Time-sensitive VPN traffic classification
C. Stoleriu (TU Delft - Electrical Engineering, Mathematics and Computer Science)
G. Smaragdakis – Mentor (TU Delft - Cyber Security)
E. Bassetti – Mentor (TU Delft - Cyber Security)
Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.
Abstract
Globalization and the aftermath of Covid-19 saw an increasing number of people working from home, using their company’s VPN to access various internal resources hosted on enterprise servers. Similarly, VPNs have experienced more widespread use among the general public in recent years as a result of a growing understanding of digital privacy. While previous research has shown that VPNs are vulnerable to fingerprinting, our hypothesis is that attackers can discern even more precise information about VPN traffic. Specifically, because the VPN server and endpoint are hosted physically close in the business use case but not in the internet browsing case, an attacker can exploit the Round Trip Time (RTT) difference to distinguish between the two scenarios.
To compute the RTT of an encrypted VPN connection, we devise a method to identify underlying request-response packet pairs. We target TLS handshakes, using the fact that the order and size of their constituent packets remain unaffected by encryption and consistent among most connections. The latency is computed by subtracting the arrival times of the identified handshake packets. Applying our method on synthetic data, we find that the mean and median RTT of a business-use VPN are lower than those of a private-use VPN, implying an attacker can differentiate between the two scenarios by simply observing encrypted data.
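The pairing-and-subtraction step described above, as an added Python example that is not the thesis's own code. It is useful for checking how much of this timing signal a given VPN deployment exposes to a passive observer. The packet record format, the size windows, the timeout and both sample traces are assumptions constructed for illustration; the abstract does not give the actual thresholds.

```python
from statistics import mean, median

# Assumed size windows in bytes for encrypted tunnel packets (hypothetical values).
CLIENT_HELLO = (250, 700)     # outbound packet that looks like a TLS ClientHello
SERVER_FLIGHT = (1200, 1500)  # inbound packet that looks like the server's first flight
MAX_WAIT = 2.0                # seconds; older candidates are discarded (assumption)

def handshake_rtts(packets):
    """packets: (timestamp_s, direction, size) tuples, direction 'out' or 'in'
    relative to the VPN client. Returns one RTT estimate per matched pair."""
    rtts, pending = [], None
    for ts, direction, size in sorted(packets):
        if direction == "out" and CLIENT_HELLO[0] <= size <= CLIENT_HELLO[1]:
            pending = ts                      # newest candidate request wins
        elif direction == "in" and pending is not None:
            if ts - pending > MAX_WAIT:
                pending = None                # response too late: drop the candidate
            elif SERVER_FLIGHT[0] <= size <= SERVER_FLIGHT[1]:
                rtts.append(ts - pending)     # latency = difference of arrival times
                pending = None
    return rtts

def summarize(packets):
    """Return (mean, median) of the RTT estimates, the statistics the abstract compares."""
    rtts = handshake_rtts(packets)
    return mean(rtts), median(rtts)

# Constructed trace: endpoint hosted close to the VPN server (business use).
BUSINESS = [
    (0.000, "out", 517), (0.004, "in", 90), (0.012, "in", 1400),
    (1.000, "out", 80), (1.500, "out", 520), (1.515, "in", 1380),
    (3.000, "out", 515), (3.011, "in", 1410),
]
# Constructed trace: endpoint far from the VPN server (private browsing use).
PRIVATE = [
    (0.000, "out", 517), (0.085, "in", 1400),
    (2.000, "out", 530), (2.040, "in", 100), (2.110, "in", 1390),
    (5.000, "out", 512), (9.000, "in", 1400),   # exceeds MAX_WAIT, ignored
    (10.000, "out", 517), (10.092, "in", 1405),
]

if __name__ == "__main__":
    for name, trace in (("business", BUSINESS), ("private", PRIVATE)):
        m, med = summarize(trace)
        print(f"{name}: mean={m * 1000:.1f} ms median={med * 1000:.1f} ms")
```

Small unrelated packets between a request and its response do not break the match, and a candidate that never receives a plausible response within the timeout is dropped instead of producing an inflated estimate.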