Trace-agnostic and Adversarial Training-resilient Website Fingerprinting Defense

Deep neural network (DNN) based website fingerprinting (WF) attacks can achieve an attack success rate (ASR) of over 90%, seriously threatening the privacy of Tor users. At present, adversarial example (AE) based defenses have demonstrated great potential to defend against WF attacks. However, existing AE-based defenses require knowing complete traffic trace for adversarial perturbation calculation, which is unrealistic in practice. Moreover, they may become ineffective once adversarial training (AT) is adopted by attackers. To mitigate these two problems, we propose a defense called ALERT. It generates adversarial perturbations without knowing traffic traces. Moreover, ALERT can effectively resist AT-aided WF attacks. The key idea of ALERT is to produce universal perturbations that vary from user to user. We conduct extensive experiments to evaluate ALERT. In the closed world, ALERT significantly surpasses four representative WF defenses, including the state-of-the-art (SOTA) defense AWA. Specifically, ALERT reduces the ASR of the SOTA DF attack to 12.68% and uses only 20.13% of communication bandwidth. In the open world, ALERT uses only 19.91% of bandwidth, reduces the True Positive Rate (TPR) of the DF attack to 37.46%, obviously outperforming the other defenses.