基于统计的浏览器指纹采集技术

doi:10.3969/j.issn.1671-1122.2019.11.007

信息网络安全 ›› 2019, Vol. 19 ›› Issue (11): 49-55.doi: 10.3969/j.issn.1671-1122.2019.11.007

基于统计的浏览器指纹采集技术

张良峰^1,², 汪毅^1,^2,³, 吴源燚², 孔睿⁴()

1.上海微系统与信息技术研究所,上海 200050
2.上海科技大学信息学院,上海 201210
3.中国科学院大学,北京 100029
4.信息系统安全技术国防科技重点实验室,北京 100101

收稿日期:2019-02-05 出版日期:2019-11-10 发布日期:2020-05-11
作者简介:
作者简介：张良峰（1982—）,男,山东,助理教授,博士,主要研究方向为安全多方计算、网络安全;汪毅（1995—）,男,江西,硕士研究生,主要研究方向为网络安全、移动安全;吴源燚（1992—）,男,江苏,硕士研究生,主要研究方向为网络安全、安卓平台安全;孔睿（1987—）,女,山东,工程师,硕士,主要研究方向为网络安全。
基金资助:
国家自然科学基金[61602304]

Statistics-based Browser Fingerprint Acquisition Technology

Liangfeng ZHANG^1,², Yi WANG^1,^2,³, Yuanyi WU², Rui KONG⁴()

1. Shanghai Institute of Microsystem and Information Technology, Shanghai 200050, China
2. School of Information Science and Technology of Shanghai Tech University, Shanghai 201210, China
3. University of Chinese Academy of Sciences, Beijing 100029, China
4. National Key Laboratory of Science and Technology on Information System Security, Beijing 100101, China

Received:2019-02-05 Online:2019-11-10 Published:2020-05-11

摘要/Abstract

摘要：

浏览器指纹是一项识别用户浏览器的新技术,它能够通过用户使用浏览器的各种独一无二的特征来区别不同用户并标记。浏览器指纹可以被用于广告营销和对抗网络诈骗,同时也可以被攻击者用来跟踪用户。为了保护用户隐私安全,研究者们提出了多种解决方案来避免用户被跟踪。最新的防御方法是在不影响用户使用的前提下,对浏览器指纹中的关键属性随机化,破坏用户不同会话间的关联性。针对这样的防御方法,为了能够准确得到用户浏览器指纹,文章采用了统计和侧信道攻击的方法,并根据观察所得的浏览器指纹关键属性的随机值,还原出了浏览器指纹中关键属性的真实值,从而达到区分和跟踪用户的目的。实验结果表明,该方法还原浏览器指纹的精确度超过了98%。

关键词: 浏览器隐私, 设备指纹, 侧信道攻击, 随机化, 假设检验

Abstract:

Browser’s fingerprint is a new technology used as a unique identifier for the user,it can learn enough information about your browser to uniquely distinguish you from all the other visitors to that site. When it is used to marketing advertising and defend fraud, attackers use this technology to track users at the same time. To protect users’ privacy, researchers have proposed many solutions to avoid being tracked. One of the newest is randomizing key attributes of browser’s fingerprint to disruptive relevance between user’s different sessions. This paper proposed an attack on a recent proposal that randomizes browser features to defeat fingerprinting and demonstrated the attack’s effectiveness. With a statistics method and Side-channel attack method, this paper can restore the truth of the key attribute of browser’s fingerprint and distinguishdifferent users . The experimental results show that with our method, the accuracy of restore the browser’s fingerprint is more than 98%.

Key words: browser privacy, fingerprint, side-channel attack, randomize, hypothesis testing

中图分类号:

TP309

张良峰, 汪毅, 吴源燚, 孔睿. 基于统计的浏览器指纹采集技术[J]. 信息网络安全, 2019, 19(11): 49-55.

Liangfeng ZHANG, Yi WANG, Yuanyi WU, Rui KONG. Statistics-based Browser Fingerprint Acquisition Technology[J]. Netinfo Security, 2019, 19(11): 49-55.

图/表 2

参考文献 17

[1]	WU Quan, LAI Bin. New Network Technology Standards of the Changes Brought[J]. Computer Knowledge and Technology, 2010, 6(15): 3937-3938.
	吴权,赖斌.浅谈新网络技术标准带来的改变[J].电脑知识与技术,2010,6(15):3937-3938.
[2]	JIANG Pengfei.The Browser User Behavior Recognition Technology Research[D]. Xi’an: Xi’an University of Technology, 2016.
	蒋鹏飞. 浏览器用户行为识别技术的研究[D]. 西安:西安理工大学,2016.
[3]	SHEN Jianmiao. Watch out for New Security Issues Caused by HTML5[N]. Computer World, 2010-9-6(S7).
	沈建苗.警惕 HTML5 引发新的安全问题[N]. 计算机世界,2010-9-6(S7).
[4]	ZHANG Yuqing, WANG Weiping, WANG Wei.Identification of Changed Browser Fingerprint[J]. Computer Engineering and Applications, 2018, 54(7): 102-106.
	张雨清,王伟平,王维. 一种面向渐变浏览器指纹的识别方法[J]. 计算机工程与应用,2018,54(7):102-106.
[5]	ECKERSLEY P.How Unique Is Your Web Browser?[C]//PETS. Privacy Enhancing Technologies, 10th International Symposium, July 21-23, 2010, Berlin, Germany. New York: Springer, 2010: 1-18.
[6]	LAPERDRIX P, RUDAMETKIN W, BAUDRY B.Mitigating Browser Fingerprint Tracking: Multi-level Reconfiguration and Diversification[C]//IEEE. Software Engineering for Adaptive and Self-Managing Systems(SEAMS), May 18-19, 2015, Firenze, Italia. New York: IEEE, 2015: 98-108.
[7]	NIKIFORAKIS N, KAPRAVELOS A, JOOSEN W, et al.Cookieless Monster: Exploring the Ecosystem of Web Based Device Fingerprinting[C]// IEEE. Security and privacy(SP), May 19-22, 2013, Berkeley, California, USA. New York: IEEE, 2013: 541-555.
[8]	ACAR G, JUAREZ M, NIKIFORAKIS N, et al.FPDetective: Dusting the Web for Fingerprinters[C]//ACM. Sigsac Conference on Computer & Communications Security. November 4-8, 2013, Berlin, Germany. New York: ACM, 2013: 1129-1140.
[9]	SHEN jie, XUE Guirong. Security and Solution of Cookies[J]. Computer Engineering and Applications, 2002, 38(14): 149-151.
	沈洁,薛贵荣. COOKIES的安全及其解决方案[J]. 计算机工程与应用,2002,38(14):149-151.
[10]	AAFA J S, SOJA S.Fingerprint Combinations for Privacy Protection: A Performance Analysis[J]. International Journal of Computer Applications, 2014, 103(6): 12-17.
[11]	TOLKOFF S.Blue Cava Looks to Recruit Talent With Food Trucks[J]. Orange County Business Journal, 2011, 34(2): 24.
[12]	SPOSITO S.Threat Metrix Raises $18M in Round[J]. American Banker, 2012, 117(48): 16.
[13]	BODLE R.Privacy and Participation in the Cloud: Ethical Implications of Google’s Privacy Practices and Public Communications[J]. The Ethics of Emerging Media: Information, Social Norms, and New Media Technology, 2011: 155-174.
[14]	WANG Xiaoqian.Research on Cause and Mechanism of Web Client’s Privacy Leakage[D]. Beijing: Beijing University of Technology, 2017.
	王晓茜. Web 客户端隐私泄露成因与机理研究[D]. 北京:北京工业大学,2017.
[15]	WANG T, Goldberg I.Improved Website Fingerprinting on Tor[C]// ACM.Workshop on Workshop on Privacy in the Electronic Society. November 4, 2013. Berlin, Germany. New York: ACM, 2013: 201-212.
[16]	TORRES C F, Jonker H, Mauw S.FP-Block : Usable Web Privacy by Controlling Browser Fingerprinting[M]//Springer. Computer Security ESORICS 2015.Heidelberg: Springer International Publishing, 2015.
[17]	NIKIFORAKIS N, JOOSEN W, LIVSHITS B.PriVaricator: Deceiving Fingerprinters with Little White Lies[C]//O.I.C. International World Wide Web Conference. May 18-22, 2015. Florence, Italy. New York: Springer, 2015: 820-830

基于统计的浏览器指纹采集技术

Statistics-based Browser Fingerprint Acquisition Technology

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 2

参考文献 17

相关文章 5

编辑推荐

Metrics

本文评价

[1]	文伟平, 贾世琳, 杜嘉薇, 秦策. Windows堆地址随机化原理剖析与改进[J]. 信息网络安全, 2017, 17(7): 1-10.
[2]	王庆, 屠晨阳, 沈嘉荟. 侧信道攻击通用框架设计及应用[J]. 信息网络安全, 2017, 17(5): 57-62.
[3]	贾徽徽, 王潮, 顾健, 陆臻. 基于Grover量子中间相遇搜索算法的ECC攻击错误bit的修正[J]. 信息网络安全, 2016, 16(6): 28-34.
[4]	陈宇航, 贾徽徽, 姜丽莹, 王潮. 基于Grover算法的ECC扫描式攻击[J]. 信息网络安全, 2016, 16(2): 28-32.
[5]	尹心明, 胡正梁, 陈国梁, 黄海晔. 基于设备指纹决策树分类的IP视频专网入网检测方案研究[J]. 信息网络安全, 2016, 16(12): 68-73.