User Identification in Dynamic Web Traffic via Deep Temporal Features

Modern web applications rely heavily on dynamic content, i.e., page updates made by the browser using an XMLHttpRequest and more recently the JavaScript Fetch API. These requests are often made on behalf of user actions, such as typing on the keyboard or pointing at an HTML element. As a result, the timings of the user’s actions are strongly correlated with the timings of packets that carry these events. In this work, we examine several dynamic web applications and the ability to measure human behavior in encrypted network traffic by using deep temporal features. Our approach relies on the ability to accurately detect a subset of packets that correspond to user actions. Leveraging recent work in keystroke dynamics, we show that user identification can be performed with modest accuracy utilizing the packet timings induced by a user typing into a search engine. While this tool could be used by forensic investigators to perform target identification among encrypted network traffic, it also raises a privacy concern in which an on-path remote adversary able to detect these packets may infer user behaviors.