Random Segmentation: New Traffic Obfuscation against Packet-Size-Based Side-Channel Attacks
Despite encryption, the packet size is still visible, enabling observers to infer private information in the Internet of Things (IoT) environment (e.g., IoT device identification). Packet padding obfuscates packet-length characteristics with a high data overhead because it relies on adding noise to...
Main Authors: | Mnassar Alyami, Abdulmajeed Alghamdi, Mohammed A. Alkhowaiter, Cliff Zou, Yan Solihin |
---|---|
Format: | Article |
Language: | English |
Published: | MDPI AG, 2023-09-01 |
Series: | Electronics |
Subjects: | device fingerprinting; IoT privacy; traffic analysis countermeasure; traffic shaping |
Online Access: | https://www.mdpi.com/2079-9292/12/18/3816 |
_version_ | 1797580466237210624 |
---|---|
author | Mnassar Alyami; Abdulmajeed Alghamdi; Mohammed A. Alkhowaiter; Cliff Zou; Yan Solihin |
author_sort | Mnassar Alyami |
collection | DOAJ |
description | Despite encryption, the packet size is still visible, enabling observers to infer private information in the Internet of Things (IoT) environment (e.g., IoT device identification). Packet padding obfuscates packet-length characteristics with a high data overhead because it relies on adding noise to the data. This paper proposes a more data-efficient approach that randomizes packet sizes without adding noise. We achieve this by splitting large TCP segments into random-sized chunks; hence, the packet length distribution is obfuscated without adding noise data. Our client–server implementation using TCP sockets demonstrates the feasibility of our approach at the application level. We realize our packet size control by adjusting two local socket-programming parameters. First, we enable the TCP_NODELAY option to send out each packet with our specified length. Second, we downsize the sending buffer to prevent the sender from pushing out more data than can be received, which could disable our control of the packet sizes. We simulate our defense on a network trace of four IoT devices and show a reduction in device classification accuracy from 98% to 63%, close to random guessing. Meanwhile, the real-world data transmission experiments show that the added latency is reasonable, less than 21%, while the added packet header overhead is only about 5%. |
first_indexed | 2024-03-10T22:50:25Z |
format | Article |
id | doaj.art-947b827174c54c0d80e451699da9b08d |
institution | Directory Open Access Journal |
issn | 2079-9292 |
language | English |
last_indexed | 2024-03-10T22:50:25Z |
publishDate | 2023-09-01 |
publisher | MDPI AG |
record_format | Article |
series | Electronics |
spelling | doaj.art-947b827174c54c0d80e451699da9b08d; 2023-11-19T10:21:45Z; eng; MDPI AG; Electronics; 2079-9292; 2023-09-01; 12; 18; 3816; 10.3390/electronics12183816; Random Segmentation: New Traffic Obfuscation against Packet-Size-Based Side-Channel Attacks; Mnassar Alyami (0), Abdulmajeed Alghamdi (1), Mohammed A. Alkhowaiter (2), Cliff Zou (3), Yan Solihin (4); affiliation (0-4): College of Engineering and Computer Science, University of Central Florida, Orlando, FL 32816, USA; https://www.mdpi.com/2079-9292/12/18/3816; device fingerprinting; IoT privacy; traffic analysis countermeasure; traffic shaping |
title | Random Segmentation: New Traffic Obfuscation against Packet-Size-Based Side-Channel Attacks |
topic | device fingerprinting; IoT privacy; traffic analysis countermeasure; traffic shaping |
url | https://www.mdpi.com/2079-9292/12/18/3816 |