DecETT: Accurate App Fingerprinting Under Encrypted Tunnels via Dual Decouple-based Semantic Enhancement
Zheyuan Gu, Chang Liu, Xiyuan Zhang, Chen Yang, Gaopeng Gou, Gang Xiong, Zhen Li, Sijia Li
TL;DR
DecETT tackles the problem of accurate app fingerprinting when traffic is protected by encrypted tunnels. It introduces TLS traffic as a semantic anchor and a dual decouple-based architecture to separate app semantic features from tunnel protocol features, mitigating re-encapsulation obfuscation. The approach leverages a parallel flow representation with a partially shared Siamese network, employing SRC, PSM, CPD, ASA, and ASC losses to preserve app semantics while minimizing tunnel noise. Experiments across five tunnels and 54 apps show DecETT substantially outperforms baselines, with strong performance on short flows and resilience under mixed-tunnel scenarios, indicating practical applicability for network management under privacy-preserving tunnels.
Abstract
Due to the growing demand for privacy protection, encrypted tunnels have become increasingly popular among mobile app users, which brings new challenges to app fingerprinting (AF)-based network management. Existing methods primarily transfer traditional AF methods to encrypted tunnels directly, ignoring the core obfuscation and re-encapsulation mechanism of encrypted tunnels, thus resulting in unsatisfactory performance. In this paper, we propose DecETT, a dual decouple-based semantic enhancement method for accurate AF under encrypted tunnels. Specifically, DecETT improves AF under encrypted tunnels from two perspectives: app-specific feature enhancement and irrelevant tunnel feature decoupling. Considering the obfuscated app-specific information in encrypted tunnel traffic, DecETT introduces TLS traffic with stronger app-specific information as a semantic anchor to guide and enhance the fingerprint generation for tunnel traffic. Furthermore, to address the app-irrelevant tunnel feature introduced by the re-encapsulation mechanism, DecETT is designed with a dual decouple-based fingerprint enhancement module, which decouples the tunnel feature and app semantic feature from tunnel traffic separately, thereby minimizing the impact of tunnel features on accurate app fingerprint extraction. Evaluation under five prevalent encrypted tunnels indicates that DecETT outperforms state-of-the-art methods in accurate AF under encrypted tunnels, and further demonstrates its superiority under tunnels with more complicated obfuscation. Project page: https://github.com/DecETT/DecETT
