Mockingbird: Defending Against Deep-Learning-Based Website Fingerprinting Attacks with Adversarial Traces

Website Fingerprinting (WF) is a type of traffic analysis attack that enablesa local passive eavesdropper to infer the victim's activity, even when thetraffic is protected by a VPN or an anonymity system like Tor. Leveraging adeep-learning classifier, a WF attacker can gain over 98% accuracy on Tortraffic. In this paper, we explore a novel defense, Mockingbird, based on theidea of adversarial examples that have been shown to undermine machine-learningclassifiers in other domains. Since the attacker gets to design and train hisattack classifier based on the defense, we first demonstrate that at astraightforward technique for generating adversarial-example based traces failsto protect against an attacker using adversarial training for robustclassification. We then propose Mockingbird, a technique for generating tracesthat resists adversarial training by moving randomly in the space of viabletraces and not following more predictable gradients. The technique drops theaccuracy of the state-of-the-art attack hardened with adversarial training from98% to 42-58% while incurring only 58% bandwidth overhead. The attack accuracyis generally lower than state-of-the-art defenses, and much lower whenconsidering Top-2 accuracy, while incurring lower bandwidth overheads.