Leaked-Web: Accurate and Efficient Machine Learning-Based Website Fingerprinting Attack through Hardware Performance Counters

Since website browsing history contains much sensitive information like medical status, political interest, etc., it is critical to prevent leakage, protect users’ privacy, and enhance the system’s security against potential cyber-attacks. However, prior research has demonstrated that fingerprinting attacks can be independent of operating systems and browsers and rely on side-channel information collected passively. Such attacks can be launched both remotely and locally, or via a peripheral device. The side-channel information exists across different computing abstracts, including hardware, system, and network. Once the side-channel information is collected, ML-based classification is leveraged to infer users’ visited website information. There are three popular threat models targeting stealing users’ browsing history, including native attack model [9], malicious website attack model [31], and hardware attack model [5].

Hardware performance counters are a set of special-purpose registers built-in modern microprocessors to capture the count of hardware-related events. HPCs have been extensively used to predict the power, performance tuning [38, 24, 36], attacks detection [37, 43, 45, 40, 39, 30, 44, 42, 41, 46, 33], debugging, and energy efficiency of computing systems. It also enhances systems’ security by providing microarchitectural information of malware, side-channel attacks, and building detectors based on the events’ information [7, 16, 50]. However, recent studies have shown the suitability of such HPCs-based classification for spying on users’ behaviors and violating users’ privacy [9, 25]. Such privacy breach attacks gain access to HPCs via Perf tool which is a Linux-based low-level performance monitoring tool and provides considerable functionality and abstraction in the kernel, making the interface straightforward for ordinary users [1, 6]. Though Perf is equipped with access control setting, i.e. $perf\_event\_paranoid$, attacks are still able to access HPCs of applications initiated outside kernel space unless $perf\_event\_paranoid$ equals 4. Hence, the HPCs-based fingerprinting attacks still pose significant threats to system security and users’ privacy.

Protecting browsing history has emerged recently as a crucial concept to ensure the preservation of users’ privacy. In response, [49, 28] are proposed to leverage SSH based protection methods; [49] encrypts and authenticates messages in one session, and [28] adds cover traffic conservatively while maintaining high levels of security. Similarly, Tor project [34] is one of the most popular traffic transmission approaches, where messages are not directly routed to the receiver but encrypted and forwarded according to ephemeral paths of an overlay network. Though great progress made by such works, there are still a number of attacks which could bypass such protection mechanisms and extract users’ browsing history.

Some recent website fingerprint attacks exploit the clients’ machine information when visiting different websites, like memory footprint [13], storage [32], etc. To obtain the information, some attacks prepare a malicious website for users to visit, or a local malware to be launched on the target host. For example, [31] launches a Prime+Probe attack to measure cache occupancy through a malicious website. Then, a deep learning method is leveraged to classify websites and recover users browsing history. Other works such as [13] samples the memory footprint of browsers through the procfs file system in Linux. To defend against such attacks, [12] proposes ML-based syntactic-semantic approach that detects browser fingerprinting attacks’ behaviors by incorporating both static and dynamic JavaScript analysis. [8] proposes to monitor the running Web objects on user’s browser and collect fingerprinting related data. Then, it analyzes them and searches for patterns of fingerprinting attempts. Though effective, they only work for attacks deployed through malicious websites. Furthermore, advanced attacks [9] can be deployed in native code and bypass such detection systems. [27] randomizes properties, like offsetHeight and plugins, to the JavaScript environment, which generates different fingerprints even for the same website and increases non-determinism for attackers. However, the randomization is complex and can change the visual appearance of websites.

As shown in Figure 1(a), for our threat model we consider that the malicious codes reside in the host machine, initiate HPCs collection, and send them to a remote attacker. The malicious codes can be launched by inserting it into benign applications or downloading accidentally. With this model, the website fingerprinting attacks can be activated as long as the malicious codes are installed already and do not need users to open certain malicious websites. Furthermore, $perf\_event\_paranoid$ is set less than 4, giving access to reading HPCs from registers. The attacker is able to obtain the potential websites users might open at Alex top site [2].

In this work, all experiments are conducted on an Intel i5-3470 desktop with 4 cores and 8GB DRAM, three-level cache system. In this on-chip cache memory subsystem, while L1 and L2 caches are exclusively separated, the L3 cache memory is inclusive and shared among all cores. In addition, the operating system is Ubuntu 20.0.4 LST with Linux kernel 5.8.0. The proposed HPC-based attack is implemented on a widely used web browsers, Firefox.

In this work, we use Perf [1] to measure the hardware-related features, and memory and processor’s low-level behavior. Perf is a profiling and performance analysis tool that can help to track the hardware performance counters. As introduced in Section II, any value less than 4 for $/proc/sys/kernel/perf\_event\_paranoid$ gives users access to the HPCs-based profiling of website process. Additionally, we examine the performance overhead and sample size caused by HPCs monitoring in Figure 3. As depicted, the x-axis represents applied the sampling rate ranging from $1^{6}$ to $1^{0}$, the primary y-axis denotes the execution time of victim applications, and the second y-axis represents performance overhead under different sampling rate. Moreover, execution time under no HPCs monitoring is used to obtain the performance overhead percentage. It is observed that generally, the smaller the sampling rate is, the larger the performance overhead is. For instance, when the monitoring scale is $1^{6}$, the performance overhead is at its highest value reaching to 30%. Hence, to make the influence of sampling rate on system performance and the proposed attack less noticeable, we choose $1^{0}$ for the HPCs monitoring in Leaked-Web.

We select the top 30 websites from Alexa Top Sites [2]. Similar to previous works no traffic modeling is applied in our database implementation. For the purpose of thorough analysis, this work considers both Closed World and Open World datasets as described below:

Figure 4 compares the accuracy of Logit-RandomF-based classifier for websites classification using different HPC events (due to space limitations only 5 events are reported). As can be seen in this figure, changing the HPC could result in over 10% accuracy loss when the same ML classifier is applied. Furthermore, given that there exists a limited number of HPC registers physically available on modern microprocessors’ chips that can be accessed simultaneously [11], it is necessary to identify the most important HPCs for classifying the websites. To select the most prominent HPC features we employ Correlation Attribute Evaluation ($CorrelationAttributeEval$ in Weka [10]) with its default settings to calculate the Pearson correlation between attributes (HPC features) and classes (websites). Correlation attribute evaluation algorithm calculates the Pearson correlation coefficient between each attribute and class, as given below:

where $\rho$ is the Pearson correlation coefficient. $Z_{i}$ is the input dataset of event $i$ ($i=1,\dots,16$). $C$ is the output dataset containing labels, i.e., websites, like ”google.com”, ”youtube.com” and etc. in our case. The $cov(Z_{i},C)$ measures the covariance between input data and output data. The $var(Z_{i})$ and $var(C)$ measure variance of both input and output datasets, respectively. Next, the HPCs will be ranked according as shown in Table II and this work chooses the top 4 HPCs for classification.

In the proposed Leaked-Web attack, supervised learning is used to model the website fingerprinting attack. The ML implementation stage consists of a building step (training) and attack step (testing). In the building step, multiple traces (50) from each website are collected and labeled. The labeled dataset is used to trainvarious types of ML classifier including classical machine learning, classical machine learning with boosting, time-series, or deep learning models. The rationale for choosing these machine learning models is that they are from different branches of ML including classical model (RandomForest, LogitBoost RandomForest), deep learning models (FCN, LSTM), time-series models (DTW, BOP, Shapelet) techniques covering a diverse range of learning algorithms that support our comprehensive analysis and experiments. For the attacking phase, the proposed attack model receives unlabeled traces in which each of the trace is corresponding to a user’s website visit and the trained classifier outputs the prediction results. Each website has 20 traces for testing and the accuracy is calculated by comparing correctly classified labels and actual samples.

As introduced in Section III-D, 30 websites selected from the Alexa ranking are executed on our target system and each website has 50 traces for training and 20 traces for testing. Various ML classification models from classic, boosting, time-series and deep learning methods are investigated. As shown in Figure 5 and Figure 6, X-axis represents the number of traces for training in selected classification models from four ML types (classic, boosting, time-series, and deep learning methods) and Y-axis represents the classification accuracy and F-measure respectively for closed world. F-measure is interpreted as a weighted average of the precision (p) and recall (r) which is formulated as $\frac{2\times(p\times r)}{p+r}$. The precision is the proportion of the sum of true positives versus the sum of positive instances and the recall is the proportion of instances that are predicted positive of all the instances that are positive. F-measure is a comprehensive evaluation metric since it takes both the precision and the recall into consideration. More importantly, F-measure is also resilient to class imbalance in the dataset which is the case in our experiments.

As observed from the results, generally, reducing number of traces in training phase reduces both classification accuracy and F-measure values. This observation becomes more noticeable as we reduce the traces to lower than 20 where the accuracy becomes below to 80% for all the applied ML classification models. Another interesting observation is that Logit-RandomF classifier outperforms the previous work Perf-Web [9] for most of the training sizes (except when the number of traces for training drops to 5). When training traces is 50, Logit-RandomF classifier achieves the highest classification accuracy and F-measure, 91% and 0.901 respectively. As seen, the accuracy is improved in Leaked-Web by around 5% from 86% of previous work [9]. Another observation is that Shaplet-based classification model has shown to be more effective than the rest of two time-series classification models.

As our analysis showed that the Logit-RandomF model performs best among all experimented ML models in Leaked-Web. Hence, we explore the classification accuracy of Logit-RandomF model under various number of HPCs features and samples, which gives further insights into the potentially vulnerable architectures and duration of attacks. Such analysis is important for evaluating the effectiveness and complexity of future protection mechansims against such privacy violation attacks. This section primarily examines the accuracy of HPC-based website fingerprinting attacks when the number of HPCs changes from 8 to 2, indicating the leakage potential under other architectures with less or more available HPCs registers. As shown in Figure 7, the accuracy remains above 89% and 91% for both open and closed dataset when the number of HPCs features reduces from 8 to 2. This indicates that such HPC-based fingerprinting attacks can be effective in accurately inferring users’ browsing history at run-time in processor architectures with varying number of HPC registers even with limited available resources (only 2 HPC registers).

In this Section, we further investigate the HPCs monitoring duration in order to maintain a high classification performance. Since the number of samples per trace directly decides the duration for data collection when the attack is launched, using less samples indicates that the attack can be applied even when users visit a website within less than 1 minute. As shown in Figure 8, X-axis represents the number of samples ranging from 60 to 5 which means monitoring website for 60 second to 5 second. It can be observed that when reducing the number of samples from 60 to 20, the classification accuracy for closed and open world dataset has slight decrease from 90% to 88%, and 93% to 89% for closed and open world dataset. However, further reduction from 20 samples to 10 samples and then to 5 samples per trace causes more significant reduction, from 88% to 84% and then to 79%. Though the noticeable decrease of classification accuracy with only 5 samples, they accuracy still remains around 80%, indicating the capability of inferring websites of the attacker within 5 seconds.