基于ARF的Tor网站指纹识别技术

doi:10.3969/j.issn.1671-1122.2021.04.005

摘要/Abstract

摘要：

不法分子通过Tor等匿名通信系统构建暗网隐匿其不法行为,给网络监管带来了严峻挑战。网站指纹识别技术能根据加密流量来推测用户访问的站点,是一种有效的监管手段。已有的网站指纹识别技术采用的多为基于批处理的静态模型,无法有效解决概念漂移问题。针对Tor网站指纹,文章提出一种基于自适应随机森林(ARF)算法的动态网站指纹识别模型。模型使用自适应随机森林算法作为分类器,支持手工特征以及自动特征两种输入,能够根据特征流动态更新分类器模型,实现网站指纹的在线分类识别。实验结果表明,基于ARF的动态网站指纹识别模型检测能力优于已有的多种网站指纹识别方法,并能够有效解决已有模型存在的概念漂移问题。

关键词: 网站指纹, 匿名网络, 网络安全, 数据流挖掘, 自适应随机森林

Abstract:

Criminals use Tor and other anonymous communication systems to construct dark Webs to conceal their illegal activities, which brings severe challenges to network supervision. Website fingerprint recognition technology can infer the sites that users visit based on encrypted traffic, which is an effective monitoring method. Existing Website fingerprint recognition technologies mostly use batch-based static models, which cannot effectively solve the problem of concept drift. Aiming at Tor Website fingerprints, a dynamic Website fingerprint recognition model based on adaptive random forest algorithm is proposed. The model uses an adaptive random forest algorithm as the classifier, supports two input of manual features and automatic features, and can dynamically update the classifier model according to the feature stream to realize online classification and recognition of Website fingerprints. The experimental results show that the dynamic Website fingerprint recognition model based on ARF is better than the existing multiple Website fingerprint recognition methods, and can effectively solve the problem of concept drift in existing models.

Key words: Website fingerprint, anonymous network, cyber security, stream mining, adaptive random forest

中图分类号:

TP309

蔡满春, 王腾飞, 岳婷, 芦天亮. 基于ARF的Tor网站指纹识别技术[J]. 信息网络安全, 2021, 21(4): 39-48.

CAI Manchun, WANG Tengfei, YUE Ting, LU Tianliang. ARF-based Tor Website Fingerprint Recognition Technology[J]. Netinfo Security, 2021, 21(4): 39-48.

图/表 18

图1

图2

图3

图4

图5

图6

表1

表2

表3

表4

图7

表5

图8

图9

表6

图10

图11

表7

参考文献 26

[1]	SHI Y, MATSUURA K. Fingerprinting Attack on the Tor Anonymity System[C]// Springer. International Conference on Information and Communications Security(ICICS), December 14-17, 2009, Beijing, China. Heidelberg: Springer, 2009: 425-438.
[2]	JUAREZ M, AFROZ S, ACAR G, et al. A Critical Evaluation of Website Fingerprinting Attacks[C]// ACM. Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, November 3-7, 2014, Scottsdale Arizona USA. New York: Association for Computing Machinery, 2014: 263-274.
[3]	DEY R, SALEM F M. Gate-variants of Gated Recurrent Unit (GRU) Neural Networks[C]// IEEE. 2017 IEEE 60th International Midwest Symposium on Circuits and Systems (MWSCAS), August 6, 2017, Medford, MA, United States. New York: IEEE, 2017: 1597-1600.
[4]	BHAT S, LU D, KWON A, et al. Var-cnn: A Data-efficient Website Fingerprinting Attack Based on Deep Learning[J]. Proceedings on Privacy Enhancing Technologies, 2019,19(4):292-310.
[5]	SIRINAM P, IMANI M, JUAREZ M, et al. Deep Fingerprinting: Undermining Website Fingerprinting Defenses with Deep Learning[C]// ACM. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, October 15-19, 2018, Toronto Canada. New York: Association for Computing Machiner, 2018: 1928-1943.
[6]	HINTZ A. Fingerprinting Websites Using Traffic Analysis[EB/OL]. https://link.springer.com/chapter/10.1007/3-540-36467-6_13, 2020-10-08.
[7]	LU Liming, CHANG E C, CHAN M C. Website Fingerprinting and Identification Using Ordered Feature Sequences[C]// Springer. European Symposium on Research in Computer Security. September 20-22, 2010, Athens, Greece. Heidelberg: Springer, 2010: 199-214.
[8]	HERRMANN D, WENDOLSKY R, FEDERRATH H. Website Fingerprinting: Attacking Popular Privacy Enhancing Technologies with the Multinomial Naïve-bayes Classifier[C]// ACM. Proceedings of the 2009 ACM Workshop on Cloud Computing Security, November 13-15, 2009, Chicago Illinois, USA. New York: Association for Computing Machinery, 2009: 31-42.
[9]	PANCHENKO A, NIESSEN L, ZINNEN A, et al. Website Fingerprinting in Onion Routing Based Anonymization Networks[C]// ACM. Proceedings of the 10th Annual ACM Workshop on Privacy in the Electronic Society. October 15-17, 2011, Chicago Illinois, USA. New York: Association for Computing Machinery, 2011: 103-114.
[10]	CAI Xiang, ZHANG Xincheng, JOSHI B, et al. Touching From a Distance: Website Fingerprinting Attacks and Defenses[C]// ACM. Proceedings of the 2012 ACM Conference on Computer and Communications Security. October 7-9, 2012, Raleigh North Carolina, USA. New York: Association for Computing Machinery, 2012: 605-616.
[11]	WANG Tao, CAI Xiang, NITHYANAND, et al. Effective Attacks and Provable Defenses against Website Fingerprinting[C]// USENIX. Usenix Conference on Security Symposium, August 16-18, 2014, San Diego, Berkeley. New York: USENIX Association, 2014: 143-157.
[12]	RIMMER V, PREUVENEERS D, JUAREZ M, et al. Automated Website Fingerprinting through Deep Learning[EB/OL]. https://arxiv.org/pdf/1708.06376.pdf, 2020-10-02.
[13]	RAHMAN M S, SIRINAM P, MATHEWS N, et al. Tik-Tok: The Utility of Packet Timing in Website Fingerprinting Attacks[J]. Proceedings on Privacy Enhancing Technologies, 2020,20(3):5-24.
[14]	HE Xiaomin, WANG Jin, HE Yueying, et al. A Deep Learning Approach for Website Fingerprinting Attack[C]// IEEE. 2018 IEEE 4th International Conference on Computer and Communications (ICCC), December 10, 2018, Chengdu, China. New York: IEEE, 2018: 1419-1423.
[15]	SIRINAM P, IMANI M, JUAREZ M, et al. Deep Fingerprinting: Undermining Website Fingerprinting Defenses with Deep Learning[C]// ACM. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, October 15-19 ,2018, Toronto, Canada. New York: Association for Computing Machiner, 2018: 1928-1943.
[16]	MA Chencheng, DU Xuehui, CAO Lifeng, et al. Burst-analysis Website Fingerprinting Attack Based on Deep Neural Network[J]. Journal of Computer Research and Development, 2020,57(4):746-766.
	马陈城, 杜学绘, 曹利峰, 等. 基于深度神经网络burst特征分析的网站指纹攻击方法[J]. 计算机研究与发展, 2020,57(4):746-766.
[17]	WANG Xudong, YU Xiangzhan, ZHANG Hongli. Research on Traffic Identification Technology for Unknown Protocols[J]. Netinfo Security, 2019,19(10):74-83.
	王旭东, 余翔湛, 张宏莉. 面向未知协议的流量识别技术研究[J]. 信息网络安全, 2019,19(10):74-83.
[18]	ATTARIAN R, ABDI L, HASHEMI S. AdaWFPA: Adaptive Online Website Fingerprinting Attack for Tor Anonymous Network: A Stream-wise Paradigm[J]. Computer Communications, 2019,19(148):74-85.
[19]	BIFET A, READ J, PFAHRINGER B, et al. CD-MOA: Change Detection Framework for Massive Online Analysis[C]// Springer. International Symposium on Intelligent Data Analysis, October 17-19, 2013, London, England. Heidelberg: Springer, 2013: 92-103.
[20]	WANG Tao, GOLDBERG I. Improved Website Fingerprinting on Tor[C]// ACM. Proceedings of the 12th ACM Workshop on Workshop on Privacy in the Electronic Society, November 5-7, 2013, Berlin, Germany. New York: Association for Computing Machiner, 2013: 201-212.
[21]	GOMES H M, BIFET A, READ J, et al. Adaptive Random Forests for Evolving Data Stream Classification[J]. Machine Learning, 2017,106(9-10):1469-1495. doi: 10.1007/s10994-017-5642-8 URL
[22]	COHEN J. A Coefficient of Agreement for Nominal Scales[J]. Educational and Psychological Measurement, 1960,20(1):37-46. doi: 10.1177/001316446002000104 URL
[23]	MONTIEL J, READ J, BIFET A, et al. Scikit-multiflow: A Multi-output Streaming Framework[J]. The Journal of Machine Learning Research, 2018,19(1):2915-2914.
[24]	ALEXA. Alexa-actionable Analytics for the Web[EB/OL]. http://www.alexa.com, 2020-10-02.
[25]	JUAREZ M. Tor Browser Crawler[EB/OL]. https://github.com/webfp/tor-browser-crawler, 2020-10-02.
[26]	HAYES J, DANEZIS G. K-fingerprinting: A Robust Scalable Website Fingerprinting Technique[EB/OL]. https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_hayes.pdf, 2020-10-02.

配置	参数
操作系统	Ubuntu18.0 LTS 64 bit
处理器	2.3 GHz 八核Intel Core i9
内存	16 G 2400 MHz DDR4
Anaconda3	4.7.12版本 64 bit
Tensorflow	1.14.0
scikit-multiflow	0.4.1
scikit-learn	0.18.1

数据类型		网站数量/个	样本数量（网站）/个
KNN data	监管网站	100	90
KNN data	非监管网站	9000	1
Week1数据集	监管网站	100	100
Week1数据集	非监管网站	8000	1
Week2数据集	监管网站	100	100
Week2数据集	非监管网站	8000	1

维度	特征
流量维度	传输数据总大小
	传输时间以及传入
	传出数据包的数量
burst维度	burst的数量
	最大长度
	平均长度

模型	参数名	类型	参数值
seq2seq	Batch_size	Int	10
	Encoder_hidden_states	Int	100
	Cell-type	Str	GRU
	Learning_rate	float	0.001
	Batch_norm	Bool	False
ARF	n_estimators	Int	10
	lambda_value	Int	6
	split_criterion	Str	info_gain
	drift_detect_method	Str	ADWIN(0.001)
	warning_detect_method	Str	ADWIN(0.01)

Encoder_hidden_states	特征向量长度/bit	提取耗时/s	最小损失值
80	160	658	51.756
100	200	649	51.728
120	240	641	51.734
140	280	635	52.133