Random Segmentation: New Traffic Obfuscation against Packet-Size-Based Side-Channel Attacks
Mnassar Alyami, Abdulmajeed Alghamdi, Mohammed Alkhowaiter, Cliff Zou, Yan Solihin

TL;DR
This paper introduces a data-efficient traffic obfuscation method that randomizes packet sizes by splitting TCP segments, effectively reducing device identification accuracy with minimal latency and overhead.
Contribution
It proposes a novel packet size randomization technique that obfuscates traffic patterns without relying on noise addition, improving privacy with lower data overhead.
Findings
Reduces device classification accuracy from 98% to 63%.
Adds less than 21% latency in real-world tests.
Overhead is approximately 5% in packet headers.
Abstract
Despite encryption, the packet size is still visible, enabling observers to infer private information in the Internet of Things (IoT) environment (e.g., IoT device identification). Packet padding obfuscates packet-length characteristics with a high data overhead because it relies on adding noise to the data. This paper proposes a more data-efficient approach that randomizes packet sizes without adding noise. We achieve this by splitting large TCP segments into random-sized chunks; hence, the packet length distribution is obfuscated without adding noise data. Our client-server implementation using TCP sockets demonstrates the feasibility of our approach at the application level. We realize our packet size control by adjusting two local socket-programming parameters. First, we enable the TCP_NODELAY option to send out each packet with our specified length. Second, we downsize the sending…
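A minimal sender sketch of the splitting idea in the abstract, added here as an illustration and not the authors' implementation. It covers only the TCP_NODELAY step; the 64 to 512 byte size range, the function names and the loopback demo are assumptions.

```python
import random
import socket
import threading

def random_chunks(payload, min_size, max_size, rng):
    """Cut payload into consecutive chunks with sizes drawn uniformly from
    [min_size, max_size]; only the final chunk may be shorter. No bytes are added."""
    chunks, offset = [], 0
    while offset < len(payload):
        size = rng.randint(min_size, max_size)
        chunks.append(payload[offset:offset + size])
        offset += size
    return chunks

def send_segmented(sock, payload, min_size=64, max_size=512, rng=None):
    """Send payload as random-sized writes; returns the list of sizes written.
    The 64..512 range is an assumed example, kept below a typical Ethernet MSS."""
    rng = rng or random.SystemRandom()  # OS entropy so sizes are not predictable
    # Disable Nagle's algorithm so small writes are sent immediately rather
    # than coalesced into one larger segment.
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
    sizes = []
    for chunk in random_chunks(payload, min_size, max_size, rng):
        sock.sendall(chunk)
        sizes.append(len(chunk))
    return sizes

def loopback_demo(payload):
    """Constructed demo: send over 127.0.0.1 and return (received, sizes).
    The receiver needs no changes because TCP is a byte stream."""
    server = socket.create_server(("127.0.0.1", 0))
    received = bytearray()

    def serve():
        conn, _ = server.accept()
        with conn:
            while data := conn.recv(4096):
                received.extend(data)

    worker = threading.Thread(target=serve)
    worker.start()
    with socket.create_connection(server.getsockname()) as client:
        sizes = send_segmented(client, payload)
    worker.join()
    server.close()
    return bytes(received), sizes

if __name__ == "__main__":
    data, sizes = loopback_demo(bytes(range(256)) * 8)  # constructed payload
    print(len(data), sizes)
```

The on-wire segment sizes should be confirmed with a packet capture, since the kernel may still merge or split writes under congestion or a small peer window.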
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Cryptographic Implementations and Security · Network Security and Intrusion Detection
