"Keeping Web-Browsing Data Safe From Hackers"

Threat actors can use Machine Learning (ML) to execute strong attacks that steal information in difficult-to-prevent and often-difficult-to-study ways. Data that leaks between software programs running on the same machine can be captured by attackers. They can then decode the signals using ML techniques, thus allowing them to extract passwords or other secret information. These are referred to as "side-channel attacks" since the information is obtained using a channel not meant for communication. Researchers at MIT have shown that side-channel attacks assisted by ML are both highly robust and poorly understood. Using ML algorithms is a challenge because their complexity makes them difficult to fully understand. In a new paper, the researchers studied a documented attack thought to work by capturing signals leaked when a computer accesses memory. They discovered that the mechanisms behind this attack were misidentified, preventing researchers from developing effective defenses. In order to study the attack, they removed all memory accesses and noticed the attack became even more powerful. Then they looked for sources of information leakage and found that the attack monitors events interrupting other programs on a computer. The team demonstrated the possible use of this ML-assisted attack by an adversary to exploit a security hole and determine what website a user is browsing. With this information, they devised two tactics to counter this attack. The first security strategy they developed involves a browser extension that generates frequent interrupts (i.e., pinging random websites to create bursts of activity). The added noise makes signal decoding significantly more difficult for the attacker. This reduced the attack's accuracy from 96 percent to 62 percent but decreased the computer's performance. For their second countermeasure, they altered the timer to return values close to, but not identical to, the actual time, making it more difficult for an attacker to measure the computer's activities over time. This mitigation reduced the attack's accuracy from 96 percent to 1 percent. This article continues to discuss the MIT researchers' analysis of a website-fingerprinting attack and the strategies they developed to reduce the attack's chances of success. 

MIT News reports "Keeping Web-Browsing Data Safe From Hackers"