TorWard: Discovery, Blocking, and Traceback of Malicious Traffic Over Tor

Ling, Zhen; Luo, Junzhou; Wu, Kui; Yu, Wei; Fu, Xinwen

doi:10.1109/tifs.2015.2465934

Cited by 33 publications

(29 citation statements)

References 16 publications

(28 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Torward is an IDS to detect and classify malicious traffic including botnet traffic at an exit router of the Tor network. The defense system then processes these IDS alerts and blocks suspected connections [19]. Unfortunately, most Tor botnets use hidden services which do not use exit servers.…”

Section: Related Workmentioning

confidence: 99%

TorBot Stalker: Detecting Tor Botnets Through Intelligent Circuit Data Analysis

Fajana

Owenson

Cocea

2018

2018 IEEE 17th International Symposium on Network Computing and Applications (NCA)

View full text Add to dashboard Cite

Botnets are collections of infected computers that are controlled centrally by a botmaster, often for sending spam or launching denial of service attacks. The task to take down these botnets is often a cat and mouse game with operators frequently changing domains for their control infrastructure. More recently, operators have moved to using Tor, a pseudoanonymous network for hosting services whereby identification is difficult. Additionally, because connections to the Tor network are encrypted, we cannot use traditional methods like Domain Name System (DNS) and traffic signatures to detect infected hosts. In this paper, we introduce TorBot Stalker: the first mechanism for detecting, de-anonymizing, and destroying Tor botnets. We use machine learning to analyse and fingerprint the timings and frequency of Tor network circuit data when routing botnet traffic, and build a detection mechanism that is able to identify infected hosts at the Tor network border, in real-time, while preserving the privacy of legitimate users. TorBot Stalker can be implemented at any node in the Tor network and can differentiate between botnets and legitimate applications like Internet Relay Chat (IRC) coming from the same host. Experimental data demonstrates an accuracy of 99% with few false positives. We then apply the technique at the entry to the Tor network to measure the fraction of traffic which is for botnet. We observed that Torbot Stalker is able to de-anonymize real botnets in the Tor network and further identify infected hosts and control servers.

show abstract

Section: Related Workmentioning

confidence: 99%

TorBot Stalker: Detecting Tor Botnets Through Intelligent Circuit Data Analysis

Fajana

Owenson

Cocea

2018

2018 IEEE 17th International Symposium on Network Computing and Applications (NCA)

View full text Add to dashboard Cite

show abstract

“…In addition, with the continuous improvement of IP geolocation technology, it is expected that it will play a role in geolocating hidden servers in Tor networks 5,6 and data in Cloud Computing. 7,8 In recent decade years, many methods have been proposed in IP geolocation.…”

Section: Introductionmentioning

confidence: 99%

IP Geolocation based on identification routers and local delay distribution similarity

Zhao¹,

Luo²,

Gan

et al. 2018

Concurrency and Computation

View full text Add to dashboard Cite

SummaryIP geolocation is usually used in fog computing to avoid high latency and discriminate malicious requests by judging the location of users. Existing delay measurement-based IP geolocation approaches are not applicable to the network that has hierarchical topology and weak connectivity, and the precision of the classical Street-Level Geolocation (SLG) method will decrease dramatically when the common routers are anonymous. In this paper, an IP geolocation method based on identification routers and local delay distribution similarity is proposed. The target IP's location at city-level is firstly derived by matching its routing path with the identification routers that only forward packets to the same city. After that, the target IP's local delay between the nearest common router and the target IP is gathered, and the landmarks' are obtained at the same time. Finally, the location of the landmark that has the most similar local delay distribution with the target IP is taken as the geolocation result. Theoretical analysis and experimental results show that the proposed method can derive reliably geolocation results at city-level for the target IP in the network with hierarchical architecture. Moreover, the geolocation accuracy of classical SLG method is improved obviously when the common routers are anonymous. KEYWORDS anonymous router, city-level geolocation, identification router, IP geolocation, local delay distribution similarity, street-level geolocation INTRODUCTIONFog computing is proposed to enable computing directly at the edge of the network, which can provide elastic resources and services to end users through fog nodes. 1,2 IP geolocation technology, which aims to obtain a network device's location only with its IP address, has attracted extensive attention of researchers, 3 and it plays an important role in fog computing. For example, judging the geographical locations of users using IP geolocation technology could help the fog computing service providers to select nearby fog nodes for users such as to improve the quality of service. 4With IP geolocation technology, the service providers can authenticate users and identify malicious requests based on their location. In addition, with the continuous improvement of IP geolocation technology, it is expected that it will play a role in geolocating hidden servers in Tor networks 5,6 and data in Cloud Computing. 7,8 In recent decade years, many methods have been proposed in IP geolocation. Existing IP geolocation methods can be divided into two categories according to the granularity of geolocation results: city-level geolocation and street-level geolocation.The city-level geolocation methods aim to obtain the location of target IP at city-level granularity and can be further categorized into two types: measurement-based and database-based. The measurement-based geolocation method is the focus of current research in IP geolocation.They usually geolocate the target IP based on delay, topology, or both, simultaneously. These methods include GeoPing, 3 CB...

show abstract

“…The same process is repeated on one router (hop) at a time to extend the circuit each time with established session keys for the previous routers. The last hop called the exit router communicates direct with the destination as a proxy [1]. With the establishment of three routers, the circuit is ready for internet traffic.…”

Section: Introductionmentioning

confidence: 99%

Machine Learning Approach for Detection of nonTor Traffic

Hodo

Bellekens

Iorkyase

et al. 2017

Proceedings of the 12th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

Intrusion detection has attracted a considerable interest from researchers and industries. After many years of research the community still faces the problem of building reliable and efficient intrusion detection systems (IDS) capable of handling large quantities of data with changing patterns in real time situations. The Tor network is popular in providing privacy and security to end user by anonymising the identity of internet users connecting through a series of tunnels and nodes. This work focuses on the classification of Tor traffic and nonTor traffic to expose the activities within Tor traffic that minimizes the protection of users. A study to compare the reliability and efficiency of Artificial Neural Network and Support vector machine in detecting nonTor traffic in UNB-CIC Tor Network Traffic dataset is presented in this paper. The results are analysed based on the overall accuracy, detection rate and false positive rate of the two algorithms. Experimental results show that both algorithms could detect nonTor traffic in the dataset. A hybrid Artificial neural network proved a better classifier than SVM in detecting nonTor traffic in UNB-CIC Tor Network Traffic dataset. KEYWORDSArtificial neural network, support vector machines, intrusion detection systems, Tor and nonTor, UNB-CIC Tor Network Traffic dataset.

show abstract

TorWard: Discovery, Blocking, and Traceback of Malicious Traffic Over Tor

Cited by 33 publications

References 16 publications

TorBot Stalker: Detecting Tor Botnets Through Intelligent Circuit Data Analysis

TorBot Stalker: Detecting Tor Botnets Through Intelligent Circuit Data Analysis

IP Geolocation based on identification routers and local delay distribution similarity

Machine Learning Approach for Detection of nonTor Traffic

Contact Info

Product

Resources

About