Detecting Malicious Users Behind Circuit-Based Anonymity Networks

This project addresses the problem of detecting intruders who hide behind privacy-protecting anonymity networks. The freely available Tor network and SOCKS proxy services are popular tools that provide circuit-based anonymous connections to network users. However, recent security breaches reveal that malicious users have launched attacks over SSH and HTTPS while taking advantage of these services to hide their identities. This paper investigates strategies for detecting SSH and HTTPS connections that arrive via circuit-based anonymity networks, to help servers and websites defend against anonymous intruders. We evaluate our approaches with SSH and HTTPS connections and show that they achieve high performance for both applications. Our detection algorithms are based on the extra latency introduced by the presence of the anonymity network. Since this latency disparity is sensitive to the location of the anonymity network, our algorithms must be evaluated in the most challenging scenarios. The detection rates for all four combinations of SSH/HTTPS applications via Tor/SOCKS networks were very high, with a low false-positive rate. To demonstrate the robustness of our approach in the Tor case, we tested our method under multiple Tor circuit node selection strategies. The approach can be applied to other applications meeting the same criteria.
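The following is an added illustration of the latency-based idea described in the abstract; it is not the paper's code, and the detector (a robust median/MAD cutoff over a baseline of direct connections) and all RTT samples are constructed assumptions. It also shows how detection rate and false-positive rate are computed, and why a circuit whose exit sits close to the server can slip under the cutoff.

```python
"""Server-side detection of connections relayed through an anonymity network,
using only the extra round-trip latency that the relay circuit adds.

Constructed example (not the paper's implementation). Assumption: the server
records several RTT probes per connection, e.g. from the TCP handshake and
from request/response pairs inside the SSH or HTTPS session.
"""
from statistics import median


def connection_rtt(probe_rtts_ms):
    """Collapse several noisy RTT probes into one per-connection estimate.
    The median damps jitter on individual packets."""
    return median(probe_rtts_ms)


def mad_threshold(baseline_ms, k=3.0):
    """Robust cutoff: median + k * scaled MAD of direct-connection RTTs.
    A few slow but legitimate direct clients in the baseline therefore do
    not drag the threshold upward the way a mean/stddev cutoff would."""
    med = median(baseline_ms)
    mad = median(abs(x - med) for x in baseline_ms)
    return med + k * 1.4826 * mad          # 1.4826 makes MAD comparable to sigma


def classify(rtt_ms, threshold_ms):
    return "relayed" if rtt_ms > threshold_ms else "direct"


def evaluate(direct_rtts, relayed_rtts, threshold_ms):
    """Detection rate = fraction of relayed connections flagged;
    false-positive rate = fraction of direct connections flagged."""
    tp = sum(classify(r, threshold_ms) == "relayed" for r in relayed_rtts)
    fp = sum(classify(r, threshold_ms) == "relayed" for r in direct_rtts)
    return tp / len(relayed_rtts), fp / len(direct_rtts)


# Constructed RTT values in milliseconds.
BASELINE = [18, 20, 21, 22, 23, 24, 25, 27, 30, 95]   # one slow direct client
DIRECT_TEST = [19, 21, 23, 26, 31, 110]               # 110 ms: far-away user
RELAYED_TEST = [310, 420, 560, 150, 35]               # 35 ms: exit near server

if __name__ == "__main__":
    thr = mad_threshold(BASELINE)
    det, fpr = evaluate(DIRECT_TEST, RELAYED_TEST, thr)
    print(f"threshold={thr:.1f} ms  detection={det:.2f}  false_positive={fpr:.2f}")
    print("probe example:", connection_rtt([24, 26, 61, 25, 23]), "ms")
```

The missed 35 ms relayed sample is the hard case the abstract alludes to: when the circuit's last hop is geographically close to the server, the added latency nearly vanishes, which is why the scenario with the anonymity network nearest the target is the one to evaluate against.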
