利用網路封包分析進行洋蔥網路瀏覽器設定偵測

Abstract

隨著網路封包分析技術的進步，一些學者將封包分析的技術運用在洋蔥網路上並提出兩種新攻擊，分別是網站辨識 (Website Fingerprinting, WF) 跟洋蔥網路匿名服務辨識 (Hidden Service Fingerprinting, HSF)。這兩種攻擊能夠讓攻擊者透過監聽使用者到洋蔥網路之間的封包，利用封包傳遞的統計資料和機器學習的演算法來預測使用者瀏覽的網站或洋蔥網路服務。這兩種攻擊對使用者的隱私匿名性造成威脅。 但 WF 和 HSF 目前仍然不構成大威脅，因為諸如瀏覽器的設定，網路狀況，使用者瀏覽習慣，這些原因都會影響到網站的網路封包的統計資料進而影響 WF和 HSF 的準確率。之前的研究 [27] 觀察到洋蔥網路瀏覽器版本會影響到封包的特徵，並提出提升 WF 和 HSF 準確率的條件就是攻擊者必須跟使用者使用相同的瀏覽器版本。 基於以上的觀察，我們更進一步研究洋蔥網路瀏覽器的設定對於WF 的影響。我們著重在於瀏覽器版本以及安全性設定這兩項瀏覽器設定進行研究。我們提出了一種基於網路封包分析的方法來辨識使用者的瀏覽器設定的攻擊 (BSF)，並實做了一個分類器透過網路封包特徵來偵測使用者的瀏覽器版本和安全性設定。 BSF 的一個特色是，因為使用者不會很頻繁的更動瀏覽器的設定，因此 BSF 能夠透過多次的偵測來提高單一使用者瀏覽器設定的偵測準確度。在封閉世界的假設中，BSF 分類器能夠在使用者瀏覽七個網站後有高達 99% 機率能夠正確判斷瀏覽器版本，然後在開放世界的假設中則是需要使用者瀏覽 59 個網站後才能夠有 99%準確率。關於安全性設定，在封閉世界假設中，使用者瀏覽 19 個網站後會有 99%機率正確判斷安全性設定，在開放世界假設中，單次的安全性設定偵測只有 60%準確率。最後我們進行封包特徵的分析找到重要的網路封包特徵，和研究洋蔥網路瀏覽器的更新紀錄跟安全性設定對瀏覽器功能影響，並且分析 BSF 預測中，準確率前 10 高跟準確率前 10 低的網站和這些網站的特色。我們發現最高級別的安全設定會把許多瀏覽器送出的請求擋掉，但預設跟第二級別的安全設定中，我們沒辦法從網路封包特徵中看出安全性設定造成的差異。在瀏覽器版本的分析中，我們發現單純從瀏覽器發出的請求類別看不太出不同版本間是否有顯著的差異，但可以從瀏覽網站中平均傳遞跟收到的位元數目看到一些不同版本間微小的差異。 根據我們的研究，我們提供洋蔥網路瀏覽器開發者跟一般的網站開發者一些抵抗 BSF 攻擊的建議。第一個方法是採用目前研究中針對 WF 的防禦方法，因為目前 WF 的防禦研究是隱藏原本網站的封包特徵，這樣的方法也適合拿來做為 BSF 攻擊的防禦機制。另一種方案是網站開發者可以採用一些針對大流量攻擊防護的服務，這些服務通常會產生一些具混淆性的封包跟暫時性的跳轉頁面，而額外的混淆性的封包跟跳轉頁面可以拿來隱藏原有網站的封包特徵，因而無法讓 BSF 的分類器蒐集到足夠的封包特徵和資訊做分類。

The advance in Network Traffic Analysis (NTA) techniques has introduced new lines of de-anonymization attacks [4] against the Tor network, inclusive of Website Fingerprinting(WF) and Hidden Service Fingerprinting (HSF). These attacks can identify which regular websites or Tor hidden services a Tor user visited by using machine learning algorithms to analyze network traffic, thus undermining the privacy protection provided by Tor. However, WF and HSF are far from practical in the real world [27, 34] because the real-world traffic trace may be affected by not only the visited websites but other factors such as browser settings, network conditions, and users’ access patterns. For example, previous work [27] observed that using different Tor browser versions might affect the network traffic and argued that one challenge in constructing an effective WF adversary is to ensure the adversary has the same browser version as the user’s. Inspired by their observation, in this work, we investigate the impact of browser settings, including the browser versions and security levels, on WF in the Tor network. After confirming that browser settings have substantial impacts on WF, we present a new NTA branch called Browser Setting Fingerprinting (BSF) and construct classifiers to identify a user’s Tor browser version and security level. Interestingly, unlike WF and HSF, BSF can improve classification accuracy over time because users do not frequently change their browser settings. Our version classifier achieves over 99% accuracy when the user visits more than seven websites without changing the browser setting under the closed-world assumption and 59 under the open-world assumption. Our security-level classifier also achieves over 99% accuracy when the user visits 19 websites without changing settings under the closed-world assumption. However, the security-level classifier achieves 60% accuracy under the open-world assumption. Last, we conduct an in-depth and comprehensive analysis to identify the most informative features, inspect the changelogs of Tor browsers, and investigate the root cause of the most/least accurate classification results. The safest security setting level significantly influences the number of JavaScript, font, and POST requests, while the standard and safer levels have indistinguishable traffic features. For the Tor browser version, we can only observe little traffic difference from the examined request content types among browser versions, but the average number of bytes sent and received shows the TBB version has observable difference. Based on our findings, we provide recommendations for browser developers and web developers to defend against BSF, WF, and HSF in general. The first approach is adopting the WF defense. Because WF defense aims at concealing websites’ traffic features, it may be effective in BSF defense as well. For the second approach, web developers can adopt a cloud-based DDoS protection service to obfuscate the traffic patterns as it will redirect the visit to a temporary website, and this approach will be particularly useful if the attackers terminate the website visit before the DDoS protection actually redirect the visit to the targeted website because the attackers do not collect the website’s traffic patterns in this case.