesis, we further evaluate TrafficSliver against DF beyond what was done in the original work by De la Cadena et al. by using a richer data representation and finding out whether it is possible to utilize simulated training data to improve the accuracy of the attack. By introducing directional time as a richer data representation and increasing the size of the training dataset using a simulator, the accuracy of DF was improved against TrafficSliver on three different datasets. Against the original dataset provided by the authors of TrafficSliver, the accuracy was initially 7.1% and then improved to 49.9%. The results were confirmed by using two additional datasets with TrafficSliver, where the accuracy was improved from 5.4% to 44.9% and from 9.8% to 37.7%. / Tor är ett personlig-integritetsverktyg baserat på onion routing som låter sina användare anonymnt besöka hemsidor på internet. Även om trafiken är enkrypterad i flera lager, kan trafikanalys användas för att utvinna information från metadata som exempelvis: tid, storlek och riktning av trafik. En Website Fingerprinting (WF)-attack karaktäriseras av att övervaka trafik nära användaren för att sedan avgöra vilken hemsida som besökts utifrån mönster. TrafficSliver är ett föreslaget försvar mot WF-attacker genom att dela upp trafiken på flera vägar genom nätverket. Detta gör att en attackerare antas endast kunna se en delmängd av användarens totala trafik. Den första utvärderingen av TrafficSliver mot Deep Fingerprinting (DF), spjutspetsen inom WF-attacker, visade lovande resultat för försvaret genom att reducera träffsäkerheten av DF från över 98% till mindre än 7% utan att lägga till artificiella fördröjningar eller falsk trafik. I denna uppsats strävar vi att fortsätta utvärderingen av TrafficSliver mot DF utöver vad som redan har gjorts av De la Cadena et al. med en rikare datarepresentation och en undersökning huruvida det går att använda simulerad data för att träna attacker mot försvaret. Genom att introducera riktad tid och öka mängden data för att träna attacken, ökades träffsäkerheten av DF mot TrafficSliver på tre distinkta dataset. Mot det dataset som samlades in av TrafficSliver var träffsäkerheten inledelsevis 7.1% och sedan förbättrad med hjälp av riktad tid och större mängder av simulerad träningsdata till 49.9%. Dessa resultat bekräftades även för två ytterligare dataset med TrafficSliver, där träffsäkerheten blev förbättrad från 5.4% till 44.9% och från 9.8% till 37.7%.

Tor

Website Fingerprinting

Deep Learning

Deep Fingerprinting

Traffic Splitting

TrafficSliver

Computer Sciences

Datavetenskap (datalogi)

The Effect Background Traffic in VPNs has on Website Fingerprinting / Påverkan av bakgrundstrafik i VPN-tunnlar vid mönsterigenkänningsattacker mot webbplatser

Rehnholm, Gustav

January 2023

Tor and VPNs are used by many to be anonymous and circumvent censorship on the Internet. Therefore, traffic analysis attacks that enable adversaries to link users to their online activities are a severe threat. One such attack is Website Fingerprinting (WF), which analyses patterns in the encrypted traffic from and to users to identify website visits. To better understand to which extent WF can identify patterns in VPN traffic, there needs to be a deeper exploration into which extent background traffic in VPNs impacts WF attacks, which is traffic in the stream that the adversary does not wish to classify. This thesis explores how different background traffic types affect WF on VPN traffic. It is done by using existing VPN datasets and combining them into datasets which simulate a VPN tunnel where both foreground and background traffic is sent simultaneously. This is to explore how different kinds of background traffic affect known state-of-the-art WF attacks using Deep Learning (DL). Background traffic does affect DL-based WF attacks, but the impact on accuracy is relatively small compared to the bandwidth overhead: 200 % overhead reduces the accuracy from roughly 95 % to 70 %. WF attacks can be trained without any background traffic, as long as the overhead of the background traffic is smaller than 2 %, without any impact on accuracy. WF attacks can also be trained with background traffic from other applications than what it is tested on, as long as the applications produce similar traffic patterns. For example, traffic from different pre-recorded streaming applications like Netflix and YouTube is similar enough, but not traffic from pre-recorded and live streaming applications such as Twitch. Also, having access to the size of the packets makes WF attacks better than if the size is obscured, making VPNs probably more vulnerable than Tor to WF attacks. Thesis artefacts are available at: https://github.com/gustavRehnholm/wf-vpn-bg / Tor och VPN:er används av många för att ge anonymitet och kringgå censurera i Internet. Därför är trafikanalysattacker som gör det möjligt för angripare att länka användaren till sina onlineaktiviteter ett allvarligt hot. En sådan attack är Website Fingerprinting (WF), som analyserar mönster i den krypterade trafiken mellan användaren och reläet med målet att identifiera webbplatsbesök. För att bättre förstå i vilken ut-sträckning WF kan identifiera mönster i VPN-tunnlar måste det finnas en djupare undersökning i vilken utsträckning bakgrundstrafik i VPN-tunnlar påverkar WF-attacker, trafik i VPN-tuneln som WF-attackeraren inte försöker klassificera. Målet med denna avhandling är att undersöka hur bakgrundstrafik, i olika kombinationer, påverkar WF på VPN-tunnlar. Det görs genom att använda befintliga VPN-datauppsättningar och kombinera dem till datauppsättningar som simulerar en VPN-tunnel där både förgrunds- och bakgrundstrafik skickas samtidigt. Detta är att utforska hur olika typer av bakgrundstrafik påverkar kända WF-attacker med hjälp av djupinlärning. Bakgrundstrafik har en påverkan på djupinlärnings baserade WF-attacker, men påverkan på WF noggrannheten är relativt liten jämfört med overheaden som behövs: 200 %overhead minskar noggrannheten från ungefär 95 % till 70 %. WF-attacker kan tränas utan bakgrundstrafik, så länge bakgrundstrafikens overhead är mindre än 2 %, utan att det påverkar noggrannheten. WF-attacker kan också tränas med bakgrundstrafik från andra applikationer än vad den testas på, så länge applikationerna producerar liknande trafikmönster. Till exempel är trafik från olika förinspelade streamingapplikationer som Netflix och YouTube tillräckligt lik, men inte trafik från förinspelade och livestreamingapplikationer som Twitch. Det är också tydligt att ha tillgång till paketstorlek gör klassificeraren bättre, vilket gör VPN:er förmodligen mer sårbar än Tor. Avhandlingsartefakter finns på följande hemsida: https://github.com/gustavRehnholm/wf-vpn-bg

Website Fingerprinting

Virtual Private Network

Deep Learning

Mönsterigenkänning

Virtuellt Privat Nätverk

Djup Inlärning

Computer Systems

Datorsystem

Practical and Lightweight Defense Against Website Fingerprinting

McGuan, Colman

January 2022

No description available.

Computer Science

Censorship

Cybersecurity

Deep Learning

Machine Learning

Tor

Website Fingerprinting

Impact of fixed-rate fingerprinting defense on cloud gaming experience / Påverkan av fixed-rate fingerprinting försvar på cloud gamingupplevelsen

Thang, Kent, Nyberg, Adam

January 2023

Cloud gaming has emerged as a popular solution to meet the increasing hardware de-mands of modern video games, allowing players with dated or non-sufficient hardwareto access high-quality gaming experiences. However, the growing reliance on cloud ser-vices has led to heightened concerns regarding user privacy and the risk of fingerprintingattacks. In this paper, we investigate the effects of varying send rates on cloud gamingQoS and QoE metrics when applying a fixed-rate fingerprinting defense, BuFLO. Findingsshow that lower send rates impact both client-side and host-side applied defense differ-ently. Based on the results, specific send rates are suggested for maintaining a stable cloudgaming experience. The research offers insights into the trade-offs between security andperformance in cloud gaming and provides recommendations for mitigating fingerprintingattacks. Future work may investigate alternative defenses, device types, and connectionmethods.

cloud gaming

QoE

QoS

proxy

fingerprinting defense

website fingerprinting attack

Media Engineering

Mediateknik

Övrig annan teknik

Towards Realistic Datasets forClassification of VPN Traffic : The Effects of Background Noise on Website Fingerprinting Attacks / Mot realistiska dataset för klassificering av VPN trafik : Effekten av bakgrundsoljud på website fingerprint attacker

Sandquist, Christoffer, Ersson, Jon-Erik

January 2023

Virtual Private Networks (VPNs) is a booming business with significant margins once a solid user base has been established and big VPN providers are putting considerable amounts of money into marketing. However, there exists Website Fingerprinting (WF) attacks that are able to correctly predict which website a user is visiting based on web traffic even though it is going through a VPN tunnel. These attacks are fairly accurate when it comes to closed world scenarios but a problem is that these scenarios are still far away from capturing typical user behaviour.In this thesis, we explore and build tools that can collect VPN traffic from different sources. This traffic can then be combined into more realistic datasets that we evaluate the accuracy of WF attacks on. We hope that these datasets will help us and others better simulate more realistic scenarios.Over the course of the project we developed automation scripts and data processing tools using Bash and Python. Traffic was collected on a server provided by our university using a combination of containerisation, the scripts we developed, Unix tools and Wireshark. After some manual data cleaning we combined our captured traffic together with a provided dataset of web traffic and created a new dataset that we used in order to evaluate the accuracy of three WF attacks.By the end we had collected 1345 capture files of VPN traffic. All of the traffic were collected from the popular livestreaming website twitch.tv. Livestreaming channels were picked from the twitch.tv frontpage and we ended up with 245 unique channels in our dataset. Using our dataset we managed to decrease the accuracy of all three tested WF attacks from 90% down to 47% with a WF attack confidence threshold of0.0 and from 74% down to 17% with a confidence threshold of 0.99. Even though this is a significant decrease in accuracy it comes with a roughly tenfold increase in the number of captured packets for the WF attacker.Thesis artifacts are available at github.com/C-Sand/rds-collect. / Virtual Private Network (VPN) marknaden har växt kraftigt och det finns stora marginaler när en solid användarbas väl har etablerats. Stora VPN-leverantörer lägger dessutom avsevärda summor pengar på marknadsföring. Det finns dock WF-attacker som kan korrekt gissa vilken webbplats en användare besöker baserat på webbtrafik, även om den går genom en VPN-tunnel.Dessa attacker har rätt bra precision när det kommer till scenarier i sluten värld, men problemet är att dessa fortfarande är långt borta från att simulera typiskt användarbeteende.I det här examensarbetet utforskar och bygger vi verktyg som kan samla in VPNtrafik från olika källor. Trafiken kan användas för att kombineras till mera realistiska dataset och sedan användas för att utvärdera träffsäkerheten av WF-attacker. Vi hoppas att dessa dataset kommer att hjälpa oss och andra att bättre simulera verkliga scenarier.Under projektets gång utvecklade vi ett par automatiserings skript och verktyg för databearbetning med hjälp av Bash och Python. Trafik samlades in på en server från vårt universitet med en kombination av containeriseringen, skripten vi utvecklade, Unix-verktyg och Wireshark. Efter en del manuell datarensning kombinerade vi vår infångade trafik tillsammans med det tillhandahållna datasetet med webbtrafik och skapade ett nytt dataset som vi använde för att utvärdera riktigheten av tre WF attacker.Vid slutet hade vi samlat in 1345 filer med VPN-trafik. All trafik samlades in från den populära livestream plattformen twitch.tv. Livestreamingkanaler plockades ut från twitchs förstasida och vi slutade med 245 unika kanaler i vårat dataset. Med hjälp av vårat dataset lyckades vi minska noggrannheten för alla tre testade WF-attacker från 90% ner till 47% med tröskeln på 0,0 och från 74% ner till 17% med en tröskel på 0,99. Även om detta är en betydande minskning av noggrannheten kommer det med en ungefär tiofaldig ökning av antalet paket. I slutändan samlade vi bara trafik från twitch.tv men fick ändå några intressanta resultat och skulle gärna se fortsatt forskning inom detta område.Kod, instruktioner, dataset och andra artefakter finns tillgängliga via github.com/CSand/rds-collect.

Data collection

Website fingerprinting

dataset

traffic analysis

VPN

encrypted traffic

machine learning

deep learning

network measurements

twitch

Datainsamling

Profilering av hemsidor

dataset

trafikanalys

VPN

krypterad trafik

maskininlärning

djupinlärning

nätverksmätningar

twitch

Computer and Information Sciences

Data- och informationsvetenskap