Defending Against Deep Learning-Based Video Fingerprinting Attacks with Adversarial Examples
Abstract
In an increasingly digital world, online anonymity and privacy is a paramount issue for internet users. Tools like The Onion Router (Tor) offer users anonymous internet browsing. Recently, however, Tors anonymity has been compromised through fingerprinting, where machine learning models are used to analyze Tor traffic and predict user viewing habits, with some models achieving an accuracy of over 99 percent.There are defenses for Tor that attempt to prevent fingerprinting, but many are defeated by new techniques that utilize Deep Neural Networks (DNNs). New defenses that are robust against DNNs use adversarial examples to fool the classifier, but those defenses either assume the user has access to the full traffic trace beforehand or require expensive maintenance from Tor servers. In this thesis, we propose Prism, a defense against fingerprinting attacks that uses adversarial examples to fool classifiers in real time. We describe a novel method of adversarial example generation that enables adversarial example creation as input is learned over time. Prism injects these adversarial examples into the Tor traffic stream to prevent DNNs from accurately predicting sites that a user is viewing, even if the DNN is hardened by adversarial training. We show that Prism reduces the accuracy of defended fingerprinting models from over 98 percent to 0 percent. We also show that Prism can be implemented entirely on the server side, increasing deployability for users who run Tor on devices without GPUs.
Document Details
- Document Type
- Technical Report
- Publication Date
- Jun 01, 2022
- Accession Number
- AD1184913
Entities
People
- Blake A. Hayden
Organizations
- Naval Postgraduate School