Red Pill and Blue Pill: Controllable Website Fingerprinting Defense via Dynamic Backdoor Learning

Siyuan Liang, Jiajun Gong, Tianmeng Fang, Aishan Liu, Tao Wang, Xianglong Liu, Xiaochun Cao, Dacheng Tao, Chang Ee-Chien

TL;DR

Controllable Website Fingerprint Defense is introduced, a novel defense perspective based on backdoor learning that injects only incoming packets on the server side into the target web page's traffic, keeping overhead low while effectively poisoning the attacker's model during training.

Abstract

Website fingerprint (WF) attacks, which covertly monitor user communications to identify the web pages they visit, pose a serious threat to user privacy. Existing WF defenses attempt to reduce the attacker's accuracy by disrupting unique traffic patterns; however, they often suffer from the trade-off between overhead and effectiveness, resulting in less usefulness in practice. To overcome this limitation, we introduce Controllable Website Fingerprint Defense (CWFD), a novel defense perspective based on backdoor learning. CWFD exploits backdoor vulnerabilities in neural networks to directly control the attacker's model by designing trigger patterns based on network traffic. Specifically, CWFD injects only incoming packets on the server side into the target web page's traffic, keeping overhead low while effectively poisoning the attacker's model during training. During inference, the defender can influence the attacker's model through a 'red pill, blue pill' choice: traces with the trigger (red pill) lead to misclassification as the target web page, while normal traces (blue pill) are classified correctly, achieving directed control over the defense outcome. We use the Fast Levenshtein-like distance as the optimization objective to compute trigger patterns that can be effectively associated with our target page. Experiments show that CWFD significantly reduces RF's accuracy from 99% to 6% with 74% data overhead. In comparison, FRONT reduces accuracy to only 97% at similar overhead, while Palette achieves 32% accuracy with 48% more overhead. We further validate the practicality of our method in a real Tor network environment.
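The abstract describes the defender's two levers: a trigger made only of extra incoming cells inserted on the server side, chosen so that the defended trace is close (by a Levenshtein-like distance) to a target page's trace, and a per-trace "red pill / blue pill" switch that decides whether the trigger is sent at all. The toy below is an added example, not code from the CWFD paper or its authors. It assumes a trace is a list of cell directions (+1 outgoing, -1 incoming), uses plain Levenshtein distance as a stand-in for the paper's "Fast Levenshtein-like distance" (whose definition is not on this page), and uses a greedy placement search that is purely illustrative; the sample traces are constructed.

```python
# Added example (not code from the CWFD paper): toy model of server-side
# incoming-cell injection for a "red pill / blue pill" website fingerprinting defense.


def levenshtein(a, b):
    """Edit distance between two direction sequences.

    Assumption: plain Levenshtein distance stands in for the paper's
    'Fast Levenshtein-like distance', whose definition is not on this page.
    """
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1,               # delete x
                           cur[j - 1] + 1,            # insert y
                           prev[j - 1] + (x != y)))   # substitute
        prev = cur
    return prev[-1]


def inject_incoming(trace, trigger):
    """Insert dummy incoming cells (-1) before the given trace positions.

    trigger maps position -> number of incoming cells to insert there; position
    len(trace) means 'append at the end'. Only incoming cells are added, which is
    the abstract's point: the server pads, the client never sends extra cells.
    """
    out = []
    for idx, cell in enumerate(trace):
        out.extend([-1] * trigger.get(idx, 0))
        out.append(cell)
    out.extend([-1] * trigger.get(len(trace), 0))
    return out


def data_overhead(original, defended):
    """Fraction of extra cells relative to the undefended trace."""
    return (len(defended) - len(original)) / len(original)


def greedy_trigger(trace, target, budget):
    """Toy trigger optimizer (an assumption, not the paper's algorithm):
    place `budget` incoming cells one at a time wherever the edit distance
    to the target page's trace drops the most."""
    trigger = {}
    for _ in range(budget):
        best_dist, best_trigger = None, None
        for pos in range(len(trace) + 1):
            cand = dict(trigger)
            cand[pos] = cand.get(pos, 0) + 1
            dist = levenshtein(inject_incoming(trace, cand), target)
            if best_dist is None or dist < best_dist:
                best_dist, best_trigger = dist, cand
        trigger = best_trigger
    return trigger


def defend(trace, trigger, red_pill):
    """Red pill: emit the trace with the trigger. Blue pill: emit it unchanged."""
    return inject_incoming(trace, trigger) if red_pill else list(trace)


# Constructed sample traces (+1 outgoing, -1 incoming); not data from the paper.
PROTECTED_PAGE = [1, -1, 1, -1]
TARGET_PAGE = [1, -1, -1, -1, 1, -1, -1, -1]


def demo(budget=4):
    """Optimise a trigger for PROTECTED_PAGE against TARGET_PAGE and show both modes."""
    trigger = greedy_trigger(PROTECTED_PAGE, TARGET_PAGE, budget)
    red = defend(PROTECTED_PAGE, trigger, red_pill=True)
    blue = defend(PROTECTED_PAGE, trigger, red_pill=False)
    return {
        "trigger": trigger,
        "red_pill_trace": red,
        "blue_pill_trace": blue,
        "distance_before": levenshtein(PROTECTED_PAGE, TARGET_PAGE),
        "distance_after": levenshtein(red, TARGET_PAGE),
        "overhead": data_overhead(PROTECTED_PAGE, red),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the constructed traces, four injected incoming cells bring the defended ("red pill") trace to edit distance 0 from the target page while the outgoing cells are untouched, and the "blue pill" trace is the original. The overhead here is 100% only because the toy trace is four cells long; the paper's reported figure (74% data overhead against RF) comes from its own experiments, not from this example.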

Paper Structure

This paper contains 21 sections, 2 theorems, 19 equations, 7 figures, 6 tables, 3 algorithms.

Key Result

Lemma 1

Assume the attacker's model $f_{\bm{\theta}}$ and its feature extractor $\phi$ are differentiable with respect to the input traffic pattern $\bm{x}$. If the perturbation $\bm{\delta}$ is too short, such that $\|\bm{\delta}\|_{0}$ is minimal, then for the feature extraction function $\phi$, it follow

Figures (7)

  • Figure 1: Based on a backdoor learning framework, our CWFD can toggle between a "Red Pill" state (where traces containing the trigger patterns are misclassified) and a "Blue Pill" state (maintaining normal classification conditions), thereby achieving effective control of the attacker's model parameters and predictions.
  • Figure 2: The Overall Framework of CWFD. (a) Trigger Optimization: CWFD optimizes trigger patterns and inserts incoming cells on the server side to create poisoned traces with minimal impact on latency. (b) Poisoning Attacker: CWFD injects triggers into a selected target web page's traffic and subtly infects the attacker's model with poisoned traces. (c) Controllable Defense: CWFD allows dynamic control during inference, misclassifying poisoned traces to the target label when in "red pill" mode while remaining covert in "blue pill" mode.
  • Figure 3: Defense performance against various attacks in the open-world setting. The value in brackets after the method in the legend represents its average mAP.
  • Figure 4: Effect of total incoming packets and burst count on CWFD defense effectiveness.
  • Figure 5: Impact of poisoning rate (pr) on CWFD defense effectiveness across varying packet totals.
  • ...and 2 more figures

Theorems & Definitions (2)

  • Lemma 1: Effect of Perturbation in Feature Space [goodfellow2014explaining]
  • Theorem 1: Ineffectiveness of Learning due to Suboptimal Trigger Pattern