TrapFlow: Controllable Website Fingerprinting Defense via Dynamic Backdoor Learning

TL;DR

TrapFlow is a novel website fingerprinting defense that uses dynamic backdoor learning to cause misclassification in attacker models, significantly reducing attack accuracy with manageable overhead and robustness against adaptive adversaries.

Contribution

The paper introduces TrapFlow, a controllable backdoor-based defense that effectively disrupts website fingerprinting attacks by injecting crafted triggers into traffic patterns.

Findings

Reduces RF attack accuracy from 99% to 6%.

Achieves this with 74% data overhead.

Outperforms state-of-the-art defenses in effectiveness and overhead.

Abstract

Website fingerprinting (WF) attacks, which covertly monitor user communications to identify the web pages they visit, pose a serious threat to user privacy. Existing WF defenses attempt to reduce attack accuracy by disrupting traffic patterns, but attackers can retrain their models to adapt, making these defenses ineffective. Meanwhile, their high overhead limits deployability. To overcome these limitations, we introduce a novel controllable website fingerprinting defense called TrapFlow based on backdoor learning. TrapFlow exploits the tendency of neural networks to memorize subtle patterns by injecting crafted trigger sequences into targeted website traffic, causing the attacker model to build incorrect associations during training. If the attacker attempts to adapt by training on such noisy data, TrapFlow ensures that the model internalizes the trigger as a dominant feature, leading to widespread misclassification across unrelated websites. Conversely, if the attacker ignores these patterns and trains only on clean data, the trigger behaves as an adversarial patch at inference time, causing model misclassification. To achieve this dual effect, we optimize the trigger using a Fast Levenshtein like distance to maximize both its learnability and its distinctiveness from normal traffic. Experiments show that TrapFlow significantly reduces the accuracy of the RF attack from 99 percent to 6 percent with 74 percent data overhead. This compares favorably against two state of the art defenses: FRONT reduces accuracy by only 2 percent at a similar overhead, while Palette achieves 32 percent accuracy but with 48 percent more overhead. We further validate the practicality of our method in a real Tor network environment.