TSA-WF: Exploring the Effectiveness of Time Series Analysis for Website Fingerprinting

TL;DR

This paper investigates the use of classical time series analysis techniques for website fingerprinting, demonstrating comparable accuracy in single-tab scenarios and potential for pinpointing website visit times in multi-tab traces.

Contribution

Introduces TSA-WF, a novel pipeline that leverages time series analysis to improve website fingerprinting, especially for timing estimation within network traces.

Findings

TSA-WF achieves accuracy comparable to existing attacks in single-tab scenarios.

TSA-WF can identify the approximate timing of website visits in multi-tab traces.

The approach remains effective even against certain WF defenses.

Abstract

Website fingerprinting (WF) is a technique that allows an eavesdropper to determine the website a target user is accessing by inspecting the metadata associated with the packets she exchanges via some encrypted tunnel, e.g., Tor. Recent WF attacks built using machine learning (and deep learning) process and summarize trace metadata during their feature extraction phases. This methodology leads to predictions that lack information about the instant at which a given website is detected within a (potentially large) network trace comprised of multiple sequential website accesses -- a setting known as \textit{multi-tab} WF. In this paper, we explore whether classical time series analysis techniques can be effective in the WF setting. Specifically, we introduce TSA-WF, a pipeline designed to closely preserve network traces' timing and direction characteristics, which enables the exploration of algorithms designed to measure time series similarity in the WF context. Our evaluation with Tor traces reveals that TSA-WF achieves a comparable accuracy to existing WF attacks in scenarios where website accesses can be easily singled-out from a given trace (i.e., the \textit{single-tab} WF setting), even when shielded by specially designed WF defenses. Finally, while TSA-WF did not outperform existing attacks in the multi-tab setting, we show how TSA-WF can help pinpoint the approximate instant at which a given website of interest is visited within a multi-tab trace.\footnote{This preprint has not undergone any post-submission improvements or corrections. The Version of Record of this contribution is published in the Proceedings of the 20th International Conference on Availability, Reliability and Security (ARES 2025)}