A Multi-tab Website Fingerprinting Attack
In a Website Fingerprinting (WF) attack, a local, passive eavesdropper utilizes network flow information to identify which web pages a user is browsing. Previous researchers have extensively demonstrated the feasibility and effectiveness of WF, but only under the strong Single Page Assumption: the network flow extracted by the adversary always belongs to a single page. In other words, the WF classifier will never be asked to classify a network flow corresponding to more than one page, or part of a page. The Single Page Assumption is unrealistic because people often browse with multiple tabs. When this happens, the network flows induced by multiple pages will overlap, and current WF attacks fail to classify correctly. Our work demonstrates the feasibility of WF without the Single Page Assumption: we can attack a client who visits two pages simultaneously. First, we reduce it to a weaker assumption by allowing the attacker to know the start time of the second page. We present a new WF attack, which only uses packets between the first page's start time and the second page's start time. Compared to previous WF classifiers, our attack achieves a significantly higher true positive rate using a restricted chunk of packets. Second, we remove the weaker assumption by developing a new BalanceCascade-XGBoost scheme for the attacker to identify the start point of the second page. Our experiments demonstrate that in the multi-tab scenario, WF attacks are still practically effective. We have a TPR of 93.88% on SSH when using two seconds of packets, and we can also identify the page with a TPR of 77.08% on Tor using six seconds of packets.