New Approaches to Website Fingerprinting Defenses

TL;DR

This paper develops theoretical bounds on the security-overhead trade-off for website fingerprinting defenses and evaluates an improved scheme, CS-BuFLO, showing it approaches optimal trade-offs more closely than previous defenses.

Contribution

It introduces bounds on security and bandwidth overhead trade-offs and refines and evaluates the CS-BuFLO defense scheme for website fingerprinting.

Findings

CS-BuFLO achieves 6x closer to the lower bound than Tor or SSH.

CS-BuFLO has high overhead, around 2.3-2.8x.

Theoretical bounds enable comparison of different defenses.

Abstract

Website fingerprinting attacks enable an adversary to infer which website a victim is visiting, even if the victim uses an encrypting proxy, such as Tor. Previous work has shown that all proposed defenses against website fingerprinting attacks are ineffective. This paper advances the study of website fingerprinting attacks and defenses in two ways. First, we develop bounds on the trade-off between security and bandwidth overhead that any fingerprinting defense scheme can achieve. This enables us to compare schemes with different security/overhead trade-offs by comparing how close they are to the lower bound. We then refine, implement, and evaluate the Congestion Sensitive BuFLO scheme outlined by Cai, et al. CS-BuFLO, which is based on the provably-secure BuFLO defense proposed by Dyer, et al., was not fully-specified by Cai, et al, but has nonetheless attracted the attention of the Tor developers. Our experiments find that CS-BuFLO has high overhead (around 2.3-2.8x) but can get 6x closer to the bandwidth/security trade-off lower bound than Tor or plain SSH.