Article

SMART: A Lightweight and Reliable Multi-Path Transmission Model against Website Fingerprinting Attacks

1 Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006, China
2 College of Electronics and Information, Guangdong Polytechnic Normal University, Guangzhou 510635, China
3 College of Computer Engineering and Applied Math, Changsha University, Changsha 410022, China
* Author to whom correspondence should be addressed.
Electronics 2023, 12(7), 1668; https://doi.org/10.3390/electronics12071668
Submission received: 26 February 2023 / Revised: 16 March 2023 / Accepted: 20 March 2023 / Published: 31 March 2023

Abstract

The rapid development of IoT technology has promoted the integration of physical space and cyberspace. At the same time, it has also increased the risk of privacy leakage of Internet users. A large number of research works have shown that attackers can infer Internet surfing privacy through traffic patterns without decryption. Most of the existing research work on anti-traffic analysis is based on a weakened experimental assumption, which is difficult to apply in the actual IoT network environment and seriously affects the user experience. This article proposes a novel lightweight and reliable defense—SMART, which can ensure the anonymity and security of network communication without sacrificing network transmission performance. SMART introduces a multi-path transmission model in the Tor network, and divides traffic at multiple Tor entry onion relays, preventing attackers from obtaining network traffic statistical characteristics. We theoretically proved that SMART can improve the uncertainty of website fingerprint analysis results. The experimental result shows that SMART is able to resist encrypted traffic analysis tools, reducing the accuracy of four state-of-the-art classifiers from 98% to less than 12%, without inducing any additional artificial delay or dummy traffic. In order to avoid the performance degradation caused by data reassembly, SMART proposes a redundant slice mechanism to ensure reliability. Even in the case of human interference, the communication success rate is still as high as 97%.

1. Introduction

The development of the IoT has brought new challenges to security and privacy. Cyborgs, one of the hottest core technologies in the IoT system, also face the risk of leaking communication privacy when interacting [1]. Virtual private networks (VPNs) usually only protect the confidentiality of communication content, and cannot guarantee that user communication relationships will not be leaked. An increasing number of individuals are choosing to use anonymous communication networks to communicate covertly without surveillance. For example, the Tor network, which has a global network of nearly 7000 volunteer nodes, has become the most popular tool due to its low latency among all anonymous communication systems. Tor hides user identities (i.e., IP addresses) and prevents third parties from connecting to communication partners. Each relay is only recognized by its predecessor and successor [2].
Although anonymous communication networks can hide the identity of users, they still face the risk of leaking user privacy. For example, the Tor network uses a single-path transmission model, which cannot hide statistical characteristics such as the packet number, packet direction, and inter-packet interval. An attacker may exploit this weakness to perform website fingerprinting (WFP). WFP is a kind of encrypted traffic analysis attack that aims to match anonymous users and the objects they communicate with (i.e., visited websites) by passively observing traffic patterns. According to numerous studies over the years, WFP attacks have been able to achieve more than 90% effectiveness and are becoming more applicable in real-world environments thanks to the advancement of machine learning (ML) [3,4,5,6,7,8,9,10].
Research on defenses against WFP attacks has received increasing attention. However, most current defenses struggle with balancing security and network overhead due to their significant bandwidth and latency overhead, including artificial delays or dummy packet padding to hide traffic patterns. In the current advanced padding defenses, trade-offs are unacceptable. They increase latency, slow page loads by an average of two to four times, and impose a bandwidth overhead of 40% to 350% [11]. Some defenses need to know the prior knowledge of the page in advance, so the database is required to store the resources generated by the dynamic changes of the page, such as SuperSequence [12] and Glove [13]. These additional requirements increase the difficulty of deployment.
Developing effective defensive countermeasures that are both easy to use and deploy is critical given the growing number of powerful WFP attacks. We propose SMART: a novel lightweight and reliable WFP multi-path transmission defense. It successfully combats several state-of-the-art WFP classifiers with reasonable overhead. This research is based on user control and splits traffic across multiple entry ORs, limiting the traffic information that can be observed at a single entry OR and destroying otherwise consistent pipeline model features without injecting any extra delays or packets. In this paper, our main contributions are as follows:
  • We present the existing WFP attack model, background research on related attacks and defenses, and analyze the applicability of deploying defenses in the anonymous communication system, taking Tor as an example;
  • We design a novel WFP defense for the lightweight reliable multi-path transmission, SMART, which allows decentralized data transmission based on user-selected multi-paths without padding any spurious packets and artificial delays during the period. Additionally, we prove the effectiveness of the defense from a theoretical argument;
  • We solve the problem of the multi-path transmission of chaotic arrival and loss without recovery by implementing the concept of redundant coding in the scheme to improve the data reassembly rate to ensure transmission reliability;
  • We conduct an extensive analysis to demonstrate the performance of this defense. We demonstrate that our adversarial strategy is effective in reducing classification accuracy from over 95% to less than 12% by applying four current advanced WFP attacks for simulation and realistic environmental assessment. In terms of performance, it significantly reduces overhead compared to the other four defense methods. In terms of availability, our defense allows the network to jitter and lose partial fragmentation. It still restores the original data based on the remaining fragments.
The remainder of this article is organized as follows. Section 2 introduces the existing research and related work. Section 3 presents the threat model. Section 4 gives a detailed description of SMART. Section 5 introduces the setup of the experiment. Section 6 gives the results of the experimental evaluation. Section 7 discusses several problems of our research. Section 8 summarizes this article.

2. Related Work

2.1. WFP Attacks

In research revealing the privacy of user communication relationships, communication traffic feature engineering has been a critical concern for researchers. In the early days of HTTP 1.0, every time a web resource (image, script, etc.) was loaded, a new TCP connection needed to be established with the server. This means that if an adversary wants to identify the overall length of each resource, they should have the ability to differentiate between different TCP connections. This is how the earliest attacks were carried out. The studies by Sun et al. 2002 [14], Hintz 2003 [15], and Cheng et al. 1998 [16] demonstrated how analyzing traffic length could contribute to page identification. However, later versions of HTTP 1.1 support long connections by default. When loading an HTML file, multiple requests and responses in the file can be transmitted over the same TCP connection, so it is not easy to have privacy compromised by resource length.
In 2006, Liberatore and Levine [17] showed that unique packet length is a powerful WFP feature and built two traffic identification systems. One is based on a Naive Bayes classifier, while the other is on Jaccard coefficients. Both schemes depend on packet length. The authors used the Jaccard coefficient to calculate the distance between two streams and assumed that the probability of the occurrence of various stream lengths in Naive Bayes is independent of each other. Subsequently, Herrmann et al. [18] improved this approach by combining text detection techniques.
In 2011, for the first time, Panchenko et al. [19] performed a WFP attack against Tor in an open-world scenario, defining a new set of characteristics using the packet count, packet interval, and direction, increasing WFP accuracy from 3% to 55% with a support vector machine (SVM) classifier. As a result, this work inspired a large amount of later work in the field of WFP. In the same year, Cai et al. [20] used the edit distance to calculate the gap between the traffic streams, and they significantly improved attack accuracy by modifying the SVM kernel. In 2013, Wang and Goldberg et al. [21] proposed improvements to Cai et al.’s system based on the further observed page loading approach and OSAD, an algorithm that modifies the edit distance.
Wang et al. 2014 [12] demonstrated a new k-nearest neighbor (k-NN) WFP classifier model, which uses monitored website fingerprinting to train feature weights, and the input data set in the classification stage also includes unmonitored website traces. The condition for a page to be classified into a certain class is that all the k neighbors are regarded as the same class. In the same year, Juarez et al. [22] criticized some unrealistic assumptions made in previous work, and Wang and Goldberg [3] revisited some of the conditions for WFP to execute successfully and showed the way for attackers to obtain the latest training data.
Current WF research efforts are trying to continuously optimize evaluation methods: avoiding the use of stale data, using large-scale datasets generated in realistic scenarios, increasing the size of the monitoring site set, etc. The most advanced machine learning methods are applied to WFP to improve accuracy [5,6,7].
In 2016, Panchenko et al. [8] collected the most representative and comprehensive dataset at that time in order to explore the practical limitations of WFP in the context of the Internet. They proposed a new classifier called CUMUL that performs better in terms of computational complexity and classification accuracy than previous approaches. Another contemporaneous WFP classifier, k-fingerprinting [9], uses random decision forests to carry out attacks. The authors showed that it is possible to launch WFP attacks when faced with large amounts of noisy data, and they can successfully identify 30 monitored hidden services that customers are visiting from an open scenario of 100,000 unmonitored web pages, with a true positive rate (TPR) of 85% and a false positive rate (FPR) of as low as 0.02%. K-fingerprinting obtains accuracy similar to that obtained by CUMUL. Other work has also analyzed different methods to illustrate the importance of WFP features.
Recent work on traffic analysis has applied DL methods. In contrast to previous traditional classifiers, these models do not rely on human-labeled features. Rimmer et al. [6] showed that capturing features automatically is more reliable when faced with changing network content. The most potent WFP attack at the time was deep fingerprinting (DF), which is an enhanced version of the CNN classifier, as proposed by Sirinam et al. [7]. Other work further explored the applicability of DL to WFP [12,23,24,25,26,27].

2.2. WFP Defenses

Currently, techniques designed to change traffic patterns before and after the network pipeline are mainly used to defend against WFP [28,29,30,31]. This reduces the accuracy of the WFP classification to a safe range. Shmatikov and Wang et al. [32] designed an adaptive padding (AP) defense early on, where the AP decides whether to pad based on the arrival of the next packet with a specified interval range. Wright et al. [33] made the packet sequence look like it came from another webpage by random padding, thus achieving traffic obfuscation. It is now only valid for identification methods that rely on unique packet lengths, not for those that rely on other elements [12,20,34]. The BuFlo defense (buffered fixed-length obfuscation), proposed by Dyer et al. [34], required additional auxiliary server support. At the same time, the defense modes such as packet padding, artificial delays, and circuit padding are concentrated, resulting in a very large network overhead. Cai et al. [35] proposed a CS-BuFLO defense to improve it by introducing a rate adaptation mechanism to solve the problem that BuFLO cannot adapt to different network connections.
Juarez et al. [11] proposed WTF-PAD (fingerprinting protection with adaptive defense), a mechanism based on the AP defense. Compared to the previous AP defense, WTF-PAD adds a state machine. It works as follows: first, once the server’s message delivery time is reported to the client, the client triggers padding to further obfuscate traffic patterns. Secondly, after the client sends a request, WTF-PAD prompts the server to pad in order to obfuscate the website fingerprint. However, this approach was later defeated by deep learning classifiers, so Abusnaina et al. [36] proposed DFD (deep fingerprinting defender) to improve WTF-PAD by designing two modules, injection monitoring and injection buffering, which are used to record the last burst length and project the current number of injected packets. Szegedy et al. [37] proposed an adversarial sample-based defense, which deliberately adds subtle imperceptible perturbations to the samples, causing the model to output incorrectly. To generate perturbed samples in real time, Nasr et al. [38] proposed the blind adversarial network perturbations (BANP) defense. This defense makes perturbation generation independent of the target input by solving a specific optimization problem. However, the performance of the BANP defense degrades dramatically under the adversarial training model. This team proposed another blind adversarial perturbation defense against WFP in 2021 by introducing a remapping function to ensure no interference with the original traffic patterns. This adversarial sample idea needs to consider overhead and defense performance, in addition to real-time performance and the ability to resist adversarial training.
There is a traffic-splitting defense technique [39,40] that ensures less overhead in the defense process. Cadena et al. [39] designed TrafficSliver according to the traffic splitting technique, which intercepts client traffic and distributes it to multiple Tor subcircuits for delivery by deploying a proxy between the client and entry ORs. This method achieves better security goals using less overhead. However, TrafficSliver must receive all dispersed subcircuit packets in order to aggregate them. If the data from one of the subcircuits arrives late, the next packet must wait until it arrives in order. If a packet of one path is lost, the original content cannot be restored. The defense SMART proposed in this paper solves this problem well, aiming at deployability and high feasibility, and significantly reduces the accuracy of state-of-the-art WFP attacks with low overhead.

3. Threat Model

3.1. Attack Model

Various anonymous communication systems, such as Tor, Loopix, I2P, etc., can protect user privacy through multi-layer encryption and onion routing. However, adversaries do not need to break the encryption algorithm in order to undermine this privacy protection by employing encrypted traffic analysis techniques. The most typical encryption traffic analysis techniques are website fingerprinting attacks (WFP), and current researchers have demonstrated adversaries’ ability to use WFP to recognize which pages users have visited. Traffic passes through the Tor network without any disturbance, like water flowing in and out of a water pipe without any change, which is called the pipeline model. The attacker can use machine/deep learning methods to match client-generated traffic patterns with the fingerprinting of visited websites: (1) The attacker must first monitor a set of known or interested websites; (2) The attacker collects the traffic traces generated by visiting each website page; (3) The attacker extracts the traffic trace features by a feature extractor and uses them as fingerprints to tag the corresponding website. The website fingerprints included the packet size, packet sequence, traffic burst number, inter-packet interval, etc. Although Tor encapsulates user data in a fixed cell, Tor still cannot hide metadata, such as the packet number, direction, and interval. An attacker can still passively exploit this side-channel leakage for attacks; (4) A classifier model can be trained using machine/deep learning algorithms utilizing the extracted features as a dataset. Training a classification model aims to classify traffic patterns by using a probability distribution. Traffic analysis attacks are more successful if the test data are correctly classified; and (5) Finally, the adversary uses the classifier model to determine which specific website a user has visited, as in Figure 1.

3.2. Attack Scope

We assume that the attacker can monitor the circuit between the client and the entry OR because the Tor network is made up of volunteer nodes from all over the world, and the security of the volunteer nodes cannot be guaranteed. In this scenario, it is assumed that the attacker has the ability to monitor node communication. While monitoring the communication, the attacker cannot know anything about the real payload by decrypting it because Tor uses multiple layers of encryption. On top of that, researchers typically assume that the adversary cannot break Tor’s encryption algorithms, so it can only record and observe traffic as a passive attack, meaning it cannot observe the rest of the network and cannot modify, delay, discard, or populate new packets in the original flow. As a result, attackers are difficult to detect. Previous work has shown that WFP attacks can be carried out by all the entities with this level of access to network traffic, including autonomous systems (AS), local network administrators, ISPs, etc. By capturing traffic at the transmission control protocol (TCP) layer, WFP attacks can be launched at the ISP level [27,41]. In this study, we also assume that the attacker can monitor the beginning and finish of each webpage load.

3.3. Attack Scenarios

Currently, research on WFP attack scenarios is divided into two main categories: closed world and open world. In the closed world, it is assumed that users have access to a limited set of identified websites and that the attacker has all the traffic patterns of that set, which can be used to train a classifier model [12]. This scenario is unlikely to happen in the real world: there are about 356 million websites worldwide as of December 2021, and users visit an even larger number of websites. Even the most formidable attackers are unable to collect traffic from all sites, but the closed world is suitable for analyzing and comparing the effectiveness of various classifier models. The open-world scenario is obviously closer to reality: users can access any website without restriction, websites are divided into sensitive and non-sensitive sites, and attackers are only interested in sensitive sites and have their traffic fingerprints [29]. In this study, the closed world is chosen as the experimental scenario for evaluating the effects of classifiers. In addition, the experiments are reproduced in the open world in order to give a more accurate assessment of the results of this research in a real environment.

3.4. Classification Algorithm

Today, deep learning (DL) methods have produced breakthrough applications in a number of fields, such as pattern recognition and automatic speech recognition, and CNN and DNN are two of the most mature methods in DL. Because of their exceptional performance, deep neural networks (DNN) can effectively represent large amounts of input data by extracting high-level features from raw sensory data and applying statistical approaches to do this. Earlier methods that used manually extracted features or rules created by experts were different from this. Convolutional neural networks (CNNs) are a subclass of feed-forward neural networks, with a deep structure and convolutional computation. In terms of automatic feature extraction, processing a huge number of features, offering great performance, and requiring minimal preprocessing work, CNN has the capacity for representation learning. In recent studies, researchers have commonly used deep learning algorithms to identify network traffic patterns and obtain the desired accuracy through model design and parameter tuning, which have the advantages of high accuracy, good robustness, and wide applicability. For example, they can use convolutional neural networks to perform WFP successfully even with a small amount of data, such as Var-CNN [5]. They do not need to manually extract fingerprint features, and automatically extract features through machine learning algorithms, and can improve recognition accuracy [6,7]. They can also derive high attack accuracy over little encrypted traffic by leveraging adversarial domain adaption based on deep learning, such as adaptive fingerprinting [42]. In this study, we argue that attackers will tend to use deep learning algorithms for classification.

4. Methodology

WFP attacks are successful mainly because of the single-path pipeline model, in which packets in the pipeline are transmitted using the TCP/IP protocol. Whether for the three-way handshake before a session or for subsequent communications, the same path is used to transmit data, resulting in the same traffic patterns at the entrance and exit of the pipeline. The threat model in Section 3 describes in detail how an attacker can combine deep learning to execute a WFP attack that directly threatens the unobservability and unlinkability of Tor anonymous communication.
To counter WFP, the defense model SMART proposed in this study will change the network-pipelined transport model of Tor. It proposes a new decentralized transport model based on redundant coding that uses dynamic multi-pathing combined with a redundant slicing mechanism to split Tor traffic across multiple circuits. Our defense does not have to reconstruct the entire Tor network or modify exit ORs that are scarce and already overburdened, as the bandwidth and number of exit ORs are the lowest in Tor [10]. Considering that it can be better compatible with Tor, the defense function designed in this study is basically implemented in the user OP and middle ORs. Adjusting the middle ORs is rational because there are a great number of them (i.e., each volunteer relay can act as a middle OR by default) [43], and Tor has no particular demands for them. Every adjusted middle OR still ensures regular work, and our design is transparent to the unmodified parts of the Tor network, which means that the remaining network operation remains unchanged.

4.1. General Architecture

We have designed and implemented the Tor multi-path transmission defense architecture shown in Figure 2, which mainly consists of an authorized directory server, a user’s OP, a set of entry ORs, middle ORs, exit ORs, and a target service. Before starting the communication, the user’s OP first requests the relay information, such as the IP address, public key, etc., which is currently available for the entire Tor network from the authorized directory server (step 1). After receiving the node information, the user’s OP prioritizes three nodes to form an initial three-hop circuit, then establishes a multi-path sub-circuit based on the path selection algorithm, and generates a coding coefficient matrix for communication, which is used for redundant coding (step 2). After the circuit is successfully established, the user’s OP uses the coding coefficient matrix to process the data, creating partial redundant slices based on the data cutting (step 3). All the slices are scattered from the m entry ORs into the Tor network and finally converge at the same middle OR, which uses the coding coefficient matrix to decode the k slices that arrived, where k ≤ m. Even if some of the slices are lost during transmission, the receiver can still have a higher probability of restoring the original data with the help of the received data slices and redundant slices. The degree of redundancy can be adjusted by the user to suit the actual demand and network quality (step 4). The data is restored and forwarded by the middle OR to the exit OR (step 5) and forwarded by the exit OR to the destination (step 6). The traffic return is the reverse operation of the circuit. 
From the above steps, it can be concluded that the traffic patterns between the user’s OP and entry ORs bear little resemblance to the fingerprinting of the visited website, which will fundamentally reduce the probability of Tor being subjected to WFP attacks, and the specific experimental results in Section 6 demonstrate the effectiveness of our design. Algorithm 1 provides the pseudo-code of SMART for this work.
Algorithm 1 SMART defense algorithm
Require: matrix, the coding coefficient matrix fetched from the authority directory server.
Require: subcircuit, the subcircuit information fetched from the authority directory server.
Require: splitStrategies, the strategies of sending slices.
Require: Data, the communication data.
Require: K, the minimum number of recoverable slices.
function SEND(matrix, subcircuit, Data)
    s ← Slicing(Data)
    sr ← Encode(s) based on matrix
    s ← StrategiesChoose(splitStrategies)
    while 1 < i < sr do
        for m = 1 to subcircuit do
            Send(i) based on strategies
            if Send(i) == 1 then
                j++
            end if
        end for
        i ← j + i
        j ← 0
    end while
end function
function RECEIVE(matrix, K, sr)
    slice ← sizeof(sr) / sizeof(sr[0])
    if slice ≥ K then
        Data ← Decode(slice) based on matrix
    else
        “Decoding failed, request retransmission”
    end if
end function

4.1.1. Cell Format

We have made some improvements to the original Tor cell format to adapt to the current changes. To resist traffic analysis attacks, we maintain the fixed-size cell feature with 512 bytes [2]. As shown in Table 1, each data cell is composed of a cell header and cell payload, and the header contains two fields: circuit identifier (Circ_ID) and command identifier (command). The forwarding cell has its own protocol header in the cell’s payload field and uses the first 11 bytes of the payload as its own forwarding cell command header (relay-header), and the remaining 498 bytes as the forwarding cell payload (relay-payload). The new cell format designed and implemented in this research, with the header information, is shown in Table 1. Divide_method, SliceNum, SliceLen, SliceID, and fragmentID are all new fields to identify data slices.

4.1.2. Creating Multi-Path Circuits

To meet strict time constraints, and performance overheads in some cases, the user pre-establishes an initial three-hop circuit by selecting three different relays from the set of entry ORs, exit ORs, and middle ORs, respectively, through a bandwidth-weighting algorithm [2]. Then, the user’s OP creates additional m-1 two-hop subcircuits, which, with the initial three-hop circuit, share the same middle OR. Each of them constitutes one of the multi-path transmission schemes. Once the m-1 subcircuits are successfully established, the anonymous multi-path can transmit data. It allows traffic to reach different entry ORs along the m subcircuits from the client and converge at a shared middle OR. The entry ORs serve as the splitting point and the middle OR serves as the reorganization point, and the recovered data leads to the destination via the exit OR.

4.1.3. Sender

The sender is the user’s OP. The sending data needs to go through the input buffer, data processing (encryption, data slicing, redundant coding, and other operations), and the output buffer, as shown in Figure 3. Tor’s data processing and forwarding functions are controlled by libevent’s read and write events [44]. When a read event is scheduled, the OP reads data from the input buffer and encrypts it with the session key of the three-hop ORs. The encrypted data will be converted into decimal units of 8 bits to facilitate the subsequent encoding process, and the converted data will be cut into s slices. Next, the slices will be redundantly encoded. Considering the actual demand and network quality, the redundancy degree s can be adjusted, which is determined by the sender. The detailed slicing and redundancy process is shown in Figure 3. After the data is processed by redundancy encoding, it will be split according to the number of circuits and the cell header field will be updated in real-time. Finally, a complete cell of 512 bytes in length is written to the cell queue for sending. If there is still data in the input buffer, the above operation is repeated until all the data is read. The write event is scheduled to write as many elements in the queue as possible to the output buffer. After that, another write event is called to write the elements from the output buffer to TLS layer encryption and converge them to the middle OR through the m-circuits.

4.1.4. Receiver

The receiver is the middle OR. After the middle OR receives n slices, where n ≤ (s+r), it needs to go through the receive buffer, data recovery (layer two decryption and slice recovery), and the send buffer. After the data is transmitted through the network layer and reaches the TLS read buffer of the middle OR, it will be read into the input buffer in cell units. After the decryption operation is executed according to the path direction, the n slices are restored to the original message data according to the redundant decoding algorithm. It does not matter if some of the data slices are lost: the original data can still be recovered from the remaining slices, which solves the problem that data cannot be recovered when slices are lost or arrive out of order. Of course, n has a critical threshold: if n ≤ k (the minimum number of recoverable slices is k), the message “Decoding failed, request retransmission” will be returned to notify the sender. The user’s OP then regenerates the interaction information between the two parties. After the data is recovered, the cell is put into the corresponding queue according to the Circ_ID field of the cell. This is because the middle OR is responsible for forwarding the data received from all parties to the corresponding exit OR. The cells in the output buffer are written to the TLS buffer, encrypted, and transmitted to the exit OR via the TCP protocol. The exit OR works normally and is not affected in any way.
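The sender and receiver steps of Sections 4.1.3 and 4.1.4, as an added Python example that is not the authors' implementation: data is cut into s slices, expanded to s+r coded slices with a coding coefficient matrix, spread over m subcircuits, and rebuilt at the middle OR from any s slices in any order. Assumptions: the article does not specify the matrix or the field, so a Vandermonde matrix over GF(257) is used; round-robin is one possible splitting strategy; the names `encode`, `split` and `decode` are hypothetical.

```python
"""Redundant slicing over m subcircuits: added illustration, not SMART's code."""

P = 257  # assumption: smallest prime field that holds every 8-bit value


class DecodeError(Exception):
    """Fewer than s distinct slices reached the middle OR."""


def coding_matrix(s, r):
    """(s+r) x s Vandermonde matrix over GF(P); any s of its rows are invertible."""
    if not 0 < s <= s + r < P:
        raise ValueError("need 0 < s and s + r < 257")
    return [[pow(x, j, P) for j in range(s)] for x in range(1, s + r + 1)]


def encode(data, s, r):
    """Sender (OP): cut data into s slices, emit s+r coded (slice_id, symbols)."""
    padded = data + bytes(-len(data) % s)          # zero-pad to a multiple of s
    size = len(padded) // s
    slices = [padded[j * size:(j + 1) * size] for j in range(s)]
    return [(sid, [sum(c * sl[t] for c, sl in zip(row, slices)) % P
                   for t in range(size)])
            for sid, row in enumerate(coding_matrix(s, r))]


def split(coded, m):
    """One hypothetical splitting strategy: round-robin, equal load per entry OR."""
    paths = [[] for _ in range(m)]
    for i, item in enumerate(coded):
        paths[i % m].append(item)
    return paths


def _solve(rows, rhs):
    """Gauss-Jordan elimination mod P on the augmented matrix [rows | rhs]."""
    n = len(rows)
    a = [list(row) + list(vec) for row, vec in zip(rows, rhs)]
    for col in range(n):
        piv = next(i for i in range(col, n) if a[i][col])
        a[col], a[piv] = a[piv], a[col]
        inv = pow(a[col][col], P - 2, P)           # inverse by Fermat's little theorem
        a[col] = [v * inv % P for v in a[col]]
        for i in range(n):
            if i != col and a[i][col]:
                f = a[i][col]
                a[i] = [(v - f * w) % P for v, w in zip(a[i], a[col])]
    return [row[n:] for row in a]


def decode(received, s, r, length):
    """Receiver (middle OR): rebuild data from any s distinct slices, any order."""
    distinct = list(dict(received).items())        # drop duplicate slice ids
    if len(distinct) < s:
        raise DecodeError("Decoding failed, request retransmission")
    chosen = distinct[:s]
    matrix = coding_matrix(s, r)
    slices = _solve([matrix[sid] for sid, _ in chosen],
                    [sym for _, sym in chosen])
    return bytes(v for sl in slices for v in sl)[:length]


if __name__ == "__main__":
    # Constructed sample payload; in SMART this would already be onion-encrypted.
    msg = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"
    paths = split(encode(msg, s=4, r=2), m=3)
    print("slices seen per entry OR:", [len(p) for p in paths])
    survivors = paths[2] + paths[0]                # subcircuit 1 lost, order changed
    print("recovered:", decode(survivors, 4, 2, len(msg)) == msg)
```

Coded symbols in GF(257) can take the value 256 and so need nine bits; a coder meant to fill fixed 512-byte cells would normally work in GF(2^8) so that every symbol stays one byte.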

4.1.5. Information of the Multi-Path

In the following experimental part of this paper, we successfully demonstrate the efficiency of this defense, which can greatly reduce the accuracy of WFP analysis. In addition, we further explored the reason why the multi-path transmission scheme can reduce the accuracy of the classifier and quantified it with a mathematical model. The amount of information formula H(X) proposed by Shannon [45] defines how much uncertainty is eliminated by the size of the amount of information contained in an event, and the calculated value is the amount of information, as shown in Equation (1). Inspired by this, we can evaluate how challenging it would be for an attacker to execute WFP attacks by calculating the amount of information contained in the multi-path transmission.
$$H(X) = -\sum_{i=1}^{n} p(x_i) \log p(x_i) \qquad (1)$$
Here, p(x_i) is the probability that the random event X takes the value x_i. The splitting strategy we adopt is that each path has an equal probability of being selected and the amount of data transmitted is equal. Assuming that the number of entry relays is m = 4, meaning the number of circuits is four, and the attacker has the ability to monitor one of the paths, the probability of the attacker obtaining 1/4 of the original traffic is 1/4, meaning p(x_i) = 1/4, where n = 4. Another case is that the probability that the attacker does not obtain the original traffic is p(x_i) = 3/4, and the calculated amount of information contained in the traffic features obtained by the attacker from one of the paths is H(X) = 0.811. If the traffic only relies on single-path transmission, the probability that the attacker can obtain all the traffic features is p(x_i) = 0, n = 1, so the calculated amount of information included is H(X) = 0. It can be concluded that the amount of information contained in the traffic features obtained from the multi-path is greater, where the amount of information corresponds to the uncertainty that is eliminated. For the attackers, obtaining traffic features from the multi-path will be accompanied by more uncertainty. This means the uncertainty of the WFP classification increases, which causes the accuracy of the classifier to decline. This also means that the multi-path defenses only disclose limited useful signature information to the attackers. Therefore, we prove theoretically that the multi-path can reduce the density of the statistical features of the traffic, and can productively reduce the success rate of WFP.
This section describes the overall architecture of SMART and details how the sender and receiver work during the communication process, including the cell format and circuit creation during transmission. The Tor multi-path architecture, one of the contributions of this paper, is represented from the network layer to the transport layer to the application layer. The Tor lightweight and reliable multi-path scheme introduced in our paper effectively ensures the anonymity of Tor users and the unobservability of communication relationships. In the end, we proved that the multi-path will increase the uncertainty of WF, thereby reducing the accuracy of the classifiers. Beyond improving the anonymity of Tor, ensuring the stable working of the Tor multi-path transmission and improving the reliability of data transmission is our next key research work.

4.2. Redundant Slicing

Traffic needs to go through m entry ORs to reach the middle OR convergence and is split into m slices and then recovered at the middle OR. The problem of whether the slices can arrive on time and in order is involved here because, in a real network environment, Tor does not contain any sequencing information [2]. Some slices may experience delays due to network jitter and cannot arrive in order, resulting in packets that cannot be recovered. Previous research has provided a solution by introducing a new INFO control cell [39], where the user regularly reports to middle ORs the packet sequences and the subcircuit where the packets are. If a packet arrives late, the corresponding merge relay caches all the follow-up packets before receiving the delayed one and processes all the acquired packets sequentially. However, this approach faces two problems. One is the slice loss problem where, as long as one of the slices is lost during communication, the middle OR cannot recover the original data in the expected order and the communication is immediately interrupted. Another problem is that the user’s OP communicates directly with the middle OR. We all know that the onion routing protocol used by Tor puts forward the idea of path isolation at the beginning of the design to ensure anonymity, where each node only knows its predecessor and successor. It will significantly increase the risk that the Tor communication path will be exposed if the client interacts directly with the middle OR because the middle OR is aware of both the source IP location and the exit OR location. We solve these two problems by using redundant coding as a way to guarantee the multi-path transmission’s reliability.
Redundancy mechanism: The redundancy mechanism implemented in this scheme is based on data coding generation, where the encoding and decoding processes are linear mathematical operations. The applied coding coefficient matrix must adhere to the following criteria to decode the initial content:
  • Linear independence principle: Many problems may be faced during the communication process, such as the loss of data, malicious tampering, and data packets. The chaotic packets will be combined to decode. Thus, we create a square matrix for decoding using K corresponding row vectors from the coding coefficient matrix. Decoding needs the inverse of this square matrix. Therefore, the row vectors must be linearly independent [46];
  • Redundancy parameter: As shown in Table 2, the redundancy parameter is r. Under the principle of linear independence, the redundant parameter r must strictly follow (0 ≤ r ≤ K) when constructing the coding coefficient matrix.
The encoding coefficient matrix, EM, contains IM and CM. IM is the independent matrix of the first K rows, and CM is the circulant matrix of the last K rows, as shown in Equation (2). A circulant matrix is a special form of a Toeplitz matrix, and each element of its column vector is the result obtained by shifting the elements of the previous column vector to the right position in turn.
$$\begin{bmatrix}
e_{1,1} & e_{1,2} & e_{1,3} & e_{1,4} & e_{1,5} \\
e_{2,1} & e_{2,2} & e_{2,3} & e_{2,4} & e_{2,5} \\
e_{3,1} & e_{3,2} & e_{3,3} & e_{3,4} & e_{3,5} \\
e_{4,1} & e_{4,2} & e_{4,3} & e_{4,4} & e_{4,5} \\
e_{5,1} & e_{5,2} & e_{5,3} & e_{5,4} & e_{5,5}
\end{bmatrix} \qquad (2)$$
The encoding coefficient matrix EM is composed of IM and CM, such as in Equation (3).
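$$EM_{n,k} = \begin{bmatrix} IM_{k,k} \\ CM_{n-k,k} \end{bmatrix} = \begin{bmatrix}
1 & 0 & \cdots & 0 \\
0 & 1 & \cdots & 0 \\
\vdots & \vdots & \ddots & \vdots \\
0 & 0 & \cdots & 1 \\
e_{k+1,1} & \cdots & \cdots & e_{k+1,k} \\
\vdots & & & \vdots \\
e_{n,1} & \cdots & \cdots & e_{n,k}
\end{bmatrix} \qquad (3)$$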
Encoding operation: After the data-slicing process, the encoding operation of the data starts. In Equation (4), r = K .
$$E_{n,1} = EM_{n,k} \, M_{k,1} \qquad (4)$$
R means twice the amount of original data because the amount of initial data processed by the redundant encoding will double. After the encoding operation, the value of the post-redundancy R is obtained as 2∗K, according to Equation (5). The data will be encrypted layer by layer by the session keys of the entry and the middle OR after the redundancy encoding operation. The fragments will be transmitted via subcircuits.
$$R = \begin{cases} r + 2K & (r = 0,\ \text{Default}) \\ r + K & (r \in (0, K],\ \text{Defined}) \end{cases} \qquad (5)$$
Decoding operation: The decoding operation starts when the receiver (middle OR) receives the minimum recovery number of redundant slices. The decoding operation should meet the following requirements for successful decoding:
  • The minimum recovery amount K: This requires receiving a sufficient number of slices to recover the original data, where K is the number of minimum recoverable slices. The initial slice number, for instance, is K. After the redundant encoding procedure, the data slice number reaches 2K. When performing redundant decoding, the middle OR must receive at least K redundant slices to recover the original data;
  • Linear independence principle: This requirement has been satisfied during the experiment. The coding coefficient matrix we applied satisfies the linear independence principle.
In the decoding process, as shown in Equation (6), the received packet data is first integrated into a corresponding square matrix, and its inverse matrix should be deduced later. The square matrix and the inverse matrix are used for matrix operations to finally obtain the original matrix M.
$$DM_{k,k} \, RM_{k,1} = M_{k,1} \qquad (6)$$
In order to make the reader understand the decoding process more clearly, we show the slice redundancy process in Figure 4. After the coding operation is completed, the traffic is transmitted over multiple Tor subcircuits. The traffic pattern observed by the attacker at the entry OR, and the website fingerprint derived from it afterward, are basically inconsistent with the original, because the original pipelined single-path model is completely changed, and the experimental results prove that the effectiveness against WFP attacks is significantly improved. The problem of unrecoverable data slice loss is also solved. If m_1, m_3, and r_1 are lost during transmission (m_1 and r_1 represent the packet and redundant slice on the first subcircuit), the receiver selects the row vectors of the encoding coefficient matrix that match the slices received, composes the square matrix, and performs the inverse operation to obtain the DM (decoding matrix). It then uses RM to perform the decoding operation and successfully recover the initial content, which ensures the reliability of communication.
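The encoding of Equations (3) and (4), the loss of m_1, m_3 and r_1 described above, and the decoding of Equation (6), worked through as an added example that is not the authors' implementation. K = 4, r = 4, the circulant first row (1, 2, 3, 5), exact rational arithmetic, the row index carried with each slice, and all function names are assumptions; the paper does not state its coefficients or number field.

```python
"""Redundant slicing sketch: E = EM * M, drop slices, rebuild M = DM * RM."""
from fractions import Fraction
from itertools import combinations

K = 4                      # minimum recoverable slices (assumed value)
R = 4                      # redundant slices, 0 < r <= K (assumed value)
FIRST_ROW = [1, 2, 3, 5]   # assumed circulant generator, not from the paper


def circulant(first_row):
    """Each row is the previous row cyclically shifted one place right."""
    k = len(first_row)
    return [[first_row[(j - i) % k] for j in range(k)] for i in range(k)]


def encoding_matrix(k, r, first_row):
    """EM = identity block IM (k rows) stacked on r rows of circulant CM."""
    identity = [[int(i == j) for j in range(k)] for i in range(k)]
    return identity + circulant(first_row)[:r]


def encode(em, message):
    """Equation (4): one coded slice per row of EM."""
    return [sum(c * m for c, m in zip(row, message)) for row in em]


def invert(matrix):
    """Gauss-Jordan inverse over exact fractions; None if singular."""
    k = len(matrix)
    aug = [[Fraction(v) for v in row] + [Fraction(int(i == j)) for j in range(k)]
           for i, row in enumerate(matrix)]
    for col in range(k):
        pivot = next((r for r in range(col, k) if aug[r][col] != 0), None)
        if pivot is None:
            return None            # selected rows are linearly dependent
        aug[col], aug[pivot] = aug[pivot], aug[col]
        scale = aug[col][col]
        aug[col] = [v / scale for v in aug[col]]
        for r in range(k):
            factor = aug[r][col]
            if r != col and factor != 0:
                aug[r] = [a - factor * b for a, b in zip(aug[r], aug[col])]
    return [row[k:] for row in aug]


def decode(em, received, k):
    """received maps EM row index -> coded slice, in any arrival order."""
    if len(received) >= k:         # fewer than k slices cannot fix k unknowns
        for rows in combinations(sorted(received), k):
            dm = invert([em[i] for i in rows])      # decoding matrix DM
            if dm is None:
                continue                            # try another row set
            rm = [received[i] for i in rows]        # received vector RM
            plain = [sum(d * v for d, v in zip(drow, rm)) for drow in dm]
            return [int(p) for p in plain]          # Equation (6)
    raise ValueError("Decoding failed, request retransmission")


def simulate_loss(data, lost):
    """Encode K bytes, drop the slice indices in `lost`, then decode."""
    em = encoding_matrix(K, R, FIRST_ROW)
    coded = encode(em, list(data))
    # Survivors arrive out of order (reversed here), tagged with their row.
    received = {i: coded[i] for i in reversed(range(len(coded)))
                if i not in lost}
    return bytes(decode(em, received, K))


if __name__ == "__main__":
    # Constructed sample: indices 0, 2 and 4 stand for m_1, m_3 and r_1.
    print(simulate_loss(b"cell", {0, 2, 4}))
```

The decoder tries other row selections when one is singular, because an arbitrary circulant block does not guarantee that every K-row subset of EM is invertible.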

5. Experimental Setup

Classification setup: In our defense evaluation setup, we selected four of the most advanced website fingerprinting attack models, k-NN [12], k-fingerprinting [9], DF [7], and Var-CNN [5], which use everything from the k-nearest neighbors (k-NN) classifier to deep learning CNN, and DNN algorithms to classify Tor-loaded websites based on the external features they generate, and the analysis accuracy is more than 95%.
Simulated traffic: In order to initially evaluate the defense efficiency and resistance to WF attacks in our research, we designed and implemented a simulator to simulate the traffic transmission process. The simulator can automatically split traffic into different groups according to the splitting policy. The simulator simulates the multiple paths formed between the user’s OP and m entry ORs when Tor loads a single page. When executing this scheme, we measure the delay generated by 1000 redundant splits and the recovery process separately, considering that the redundant splits cause delay. Since the delay is also generated in the real Tor network, we record the round-trip RTTs of cells entering the Tor network from different entry ORs and, reaching the destination through the same middle and exit OR, we send the same data through different subcircuits, measure 1000 RTTs cumulatively, and integrate the redundant slice delay and the real Tor network delay into the simulated paths to evaluate the defense time overhead.
Closed world and open world: In the closed world, we evaluated our defense by collecting a dataset from the top 100 most popular websites ranked by Alexa [47]. First, we collected 100 undefended visited trajectories for each website to form a dataset called SMART-UNDEFENDED. Next, we started applying the defense system by collecting 100 defended access traces for each website. When selecting the splitting strategy, we referred to previous work [39], where we analyzed the experimental evaluation results of four different splitting strategies and compared them to select the optimal one, batched weighted random (BWR). The defended traffic patterns consist of the dataset called SMART-DEFENDED. To analyze our defense in the open world, 100 traffic patterns were recorded for each website based on the top 11,056 most popular websites of Alexa (excluding 100 websites in the closed world), and we called this dataset SMART-BACKGROUND. These traces were applied to the open world as background traffic for evaluating the defense. For all the experiments involved in this paper, each dataset collected was evenly divided into 10 copies and 10-fold cross-validation was used. The 10 copies of the dataset were run in both the training and testing phases, i.e., each phase was repeated 10 times. The test data can be selected as one of the 10 copies, the training dataset as the remaining 9 copies, and so on.
In the actual Tor network, we built a number of entry and middle ORs, and we deployed a Tor client that performed traffic slicing, redundancy, splitting, and merging policies based on pre-defined policies. Our middle OR supported both the regular single-path circuit and multi-path circuits to allow flexibility in responding to user needs. The Tor client we deployed applied the automated approach proposed in previous work to collect all traces during the crawling of datasets as in the related work [6,7,8,39]. For each page load, we used the tcpdump and Tor Browser 9.0.1 toolboxes to record the metadata, such as the TCP packet size and direction, and we applied the cell format we created. In addition, we removed traffic that showed page load errors or denied access, as attackers do not care about traffic with faulty page loading.

6. Experimental Evaluation and Discussion

In this part, we employ the novel defense given in this paper against several state-of-the-art WFP attacks and evaluate the defense’s efficiency and reliability. Due to the design of the reliable multi-path transmission, we assume that an attacker can compromise one of the m circuits from which it can obtain and record encrypted traffic into the outgoing relay. Furthermore, we assume that the adversary knows the multi-path transmission and redundant splitting scheme used in this defense and that they have enough resources to obtain the website fingerprints generated when a web page is loaded, and can collect the patterns of subcircuits in the multi-path and categorize them as loading the same website. At the same time, the attacker will use a state-of-the-art deep learning classifier to match the traffic patterns and determine whether the traffic patterns composed of sub-tracks have the same flow as the website fingerprinting. To compare the classification accuracy, we calculate the evaluation metrics for the classifier test results, which are the true positive rate (TPR) and false positive rate (FPR), where the TPR indicates the percentage of actually visited pages distinguished by the classifier and the FPR indicates the percentage of pages incorrectly identified by the classifier.
In Section 6, we first focus on the effectiveness of our defense. We first identify the defense that maximizes the difference by testing a different number of slices s, slicing strategies, and a different number of entry ORs m, then evaluate the effectiveness of the defense in the open world and real networks, respectively, and finally contrast this with other state-of-the-art defenses. In this section, we demonstrate the capability of our defense, SMART, to successfully reduce the accuracy of the most advanced WFP classifiers from over 98% to less than 12% without adding any padding packets or interval delay. Secondly, we focus on the reliability of this defense, and we show that using a redundant slice strategy increases the data recovery rate to close to 100% when using the same splitting strategy, compensating for the shortcoming of having to arrive sequentially to recover completed content. Thirdly, we test the network overhead of the entire scheme and can show that we provide a security boost to the Tor anonymous communication network at a very low overhead.

6.1. Closed World Evaluation

In order to make the defense optimal, we will find the optimal number of slices s, the optimal splitting strategy, and the optimal number of entry ORs m, evaluating which method is optimal based on the separately collected undefended dataset by pre-emptively using the simulator simulation experiments mentioned in the experimental setup in Section 5.

6.1.1. For Different Numbers of s and m

First, we analyze the effect of various numbers of slices on the defense. We separate the number of slices s and the number of splits m from each other. In Table 3, s denotes the quantity of each data processed by the slices in the Tor client, and m denotes the number of entry ORs, i.e., it represents how many multi-paths there are. It can be observed that with a fixed amount of entry ORs m, the attack effect of WFP becomes progressively worse as the number of slices s, m grows, and we believe that this situation is due to the fact that after the traffic is sliced and split, the disordered traffic changes the previous traffic pattern. Because we designed a redundant slicing strategy to use here, the number of redundant slices is r. The data need not arrive in sequence, and the middle OR need not wait to collect all the fixed sequence data, but needs only to receive a specified number k(k ≤ s + r) of slices to reconstruct the complete content. The traffic sequences as one of the features of WFP analysis of traffic patterns are no longer informative here.

6.1.2. For the Number of Entry ORs m

We simulate users’ loading webpages through different numbers of entry ORs in our experiments. We can observe that when fixing the slice variable s and increasing the number of entry ORs m, the WFP attack has almost no further validity, and the accuracy of the classifier is generally below 12% when m ≥ 5. We believe that this reduced success rate of WFP attacks is due to the variation in split traces, which is generated implicitly by passing different resources through different paths. Considering the challenge that attackers face, and the uncertainty about the number of splits and entry ORs, we add a set of random number tests s∈ [14,19] in each set of experiments, respectively, and the success rate of the WFP attacks drops dramatically when attackers cannot determine the traffic pattern. Our experiments confirm our intuition that an attacker can barely execute a successful WFP attack if they have the ability to compromise one of the entry ORs and can observe the traffic going in and out of this relay. The size of the m value here involves a trade-off between privacy protection and the overhead of the WFP defense. If the value of m is too large, the traffic forwarded by each entry OR contains less valid information and also reduces the strength of the WFP attack. However, too large an m will result in reduced performance and excessive overhead for the Tor network. If m is too small, the defense against WFP attacks will be reduced. Therefore, m is a very important variable in the trade-off between privacy protection and overhead.
In the previous experiment, we demonstrated the impact of the sub-paths m and slices s on defense effectiveness. In this study, it is also our concern how the splitting strategy of slices passes through the subcircuits. This means a splitting strategy to be adopted in order to make the traffic distribution highly diversified among the different paths loading the same page, thus hindering feature identification. In previous research work, the splitting strategy batched weighted random (BWR) was proposed to be effective [39]. The BWR means creating a separate vector w for the loaded pages, where the probability of n entry ORs being selected is m, calculated from the Dirichlet distribution in m dimensions. Here, we use m to weigh the selection of the n entry ORs for the data transmission between the client and middle ORs and keep n updated during a single page load. We use the simulation simulator mentioned above to simulate data splitting by slicing the same dataset into different groups according to different splitting strategies and, after weighing the balance between the defensive capabilities and network overhead, setting the number of slices as s = 4 and, considering that the attacker only monitors one of the websites, we select one of the groups to be classified.
We analyze and compare the results to further demonstrate that BWR, one of the four splitting strategies proposed in [39], is more defensive than the other splitting strategies, given that all the experimental conditions are the same. The other three splitting strategies are described in detail in that paper. There are two main reasons why BWR has the best defense. First, the attacker is uncertain about the entry ORs (n is not regularly updated). Second, WFP attacks frequently employ the BWR approach to extract features for classification because it disrupts the continuous sequence of the Tor cells in a given circuit. This splitting strategy will be applied in our next experiments.
In summary, based on our simulation results in Table 3 and Figure 5, we show that the BWR splitting strategy that is divided into four slices with five entry ORs is able to generate sub-circuits with highly different patterns, thus it is the most effective and well-balanced performance defense that we use in the rest of the experiment.

6.2. Open World Evaluation

When we introduced the composition of the dataset, we mentioned the background traffic, SMART-BACKGROUND, which we had previously collected to apply to the open world environment. For the foreground dataset, SMART-DEFENDED, we assumed that the attacker could collect sufficient traces of both kinds to weaken the potential negative effects, quantifying the adversary with specific data. The collection capacity can be expressed as a ratio that exceeds 110:1, and this high ratio reflects the realism of the open world. All of our experiments employ confidence intervals to ensure that the four attacks strike a good balance between TPR and FPR.
If the classification outcome falls inside the confidence interval, we conclude the traffic pattern and the foreground traffic belong to the same category. In addition, we also list the features that affect classification in a larger proportion one by one, as shown in Figure 6. The time-interval sequence of cells had the highest proportion of classification, with a proportion of 0.025.
We focus on evaluating the effectiveness of the Var-CNN, DF, K-F, and k-NN attacks against the SMART defense in an open-world environment. We apply a simulator to artificially split these datasets (using BWR splitting, where s = 4 and m = 5) and use both undefended and defended traffic to calculate the ROC curves for each classifier. As depicted in Figure 7, the difference between the undefended and defended ROC curves is significant: Var-CNN has a very high recognition accuracy for the undefended dataset, with an area under the ROC curve (AUC) of over 0.85, while for the defended dataset Var-CNN is close to the random guess curve (AUC = 0.5), with AUC = 0.58. As a result of our defense, the adversary cannot successfully carry out WFP attacks in the open world.

6.2.1. Effectiveness in a Real Network

We deployed Tor user agents on virtual machines and implemented the defense, SMART, for the lightweight and reliable multi-path transmission mentioned in this paper. To defend against these WFP attacks, the defense does not employ padding packets or artificial delays. We chose the best-proven scheme (s = 4, m = 5, and the BWR strategy) and collected real Tor network traffic as a dataset. We applied the state-of-the-art classifier to classify this defended dataset and collected the undefended real traffic for classification, using the results as a reference group to evaluate the effectiveness of SMART. As can be observed in Table 4, the classifications obtained using the defense traces from the actual Tor network are only a little less accurate than the simulations. The analysis success rate of all these current state-of-the-art WFP classifiers has dropped from over 95% to less than 11% now. From this, we can reasonably infer that our defense SMART is effective in the real world and can render the current WFP attacks ineffective.

6.2.2. Compared to Advanced Defenses

Currently, the most advanced and effective defense methods include WTF-PAD [11], BiMorphing [48], DFD [36], and TrafficSliver [39]. We use the same dataset and classifiers to test the effectiveness of different defenses. In Figure 8, we can observe that SMART significantly outperforms WTF-PAD and BiMorphing, with a direct drop in accuracy of about 90%. We believe that the effectiveness of DFD in DF and Var-CNN looks higher because it is used to change the original traffic pattern with the simultaneous injection of dummy packets both unilaterally and bilaterally, which clearly improves its perturbability at the cost of significant network overhead compared to our no-padding and no-delay defense. We will compare the network overhead of the schemes. It has been experimentally verified that our defense approach reduces the WFP accuracy rate better than most previous defense approaches.

6.3. Data Recovery

It is our most important goal to both ensure users communicate normally and protect user privacy. In other words, defense against WFP attacks must be based on the premise that users can work properly, so we must ensure the reliability of user data transmission. Here, we simulate the data slice transmission process through a simulator and, during the experiment, artificially discard some data or interfere with the slice transmission sequence to evaluate the final data transmission success rate. Redundant slicing is an important basis for SMART to ensure the reliability of data transmission. We designed three control experiments with different redundancy values r (r = 0, 5, 10, 15, and 20) and different numbers of circuits (m = 1, 3, 5, and 7). In each experiment, the process of slicing and recovering 1000 data was repeated five times. The data recovery is observed while holding either the number of redundant slices r or the number of circuits m constant, and Figure 9 shows the average data recovery rate (transmission success rate). We observe that the data recovery capability gradually increases when the proportion of the anonymous multi-path rises; the success percentage of multi-path transmission also gradually increases with the increase of redundant slices r.
In the case of data loss, the data recovery time of TrafficSliver without the redundant slicing function will far exceed our defense. This is because TrafficSliver must reorganize data sequentially and, when one packet is lost, the packets to be sent must queue up for the lost one to be resent, thus reducing the overall transmission speed. The redundant slicing policy we designed allows a certain percentage of data loss in the Tor network, but still recovers the complete data without retransmission, with a recovery rate of nearly 97%. This design not only protects user privacy but also guarantees the reliability of communication by users using the Tor network.

6.4. Defense Overhead

We believe that the overhead of defending WFP is as important as its defensive performance, and the acceptable overhead of defense must be considered when it is actually deployed. Therefore, this part of the experiment is mainly focused on the overhead. We evaluate the time overhead of different defense methods by loading the same pages. In terms of time overhead, SMART has less overhead than other defense methods. We believe this can be due to two reasons. One is that we do not change the transmission time of the original packet and do not add any delay. The other is because multiple cells are transmitted simultaneously over multi-paths, reducing the time overhead of waiting for packets to be queued and sent. After the experimental demonstration, we conclude that SMART has a high defense capability while incurring only a small time overhead, exceeding other previous defense methods. Although the time overhead of SMART is already small, there is still a struggle with zero latency. Next, we will consider redundant coding algorithms with a faster encoding speed and repair speed, such as RRS [49].
In addition to this, we also deploy SMART in real Tor nodes as a way to evaluate the additional overhead of nodes processing data in a real environment and repeat each set of evaluation experiments 1000 times. The Tor client needs to do data splitting and redundancy, and the middle OR needs to do data recovery and reorganization. We also focus on the time overhead of the user agent nodes and middle OR to process data, as shown in Figure 10. We believe that this part of the time overhead is acceptable and even almost negligible. Since multi-paths may generate jitter phenomena in real networks, we also add a set of comparison experiments to measure packet arrival time for packets transmitted over multiple paths. As shown in Figure 10, multiple connections reduce the packet arrival interval, but the jitter phenomenon generated by some circuits also increases the outliers. Additionally, the multi-path transmission may create the problem of packet loss that cannot be recovered, and we have shown above that our scheme allows a certain number of packet losses and still restores the complete data.
In summary, we demonstrated the effectiveness of our defense against today’s WFP attacks and the transmission reliability during Tor communications, and confirm that this moderate overhead defense can be applied in real anonymity environments as a way to protect the higher privacy of users.

7. Discussion and Limitation

7.1. Anonymity Trilemma

The anonymity trilemma is one of the limitations of this work, where there is a trade-off between performance and user privacy protection [50]. We leave the choice between network performance and anonymity to the user in order to trade off network overhead and transmission reliability, and privacy. If the user needs a network environment with better performance, they can choose a smaller number of slices, as well as the number of entry ORs, to reduce overhead. In other words, some anonymity is sacrificed to improve network performance, and the reverse remains true. For Tor multi-path transmission, the failure rate of carrying out WFP attacks is lower due to the greater number of slices and circuits, and a smaller portion of the adversary’s limited data, which is not enough to represent the full connection information of the loaded web page. We are also continuing our in-depth research to solve this problem, and now that we have made the WFP attacks largely ineffective, we will next focus on how to reduce unnecessary network overhead and overcome the anonymity trilemma.

7.2. Assumptions about Attacker Capabilities

Another limitation is the assumption about the capabilities of the attacker. In our experiments, we only assumed that the attacker could monitor the connection between one of the client and entry nodes. However, the attacker’s success rate gradually increases if the attacker becomes an ISP that can control the user by starting more entry ORs in Tor. Tor protects relays by periodically changing the relay list [51]. Although it is difficult to control one or a few malicious nodes to successfully implement a WFP attack, or as a more powerful adversary who controls all the relays, it does not mean that the user’s anonymity will not be vulnerable due to this situation, so we need to do further research experiments to prove this issue.

7.3. Application Scenarios of WFP

It is also necessary to discuss the positive application scenarios of WFP. WFP has a wide range of applicable scenarios. It not only includes anti-anonymity attacks that associate users and their communication objects but it can also be used for bot detection to distinguish whether a user is a computer or a real person, such as Google’s reCAPTCHA [52]. It can also be used to detect and identify hacker attacks, phishing, and other security threats, helping network administrators take timely measures. At the same time, the research on WFP should not be limited to the identification of website fingerprintings. There are also some similar works, such as identification research based on features like cookies and a virtual private network (VPN).

7.4. Devices with Different Performance

In addition, the current application scenario of this defense scheme focuses mainly on the Tor anonymous communication network. Most of the defense operations can be processed by the servers of the anonymous communication network. The minimum requirement for a device is the ability to process the coding operation. Narrow-bandwidth IoT networks and low-power devices, for example, have wider coverage but lack the processing ability to integrate complex security detection or protection mechanisms, and are often easy victims of network attacks. One example is the WebUI-based IoT device identification proposed by Wang et al. [53]. Therefore, for the security research of this type of equipment, we will further explore more applicable defense methods.

8. Conclusions

We proposed a novel lightweight and reliable multi-path defense against WFP attacks. SMART splits Tor traffic across multiple circuits, with the choice of slices and paths left to user control, allowing the entire defense strategy to flexibly adjust anonymity and network performance. It uses redundant coding to ensure the reliability of communication over multiple paths, addressing the problems that the loss of a Tor data slice is irrecoverable and that waiting for slices to arrive in sequence causes delay. We demonstrated that our defense can effectively reduce the accuracy of WFP attacks without adding any artificial latency or dummy traffic. To ensure compatibility with the current Tor network, SMART only requires minor modifications to Tor and does not need any updates to the underlying anonymization network.

Author Contributions

Methodology: L.L. and N.H.; Project administration: N.H. and C.S.; Conceptualization: Y.J. and X.L.; Validation: L.L. and C.S.; Funding acquisition: N.H. All authors have read and agreed to the published version of the manuscript.

Funding

This work was supported by the National Natural Science Foundation of China (Grant no. 61976064), the National Key Research and Development Program (2021YFB2012402, 2018YFB1800701), the Major Key Project of PCL (Grant No. PCL2022A03), the Guangzhou Science and Technology Plan Project (202102010471), and the Guangdong Province Science and Technology Planning Project (2020A1414010370).

Data Availability Statement

The data is private and cannot be provided without the user’s permission.

Acknowledgments

We thank the anonymous reviewers for their constructive comments.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Babun, L.; Denney, K.; Celik, Z.B.; McDaniel, P.; Uluagac, A.S. A survey on IoT platforms: Communication, security, and privacy perspectives. Comput. Net. 2021, 192, 108040.
  2. Dingledine, R.; Mathewson, N. Tor Protocol Specification. 2019. Available online: https://gitweb.torproject.org/torspec.git/tree/tor-spec.txt (accessed on 1 January 2020).
  3. Gong, J.; Wang, T. Zero-delay lightweight defenses against website fingerprinting. In Proceedings of the 29th USENIX Conference on Security Symposium, Berkeley, CA, USA, 12–14 August 2020; pp. 717–734.
  4. Cherubin, G.; Jansen, R.; Troncoso, C. Online Website Fingerprinting: Evaluating Website Fingerprinting Attacks on Tor in the Real World. In Proceedings of the 31st USENIX Security Symposium (USENIX Security 22), Boston, MA, USA, 10–12 August 2022; pp. 753–770.
  5. Bhat, S.; Lu, D.; Kwon, A.; Devadas, S. Var-CNN: A data efficient website fingerprinting attack based on deep learning. Proc. Priv. Enhancing Technol. 2019, 2019, 292–310.
  6. Rimmer, V.; Preuveneers, D.; Juarez, M.; Goethem, T.V.; Joosen, W. Automated website fingerprinting through deep learning. In Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, 18–21 February 2018.
  7. Sirinam, P.; Imani, M.; Juarez, M.; Wright, M. Deep fingerprinting: Undermining website fingerprinting defenses with deep learning. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), Toronto, ON, Canada, 15–19 October 2018.
  8. Panchenko, A.; Lanze, F.; Zinnen, A.; Henze, M.; Pennekamp, J.; Wehrle, K.; Engel, T. Website Fingerprinting at Internet Scale. In Proceedings of the 23rd Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, 21–24 February 2016; Internet Society: San Diego, CA, USA, 2016.
  9. Hayes, J.; Danezis, G. k-fingerprinting: A Robust Scalable Website Fingerprinting Technique. In Proceedings of the 25th USENIX conference on Security Symposium, Austin, TX, USA, 10–12 August 2016.
  10. Jansen, R.; Vaidya, T.; Sherr, M. Point Break: A Study of Bandwidth Denial-of-Service Attacks against Tor. In Proceedings of the 28th USENIX conference on Security Symposium. USENIX Association, Santa Clara, CA, USA, 14–16 August 2019.
  11. Juarez, M.; Imani, M.; Perry, M.; Diaz, C.; Wright, M. Toward an Efficient Website Fingerprinting Defense. In Proceedings of the 21st European Symposium on Research in Computer Security (ESORICS), Heraklion, Greece, 26–30 September 2016; Springer: Berlin/Heidelberg, Germany, 2016.
  12. Wang, T.; Cai, X.; Nithyanand, R.; Johnson, R.; Goldberg, I. Effective attacks and provable defenses for website fingerprinting. In Proceedings of the 23rd USENIX Security Symposium (USENIX Security 14), San Diego, CA, USA, 20–22 August 2014; pp. 143–157.
  13. Nithyanand, R.; Cai, X.; Johnson, R. Glove: A bespoke website fingerprinting defense. In Proceedings of the Workshop on Privacy in the Electronic Society, Amsterdam, The Netherlands, 16–18 July 2014; pp. 131–134.
  14. Sun, Q.; Simon, D.R.; Wang, Y.-M.; Russell, W.; Padmanabhan, V.N.; Qiu, L. Statistical Identification of Encrypted Web Browsing Traffic. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, Berkeley, CA, USA, 12–15 May 2002; IEEE: Piscataway, NJ, USA, 2002; pp. 19–30.
  15. Hintz, A. Fingerprinting Websites Using Traffic Analysis. In Privacy Enhancing Technologies; Springer: Berlin/Heidelberg, Germany, 2003; pp. 171–178.
  16. Cheng, H.; Avnur, R. Traffic Analysis of SSL Encrypted Web Browsing; Project Paper; University of Berkeley: Berkeley, CA, USA, 1998.
  17. Liberatore, M.; Levine, B. Inferring the Source of Encrypted HTTP Connections. In Proceedings of the 13th ACM Conference on Computer and Communications Security, Alexandria, VA, USA, 30 October–3 November 2006; pp. 255–263.
  18. Herrmann, D.; Wendolsky, R.; Federrath, H. Website Fingerprinting: Attacking Popular Privacy Enhancing Technologies with the Multinomial Naïve-Bayes Classifier. In Proceedings of the 2009 ACM Workshop on Cloud Computing Security, Chicago, IL, USA, 13 November 2009; pp. 31–42.
  19. Panchenko, A.; Niessen, L.; Zinnen, A.; Engel, T. Website fingerprinting in onion routing based anonymization networks. In Proceedings of the 10th Annual ACM Workshop on Privacy in the Electronic Society, Chicago, IL, USA, 17 October 2011; pp. 103–114.
  20. Cai, X.; Zhang, X.C.; Joshi, B.; Johnson, R. Touching from a distance: Website fingerprinting attacks and defenses. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, Raleigh, NC, USA, 16–18 October 2012; pp. 605–616.
  21. Wang, T.; Goldberg, I. Improved website fingerprinting on tor. In Proceedings of the 12th ACM Workshop on Workshop on Privacy in the Electronic Society, Berlin, Germany, 4 November 2013; pp. 201–212.
  22. Juarez, M.; Afroz, S.; Acar, G.; Diaz, C.; Greenstadt, R. A Critical Evaluation of Website Fingerprinting Attacks. In Proceedings of the 21st ACM SIGSAC Conference on Computer and Communications Security (CCS), Scottsdale, AZ, USA, 3–7 November 2014; ACM: Scottsdale, AZ, USA, 2014.
  23. Shafiq, M.; Tian, Z.; Bashir, A.K.; Du, X.; Guizani, M. CorrAUC: A Malicious Bot-IoT Traffic Detection Method in IoT Network Using Machine Learning Techniques. IEEE Internet Things J. 2021, 8, 3242–3254.
  24. Cai, X.; Nithyanand, R.; Wang, T.; Johnson, R.; Goldberg, I. A Systematic Approach to Developing and Evaluating Website Fingerprinting Defenses. In Proceedings of the 21st ACM SIGSAC Conference on Computer and Communications Security (CCS), Scottsdale, AZ, USA, 3–7 November 2014; ACM: Scottsdale, AZ, USA, 2014.
  25. Tian, Z.; Luo, C.; Qiu, J.; Du, X.; Guizani, M. A Distributed Deep Learning System for Web Attack Detection on Edge Devices. IEEE Trans. Ind. Informatics 2020, 16, 1963–1971.
  26. Luo, C.; Tan, Z.; Min, G.; Gan, J.; Shi, W.; Tian, Z. A Novel Web Attack Detection System for Internet of Things via Ensemble Classification. IEEE Trans. Ind. Informatics 2021, 17, 5810–5818.
  27. Tan, Q.; Gao, Y.; Shi, J.; Wang, X.; Fang, B.; Tian, Z. Toward a Comprehensive Insight Into the Eclipse Attacks of Tor Hidden Services. IEEE Internet Things J. 2019, 6, 1584–1593.
  28. Imani, M.; Rahman, M.S.; Wright, M. Adversarial traces for website fingerprinting defense. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, Toronto, ON, Canada, 15–18 October 2018; pp. 2225–2227.
  29. Wang, T.; Goldberg, I. Walkie-Talkie: An Efficient Defense Against Passive Website Fingerprinting Attacks. In Proceedings of the 26th USENIX Security Symposium (USENIX Security 17), Vancouver, BC, Canada, 16–18 August 2017; pp. 1375–1390.
  30. Shafiq, M.; Tian, Z.; Sun, Y.; Du, X.; Guizani, M. Selection of effective machine learning algorithm and Bot-IoT attacks traffic identification for internet of things in smart city. Future Gener. Comput. Syst. 2020, 107, 433–442.
  31. Shafiq, M.; Tian, Z.; Bashir, A.; Du, X.; Guizani, M. IoT Malicious Traffic Identification Using Wrapper-Based Feature Selection Mechanisms. Comput. Secur. 2020, 94, 101863.
  32. Shmatikov, V.; Wang, M.H. Timing analysis in low-latency mix networks: Attacks and defenses. In Proceedings of the European Symposium on Research in Computer Security, Hamburg, Germany, 18–20 September 2006; Springer: Berlin/Heidelberg, Germany, 2006; pp. 18–33.
  33. Wright, C.; Coull, S.; Monrose, F. Traffic Morphing: An Efficient Defense Against Statistical Traffic Analysis. In Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, 8–11 February 2009; Internet Society: San Diego, CA, USA, 2009.
  34. Dyer, K.P.; Coull, S.E.; Ristenpart, T.; Shrimpton, T. Peek-a-Boo, I Still See You: Why Efficient Traffic Analysis Countermeasures Fail. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, San Francisco, CA, USA, 20–23 May 2012; pp. 332–346.
  35. Cai, X.; Nithyanand, R.; Johnson, R. Cs-buflo: A congestion sensitive website fingerprinting defense. In Proceedings of the 13th Workshop on Privacy in the Electronic Society, Scottsdale, AZ, USA, 3 November 2014; pp. 121–130.
  36. Abusnaina, A.; Jang, R.; Khormali, A.; Nyang, D.; Mohaisen, D. DFD: Adversarial learning-based approach to defend against website fingerprinting. In Proceedings of the IEEE INFOCOM 2020-IEEE Conference on Computer Communications, Toronto, ON, Canada, 6–9 July 2020; IEEE: Piscataway, NJ, USA, 2020; pp. 2459–2468.
  37. Szegedy, C.; Zaremba, W.; Sutskever, I.; Bruna, J.; Erhan, D.; Goodfellow, I.; Fergus, R. Intriguing properties of neural networks. arXiv 2013, arXiv:1312.6199.
  38. Nasr, M.; Bahramali, A.; Houmansadr, A. Defeating DNN-Based Traffic Analysis Systems in Real-Time with Blind Adversarial Perturbations. In Proceedings of the 30th USENIX Security Symposium (USENIX Security 21), Online, 11–13 August 2021; pp. 2705–2722.
  39. De la Cadena, W.; Mitseva, A.; Hiller, J.; Pennekamp, J.; Reuter, S.; Filter, J.; Engel, T.; Wehrle, K.; Panchenko, A. Trafficsliver: Fighting website fingerprinting attacks with traffic splitting. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, Virtual, 9–13 November 2020; pp. 1971–1985.
  40. De la Cadena, W.; Mitseva, A.; Pennekamp, J.; Hiller, J.; Lanze, F.; Engel, T.; Wehrle, K.; Panchenko, A. POSTER: Traffic Splitting to Counter Website Fingerprinting. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, London, UK, 11–15 November 2019; pp. 2533–2535.
  41. Tan, Q.; Wang, X.; Shi, W.; Tang, J.; Tian, Z. An Anonymity Vulnerability in Tor. IEEE/ACM Trans. Netw. 2022, 30, 2574–2587.
  42. Wang, C.; Dani, J.; Li, X.; Jia, X.; Wang, B. Adaptive fingerprinting: Website fingerprinting over few encrypted traffic. In Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy, Virtual, 26–28 April 2021; pp. 149–160.
  43. Pennekamp, J.; Hiller, J.; Reuter, S.; De la Cadena, W.; Mitseva, A.; Henze, M.; Engel, T.; Wehrle, K.; Panchenko, A. Multipathing Traffic to Reduce Entry Node Exposure in Onion Routing. In Proceedings of the 27th annual IEEE International Conference on Network Protocols (ICNP), Chicago, IL, USA, 7–10 October 2019; IEEE: Chicago, IL, USA, 2019.
  44. He, G.; Yang, M.; Luo, J.; Zhang, L.; Ma, Y. Modeling and analysis of time characteristics used in onion routing traceback techniques. Chin. J. Comput. 2014, 37, 256–372.
  45. Shannon, C.E. A mathematical theory of communication. Bell Syst. Tech. J. 1948, 27, 379–423.
  46. Tan, Z.; Huang, Y.; Chen, Y.; Zhang, Y.; Zou, J.; Hu, N. A Data Encoding Method for Multipath Anonymous Transmission. In Proceedings of the 2022 7th IEEE International Conference on Data Science in Cyberspace (DSC), Guilin, China, 11–13 July 2022; pp. 283–290.
  47. Alexa. Alexa Tor 100 Most Popular Websites. 2020. Available online: https://www.alexa.com/ (accessed on 1 September 2018).
  48. Al-Naami, K.; El-Ghamry, A.; Islam, M.S.; Khan, L.; Thuraisingham, B.; Hamlen, K.W.; Alrahmawy, M.; Rashad, M.Z. Bimorphing: A bi-directional bursting defense against website fingerprinting attacks. IEEE Trans. Dependable Secur. Comput. 2019, 18, 505–517.
  49. Khan, O.; Burns, R.C.; Plank, J.S.; Pierce, W.; Huang, C. Rethinking erasure codes for cloud file systems: Minimizing I/O for recovery and degraded reads. In Proceedings of the FAST, San Jose, CA, USA, 14–17 February 2012; Volume 20.
  50. Das, D.; Meiser, S.; Mohammadi, E.; Kate, A. Anonymity trilemma: Strong anonymity, low bandwidth overhead, low latency-choose two. In Proceedings of the 2018 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 21–23 May 2018; IEEE: Piscataway, NJ, USA, 2018; pp. 108–126.
  51. Lovecruft, I.; Kadianakis, G.; Bini, O.; Mathewson, N. Tor Guard Specification. Available online: https://gitweb.torproject.org/torspec.git/tree/guard-spec.txt (accessed on 1 January 2020).
  52. Jonker, H.; Krumnow, B.; Vlot, G. Fingerprint surface-based detection of web bot detectors. In Proceedings of the Computer Security–ESORICS 2019: 24th European Symposium on Research in Computer Security, Luxembourg, 23–27 September 2019; Springer International Publishing: Berlin/Heidelberg, Germany, 2019; pp. 586–605.
  53. Wang, R.; Li, H.; Jing, J.; Jiang, L.; Dong, W. WYSIWYG: IoT Device Identification Based on WebUI Login Pages. Sensors 2022, 22, 4892.
Figure 1. Threat model.
Figure 2. Multi-path defense architecture.
Figure 3. Sender data processing.
Figure 4. Transmission process.
Figure 5. Impact of different s and m values on the classification accuracy.
Figure 6. Scores of the top nine features.
Figure 7. Changes of the state-of-the-art WFP before and after the SMART defense: (a) WFP in the open-world setting (undefended); and (b) WFP in the open-world setting (defended).
Figure 8. Comparison with the other four state-of-the-art defenses.
Figure 9. Multi-path transmission success rate.
Figure 10. Time overhead: (a) page load time; and (b) cell processing time.
Table 1. Cell format.

| Header Field | Byte | Description |
|---|---|---|
| Circ_ID | 2 | The circuit ID |
| Command | 1 | The command identifier |
| Relay Command | 1 | Represents the command and use of the packet |
| Recognized | 2 | For any non-encrypted packet, this field is always 0. If the Tor client finds that the field is not 0 after decryption, it means that it cannot be decrypted and will destroy the circuit in time. |
| Stream_id | 2 | Identifies the stream ID number generated by the client |
| Integrity | 4 | Hashes the entire cell field and takes the first four bytes |
| Split_method | 2 | The slice method |
| SliceNum | 1 | The number of slices |
| SliceLen | 1 | The length of the slice |
| SliceID | 1 | Identifies a slice |
| fragmentID | 1 | The first data slice in a redundant slice |
| DATA | 494 | The payload of the cell |
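The Table 1 layout adds up to a 512-byte cell, and the sketch below packs, parses and checks such a cell; it is an added example, not code from the paper or from Tor. Big-endian byte order, SHA-256 as the Integrity hash, zero-based slice IDs, and all function names and sample values are assumptions.

```python
import hashlib
import struct
from collections import namedtuple

# Field order and sizes follow Table 1. Big-endian packing, SHA-256 as the
# hash, and zero-based slice IDs are assumptions made for this example.
CELL = struct.Struct(">HBBHH4sHBBBB494s")
CELL_LEN, DATA_LEN, INTEGRITY_OFF = 512, 494, 8
assert CELL.size == CELL_LEN  # 2+1+1+2+2+4+2+1+1+1+1+494

Cell = namedtuple("Cell", "circ_id command relay_command recognized stream_id "
                          "integrity split_method slice_num slice_len slice_id "
                          "fragment_id data")


def _digest(raw):
    """First four bytes of the hash of the cell with Integrity zeroed."""
    zeroed = raw[:INTEGRITY_OFF] + b"\x00" * 4 + raw[INTEGRITY_OFF + 4:]
    return hashlib.sha256(zeroed).digest()[:4]


def build_cell(circ_id, command, relay_command, stream_id, split_method,
               slice_num, slice_len, slice_id, fragment_id, payload):
    """Pack one 512-byte cell; Recognized is 0 and DATA is zero-padded."""
    if len(payload) > DATA_LEN:
        raise ValueError("payload exceeds the 494-byte DATA field")
    raw = CELL.pack(circ_id, command, relay_command, 0, stream_id, b"\x00" * 4,
                    split_method, slice_num, slice_len, slice_id, fragment_id,
                    payload.ljust(DATA_LEN, b"\x00"))
    return raw[:INTEGRITY_OFF] + _digest(raw) + raw[INTEGRITY_OFF + 4:]


def parse_cell(raw):
    """Unpack a cell, rejecting wrong sizes, non-zero Recognized, bad digests."""
    if len(raw) != CELL_LEN:
        raise ValueError("cell must be exactly 512 bytes")
    cell = Cell._make(CELL.unpack(raw))
    if cell.recognized != 0:
        raise ValueError("Recognized is non-zero: cell is not in the clear")
    if cell.integrity != _digest(raw):
        raise ValueError("Integrity does not match the cell contents")
    return cell


def missing_slices(raw_cells):
    """Return slice IDs still absent after discarding cells that fail checks."""
    seen, expected = set(), 0
    for raw in raw_cells:
        try:
            cell = parse_cell(raw)
        except ValueError:
            continue  # damaged or undecryptable cell counts as lost
        expected = max(expected, cell.slice_num)
        seen.add(cell.slice_id)
    return sorted(set(range(expected)) - seen)


if __name__ == "__main__":
    # Constructed sample: slices 0, 1 and 3 of 4 arrive; slice 1 is corrupted.
    cells = [build_cell(7, 3, 2, 1, 0, 4, 1, i, 0, b"slice-%d" % i)
             for i in (0, 1, 3)]
    cells[1] = cells[1][:100] + b"\xff" + cells[1][101:]
    print(missing_slices(cells))
```

A receiver can treat the IDs returned by `missing_slices` as the slices that the redundant coding has to recover.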
Table 2. Redundant symbol description.

| Symbol | Description |
|---|---|
| K | The number of initial packets |
| r | Redundant parameters |
| IM | Independent matrix |
| EM | Coding coefficient matrix |
| CM | Circulant matrix |
| M | Initial data matrix |
| E | Packet matrix after coding |
| RM | Matrix of received data |
| DM | Decoding matrix |
Table 3. The influence of a different number of slices and entry nodes on the classification accuracy.

| m | Undefended | 5 | 5 | 5 | 5 | 5 |
|---|---|---|---|---|---|---|
| s | Undefended | 2 | 4 | 6 | 8 | (2, 8) |
| k-NN | 92.45 | 5.66 | 3.78 | 2.41 | 1.12 | 2.38 |
| K-F | 95.80 | 16.28 | 8.79 | 4.65 | 3.14 | 5.63 |
| DF | 98.00 | 20.19 | 14.25 | 8.34 | 6.85 | 10.02 |
| Var-CNN | 98.80 | 23.32 | 15.57 | 9.98 | 7.19 | 11.24 |
Table 4. Classification results before and after using SMART.

| | k-NN | K-F | DF | Var-CNN |
|---|---|---|---|---|
| Undefended | 95.2 | 97.5 | 98.6 | 98.43 |
| SMART | 5.34 | 6.21 | 9.22 | 10.98 |