Anonymity Services Tor, I2P, JonDonym: Classifying in the Dark (Web)

Abstract

Traffic Classification (TC) is an important tool for several tasks, applied in different fields (security, management, traffic engineering, R&D). This process is impaired or prevented by privacy-preserving protocols and tools, that encrypt the communication content, and (in case of anonymity tools) additionally hide the source, the destination, and the nature of the communication. In this paper, leveraging a public dataset released in 2017, we provide classification results with the aim of investigating to which degree the specific anonymity tool (and the traffic it hides) can be identified, when compared to the traffic of other considered anonymity tools, using five machine learning classifiers. Initially, flow-based TC is considered, and the effects of feature importance and temporal-related features to the network are investigated. Additionally, the role of finer-grained features, such as the (joint) histogram of packet lengths (and inter-arrival times), is determined. Successively, “early” TC of anonymous networks is analyzed. Results show that the considered anonymity networks (Tor, I2P, JonDonym) can be easily distinguished (with an accuracy of 99.87% and 99.80%, in case of flow-based and early-TC, respectively), telling even the specific application generating the traffic (with an accuracy of 73.99% and 66.76%, in case of flow-based and early-TC, respectively).