Website Fingerprinting (WF) enables a passive attacker to identify which website a user is visiting over an encrypted tunnel. Current WF attacks have two strong assumptions: (i) specific tunnel, i.e., the attacker can train on traffic samples collected in a simulated tunnel with the same tunnel settings as the user, and (ii) pseudo-open-world, where the attacker has access to training samples of unmonitored sites and treats them as a separate class. These assumptions, while experimentally feasible, render WF attacks less usable in practice. In this paper, we present Gene Fingerprinting (GF), a new WF attack that achieves cross-tunnel transferability by generating fingerprints that reflect the intrinsic profile of a website. The attack leverages Zero-shot Learning — a machine learning technique not requiring training samples to identify a given class — to reduce the effort to collect data from different tunnels and achieve a real open-world. We demonstrate the attack performance using three popular tunneling tools: OpenSSH, Shadowsocks, and OpenVPN. The GF attack attains over 94% accuracy on each tunnel, far better than existing CUMUL, DF, and DDTW attacks. In the more realistic open-world scenario, the attack still obtains 88% TPR and 9% FPR, outperforming the state-of-the-art attacks. These results highlight the danger of our attack in various scenarios where gathering and training on a tunnel-specific dataset would be impractical.

In machine translation (MT) mediated human-to-human communication, it is not an easy task to select the languages and translation services to be used as the users have various language backgrounds and skills. Our previous work introduced the best-balanced machine translation mechanism (BBMT) to automatically select the languages and translation services so as to equalize the language barriers of participants and to guarantee their equal opportunities in joining conversations. To assign proper languages to be used, however, the mechanism needs information of the participants' language skills, typically participants' language test scores. Since it is important to keep test score confidential, as well as other sensitive information, this paper introduces agents, which exchange encrypted information, and secure computation to ensure that agents can select the languages and translation services without destroying privacy. Our contribution is to introduce a multi-agent system with secure computation that can protect the privacy of users in multilingual communication. To our best knowledge, it is the first attempt to introduce multi-agent systems and secure computing to this area. The key idea is to model interactions among agents who deal with user's sensitive data, and to distribute calculation tasks to three different types of agents, together with data encryption, so no agent is able to access or recover participants' score.

User privacy preservation is critical to prevent many sophisticated attacks that are based on the user's server access patterns and ID-related information. We propose a password-based user authentication scheme that provides strong privacy protection using one-time credentials. It eliminates the possibility of tracing a user's authentication history and hides the user's ID and password even from servers. In addition, it is resistant against user impersonation even if both a server's verification database and a user's smart card storage are disclosed. We also provide a revocation scheme for a user to promptly invalidate the user's credentials on a server when the user's smart card is compromised. The schemes use lightweight operations only such as computing hashes and bitwise XORs.