Tor Network Research Articles

A Method for Identifying Tor Users Visiting Websites Based on Frequency Domain Fingerprinting of Network Traffic

Although the anonymous communication network Tor can protect the security of users’ data and privacy during their visits to the Internet, it also facilitates illegal users to access illegal websites. Website fingerprinting attacks can identify the websites that users are visiting to discern whether they are performing illegal operations. Existing methods tend to manually extract the traffic features of users visiting websites and construct machine learning or deep learning models to classify the features. While these methods can be effective in classifying unknown website traffic, the effect of classification in the use of defensive measures or onion service scenarios is not yet ideal. This paper proposes a method to identify Tor users visiting websites based on frequency domain fingerprinting of network traffic (FDF). We extract the direction and length features of circuit sequences in access traffic and combine and transform them into the frequency domain. The classification of access traffic is accomplished by using a deep learning classification model combining CNN, FC, and Self-Attention. In this paper, the proposed FDF method is experimentally validated in common scenarios of Tor networks. The results show that FDF outperforms the existing methods for classification in different Tor scenarios. It can achieve 98.8% and 94.3% classification accuracy in undefended and WTF-PAD defense scenarios, respectively. In the onion service scenario, the accuracy is improved by 4.7% over the current state-of-the-art Tik-Tok method.

Seeking anonymity on the Internet: The knowledge accumulation process and global usage of the Tor network

The Onion Router (Tor) network is one of the most prominent technologies for accessing online resources while preserving anonymity. Effectively employing the technology is not a trivial process and involves the following steps: (1) motivated by needs, (2) becoming aware of and learning the technology, and (3) realizing desired purposes by usage. Using country-level panel data, this study examines the knowledge accumulation process through which motivated users eventually employ Tor. The results suggest that Tor is often searched in less free countries for censorship circumvention, while it is employed for Dark Web activities in more free countries. There is also an indirect relationship between being aware of the technology and its usage through how-to knowledge accumulation. This study is the first attempt to understand the role of knowledge accumulation in the global usage of Tor. The findings provide insights into the worldwide concerns of online privacy and Dark Web regulation.

An improved video fingerprinting attack on users of the Tor network

In today’s digital age, there is less and less doubt that companies, governments, and hackers track our online patterns and collect personal data. Thus, over 2 million users daily flock to the Tor network, which secures their online identities by encrypting their traffic. Although the Tor network is often considered secure, it is vulnerable to fingerprinting attacks that threaten users’ online privacy. Using machine learning, these attacks attempt to classify which web page the victim is visiting based on the page’s unique traffic patterns. Since video streaming makes up 80% of total downstream web traffic, we aim to explore how well this content can be fingerprinted in Tor. In this paper, we develop a new video fingerprinting model. Our model is based on a random forest classifier, a supervised machine learning algorithm that assembles decision trees for various samples and classifies based on their majority vote. Our model uses 247 features from video traces to exploit the burst patterns present in video traffic that are unique to each video. Our model is able to distinguish which one of the 50 videos a user is hypothetically watching on the Tor network with 85% accuracy, which outperforms the state-of-the-art, Deep Fingerprinting model’s accuracy of 55%. This demonstrates that video fingerprinting poses a serious threat to the privacy of Tor users. Our model performs better as it is adjusted to consider the bursts that are streamed from video traffic’s DASH protocol.

Unikanie rejestrowania czynności użytkownika: TOR, Linux Tails

The Tor (The Onion Router) network is a virtual computer network that provides anonymisation and access to often illegal data or for those avoiding censorship. Linux Tails (The Amnesic Incognito Live System), on the other hand, is an operating system bootable only from a removable media (e.g.: flash drive, memory card or DVD) or run in a virtualized manner. Tails, as one of the tools, offers access to the Tor network providing, in addition, far sophisticated mechanisms to avoid leaving digital traces on the user’s machine. Despite the different intentions of the developers of the two tools discussed above, they have also become the favorite package of a huge group of criminals around the world. In this publication, the author focuses on discussing both the areas of formation of digital traces of Tor and Tails usage, as well as the research possibilities and inference possibilities based on them. The first part of the article describes the mechanism of the Tor anonymizing network. The author then introduces the reader to the Linux Tails environment and refers to actual use cases.

Multimodal Classification of Onion Services for Proactive Cyber Threat Intelligence Using Explainable Deep Learning

The dark web has been confronted with a significant increase in the number and variety of onion services of illegitimate and criminal intent. Anonymity, encryption, and the technical complexity of the Tor network are key challenges in detecting, disabling, and regulating such services. Instead of tracking an operational location, cyber threat intelligence can become more proactive by utilizing recent advances in Artificial Intelligence (AI) to detect and classify onion services based on the content, as well as provide an interpretation of the classification outcome. In this paper, we propose a novel multimodal classification approach based on explainable deep learning that classifies onion services based on the image and text content of each site. A Convolutional Neural Network with Gradient-weighted Class Activation Mapping (Grad-CAM) and a pre-trained word embedding with Bahdanau additive attention are the core capabilities of this approach that classify and contextualize the representative features of an onion service. We demonstrate the superior classification accuracy of this approach as well as the role of explainability in decision-making that collectively enables proactive cyber threat intelligence in the dark web.

Tail Time Defense Against Website Fingerprinting Attacks

In the past few years, many defense mechanisms have been proposed against website fingerprinting attacks. Walkie-Talkie (WT) built on top of the Tor network is known to be one of the most effective defense mechanisms. However, we observed that WT significantly increases the page loading time (time overhead) although the bandwidth overhead is not high. This paper analyzes the cause of the increased page loading time and presents a defending approach called Tail Time (TT), which addresses the problem by limiting the maximum time for which a pending request can block subsequent requests. Our experimental results indicate that the proposed TT defense can significantly reduce the page loading time while keeping the defense performance on par.

Edge-Based Detection and Classification of Malicious Contents in Tor Darknet Using Machine Learning

With the increase of data in the network, the load of servers and communication links becomes heavier and heavier. Edge computing can alleviate this problem. Due to a sea of malicious contents in Darknet, it is of high research value to combine edge computing with content detection and analysis. Therefore, this paper illustrates an intelligent classification system based on machine learning and Scrapy that can detect and judge fleetly categories of services with malicious contents. Because of the nondisclosure and short survival time of Tor Darknet domain names, obtaining uniform resource locators (URLs) and resources of the network is challenging. In this paper, we focus on a network based on the Onion Router (tor) anonymous communication system. We designed a crawler program to obtain the contents of the Tor network and label them into six classes. We also construct a dataset which contains URLs, categories, and keywords. Edge computing is used to judge the category of websites. The accuracy of the classifier based on a machine learning algorithm is as high as 89%. The classifier will be used in an operational system which can help researchers quickly obtain malicious contents and categorize hidden services.

MLEFlow: Learning from History to Improve Load Balancing in Tor

Abstract Tor has millions of daily users seeking privacy while browsing the Internet. It has thousands of relays to route users’ packets while anonymizing their sources and destinations. Users choose relays to forward their traffic according to probability distributions published by the Tor authorities. The authorities generate these probability distributions based on estimates of the capacities of the relays. They compute these estimates based on the bandwidths of probes sent to the relays. These estimates are necessary for better load balancing. Unfortunately, current methods fall short of providing accurate estimates leaving the network underutilized and its capacities unfairly distributed between the users’ paths. We present MLEFlow, a maximum likelihood approach for estimating relay capacities for optimal load balancing in Tor. We show that MLEFlow generalizes a version of Tor capacity estimation, TorFlow-P, by making better use of measurement history. We prove that the mean of our estimate converges to a small interval around the actual capacities, while the variance converges to zero. We present two versions of MLEFlow: MLEFlow-CF, a closed-form approximation of the MLE and MLEFlow-Q, a discretization and iterative approximation of the MLE which can account for noisy observations. We demonstrate the practical benefits of MLEFlow by simulating it using a flow-based Python simulator of a full Tor network and packet-based Shadow simulation of a scaled down version. In our simulations MLEFlow provides significantly more accurate estimates, which result in improved user performance, with median download speeds increasing by 30%.

From “Onion Not Found” to Guard Discovery

Abstract We present a novel web-based attack that identifies a Tor user’s guard in a matter of seconds. Our attack is low-cost, fast, and stealthy. It requires only a moderate amount of resources and can be deployed by website owners, third-party script providers, and malicious exits—if the website traffic is unencrypted. The attack works by injecting resources from non-existing onion service addresses into a webpage. Upon visiting the attack webpage with Tor Browser, the victim’s Tor client creates many circuits to look up the non-existing addresses. This allows middle relays controlled by the adversary to detect the distinctive traffic pattern of the “404 Not Found” lookups and identify the victim’s guard. We evaluate our attack with extensive simulations and live Tor network measurements, taking a range of victim machine, network, and geolocation configurations into account. We find that an adversary running a small number of HSDirs and providing 5 % of Tor’s relay bandwidth needs 12.06 seconds to identify the guards of 50 % of the victims, while it takes 22.01 seconds to discover 90 % of the victims’ guards. Finally, we evaluate a set of countermeasures against our attack including a defense that we develop based on a token bucket and the recently proposed Vanguards-lite defense in Tor.

Monitoring an anonymity network: Toward the deanonymization of hidden services

Anonymity networks are an example of Privacy Enhancing Technology (PET) whose historical goal is to avoid censorship, preserve users privacy, and promote freedom of speech. Such networks, however, also provide a “safe haven” for criminal activity: previous research observed a dominance of commerce platforms delivered as hidden services within The Onion Router (Tor) network, undoubtedly the most popular anonymization technology at the time of writing, largely around narcotics and illegal financial services.Extensive research has been conducted on locating hidden services on the Tor network, but a general method that is able, given a service delivered via anonymity network, to effectively produce a list of candidate nodes responsible for delivering the service still remains an open research problem. In this paper we describe the infrastructure we have designed and implemented for monitoring the Invisible Internet Project (I2P) network, which is a smaller scale anonymity network compared to Tor but already proven to be used for illicit activities, and how its output can be used to enable such general method.

Financial security of the state in the field of circulation and use of virtual currencies

Financial security of the state in the field of circulation and use of virtual currencies

Privacy Worlds: Exploring Values and Design in the Development of the Tor Anonymity Network

This paper explores, through empirical research, how values, engineering practices, and technological design decisions shape one another in the development of privacy technologies. We propose the concept of “privacy worlds” to explore the values and design practices of the engineers of one of the world’s most notable (and contentious) privacy technologies: the Tor network. By following Tor’s design and development we show a privacy world emerging—one centered on a construction of privacy understood through the topology of structural power in the Internet backbone. This central “cipher” discourse renders privacy as a problem that can be “solved” through engineering, allowing the translation and representation of different groups of imagined users, adversaries, and technical aspects of the Internet in the language of the system. It also stabilizes a “flattened,” neutralized conception of privacy, risking stripping it of its political and cultural depth. We argue for an enriched empirical focus on design practices in privacy technologies, both as sites where values and material power are shaped, and as a place where the various worlds that will go on to cluster around them—of users, maintainers, and others—are imagined and reconciled.

Deep Nearest Neighbor Website Fingerprinting Attack Technology

By website fingerprinting (WF) technologies, local listeners are enabled to track the specific website visited by users through an investigation of the encrypted traffic between the users and the Tor network entry node. The current triplet fingerprinting (TF) technique proved the possibility of small sample WF attacks. Previous research methods only concentrate on extracting the overall features of website traffic while ignoring the importance of website local fingerprinting characteristics for small sample WF attacks. Thus, in the present paper, a deep nearest neighbor website fingerprinting (DNNF) attack technology is proposed. The deep local fingerprinting features of websites are extracted via the convolutional neural network (CNN), and then the k-nearest neighbor (k-NN) classifier is utilized to classify the prediction. When the website provides only 20 samples, the accuracy can reach 96.2%. We also found that the DNNF method acts well compared to the traditional methods in coping with transfer learning and concept drift problems. In comparison to the TF method, the classification accuracy of the proposed method is improved by 2%–5% and it is only dropped by 3% when classifying the data collected from the same website after two months. These experiments revealed that the DNNF is a more flexible, efficient, and robust website fingerprinting attack technology, and the local fingerprinting features of websites are particularly important for small sample WF attacks.

Obfuscated Tor Traffic Identification Based on Sliding Window

Tor is an anonymous communication network used to hide the identities of both parties in communication. Apart from those who want to browse the web anonymously using Tor for a benign purpose, criminals can use Tor for criminal activities. It is recognized that Tor is easily intercepted by the censorship mechanism, so it uses a series of obfuscation mechanisms to avoid censorship, such as Meek, Format-Transforming Encryption (FTE), and Obfs4. In order to detect Tor traffic, we collect three kinds of obfuscated Tor traffic and then use a sliding window to extract 12 features from the stream according to the five-tuple, including the packet length, packet arrival time interval, and the proportion of the number of bytes sent and received. And finally, we use XGBoost, Random Forest, and other machine learning algorithms to identify obfuscated Tor traffic and its types. Our work provides a feasible method for countering obfuscated Tor network, which can identify the three kinds of obfuscated Tor traffic and achieve about 99% precision rate and recall rate.

A secured tor local network for nuclear power plant industry

The risk of cyber-attacks on a country has grown drastically. The cyber security risks against critical power infrastructure seem to be worsening. Obviously, any sort of assault on an atomic plant is very concerning. An attack that allows hackers to manipulate the system that control a nuclear reactor, while very difficult, could have very serious consequences. The main reason for this attack is vulnerabilities in local computer networks in power plants. Which has direct access to the internet without any major protection against cyber-attacks like phishing attacks against power plant employees, virus injection tools etc., As the main defense against this attacks is to make power plant networks and employees anonymous to the internet and making sure that no one is tracking the employees which can lead to loss of sensitive information of the plant. The Tor onion networking protocol is best suitable for these types of attacks on employees and computer networks in the power plant. Since providing Tor network for individual employee in practically impossible. Our projected work aims to establish an onion router which provide overall coverage of computer systems and employees which has access to power plant inside the perimeter of power plant. To simulate the plant local networks we construct an internet router using raspberry pi which is configured with Tor onion routing protocol access the internet by computers connected to our Router.

Detection of crawler traps: formalization and implementation—defeating protection on internet and on the TOR network

In the domain of web security, websites strive to prevent themselves from data gathering performed by automatic programs called bots. In that way, crawler traps are an efficient brake against this kind of programs. By creating similar pages or random content dynamically, crawler traps give fake information to the bot and resulting by wasting time and resources. Nowadays, there is no available bots able to detect the presence of a crawler trap. Our aim was to find a generic solution to escape any type of crawler trap. Since the random generation is potentially endless, the only way to perform crawler trap detection is on the fly. Using machine learning, it is possible to compute the comparison between datasets of webpages extracted from regular websites from those generated by crawler traps. Since machine learning requires to use distances, we designed our system using information theory. We considered widely used distances compared to a new one designed to take into account heterogeneous data. Indeed, two pages does not have necessary the same words and it is operationally impossible to know all possible words by advance. To solve our problematic, our new distance compares two webpages and the results showed that our distance is more accurate than other tested distances. By extension, we can say that our distance has a much larger potential range than just crawler traps detection. This opens many new possibilities in the scope of data classification and data mining.

DEANONYMIZATION OF TOR NETWORK USERS

Tor is a virtual network that implements onion routing and aims to provide the user withthe greatest possible anonymity on the Internet. Due to ensuring a high level ofanonymity, the Tor network attracts more and more criminals, mainly pedophiles,thieves and hackers, who use the opportunities associated with it for illegal activities.This paper presents the most popular attacks on the Tor network, aimed at establishingthe identity of its users. This paper will explore ways to de-anonymize by compromisingor having enough relays, and manipulating basic network communication to end up onthe Tor traffic forwarding path. The paper will also present traffic analysis techniquesthat allow an outside observer to infer which nodes are used to transmit traffic in thecircuit. Finally, the use of artificial intelligence to recognize what pages and services theTor user is visiting will be discussed. The work aims to present the vulnerability of theTor network, which should be considered an opportunity in the fight against cybercrime,and to encourage further research on the vulnerabilities of the Tor network, aimed atidentifying cybercriminals.

Phishing detection on tor hidden services

Phishing is the act of impersonating another party to attack a user, usually stealing information or money. In darknets, where participants are usually anonymous, phishing is a huge problem. We describe the current state of phishing in darknets, especially the Tor network. We analyse what techniques attackers can use to impersonate other services as well as develop some metrics to automatically detect phishing pages. Existing solutions against phishing are presented and phishing detection in the clearnet is examined on the transferability to darknets.

Investigative Techniques for the De-Anonymization of Hidden Services

Anonymity networks, also referred to as anonymous networks or darknets are an example of privacy-enhancing technology, the historical goal of which is to avoid censorship, preserve user privacy, and promote freedom of speech. The Tor network, undoubtedly the most popular anonymization technology at the time of this writing, according to its website, has several categories of users: individuals who wish to safeguard their online activity, businesses wanting to keep data confidential or conducting competitive analysis, journalists willing to protect anonymous sources and sensitive research, and activists who want to report abuses from danger zones.

Graph visualization of dark web hyperlinks and their feature analysis

Content regarding various illegal activities, such as weapon and drug trafficking, is shared on the dark web. Most of the illegal content is distributed on anonymous networks that cannot be directly accessed from the World Wide Web. A number of studies have been conducted on the network structure of the World Wide Web since its advent. Similar to the World Wide Web, the dark web is connected by hypertext transfer protocol (http); this makes it possible to use the methods developed for the web in the dark web. Many studies have investigated the dark web and its network structure. However, few studies have focused on the visualization of the dark web network structure, and there have been no studies investigating the temporal changes in the network structure. In this study, to understand the hypertext markup language (html) network structure of the dark web, we created and visualized a graph of the html hyperlink relations of the Tor network, which is popular on the dark web. We then compared the insights gained from graph centrality metrics with those gained from visualizations. The analyzed dataset comprised 25,270,157 pages of html text files crawled from the Tor network by breadth-first search from June 1, 2018, to January 30, 2021. Subsequently, we acquired half-yearly snapshots from the collected data and investigated the change in the dark web network over time using a time-series graph. Then, we derived the centrality metrics from the created graph data and confirmed the differences between the centrality metrics and visualizations. The results obtained in this study provided new insights into the dark web. First, we found that the dark web fluctuated significantly; the structure of the dark web network was more strongly interconnected. Second, most of the nodes that had increased in the past two years may have disappeared rapidly after May 2020. Third, analysis of each snapshot revealed that the proportion of highly volatile domains increased from 40% to 75% during the observation period. Fourth, after calculating the network centrality metrics from each snapshot and comparing the transition of hub nodes in chronological order, we observed that the importance of link-collection sites as the main information retrieval method used in the dark web decreased. Finally, we estimated the size of the dark web based on our observed dark web measurements using the mark-recapture method. To the best of our knowledge, this is the first study to use the mark-recapture method to estimate the size of the dark web network.