Abstract

Website Fingerprinting attacks allow an adversary to predict which web pages a victim visits, even when she browses through Tor/VPN, by using Machine Learning classification techniques on the encrypted traffic she produces. To date, the standard method for evaluating Website Fingerprinting defences is testing them against state-of-the-art attacks; this generated a 10 years-long arms race.

This talk presents a practical method for deriving security bounds for Website Fingerprinting defences, which is based on an original application of Machine Learning theory. The method gives, with respect to the set of features used by an adversary, a lower bound estimate of the smallest error the adversary can achieve, for any classifier he may use. This result i) allows practitioners to evaluate and compare defences in terms of their security, and ii) it favours the shift of WF research to a classifier-agnostic identification of optimal features.