Abstract

Website Fingerprinting (WF) enables a local passive attacker to infer which website a user is visiting over an encrypted connection. Classifiers utilizing deep neural networks (DNNs) automatically extract reliable features and have achieved up to 98&#x0025; accuracy even against Tor. Since DNNs are known to be vulnerable to adversarial examples, several recent studies have exploited adversarial perturbations to defeat WF attacks. These defenses, however, require a high bandwidth overhead that typically exceeds 20&#x0025; of the original traffic, prohibiting them from real-world deployment. Moreover, many studies on WF defense have been criticized for unrealistic assumptions such as full access to the target model and operating on the entire website trace. In this paper, we leverage adversarial patches&#x2014;a special type of adversarial example that perturbs only local parts of the input&#x2014;to control the overhead and enable black-box perturbation. In particular, we propose a new WF defense called <i>Minipatch</i> that injects extremely few dummy packets in real-time traffic to evade the attacker&#x2019;s classifier. Experimental results demonstrate that <i>Minipatch</i> provides over 97&#x0025; protection success rate with less than 5&#x0025; bandwidth overhead, much lower than existing defenses. Moreover, we show that our adversarial patches remain effective in challenging settings, e.g., where dummy packets are injected only on the client-side and where perturbations are applied almost two months later. Finally, we also analyze several potential countermeasures and suggest ways to preserve perturbation effectiveness during deployment.