Per Connection Server-Side Identification of Connections via Tor

This paper presents two novel methods for separating network connections into those that originated behind the Tor network and those that did not. Our methods identify inbound Tor connections using two distinct timing signatures, delay and round-trip time, which can be used to create effective metrics. To evaluate our methods' ability to correctly identify Tor connections, we present the results of two small-scale experiments, one testing performance with HTTP traffic and the other with SSH. These experiments yielded very high accuracy rates (100% and 98.99% respectively) when partitioning network connections into Tor and non-Tor originating connections. Using our techniques, we believe that inbound connections that have traversed the Tor network can be identified on a per-connection basis rather than the current per-IP basis.
