The Effect Background Traffic in VPNs has on Website Fingerprinting

Abstract: Tor and VPNs are used by many to be anonymous and circumvent censorship on the Internet. Therefore, traffic analysis attacks that enable adversaries to link users to their online activities are a severe threat. One such attack is Website Fingerprinting (WF), which analyses patterns in the encrypted traffic from and to users to identify website visits. To better understand to which extent WF can identify patterns in VPN traffic, there needs to be a deeper exploration into which extent background traffic in VPNs impacts WF attacks, which is traffic in the stream that the adversary does not wish to classify. This thesis explores how different background traffic types affect WF on VPN traffic. It is done by using existing VPN datasets and combining them into datasets which simulate a VPN tunnel where both foreground and background traffic is sent simultaneously. This is to explore how different kinds of background traffic affect known state-of-the-art WF attacks using Deep Learning (DL). Background traffic does affect DL-based WF attacks, but the impact on accuracy is relatively small compared to the bandwidth overhead: 200 % overhead reduces the accuracy from roughly 95 % to 70 %. WF attacks can be trained without any background traffic, as long as the overhead of the background traffic is smaller than 2 %, without any impact on accuracy. WF attacks can also be trained with background traffic from other applications than what it is tested on, as long as the applications produce similar traffic patterns. For example, traffic from different pre-recorded streaming applications like Netflix and YouTube is similar enough, but not traffic from pre-recorded and live streaming applications such as Twitch. Also, having access to the size of the packets makes WF attacks better than if the size is obscured, making VPNs probably more vulnerable than Tor to WF attacks. Thesis artefacts are available at: https://github.com/gustavRehnholm/wf-vpn-bg