Traffic Classification for the Detection of Anonymous Web Proxy Routing

Abstract

There is an increasing need to be able to classify whether an incoming packet is from a legitimate originating IP address or has been modified through an intermediate proxy or node. Being able to verify the originating IP address allows a business (e.g. bank) to use geolocation services in order to then ascertain which geographical location that packet was sent from. This can then feed into the system intrusion system or backend fraud alert mechanisms. The web however is going 'dark'. There is a noticeable uptake in the amount of encrypted data and third party anonymous traffic proxies which aim to mask the try location and IP address of a web request. We present here a system which identifies the characteristics or signatures whenever a user is using a web proxy by developing a Detection System that records packets and analyses them looking for identifying patterns of web proxies.