Go to DBLP homepage6RIS: IPv6 Address Correlation Attacks on TLS Encrypted Traffic Using Joint Representation of Interaction and Sequential Behavior
Abstract: IPv6 address correlation attacks determine whether two temporary addresses belong to the same user, compromising user privacy. Particularly, existing works have shown that methods based on TLS traffic analysis can be used to perform correlation attacks. However, they suffer from inaccurate differentiation of complex user behaviors and low correlation efficiency, leading to limitations in practical applications. In this paper, we propose a 6RIS model to improve IPv6 address correlation attacks on TLS-encrypted traffic. 6RIS learns the joint representation of interaction and sequential behavior from traffic, which is used to construct a KD-Tree for efficient correlation. Statistical aggregation and semantic preference modules are designed to extract generalized features from complex interaction behavior. To model sequential behavior, we utilize a sequence learning module to capture service dependencies, enhancing behavior representation. Experiments on a real-world IPv6 dataset show that 6RIS ($\mathbf{9 1. 8 6 \%}$ TPR, $\mathbf{0. 8 3 \%}$ FPR) outperforms state-of-theart methods. The correlation efficiency of 6RIS improves by at least 57 % compared to existing methods. Additionally, we further confirm through 6RIS that persistent session IDs in TLS session resumption can directly expose IPv6 temporary addresses to correlation attacks.
External IDs:dblp:conf/iwqos/LiLGCXLZG25
Loading