Random Segmentation: New Traffic Obfuscation against Packet-Size-Based Side-Channel Attacks
Reviewed by Pithpith:HT4H24GAopen to challenge →
read the original abstract
Despite encryption, the packet size is still visible, enabling observers to infer private information in the Internet of Things (IoT) environment (e.g., IoT device identification). Packet padding obfuscates packet-length characteristics with a high data overhead because it relies on adding noise to the data. This paper proposes a more data-efficient approach that randomizes packet sizes without adding noise. We achieve this by splitting large TCP segments into random-sized chunks; hence, the packet length distribution is obfuscated without adding noise data. Our client-server implementation using TCP sockets demonstrates the feasibility of our approach at the application level. We realize our packet size control by adjusting two local socket-programming parameters. First, we enable the TCP_NODELAY option to send out each packet with our specified length. Second, we downsize the sending buffer to prevent the sender from pushing out more data than can be received, which could disable our control of the packet sizes. We simulate our defense on a network trace of four IoT devices and show a reduction in device classification accuracy from 98% to 63%, close to random guessing. Meanwhile, the real-world data transmission experiments show that the added latency is reasonable, less than 21%, while the added packet header overhead is only about 5%.
This paper has not been read by Pith yet.
Forward citations
Cited by 1 Pith paper
-
Secrets Best Not Shared: DNS Privacy Enhancements for the Constrained IoT
DNS over CoAP with packet length equalization, block-wise transfer, header and payload compression reduces DNS identification accuracy to 77-86% in constrained IoT scenarios, outperforming DNS over HTTPS.
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.