Efficient yet Robust Privacy Preservation for MPEG-DASH-Based Video Streaming

MPEG-DASH is a video streaming standard that outlines protocols for sending audio and video content from a server to a client over HTTP. However, it creates an opportunity for an adversary to invade users’ privacy. While a user is watching a video, information is leaked in the form of meta-data, the size of data and the time the server sent the data to the user. After a ﬁngerprint of this data is created, the adversary can use this to identify whether a target user is watching the corresponding video. Only one defense strategy has been proposed to deal with this problem: diﬀerential privacy that adds suﬃcient noise in order to muddle the attacks. However, that strategy still suﬀers from the trade-oﬀ between privacy and eﬃciency. This paper proposes a novel defense strategy against the attacks with rigorous privacy and performance goals creating a private, scalable solution. Our algorithm, “No Data are Alone” (NDA), is highly eﬃcient. The experimental results show that our scheme is more than two times eﬃcient in terms of excess downloaded video (represented as waste) compared to the most eﬃcient diﬀerential privacy-based scheme. Additionally, no classiﬁer can achieve an accuracy above 7.07% against videos obfuscated with our scheme.


Introduction
Server to client video streaming is commonly encrypted and is characterized by a series of requests from client to server and subsequent fulfillment of these requests from server to client. Popular online streaming services, such as YouTube and Netflix, all share the industry standard MPEG-DASH, a protocol for server to client video streaming over HTTP. Chosen ubiquitously in the industry for its high performance, in spite of the widespread use of cryptography today, the standard has a weakness: it can be exploited by a side channel attack, allowing for an adversary to compromise user privacy by determining whether or not a user is streaming any video chosen by the adversary. With YouTube being used both for recreation and as an educational hub, there are many things a user might not want to expose. It is possible for an adversary to steal sensitive information about a user's health, personal relationships, possessions, or future actions, including, for example, how to make a house appear occupied while on vacation.
One of the components of MPEG-DASH that allows it to become an effective attack surface is the reliance on variable bit-rate encoding (VBR). Bit-rate is the measure of bits per second being sent across a system; in the case of video streaming, it is the amount of bits needed to encode one second of video that is sent from server to client. is number of bits can be fixed, constant bit-rate encoding (CBR), or vary depending on the content to be sent. VBR is a double-edged sword. It allows for efficient use of storage and high quality streaming but also allows a unique fingerprint to be made for a video. VBR only sends as many bits as needed to render each segment of video, making it far less wasteful than CBR, and that is the reason it is widely used instead of CBR. In a video encoded by VBR, a high action scene will require more bits and have a relatively higher bit-rate, and a lower action scene will require a lower bit-rate. MPEG-DASH breaks videos into time segments of approximately the same length [1], and a client will only request a new video segment when its buffer falls below the threshold. us, a client creates uniquely sized bursts of traffic over time, which can be used as a fingerprint for a video. Researchers have created various attack models based on this information [2][3][4][5].
e most effective of these attacks was introduced by Schuster et al. [2]; its effectiveness is due to the fact that it makes no closed world assumptions, has high accuracy, and can be executed by JavaScript code (e.g., in the form of a malicious web browser advertisement). is attack relies on a Convolutional Neural Network (CNN) that is trained on the meta-data of the target video to be identified, and other video bit-rate measurements are used for negative examples. e adversary measures video stream bursts by saturating the network connection between the client and the server and then estimating the change in congestion; a form of timing side channel attack is used against schedulers [6].
is saturation allows the adversary to learn the victim traffic pattern and, consequently, the video burst pattern. is attack was used to great effect, and the YouTube video classifier from the paper had 98.8% recall and 0 false positives [2]. e defense against these attacks is straightforward in principle, but its implementation requires careful consideration because of the potential computational overhead. To stop the bit-rate streaming pattern from being able to be identified by an adversary, the streaming pattern must be obfuscated. To the best of our knowledge, the only defense algorithm was proposed by Zhang et al. [7]. is paper focused on defending against the CNN attack model mentioned above [2]. e work done in this paper uses differential privacy, specifically d * − privacy [8], which is adjusted for time series data, and the Fourier Perturbation Algorithm (FPA k ) which was proposed by Rastogi and Nath [9]. e goal of the defense is to create an obfuscated bit-rate pattern with differential privacy and then use a proxy in the form of a browser extension to send segment requests based on this differentially private pattern. ese methods were able to successfully reduce the accuracy of the CNN model below 50%, but incurred waste in the form of extra downloaded material or ran a deficit by not downloading enough material. Differential privacy always trades a lack of utility in exchange for privacy; in this case, the waste incurred by this solution is a hindrance when watching video streams, especially on already computationally weak mobile devices.
In light of the computational constraints of many users, seeking to find a bit-rate request pattern that was not random but efficient, we pursued K-Means clustering. e centroid of a cluster in K-Means clustering would provide us with an average of all videos in that cluster, so this pattern would be representative of many videos and thus can be used to obfuscate efficiently by replacing a video with its centroid pattern. Sometimes, a cluster may only have one data point (video), making the cluster's centroid equal to the video in the cluster. Obfuscation with this centroid would provide no privacy. Because of this, K-Means cannot be used without augmentation.
Our proposed defense scheme "No Data are Alone" (NDA), an augmented version of K-Means, clusters videos based on bit-rate over time. We then use the cluster centroids as the new pattern for video requests to be sent, creating an efficient request pattern. Our privacy is shown through experimentation and formally. We recreate the CNN video classifier [2] to show our scheme's effectiveness. In addition to the experimentation done to show our scheme's privacy, we give a formal privacy definition that is based on the L 1 norm, in order to give a broader view of privacy beyond just one attack. When compared to differential privacy, our method significantly reduces computational waste while providing higher privacy. e contributions of our paper are summarized as follows: (i) An effective and novel defense scheme that generates an optimal request pattern called "No Data are Alone" (NDA) is proposed (ii) e time complexity of our scheme is compared with the differential privacy schemes; it has not been shown previously for the differentially private schemes (iii) Multiple attack CNNs are created and trained on unobfuscated data and noised data, and detailed explanations of how they are trained are given. (iv) ese CNNs are then used for a thorough evaluation f privacy provided by our scheme compared to differentially private schemes (v) e privacy of both schemes is evaluated using a privacy definition based on the L 1 norm, and the results show that our scheme outperforms differential privacy e remainder of this paper is organized as follows: Section 2 gives necessary background knowledge, and then Section 3 lays out the problem description. Section 4 introduces our proposed scheme in detail, and Section 5 details implementation and experimental methods. Section 6 shows the results of our evaluations. Section 7 introduces some notable related research results. Finally, we conclude this paper in Section 8. e MPD is an XML file that outlines the video segments available for each quality level, along with other characteristics needed for streaming. e DASH client then parses this file and determines the appropriate quality, segments to request, and other information. en it begins streaming using HTTP GET requests [1].

Background
MPEG-DASH uses VBR, an often used means of encoding video streams because of its efficiency. VBR encodes only as much of a video file as is necessary. Meaning that scenes in a video have a comparatively higher or lower bit-rate depending on what takes place in the stream at that point in time. DASH mandates that the video is streamed in segments, with each being requested when a user falls below their buffer threshold. e segment sizes (bits) are based on video display time. Video display time can be of variable sizes or held constant [1] but is most often held constant. Because of variable bit-rate encoding, each segment contains a different amount of bytes.
In addition to using VBR and standardized segment sizes with MPEG-DASH, video streaming is bursty [10] because there are periods when new segments are being requested, which causes a spike in bits being sent from server to client; then, there are break periods where no bits are requested.
is combination of variable bit-rate segments, size standardized segments, and bursty segment request patterns led researchers to develop a successful traffic analysis attack that uses this data as a fingerprint. A visualization of a video's unobfuscated bit-rate over time can be seen in Figure 1.

K-Means.
K-Means is an unsupervised learning algorithm that clusters data points into discrete groups. Let S be a finite set of vectors, i.e., S � x 1 , . e algorithm first requires k ∈ N * as input, where N * is a set of all positive whole numbers excluding 0, and then instantiates a set of clusters C � C 1 , C 2 , . . . , C k . Once C is created, the algorithm instantiates a set of means M � m 1 , m 2 , . . . , m k , where m i ∈ R n is initialized randomly or with an algorithm such as K-Means++. For each cluster C i ∈ C, m i ∈ M is considered to be its centroid. After the initialization of means, each vector x i ∈ S is assigned to a cluster C j ∈ C based on the minimum Euclidean distance between x i and m j . More specifically, for each mean m j ∈ M, the Euclidean distance between x i and m j defined by (1) is computed.
en, x i is assigned to the cluster C j whose centroid m j is the closest to (1) After the assignment phase, each cluster C i ∈ C should be a subset of S and given another cluster C j , with i ≠ j, Finally, m j , the centroid of C j , is updated as in the following equation: where x (C j ) i represents the vector in C j at position i. e assignment and centroid update process is repeated until the value of each centroid remains constant.

Traffic Analysis Attack.
e traffic analysis attack against MPEG-DASH video streaming relies on side channel information to identify the video a user is streaming. During video streaming, a client requests video segments from the server at regular intervals. e video segments themselves are encrypted, but the meta-data including packet size and arrival times are visible at the application layer to any adversary on the network [2]. e bit-rate data seen by the adversary can be used to determine whether or not a user is streaming a specific video selected by the adversary. Multiple approaches, both algorithmic and machine learning based, have been taken to use this data for malicious purposes. e algorithmic approaches [3,4] seek to measure similarity between the user's bit-rate data and the adversary's prerecorded bitrate data for a specific video. e machine learning approaches [2,5] seek to predict whether or not a user is watching the video selected by the adversary. Schuster et al. introduced a traffic analysis attack based on a CNN and extended it to work in a web browser; it is executed by JavaScript code that saturates a victim's connection to a server and then measures the traffic changes [2]. More information about the attacks and their implementation is included in Section 7.
However this attack is implemented, whether by machine learning or an algorithmic approach, the data it relies on is the same. e vital information being leaked is the size of the packets and the times of their delivery, which allow an adversary to observe the rate at which bits are sent, or the bitrate of the video stream. e unobfuscated graph in Figure 1 is a graphical representation of the format of this bit-rate data. Because of MPEG-DASH and VBR, these bit-rate patterns are a unique fingerprint for at least 20% of videos when analyzed theoretically [2], though all implementations of this attack show accuracy values above 90% for video identification.
For this attack, we make two assumptions. First, we assume a polynomial time adversary, that is, an adversary restricted to practical means of attack. Second, we assume that the adversary is external and cannot be executing their attack from the server side.

Problem Definition.
Creating a defense mechanism for this attack is in theory straightforward. e video request pattern, seen as bit-rate by the adversary, must be changed so that an adversary can no longer use this information to compromise user privacy. In practice, there are more considerations, primarily computational efficiency. Video streaming is a computationally expensive process, and if a request pattern is obfuscated too much, it will cause video lag or video buffering because not enough data is being sent or, conversely, because excess data is being downloaded. To the best of our knowledge at the time of this writing, only one defense strategy has been proposed, by Zhang et al. [7]. It leverages differential privacy and works by setting a proxy between the client and server in the form of a browser extension. e extension perturbs the video segment request pattern using differential privacy. Differential privacy adds noise to data; in the case of video streaming, this noise changes the time intervals of the requests from the client and the amount of data requested by the client. e defense scheme proposed by Zhang et al. [7] leverages two differential privacy methods for obfuscation, d * − privacy and FPA k .
While the strategy of video request pattern obfuscation with differential privacy successfully defended against the CNN based attack proposed by Schuster et al. [2], there was computational overhead incurred by the defense because of the use of differential privacy, which always trades utility for privacy. Because of this and the need for scalability in the field of video streaming, we sought to create a more efficient defense solution.
In our attempt to define constraints for a more efficient, private solution, we considered that a defensive scheme should improve with more available data, growing more robust over time. Additionally, we assert that the solution must be scalable, considering the scale of the video streaming industry, the number of users who stream on computationally constrained mobile devices, and the computational cost of video streaming.

Privacy Definition.
We sought to create a formal privacy definition to reach beyond the privacy shown through experimental results and give a more in depth view of the privacy being provided. Drawing on the attack paper by Schuester et al. [2], we used the L 1 norm as the basis of our privacy definition. e L 1 norm can be defined for two vectors, a, b ∈ R n , by the following equation: For this privacy definition, we consider two vectors, x and y. Let the vector x represent video byte data recorded at a constant interval t � 0.25 seconds over a time space T. Let y represent the vector x after obfuscation. In the paper by Schuester et al. [2], the adversary was successfully able to identify a video if the L 1 norm between the recorded data v and the attacker's fingerprint y was less than 3,500,000 bytes.
To make a robust privacy model, we reduced this threshold to 2,200,000 bytes so that videos must have an increased level of privacy, making the scenario more favorable to the attacker.
We also used this privacy definition to compare our proposed scheme, NDA, to differential privacy [7]. For our own scheme, privacy is twofold. ere is privacy given by the obfuscation of the original video, and there is privacy given by belonging to a cluster with a high number of videos. If a cluster has 10 videos, guessing at random, the adversary has a 10% chance of guessing the correct video even if the adversary has full knowledge of which videos are in the cluster. erefore, for our scheme, we multiply the L 1 norm by the number of items in the cluster to account for the extra privacy provided by being included in a cluster with an increasingly large number of data. Additionally, this will account for the degradation of privacy that comes when the number of clusters increases, causing the number of videos per cluster to decrease. Letting C be a cluster, we show our scheme's privacy by (|C| × ‖x − y‖ 1 ) ≤ 2, 200, 000. is privacy threshold of 2,200,000 bytes is further validated with the accuracy levels shown later in the experimentation. For differential privacy, we used only the L 1 norm as the privacy measure, represented by ‖x − y‖ 1 ≤ 2, 200, 000, because all the privacy given by differentially private solutions comes from noise added. It is therefore logical to conclude that a measurement of the distance between two vectors because of added noise in order to preserve privacy will give a clear view of the level of privacy provided.  video should be downloaded. Waste can be defined as the opposite, the amount of extra video that is being downloaded and that does not need to be. Let a ∈ R n be a vector that represents the original unobfuscated video pattern and let b ∈ R n be a vector that represents the obfuscated video pattern.

4.2.
Overview. Our proposed scheme, "No Data are Alone" (NDA), seeks to find an efficient and effective way to obfuscate video requests from a client. Figure 2 depicts our overall scheme in detail, and Table 1 gives definitions of notations used in this section to define our scheme. In our proposed scheme, the server has a database of all video segment request patterns from which a random subset will be selected to fit a K-Means algorithm on. Let a video request pattern be defined as a vector x ∈ R n , where x i represents video i sent from the server to the client. Let S � (x 1 , . . . , x l ) be the set of video request patterns. In our scheme, the server has knowledge of S and its contents. When a client selects a video whose request pattern is x i ∈ S, this video request pattern x i is altered by our algorithm NDA so that its value is now y i . As a client streams a video, the client will send requests to the server. Each request is filled with a segment of video that can be defined as x i,n from the vector x i . In an unaltered system, the vector x i is defined progressively by the size of data sent from the server to the client, with the size of each video request x i (in bytes) being dependent on the content of the video clip, the desired streaming quality, and the quality of the network the client is streaming from. Under our proposed scheme, the requests are not filled according to the request of the client, but according to the vector y i .
In order to preserve video streaming quality, the vector y i is defined by our algorithm and minimizes the two metrics defined in Section 4.1.
Our algorithm is an augmentation of K-Means clustering. We use K-Means clustering instead of other clustering algorithms because K-Means clustering provides a centroid. is centroid is the average of all values in the cluster and is crucial to our scheme. With another clustering algorithm, we would need to compute the value of the centroid ourselves. One of the advantages to using K-Means clustering is that initialization is different each time the model is fit, and therefore cluster distribution is also different with each fitting. e implication of this is that even if the attacker knows the full set of videos and performs his own clustering, he will not receive the same cluster distributions. Accordingly, if the adversary determines that the target video V is in his cluster, Cluster 1, this will not necessarily be true in the defensive schemes cluster distribution.
In our scheme, first, we apply K-Means clustering to the set of videos S. In a naive approach, the centroid m j of a cluster C j , which is defined as a vector m j � (m j,1 , m j,2 , . . . , m j,n ) that has identical dimensions with video segments and is calculated by (2), can then serve as an obfuscated pattern for each video x i ∈ C j . eoretically, since there are multiple videos in each cluster, the adversary cannot distinguish between them if they are all streamed with the same (centroid) pattern. In practice, the naive approach encounters problems, and this theory does not hold (see Figure 3).
While clustering data, it is inevitable that some data points x will be alone in a cluster C. When this is the case, the mean m calculated will be equal to the data point x so that this instance can be shown by considering where |C| � 1 and x (C) i indicates x i ∈ C. In this case, implementation of the naive algorithm would result in the obfuscated pattern y i being equal to x i , and no privacy would be provided. To combat this, we developed "No Data are Alone" (NDA). e assumptions made by our algorithm are as follows: a user will request video segments (x i,1 , x i,2 , . . . , x i,n ) ∈ x i for some video x i , and the server will fulfill these requests with an obfuscated pattern y i . e server has a database of videos S and an NDA model N that is fit on a random subset of these videos. Whenever a video x i is requested by the user, the server must compute y i . is computation is the same as the assignment step in K-Means. Instead of directly returning this result as y i , our algorithm will check the value of |C j |. If this value is 1 (meaning the data is alone in a cluster), our algorithm performs a new assignment.
Our algorithm's reassignment step is based on the minimization of waste + deficit instead of Euclidean distance and requires |C j | > 1 so that the cluster assignment C j of a video x i will not be alone in a cluster, ensuring privacy and an obfuscated pattern y i that minimizes waste and deficit when compared to all other cluster patterns M � m 1 , m 2 , . . . , m k . Our algorithm can be represented as follows:

Security and Communication Networks
For Algorithm 1, let M be a list of the cluster centroids, where m j ∈ M is the centroid of a cluster C j . x represents the video segment to be made private, and y is the video segment after obfuscation. All cluster centroids are evaluated to determine which cluster assignment C j produces the lowest value of waste + deficit.

Client Side vs. Server
Side. In our scheme, the defense is implemented at server side. We chose server side implementation because we considered that the server already has full knowledge of the video the user is watching and any information about the user that has been given to the site either voluntarily (i.e., creating an account) or automatically (i.e., IP address). Additionally, the server side implementation is ideal from a computation perspective, giving the burden to the server and not the client. is is especially important considering the high number of users who access video streaming websites from mobile devices.
However, it can be argued that there are privacy advantages to considering the server as an untrustworthy third party. When considering this, we postulate that our scheme could be implemented on the client side. For our scheme to work on the client side, we must implement it using one of two ways: In the first way, the client side application must have knowledge from the server about the possible videos that are going to be watched, so that the client side can perform cluster prediction. In order for our scheme to be executed, there must be a prefit NDA model.
is prefit model will be downloaded onto the client side with a browser extension that controls the implementation. Each prefit NDA model will have random initialization so that each model is unique. Over time, the model will refit as the client watches more videos, making it totally unique. When a client searches a video, the video provider shows a long list of videos that match search suggestions. e client would then query the video provider for the bit-rate pattern of these videos. e bit-rate pattern of each (starting with the best     match) would be predicted by the NDA algorithm to determine the centroid. e video request pattern would then be changed to that of the centroid.
Alternatively, the client side application could cluster the video based on only the first 10 seconds of the video, not enough for the adversary to use for classification. e video would stream regularly for the first 10 seconds, and then this data would have its cluster predicted by the prefit NDA model on the client side. After successful prediction, the video request pattern would then be changed to the predicted cluster's centroid.

Cluster Recreation Probability.
Our proposed scheme maps multiple inputs to one output. Multiple videos are in any given cluster, and these videos will all have their patterns obfuscated to the same cluster centroid pattern. When mapping multiple videos to one centroid, the probability of guessing which video is mapped to the output is dependent on the number of videos in the cluster. If there are 10 videos in the cluster, the probability of guessing based on the output would be 10%. A concern for a scheme that provides privacy in this way is the recreation of the same mapping. In the case of our scheme, NDA, the adversary would have to produce the same cluster distribution. In our scheme, we performed clustering on 40 videos (though this number could greatly increase in real world implementation).
To consider the privacy given by our scheme more fully, we consider the possibility of the adversary recreating the same cluster distribution used by our defensive scheme. We give the adversary full knowledge of all 40 videos that were used to perform the NDA algorithm. Using this knowledge, the adversary is allowed to perform his own clustering to attempt to obtain the same distribution as our proposed scheme. A cluster distribution can be defined as which videos belong to which clusters; i.e., there are 4 videos in cluster 1, 12 videos in cluster 2, etc. If the adversary is able to obtain a distribution with the same videos in the same cluster as the defensive scheme distribution, it would be a breach of privacy.
For the cluster initialization algorithm in our scheme, we use K-Means++ [11].
is algorithm will determine the probability of obtaining the same cluster distribution twice.
is algorithm randomly selects a data point as a starting cluster centroid and then initializes the rest of the cluster centroids with probabilities proportional distance from the chosen data point; i.e., a cluster with a distance closer to the chosen centroid has a lower probability of being chosen as the next centroid, while a data point that is the furthest away from the initial cluster centroid has the highest probability of being chosen. is means that with K-Means++ there are 40 possible initial data points to choose in our dataset. is means the adversary has at most a 1/40 or 2.5% chance of producing the same initial cluster centroid. e probability of maintaining the same cluster distribution degrades with each subsequent assignment. Additionally, the adversary has no way of knowing if he has successfully produced the same cluster.

Data Collection.
Data collection was automated using tshark by Wireshark (http://www.wireshark.org) and Selenium (http://www.selenium.dev). We collected data from YouTube, and only videos of 20+ minutes were captured, ad content was filtered out, and video quality was kept constant (720p). We recorded the server to client bit-rate of each video in segments of 0.25 seconds. We collected a dataset of 41 different hand selected videos. e bit-rate data of each of these 41 videos was collected for 100 captures each, and each capture only lasted for exactly 20 minutes. With a 20 minute long capture that captured data every 0.25 seconds, each Input: M, x (1) let min_waste � 0 (2) let min_deficit � 0 (3) let y ∈ R n (4) for m k in M where k � (1, . . . , l) do let C be the cluster corresponding to m k (5) if |C| � 1 then (6) remove m from M end end ese videos were not used during experimentation but are used in Figure 4 to elaborate on our scheme. e collected dataset is available from our website (IIS Lab: http://i2s. kennesaw.edu/resources.html).

Comparison of Defense Schemes.
To evaluate the performance of our scheme NDA compared to the proposed scheme of Zhang et al. [7], we implemented d * − privacy and FPA k exactly the same as Zhang et al. with one modification. e value for k in the paper by Zhang et al. was set as 10, and their video length was 720. Our video length was 4800, so accordingly we increased k to 67. e unobfuscated graph in Figure 1 is a graph of the data exploited by this attack, bit-rate over time. e bursty nature of video streaming can be seen here; the graph continues at a low number of bytes, and then a large spike (burst) in the graph occurs when a client's request is filled. A graph of our defensive method NDA and graphs of each differential privacy method are shown to add a deeper analysis of each method, beyond just the waste and deficit measure in Section 6.
e NDA graph in the bottom right of Figure 1 is a graphical representation of the obfuscation that our proposed scheme creates. Our scheme provides obfuscation by computing an average of many video patterns like the unobfuscated graph at the top. is average is the cluster centroid. Because the centroid is the average of multiple videos, NDA has slightly smaller bursts than the unobfuscated pattern but still retains the bursty nature. In the experimentation from which this graph was derived, 36% of videos were assigned to this cluster. In our scheme, the 36% of videos assigned to this cluster will be obfuscated with the pattern shown in the NDA graph in Figure 1.
e FPA k graph in Figure 1 is a representation of obfuscation by FPA k , which relies on a Fast Fourier Transformation, addition of Laplacian noise, and subsequent Inverse Fast Fourier Transformation for its obfuscation. It can be seen that this video does not exhibit the bursty nature of video streaming but instead has more gradual fluctuations, which could lead to video lag because of prolonged periods without requesting new video segments. e d * − privacy graph in Figure 1 is a graphical representation of d * − privacy, which adds simple Laplacian noise to time series data. is method adds the most noise; the range of bytes for the original unobfuscated video stays mostly within the 50,000-300,000 range, but the d * − privacy method has a large number of points in the 1,000,000 bytes range, which would cause an excess download of video data. is result agrees with the waste and deficit measurements given in Section 6.

Various Clustering Algorithms.
While doing experimentation on K-Means clustering, we also performed clustering with two other popular clustering algorithms, Agglomerative and DB-SCAN clustering. When performing clustering, we noticed that both algorithms tended to generate the exact same pattern, such that they provided very lopsided clusters; most of the videos were grouped into a single cluster with only a few videos falling into other clusters. We tried to fit the models multiple times but the result was always the same. Since the output and the performance of all three clustering algorithms were nearly identical, we decided to use K-Means clustering. Additionally, our schemes need the cluster centroid in order to provide privacy. K-Means provides this as part of its implementation, but it would have to be calculated manually for another clustering algorithm.
is would introduce a small amount of computational overhead because it would have to be implemented manually instead of using a package optimized for it as we did with K-Means, and since the distributions were very similar across different algorithms, the centroids would be as well.

Attack Classifiers.
To test our proposed algorithm, we implemented the CNN created by Schuster et al. [2], with a few minor modifications to the architecture. We did this to accommodate our data vectors, which were significantly longer than the ones used by Schuster et al. We used a filter size of 32 with a kernel size of 3 and a pooling size of 2 instead of 6. We also used the Adadelta optimizer instead of Adam. Additionally, we used z-score normalization and a learning rate of 0.001. ese were the only differences. Our classifier has 41 classes, one for each video. We trained this classifier on our full dataset for 80 epochs. e classifier, For evaluation, we used 10 samples for each video, totalling 410 samples for all 41 videos. e results of accuracy, waste, and deficit for all 410 samples tested were averaged to give a broad view of the performance of each algorithm. Figure 5 is a visual representation of these evaluation methods.
We created three "attack CNNs" and trained one on noised data from our scheme and one on noised data from each of the two differential privacy schemes, in an attempt to increase the performance against them. We then tested these defense schemes against our attack CNNs and recorded the waste and deficit for NDA, and for the differential privacy schemes with varying epsilon values. Results of the accuracy for each of these schemes can be seen in Table 2.
To train against our scheme, we used one dataset of videos obfuscated by our scheme and the original unobfuscated dataset. Instead of training a new classifier, we retrained the original model, Model A . is new attack model, Model B , was trained for 50 epochs; otherwise, significant overfitting occurred.
is model theoretically should not be able to successfully learn to predict our scheme, because of the method our scheme uses to provide privacy. When we fit our algorithm with 4 clusters, all videos can be obfuscated to one of four options. is may result in, for example, 15 of 41 videos all being assigned to the same cluster and obfuscated with the same pattern. e classifier will be unable to learn any correlation between an obfuscated pattern and a video class, because so many videos from different classes will have the same pattern. e results in Section 6 support this conclusion.
To create the FPA k attack CNN, Model C , we retrained Model A on 5 datasets. We included the original unobfuscated dataset and then 4 different datasets of data obfuscated by FPA k , two with an epsilon values of 15 and two with epsilon values of 25. Different epsilon values will yield classifiers robust to different levels of obfuscation. We chose 15 and 25 to have a well-balanced model. We trained the model for 500 epochs. is model required more data and longer training time to become accurate when compared to the d * − privacy, which is unsurprising when you consider FPA k in Figure 1 and the higher level obfuscation when compared to d * − privacy which added significant noise but retained the bursty pattern. is model had an accuracy of 0.9317 and a false positive rate of 0.0024 on the unobfuscated data.
To create the d * − privacy attack model, we trained the Model D from the original model Model A with 2 datasets. We used the original unobfuscated data and one dataset obfuscated by d * − privacy with an epsilon value of 0.0007. is model was trained for only 50 epochs; otherwise, overfitting occurred.
Furthermore, to show that transfer learning was taking place when we retrained Model A , we reconstructed the original architecture from Model A and trained it against FPA k from scratch on the 5 datasets; however, the accuracy of this model on the unobfuscated data was significantly lower than that of retraining the previous model and lower on data obfuscated by FPA k that is was trained for classification. is implies that the knowledge about identifying unobfuscated data successfully transferred from one task (detecting unobfuscated data) to another (detecting obfuscated data). From this it can be inferred that, even after obfuscation with differential privacy, the video pattern retains identifiable features that can be learned.

Privacy Evaluation.
To get a broader view of the privacy levels shown by our scheme and the extant scheme, we performed obfuscation on all the videos in our dataset, both with our scheme, NDA, and with the two differential privacy schemes used by Zhang et al. [7]. We then represented the privacy level of each video with a Boolean value, either private or nonprivate based on the privacy definition given in Section 3.3. We then divided the total number of nonprivate videos for each scheme by the total number of videos, giving the percentage of nonprivate videos for each scheme.
e results are shown in Table 3. ese results can also be interpreted inversely; that is, NDA with 4 clusters has a 1.4% chance of leaving a video nonprivate, or NDA has a 98.6% chance of successfully privatizing a video. It can also be seen that the privacy of our scheme degrades a little as the number of clusters increases, but still remains high. It can be seen here that at an epsilon value of 0.5, FPA k performs well; however, the waste incurred at this value is high (see Table 2). When the epsilon value is increased slightly, the privacy degrades very quickly, more quickly than the attack accuracy using the CNN (see Table 2). is calls into question the protection level of this scheme against other attacks. When observing d * − privacy, the privacy level looks impressive, but the computational cost of this scheme is very high (see Table 2). Figure 4 depicts the clustering of 1000 unique videos that each fall into one of 10 categories. e purpose of this figure is to show the distribution of video category among different clusters.

Clusters and Video Types.
is is important to consider, because it is possible that the attacker might try to determine the cluster identity and then infer the category of the video from the cluster. is graph gives insight to the possibility of invading a user's privacy this way. e ten categories in the graph fall into 3 broader categories. Sports videos are shown in blue, Video Game videos are shown in green, and Low Action videos are shown in orange. e Y axis of the graph represents the percentage of videos in a given cluster; i.e., 40% of all Football videos fall into cluster 1, 20% of Football videos fall into cluster 2, etc. is graph shows a broad distribution of videos even within the same category. League of Legends videos have their highest percentage in cluster 2, along with Basketball. Fortnite, the other group of videos in the Video Game category, has the most videos in cluster 2, along with Boxing videos. From this graph, it can be seen that there is no category of videos that dominates a single cluster. Figure 3 is a measure of accuracy with an increasingly large number of clusters with both traditional K-Means and our proposed scheme NDA.

Traditional K-Means vs. NDA.
is graph displays the need for an altered K-Means algorithm. As the number of clusters increases, the number of videos alone in their own cluster also increases. Data points alone in a cluster have no privacy, because the cluster centroid is equal to the video pattern. is is why as the clusters increase, the number of alone data points increases, and therefore the privacy of the scheme decreases. e privacy of our proposed scheme, however, remains almost constant and the accuracy against our scheme never goes higher than 7%.
6.4. Accuracy vs. Waste + Deficit. Figure 6 is a comparison of the attack accuracy against each scheme vs. waste + deficit (measured in megabytes) of each scheme; each defensive scheme was tested against the classifier trained to attack it. For d * − privacy and FPA k , we considered multiple epsilon values. Table 2 represents a summary of the performance of each defensive scheme when evaluated against the CNN that was trained to attack it, i.e., the performance of NDA against classifier trained on NDA obfuscated data.
In every epsilon case, our scheme outperforms differential privacy when considering both accuracy and waste + deficit. Our scheme significantly outperforms d * − privacy and creates 1 MB less waste + deficit while having an attack accuracy half as high as FPA k . e correlation between epsilon, waste and deficit, and accuracy can also be clearly seen from this graph. Higher epsilon values will add less noise, resulting in higher attack accuracy and less waste and deficit. We did not include the accuracy for d * − privacy that would have been equivalent to ours because the waste incurred was extremely high, and we wanted to preserve the scale of the graph (see Table 2).  Figure 5: An overview of the evaluation methods.    Figure 7 shows the accuracy of the attack CNNs of each scheme across multiple epochs of training. In Figure 7, epoch 0 represents the classification accuracy of Model A before training on noised data. Figure 7(c) depicts the accuracy of the classifier that was trained on both unobfuscated data and data that was privatized using our algorithm NDA. is result shows that over 50 epochs the classifier does not learn anything about the data and the accuracy remains below 8% for the entire training time. is result is predictable because of the privacy preserving format of our proposed scheme. With only 4 clusters, all videos are obfuscated to 1 of 4 patterns. In the testing, 410 samples are taken. All 410 samples are obfuscated to only 4 videos. With so many samples being obfuscated into one of only four possibilities, no learning can occur.

Attack Accuracy across Epochs.
From Figure 7(a), it can be seen that the FPA k attack classifier effectively learned all the different epsilon values of FPA k except for one, when epsilon is 0.5, which adds considerable waste and deficit. e accuracy improvement is expected, because differential privacy always adds noise within a range (controlled by epsilon), so with enough data a classifier can still learn prediction accurately through the obfuscation. We used only 4 obfuscated datasets to produce this result, but it is logical to conclude that accuracy would grow higher against FPA k if more obfuscated datasets were used. Additionally, we included one dataset of unobfuscated data while training the FPA k attack classifier so that the model did not overfit and learn only FPA k . Figure 7(b) depicts the d * − privacy attack classifier. e accuracy for this scheme can also be seen to increase for all but the highest level of privacy protection, which adds too much waste to be viable.
is is the downside of differential privacy; there is always a trade-off of computational efficiency and privacy, and a scheme that adds too little noise can be overcome by training against the differential privacy scheme, but a scheme that adds too much noise can create too much computational overhead. Our scheme overcomes this tradeoff and provides constant high level privacy while being computationally efficient.

Time Complexity.
Because of the real world nature of this problem and the need for scalability in the video streaming industry, we examined the computational overhead of both our scheme and the scheme proposed by Zhang et al. [7].
Finding an optimal solution to K-Means is NP-hard [12], so many similar but alternative algorithms have been proposed; the most commonly used (and used in this paper) is Lloyd's algorithm. e time complexity of Lloyd's algorithm is O(t × k × n × d) [13] where t is a number of iterations over n points in d dimensions with k number of clusters.
e time complexity of our algorithm is O(k × k z × v), where k is the number of clusters. For each cluster, defined as C j , the value |C j | must be evaluated, which must be done iteratively. k z is the number of clusters where |C j | > 1 so that the potential waste and deficit of the video V will be evaluated relative to each centroid. e value v represents the time taken to find the maximum and minimum values of a data vector so that the difference between x and y can be calculated for waste and deficit. erefore, the time complexity of NDA is e lower bound of the time complexity of a Fast Fourier Transformation has not been proven, but through experimentation we determined that the slowest component of the computation of FPA k privacy is the calculation of sensitivity, which is defined as the greatest difference between any two data vectors in a dataset. Considering all videos x ∈ S, one must find the difference between all videos in a set relative to each other, for example, the difference between the first video compared to every other video, etc., so the time complexity of this calculation is O(n 2 ).
is is an important constraint, because the provable privacy of differential privacy is contingent on the value for sensitivity [9], so this value cannot be chosen randomly to speed up computation. e time complexity of d * − privacy would be O(λ × n), because it performs a series of constant time computations for the length of one data vector; additionally, during each iteration it must compute D(i). e time consuming component for our implementation was the calculation of D(i) which is defined as the largest power of two that divides a number i [8]. We found this value iteratively, trying m numbers until we found the largest square that divided i; this made out implementation O(n × m). ere are more efficient ways to find that value, so it is defined as λ.
e implementation of d * − privacy was considerably slower than both NDA and FPA k prefit algorithms. Both FPA k and NDA have an impressive computational performance when the precomputation of a component of each is considered. In the case of NDA, prefitting the K-Means algorithm considerably increased performance; in the case of FPA k , precomputation of the sensitivity increases performance considerably. Considering the time complexity of each solution, without precomputation, FPA k is not viable, and while d * − privacy is potentially viable, the waste added by this scheme can be a problem. Our algorithm will scale better compared to FPA k if precomputation is not possible and does not require a list of all videos for precomputation; without a full list, FPAK k cannot be proven to be differentially private. Results obtained through experimentation for the computation of y i from x i both with and without precomputation can be seen in Table 4. We recorded the time it took each method to obfuscated a single video, measuring both precomputation times and nonprecomputed times for FPA k and NDA.

MPEG-DASH Leak.
ere have been multiple traffic analysis attacks that exploit the MPEG-DASH leak on video streaming. e most effective attack with the broadest attack surface is that proposed by Schuster et al. [2]. e attack can be implemented in the form of a malicious web advertisement written in JavaScript. Additionally, no closed world assumptions were imposed on the attack model; the adversary can identify the target video without need for a predetermined "set" of videos. e authors train a Convolutional Neural Network (CNN) for target video identification and achieve high accuracy and precision, with the accuracy of their YouTube identifier being 99.4% depending on the features selected for training.
Implementing algorithmic approaches has also been effective in video fingerprinting for identification. Gu et al. [3] achieved up to 90% accuracy using a variant of dynamic time warping. Dynamic time warping is an algorithm for comparing time series data. is algorithm was implemented to determine the similarity between a known video traffic pattern and an unknown video fingerprint to determine the identity of the unknown video from a set of possible candidates.
Instead of using dynamic time warping to determine similarity, Reed and Klimkowski [4] used a multistage algorithm that breaks videos into candidate "windows" that have a similar throughput to the target video. After selecting potential candidates, Pearson's correlation coefficient is used to determine a "match" between two video fingerprints. e model achieved an accuracy of 96%.  Finally, Dubin et al. [5] also used machine learning to great effect, employing nearest neighbor, nearest neighbor to class algorithm, and support vector machines and achieved an accuracy above 95%.
In response to these attacks, specifically the CNN based attack, Zhang et al. [7] used differential privacy as a defense mechanism to obfuscate video bit-rate data.

Traffic Analysis.
A traffic analysis attack is a form of attack in which an adversary learns information by spying on a victim's network traffic. Traffic analysis attacks have a broad set of goals. Some seek to compromise information about a victim's smart home for theft or other malicious purposes [14,15]. Some seek to compromise privacy of an unsuspecting victim [16][17][18][19][20]. Some traffic analysis attacks target victims that are using an anonymous browsing service such as Tor or Psiphon [21][22][23][24][25]. Some of these attacks are even able to determine the IP address of users on Tor [26].
Since most web traffic is encrypted these days, most traffic analysis attacks often rely on side channel information and machine learning to be effective. Some side channel reliant traffic analysis attacks use only timing information [20,27] while others depend on different side channel information, such as presence or absence of communication information [28], delaying and analyzing HTTP requests [27], and standard side channel information, such as packet length, number of packets, and time [25]. Machine learning allows adversaries to analyze even encrypted traffic to steal user information [15,[29][30][31].
Defending against traffic analysis attacks can be difficult; as noted previously, encryption is not enough. Some work done seeks to make an efficient defense using Adaptive Padding [32]. To defend against website fingerprinting, some researchers [33] modify the way browsers communicate, allowing burst sequences to be molded more easily. Privacy can be added at the network layer by adding latency [34], controlling the network latency to allow for privacy and utility. Differential privacy also presents a viable solution for obfuscating traffic from an adversary. Differential privacy can also be employed [35] to protect smart homes from traffic analysis attacks.

Conclusion
is paper aimed to develop a privacy preservation scheme that conformed to rigorous privacy standards while having a high computational efficiency, overcoming the common trade-off between privacy and computational speed. Using K-Means clustering as a base, we created our own algorithm, named "No Data are Alone," that accomplished this goal. Our algorithm provided privacy at a higher level when measured against the most robust attack method, which relied on a Convolutional Neural Network (CNN). We created multiple CNNs, each trained on data obfuscated by a different scheme. e attack CNN being trained on data obfuscated by our scheme never improved in accuracy and was always able to reach an accuracy above 7.07%. Other differential privacy defense techniques were vulnerable to a CNN trained against them, and the CNNs trained against these schemes had 20% or greater increases in accuracy. Additionally, the computational cost, measured in waste + deficit, of our scheme was less than half that of the best performing scheme.

Data Availability
e data used to support the findings of this study, which are bit-rate patterns of streaming videos, have been deposited in our lab repository (http://i2s.kennesaw.edu/resources.html).
ere are no restrictions, except commercial uses, placed on the usage of these data.

Disclosure
A part of this work was presented at the College of Computing and Software Engineering (CCSE) Computing Showcase (C-Day), Spring 2021 (Spring 2021 C-Day Program: https://ccse.kennesaw.edu/computing-showcase/ cday-programs/spring2021program.php).

Conflicts of Interest
e authors declare that they have no conflicts of interest.