NSDI '26 - Defending Against Traffic Analysis Attacks with Flexible In-Network Obfuscation

USENIX Association
Jun 2, 2026

Why It Matters

By eliminating third-party dependencies and dramatically cutting bandwidth overhead, Securitas makes large-scale traffic-analysis mitigation practical for both data-center and edge networks, protecting user privacy while preserving high-speed connectivity.

Key Takeaways

  • New framework "Securitas" obfuscates traffic without third-party proxies.
  • Uses packet fragmentation and low-TTL packet insertion, guided by a neural policy.
  • Policy-gradient training minimizes attack accuracy while limiting bandwidth overhead.
  • Implemented on P4 switches; achieves 95 Gbps throughput in hardware.
  • Reduces traffic-analysis attack success by 96% with 42× lower overhead.

Summary

The NSDI '26 presentation introduced "Securitas," a flexible in-network obfuscation system designed to thwart traffic-analysis attacks without relying on external proxy services. By moving the obfuscation logic to the user's edge network, the framework eliminates the need for cooperation from commercial VPN providers and enables dynamic protection directly within programmable switches.

Securitas combines two core operations to mask the size, timing, and direction features observable to an attacker: packet fragmentation based on IP behavior, and low-TTL packet insertion that triggers ICMP replies. A neural agent, trained via policy-gradient feedback from a proxy DNN that simulates an adversary, selects when and how to apply these operations, balancing attack-evasion effectiveness against bandwidth overhead. The loss function incorporates prediction accuracy, added bytes, and similarity constraints to ensure robustness against unknown attackers.
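To make the two primitives concrete, here is an added toy simulation (not code from the Securitas authors) that applies IP fragmentation and low-TTL probe insertion to a constructed packet trace and computes the added-bytes cost term of the loss. The header sizes, the 56-byte ICMP reply size, the sample trace and the fixed demo policy that stands in for the trained neural agent are all assumptions made for illustration.

```python
# Added example (not the paper's code): toy model of the two Securitas
# primitives and the added-bytes term of its loss. Assumed sizes: 20-byte
# IPv4 header, 8-byte fragment unit, 56-byte ICMP Time Exceeded reply.
from dataclasses import dataclass

IP_HDR = 20
ICMP_TIME_EXCEEDED = 56  # IP + ICMP header + first 28 bytes of the expired datagram

@dataclass(frozen=True)
class Pkt:
    size: int       # bytes on the wire (IP header + payload)
    direction: int  # +1 client -> server, -1 server -> client

def fragment(pkt, max_payload):
    """IP-fragment one datagram: each fragment repeats the IP header; all but the last carry a multiple of 8 payload bytes."""
    chunk, payload = max_payload - max_payload % 8, pkt.size - IP_HDR
    if chunk <= 0 or payload <= chunk:
        return [pkt]
    frags = []
    while payload > 0:
        frags.append(Pkt(IP_HDR + min(chunk, payload), pkt.direction))
        payload -= chunk
    return frags

def insert_low_ttl(pkt, probe_size):
    """Send a short-TTL probe with pkt; the hop where it expires answers with ICMP Time Exceeded (one extra packet each way)."""
    return [Pkt(probe_size, pkt.direction), pkt,
            Pkt(ICMP_TIME_EXCEEDED, -pkt.direction)]

def obfuscate(trace, policy):
    """policy(pkt) -> ('frag', max_payload) | ('insert', probe_size) | ('none', 0); a fixed rule stands in for the neural agent."""
    out = []
    for pkt in trace:
        op, arg = policy(pkt)
        out.extend(fragment(pkt, arg) if op == 'frag' else
                   insert_low_ttl(pkt, arg) if op == 'insert' else [pkt])
    return out

def overhead(orig, obf):
    """Added bytes as a fraction of the original trace (the cost term the policy is trained to keep small)."""
    o = sum(p.size for p in orig)
    return (sum(p.size for p in obf) - o) / o

# Constructed sample trace: a request, two full-size response packets, an ACK.
SAMPLE = [Pkt(100, 1), Pkt(1500, -1), Pkt(1500, -1), Pkt(60, 1)]

def demo_policy(pkt):  # fragment big downstream packets, probe alongside small upstream ones
    if pkt.size > 1000:
        return ('frag', 700)
    return ('insert', 40) if pkt.direction == 1 else ('none', 0)
```

Run `obfuscate(SAMPLE, demo_policy)` to see the 4-packet trace become 12 packets whose size and direction pattern no longer matches the original, at an added-bytes cost of about 8.6%.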

The authors demonstrated the approach on P4-compatible hardware and software switches, achieving 95 Gbps outbound throughput and a 1.8× faster page-load time compared with prior solutions. In controlled experiments, attack-classification accuracy dropped by 96% while bandwidth overhead was reduced 42-fold. Real-world tests across 20 web sites and IoT hubs confirmed minimal latency impact, with most sites experiencing sub-150 ms delays.

If adopted, Securitas could reshape how enterprises and service providers defend encrypted traffic, offering a scalable, low-cost alternative to heavyweight padding or proxy-based schemes. Its learning-driven, hardware-agnostic design promises rapid deployment across existing network fabrics, strengthening privacy without sacrificing performance.

Original Description

NSDI '26 - Defending against Traffic Analysis Attacks with Flexible In-Network Obfuscation
Guorui Xie and Qing Li, Pengcheng Laboratory; Zhenning Shi, Tsinghua Shenzhen International Graduate School; Gianni Antichi, Politecnico di Milano; Yijia Zhu, Xidian University; Kejun Li and Changxing Weng, Pengcheng Laboratory; Sebastiano Miano, Politecnico di Milano; Yong Jiang, Tsinghua Shenzhen International Graduate School and Pengcheng Laboratory; Mingwei Xu, Tsinghua University
Traffic analysis attacks can exploit side channels in encrypted traffic (e.g., packet sizes) to infer user activities. Existing defenses provide weak protection, impose excessive bandwidth overhead, or require hard-to-deploy coordination. We present Securitas, a novel network traffic obfuscation framework that protects from side-channel attacks using a learning-guided mix of packet fragmentation and insertion. We implemented Securitas on a number of different data planes: Tofino switch, AMD/Xilinx FPGA, eBPF, and BMv2. Experiments show that Securitas reduces attack accuracy by up to 95.89%, while consuming 42.69× less bandwidth than prior defenses. Real-world Internet tests confirm minimal performance impact, e.g., adding 0.15s to the web page load.
