{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T05:03:59Z","timestamp":1750309439160,"version":"3.41.0"},"reference-count":40,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2024,11,9]],"date-time":"2024-11-09T00:00:00Z","timestamp":1731110400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2025,2,28]]},"abstract":"<jats:p>\n            In an increasingly digital and interconnected world, online anonymity and privacy are paramount issues for Internet users. To address this, tools like The Onion Router (Tor) offer anonymous and private communication by routing traffic through multiple relays with multiple layers of encryption. However, traffic fingerprinting attacks have threatened anonymity and privacy. In response, the community has proposed additional defenses for Tor, but fingerprinting techniques that utilize deep neural networkss (DNNs) have undermined many of these defenses. The latest defenses that are both lightweight and robust against DNNs use adversarial examples, but these defenses require either the full traffic trace beforehand or a database of pre-computed adversarial examples. We propose\n            <jats:italic>Prism<\/jats:italic>\n            , a defense against fingerprinting attacks that utilizes adversarial examples with neither prior access to the full traffic trace nor a database. We describe a novel method of adversarial example generation as input is learned over time.\n            <jats:italic>Prism<\/jats:italic>\n            injects these adversarial examples into the Tor traffic stream to prevent DNNs from accurately classifying both websites and videos that a user is viewing, even if the DNN is hardened by adversarial training. We also show that the Tor network could implement\n            <jats:italic>Prism<\/jats:italic>\n            entirely on relays under certain conditions, extending the defense to users who may run Tor on devices without graphics processing units.\n          <\/jats:p>","DOI":"10.1145\/3698591","type":"journal-article","created":{"date-parts":[[2024,10,3]],"date-time":"2024-10-03T10:53:46Z","timestamp":1727952826000},"page":"1-23","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["Defending Against Deep Learning-Based Traffic Fingerprinting Attacks With Adversarial Examples"],"prefix":"10.1145","volume":"28","author":[{"ORCID":"https:\/\/orcid.org\/0009-0004-9747-6167","authenticated-orcid":false,"given":"Blake","family":"Hayden","sequence":"first","affiliation":[{"name":"Computer Science, Naval Postgraduate School, Monterey, United States"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-1143-699X","authenticated-orcid":false,"given":"Timothy","family":"Walsh","sequence":"additional","affiliation":[{"name":"Computer Science, Naval Postgraduate School, Monterey, United States"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8227-3621","authenticated-orcid":false,"given":"Armon","family":"Barton","sequence":"additional","affiliation":[{"name":"Computer Science, Naval Postgraduate School, Monterey, United States"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2024,11,9]]},"reference":[{"key":"e_1_3_2_2_2","volume-title":"Defending Neural Networks Against Adversarial Examples","author":"Barton Armon","year":"2018","unstructured":"Armon Barton. 2018. Defending Neural Networks Against Adversarial Examples. Ph. D. Dissertation. University of Texas Arlington, Arlington, TX."},{"key":"e_1_3_2_3_2","doi-asserted-by":"crossref","unstructured":"Armon Barton and Matthew Wright. 2016. DeNASA: Destination-naive AS-awareness in anonymous communications. Proceedings on Privacy Enhancing Technologies 2016 4 (2016) 356\u2013372.","DOI":"10.1515\/popets-2016-0044"},{"key":"e_1_3_2_4_2","doi-asserted-by":"crossref","unstructured":"Sanjit Bhat David Lu Albert Kwon and Srinivas Devadas. 2019. Var-CNN: A data-efficient website fingerprinting attack based on deep learning. Proceedings on Privacy Enhancing Technologies 2019 4 (2019) 292\u2013310.","DOI":"10.2478\/popets-2019-0070"},{"key":"e_1_3_2_5_2","unstructured":"Tom B. Brown Dandelion Man\u00e9 Aurko Roy Mart\u00edn Abadi and Justin Gilmer. 2018. Adversarial patch. arxiv:1712.09665 [cs.CV] (2018). https:\/\/arxiv.org\/abs\/1712.09665"},{"key":"e_1_3_2_6_2","first-page":"227","volume-title":"Proceedings of the ACM Conference on Computer and Communications Security","author":"Cai Xiang","year":"2014","unstructured":"Xiang Cai, Rishab Nithyanand, Tao Wang, Rob Johnson, and Ian Goldberg. 2014. A systematic approach to developing and evaluating website fingerprinting defenses. In Proceedings of the ACM Conference on Computer and Communications Security. ACM, New York, NY, USA, 227\u2013238."},{"key":"e_1_3_2_7_2","first-page":"605","volume-title":"Proceedings of the ACM Conference on Computer and Communications Security","author":"Cai Xiang","year":"2012","unstructured":"Xiang Cai, Xincheng Zhang, Brijesh Joshi, and Rob Johnson. 2012. Touching from a distance: Website fingerprinting attacks and defenses. In Proceedings of the ACM Conference on Computer and Communications Security. ACM, New York, NY, USA, 605\u2013616."},{"key":"e_1_3_2_8_2","volume-title":"Towards Video Fingerprinting Attacks over Tor","author":"Campuzano Carlos","year":"2021","unstructured":"Carlos Campuzano. 2021. Towards Video Fingerprinting Attacks over Tor. Master\u2019s Thesis. Naval Postgraduate School, Monterey, CA."},{"key":"e_1_3_2_9_2","first-page":"753","volume-title":"Proceedings of the USENIX Security Symposium","author":"Cherubin Giovanni","year":"2022","unstructured":"Giovanni Cherubin, Rob Jansen, and Carmela Troncoso. 2022. Online website fingerprinting: Evaluating website fingerprinting attacks on Tor in the real world. In Proceedings of the USENIX Security Symposium. 753\u2013770."},{"key":"e_1_3_2_10_2","first-page":"1005","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy","author":"Deng Xinhao","year":"2023","unstructured":"Xinhao Deng, Qilei Yin, Zhuotao Liu, Xiyuan Zhao, Qi Li, Mingwei Xu, Ke Xu, and Jianping Wu. 2023. Robust multi-tab website fingerprinting attacks in the wild. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 1005\u20131022."},{"key":"e_1_3_2_11_2","first-page":"303","volume-title":"Proceedings of the USENIX Security Symposium","volume":"4","author":"Dingledine Roger","year":"2004","unstructured":"Roger Dingledine, Nick Mathewson, and Paul Syverson. 2004. Tor: The second-generation onion router. In Proceedings of the USENIX Security Symposium, Vol. 4. 303\u2013320."},{"key":"e_1_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.28"},{"key":"e_1_3_2_13_2","unstructured":"Ian J. Goodfellow Jonathon Shlens and Christian Szegedy. 2015. Explaining and harnessing adversarial examples. arxiv:1412.6572 [stat.ML] (2015). https:\/\/arxiv.org\/abs\/1412.6572"},{"key":"e_1_3_2_14_2","unstructured":"Shixiang Gu and Luca Rigazio. 2015. Towards deep neural network architectures robust to adversarial examples. arxiv:1412.5068 [cs.LG] (2015). https:\/\/arxiv.org\/abs\/1412.5068"},{"key":"e_1_3_2_15_2","first-page":"31","volume-title":"Proceedings of the ACM Workshop on Cloud Computing Security","author":"Herrmann Dominik","year":"2009","unstructured":"Dominik Herrmann, Rolf Wendolsky, and Hannes Federrath. 2009. Website fingerprinting: Attacking popular privacy enhancing technologies with the multinomial na\u00efve-Bayes classifier. In Proceedings of the ACM Workshop on Cloud Computing Security. ACM, New York, NY, USA, 31\u201342."},{"key":"e_1_3_2_16_2","first-page":"171","volume-title":"Proceedings of the Workshop on Privacy Enhancing Technologies","author":"Hintz Andrew","year":"2002","unstructured":"Andrew Hintz. 2002. Fingerprinting websites using traffic analysis. In Proceedings of the Workshop on Privacy Enhancing Technologies. 171\u2013178."},{"key":"e_1_3_2_17_2","doi-asserted-by":"crossref","unstructured":"Mohsen Imani Armon Barton and Matthew Wright. 2018. Guard sets in Tor using as relationships. Proceedings on Privacy Enhancing Technologies 2018 1 (2018) 145\u2013165.","DOI":"10.1515\/popets-2018-0008"},{"key":"e_1_3_2_18_2","first-page":"337","volume-title":"Proceedings of the ACM Conference on Computer and Communications Security","author":"Johnson Aaron","year":"2013","unstructured":"Aaron Johnson, Chris Wacek, Rob Jansen, Micah Sherr, and Paul Syverson. 2013. Users get routed: Traffic correlation on Tor by realistic adversaries. In Proceedings of the ACM Conference on Computer and Communications Security. ACM, New York, NY, USA, 337\u2013348."},{"key":"e_1_3_2_19_2","first-page":"263","volume-title":"Proceedings of the ACM Conference on Computer and Communications Security","author":"Juarez Marc","year":"2014","unstructured":"Marc Juarez, Sadia Afroz, Gunes Acar, Claudia Diaz, and Rachel Greenstadt. 2014. A critical evaluation of website fingerprinting attacks. In Proceedings of the ACM Conference on Computer and Communications Security. ACM, New York, NY, USA, 263\u2013274."},{"key":"e_1_3_2_20_2","first-page":"27","volume-title":"Proceedings of the European Symposium on Research in Computer Security","author":"Juarez Marc","year":"2016","unstructured":"Marc Juarez, Mohsen Imani, Mike Perry, Claudia Diaz, and Matthew Wright. 2016. Toward an efficient website fingerprinting defense. In Proceedings of the European Symposium on Research in Computer Security. 27\u201346."},{"key":"e_1_3_2_21_2","first-page":"109","volume-title":"Proceedings of the ACM Workshop on Privacy in the Electronic Society","author":"Lu David","year":"2018","unstructured":"David Lu, Sanjit Bhat, Albert Kwon, and Srinivas Devadas. 2018. DynaFlow: An efficient website fingerprinting defense based on dynamically-adjusting flows. In Proceedings of the ACM Workshop on Privacy in the Electronic Society. ACM, New York, NY, USA, 109\u2013113."},{"key":"e_1_3_2_22_2","unstructured":"Jiajun Lu Theerasit Issaranon and David Forsyth. 2017. SafetyNet: Detecting and rejecting adversarial examples robustly. arxiv:1704.00103 [cs.CV] (2017). https:\/\/arxiv.org\/abs\/1704.00103"},{"key":"e_1_3_2_23_2","unstructured":"Aleksander Madry Aleksandar Makelov Ludwig Schmidt Dimitris Tsipras and Adrian Vladu. 2019. Towards deep learning models resistant to adversarial attacks. arxiv:1706.06083 [stat.ML] (2019). https:\/\/arxiv.org\/abs\/1706.06083"},{"key":"e_1_3_2_24_2","first-page":"969","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy","author":"Mathews Nate","year":"2023","unstructured":"Nate Mathews, James K. Holland, Se Eun Oh, Mohammad Saidur Rahman, Nicholas Hopper, and Matthew Wright. 2023. SoK: A critical evaluation of efficient website fingerprinting defenses. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 969\u2013986."},{"key":"e_1_3_2_25_2","first-page":"2705","volume-title":"Proceedings of the USENIX Security Symposium","author":"Nasr Milad","year":"2021","unstructured":"Milad Nasr, Alireza Bahramali, and Amir Houmansadr. 2021. Defeating DNN-based traffic analysis systems in real-time with blind adversarial perturbations. In Proceedings of the USENIX Security Symposium. 2705\u20132722."},{"key":"e_1_3_2_26_2","doi-asserted-by":"crossref","unstructured":"Se Eun Oh Nate Mathews Mohammad Saidur Rahman Matthew Wright and Nicholas Hopper. 2021. GANDaLF: GAN for data-limited fingerprinting. Proceedings on Privacy Enhancing Technologies 2021 2 (2021) 305\u2013322.","DOI":"10.2478\/popets-2021-0029"},{"key":"e_1_3_2_27_2","first-page":"1","volume-title":"Proceedings of the Network and Distributed System Security Symposium","author":"Panchenko Andriy","year":"2016","unstructured":"Andriy Panchenko, Fabian Lanze, Jan Pennekamp, Thomas Engel, Andreas Zinnen, Martin Henze, and Klaus Wehrle. 2016. Website fingerprinting at Internet scale. In Proceedings of the Network and Distributed System Security Symposium. 1\u201315."},{"key":"e_1_3_2_28_2","first-page":"103","volume-title":"Proceedings of the ACM Workshop on Privacy in the Electronic Society","author":"Panchenko Andriy","year":"2011","unstructured":"Andriy Panchenko, Lukas Niessen, Andreas Zinnen, and Thomas Engel. 2011. Website fingerprinting in onion routing based anonymization networks. In Proceedings of the ACM Workshop on Privacy in the Electronic Society. ACM, New York, NY, USA, 103\u2013114."},{"key":"e_1_3_2_29_2","first-page":"1594","volume-title":"IEEE Transactions on Information Forensics and Security","author":"Rahman Mohammad Saidur","year":"2021","unstructured":"Mohammad Saidur Rahman, Mohsen Imani, Nate Mathews, and Matthew Wright. 2021. Mockingbird: Defending against deep-learning-based website fingerprinting attacks with adversarial traces. IEEE Transactions on Information Forensics and Security 16 (2021), 1594\u20131609."},{"key":"e_1_3_2_30_2","first-page":"2629","volume-title":"Proceedings of the ACM Conference on Computer and Communications Security","author":"Rahman Mohammad Saidur","year":"2019","unstructured":"Mohammad Saidur Rahman, Nate Matthews, and Matthew Wright. 2019. Poster: Video fingerprinting in Tor. In Proceedings of the ACM Conference on Computer and Communications Security. ACM, New York, NY, USA, 2629\u20132631."},{"key":"e_1_3_2_31_2","doi-asserted-by":"crossref","unstructured":"Mohammad Saidur Rahman Payap Sirinam Nate Mathews Kantha Girish Gangadhara and Matthew Wright. 2020. Tik-Tok: The utility of packet timing in website fingerprinting attacks. Proceedings on Privacy Enhancing Technologies 2020 3 (2020) 5\u201324.","DOI":"10.2478\/popets-2020-0043"},{"key":"e_1_3_2_32_2","first-page":"1","volume-title":"Proceedings of the Network and Distributed System Security Symposium","author":"Rimmer Vera","year":"2018","unstructured":"Vera Rimmer, Davy Preuveneers, Marc Juarez, Tom Van Goethem, and Wouter Joosen. 2018. Automated website fingerprinting through deep learning. In Proceedings of the Network and Distributed System Security Symposium. 1\u201315."},{"key":"e_1_3_2_33_2","unstructured":"Shawn Shan Arjun Nitin Bhagoji Haitao Zheng and Ben Y. Zhao. 2021. A real-time defense against website fingerprinting attacks. arxiv:2102.04291 [cs.CR] (2021). https:\/\/arxiv.org\/abs\/2102.04291"},{"key":"e_1_3_2_34_2","first-page":"1928","volume-title":"Proceedings of the ACM Conference on Computer and Communications Security","author":"Sirinam Payap","year":"2018","unstructured":"Payap Sirinam, Mohsen Imani, Marc Juarez, and Matthew Wright. 2018. Deep fingerprinting: Undermining website fingerprinting defenses with deep learning. In Proceedings of the ACM Conference on Computer and Communications Security. ACM, New York, NY, USA, 1928\u20131943."},{"key":"e_1_3_2_35_2","first-page":"1131","volume-title":"Proceedings of the ACM Conference on Computer and Communications Security","author":"Sirinam Payap","year":"2019","unstructured":"Payap Sirinam, Nate Mathews, Mohammad Saidur Rahman, and Matthew Wright. 2019. Triplet fingerprinting: More practical and portable website fingerprinting with n-shot learning. In Proceedings of the ACM Conference on Computer and Communications Security. ACM, New York, NY, USA, 1131\u20131148."},{"key":"e_1_3_2_36_2","unstructured":"Sagar Vaze Kai Han Andrea Vedaldi and Andrew Zisserman. 2022. Open-set recognition: A good closed-set classifier is all you need?arxiv:2110.06207 [cs.CV] (2022). https:\/\/arxiv.org\/abs\/2110.06207"},{"key":"e_1_3_2_37_2","first-page":"28","volume-title":"Proceedings of the IEEE Security Privacy Workshop on Designing Security for the Web","author":"Walsh Tim","year":"2024","unstructured":"Tim Walsh, Trevor Thomas, and Armon Barton. 2024. Exploring the capabilities and limitations of video stream fingerprinting. In Proceedings of the IEEE Security Privacy Workshop on Designing Security for the Web. IEEE, 28\u201339."},{"key":"e_1_3_2_38_2","first-page":"152","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy","author":"Wang Tao","year":"2020","unstructured":"Tao Wang. 2020. High precision open-world website fingerprinting. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 152\u2013167."},{"key":"e_1_3_2_39_2","doi-asserted-by":"crossref","first-page":"201","DOI":"10.1145\/2517840.2517851","volume-title":"Proceedings of the ACM Workshop on Privacy in the Electronic Society","author":"Wang Tao","year":"2013","unstructured":"Tao Wang and Ian Goldberg. 2013. Improved website fingerprinting on Tor. In Proceedings of the ACM Workshop on Privacy in the Electronic Society. ACM, New York, NY, USA, 201\u2013212."},{"key":"e_1_3_2_40_2","first-page":"1375","volume-title":"Proceedings of the USENIX Security Symposium","author":"Wang Tao","year":"2017","unstructured":"Tao Wang and Ian Goldberg. 2017. Walkie-Talkie: An efficient defense against passive website fingerprinting attacks. In Proceedings of the USENIX Security Symposium. 1375\u20131390."},{"key":"e_1_3_2_41_2","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2018.2886017"}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3698591","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3698591","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T01:09:44Z","timestamp":1750295384000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3698591"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,11,9]]},"references-count":40,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2025,2,28]]}},"alternative-id":["10.1145\/3698591"],"URL":"https:\/\/doi.org\/10.1145\/3698591","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"type":"print","value":"2471-2566"},{"type":"electronic","value":"2471-2574"}],"subject":[],"published":{"date-parts":[[2024,11,9]]},"assertion":[{"value":"2024-04-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-09-22","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-11-09","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}