antiTree | posts and projects
posted on Dec 10, 2017

The folks at Rochester 2600 were regaled by a talk from Payap Sirinam who is on Matthew Wright’s academic team at RIT. They’re working on an interesting system that aims to defend against website fingerprinting attacks – a major threat to anonymity systems like tor. As in, if you’re using tor, passive adversaries in position to watch traffic between the tor client and a guard, can determine the website you’re visiting… with frightening accuracy.


Website traffic fingerprinting is the idea where even though traffic is encrypted, due to the patterns of the packets (bursts, gaps,etc), tools can learn to guess what site a user is visiting. Normally this is done through machine learning models that are taught against common websites like Alex Top 35K.

Each system will key in on different features of the traffic. For example some of the related work used:

  • Total size of all packets in one direction
  • Total size of the HTML document requested
  • Unique Packet lengths
  • Packet ordering
  • Initial packets
  • Gaps or concentration of outgoing packets
  • Bursts

The last two are what WTF-PAD focuses on when being defensive.


There’s a lot of existing research in the defensive realm. When attacks were simpler, the defenses were simpler. Previously you could simply add noise or padding to communications and it would break the models enough to collapse the attack.

But the main goal isn’t simple to evade fingerprinting, it’s also to keep bandwidth overhead to a minimum since doubling the amount of bandwidth consumed by a connection would mean that the Tor Network could only provide half the capacity. This is where adaptive padding came in.

Adaptive Padding

Adaptive Padding is the practice of trying to trick the machine learning models to create false positives or negatives by targeting the features listed above. In other words, Adaptive Padding will try to make users' traffic look like some other traffic (false positive) or make it look like no other traffic the model has ever seen (false negative).

The previous Adaptive Padding research was the BuFLO, Tamaraw, and CS-BuFLO methods until WTF-PAD came along. Each of the previous work was successful in defending from traffic fingerprinting but at a cost to performance either from a bandwidth consumption or latency perspective.

The methods were straight-forward: inject gaps in what would normally be a burst of traffic and inject dummy traffic in what would normally be a gap. The success of the model was a factor of their success at defending against fingerprinting attacks and the cost to network performance.

WTFPAD and RIT Research

So what is the team at RIT doing that’s different? The one is that there’s a control system in place so the you’re not following the exact same model for each client and if you wanted to update or tune the Adaptive Padding method, you can do so by simply updating the server to tell the client to communicate in this manner. That has a secondary benefit of exchanging extra data at the beginning of the transmission to further obfuscate the real traffic.

One of the other take-aways I got was that previous models had a difficult time knowing when to stop communications. That’s because one of the features above is total transmission time. If you can obfuscate that transmission time you can break those models as well. WTF-PAD uses what they describe as a “soft stopping condition”.

More Details

I think it’s really great work and I liked seeing that RIT was working on defensive attack methods for their tor-related research. Here’s some more information if you’re interested: