k-fingerprinting: a Robust Scalable Website Fingerprinting Technique

Website fingerprinting enables an attacker to infer which web page a client is browsing through encrypted or anonymized network connections. We present a new website fingerprinting technique based on random decision forests and evaluate performance over standard web pages as well as Tor hidden services, on a larger scale than previous works. Our technique, k-fingerprinting, performs better than current state-of-the-art attacks even against website fingerprinting defenses, and we show that it is possible to launch a website fingerprinting attack in the face of a large amount of noisy data. We can correctly determine which of 30 monitored hidden services a client is visiting with 85% true positive rate (TPR), a false positive rate (FPR) as low as 0.02%, from a world size of 100,000 unmonitored web pages. We further show that error rates vary widely between web resources, and thus some patterns of use will be predictably more vulnerable to attack than others.

💡 Research Summary

The paper introduces “k‑fingerprinting,” a novel website fingerprinting attack that leverages a modified random forest ensemble to create robust fingerprints of encrypted or anonymized web traffic. Traditional website fingerprinting attacks rely on classifiers such as SVM, k‑nearest neighbor, or Naïve Bayes, often exploiting fine‑grained features like packet ordering, inter‑arrival times, and size sequences. While effective in closed‑world settings, these approaches degrade sharply in realistic open‑world scenarios and are vulnerable to existing defenses (e.g., traffic morphing, BuFLO, padding).

k‑fingerprinting departs from direct classification. Each decision tree in a random forest maps a traffic instance to a leaf identifier; concatenating the leaf IDs across all trees yields a fixed‑length “fingerprint vector.” The similarity between two traffic traces is measured by the Hamming distance between their fingerprint vectors. For classification, the algorithm finds the k nearest training fingerprints (according to Hamming distance) and declares a match only if all k agree on the label. This k‑nearest‑fingerprint scheme allows the attacker to trade true‑positive rate (TPR) against false‑positive rate (FPR) by adjusting k, something not possible with a plain random‑forest vote.

The authors conduct an extensive empirical evaluation. Two datasets are collected: (1) DS_Norm, captured via a standard browser from 55 popular Alexa sites (30 instances each) plus 7 000 unmonitored sites; (2) DS_Tor, captured via the Tor Browser, containing the same 55 sites plus 30 popular hidden services, with an unmonitored set of 100 000 Alexa sites. In total, more than 101 130 unique websites are examined—an order of magnitude larger than prior open‑world studies.

Key findings include:

• Simple quantitative features (total packet count, total bytes, direction) provide more discriminative power than complex ordering or timing features, because Tor and similar anonymity networks preserve these coarse statistics.
• Using only a fraction (≈10 %) of the total training data still yields high TPR, dramatically reducing the attacker’s initial data‑collection cost.
• Error rates vary widely across individual pages; an attacker can pre‑select pages with low intrinsic error to improve overall success.
• In the closed‑world setting, the random forest alone achieves high accuracy; in the open‑world setting, the k‑fingerprint distance metric outperforms prior state‑of‑the‑art attacks (e.g., CUMUL, k‑NN) even when defenses are applied.
• Against defenses such as packet padding, fixed‑size cells, random HTTP pipelining, and BuFLO, k‑fingerprinting maintains a TPR of 85 % with an FPR as low as 0.02 % when identifying 30 Tor hidden services among 100 000 non‑monitored sites.

The paper also defines a Bayesian Detection Rate (BDR) to capture the practical probability that a positive classification is correct, showing that BDR remains high under realistic priors.

Overall, k‑fingerprinting demonstrates that a random‑forest‑derived fingerprint, combined with a simple Hamming‑distance nearest‑neighbor rule, yields a scalable, accurate, and defense‑resilient website fingerprinting attack. The work highlights the need for stronger, perhaps information‑theoretic, defenses and provides a clear roadmap for future research on both attack mitigation and privacy‑preserving network design.