TorWard: Discovery of malicious traffic over Tor

Tor is a popular low-latency anonymous communication system. However, it is currently abused in various ways. Tor exit routers are frequently troubled by administrative and legal complaints. To gain an insight into such abuse, we design and implement a novel system, TorWard, for the discovery and systematic study of malicious traffic over Tor. The system can avoid legal and administrative complaints and allows the investigation to be performed in a sensitive environment such as a university campus. An IDS (Intrusion Detection System) is used to discover and classify malicious traffic. We performed comprehensive analysis and extensive real-world experiments to validate the feasibility and effectiveness of TorWard. Our data shows that around 10% Tor traffic can trigger IDS alerts. Malicious traffic includes P2P traffic, malware traffic (e.g., botnet traffic), DoS (Denial-of-Service) attack traffic, spam, and others. Around 200 known malware have been identified. To the best of our knowledge, we are the first to perform malicious traffic categorization over Tor.

[1]  Ming Yang,et al.  Application-level attack against Tor's hidden service , 2011, 2011 6th International Conference on Pervasive Computing and Applications.

[2]  Paul F. Syverson,et al.  Locating hidden servers , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[3]  Alex Biryukov,et al.  TorScan: Deanonymizing Connections Using Topology Leaks , 2012, ERCIM News.

[4]  Zhenhai Duan,et al.  A traceback attack on Freenet , 2013, 2013 Proceedings IEEE INFOCOM.

[5]  Zhen Ling,et al.  Protocol-level hidden server discovery , 2013, 2013 Proceedings IEEE INFOCOM.

[6]  Brian Hernacki,et al.  Emerging threats , 2005, WORM '05.

[7]  Dirk Grunwald,et al.  Shining Light in Dark Places: Understanding the Tor Network , 2008, Privacy Enhancing Technologies.

[8]  Ming Yang,et al.  Extensive analysis and large-scale empirical evaluation of tor bridge discovery , 2012, 2012 Proceedings IEEE INFOCOM.

[9]  Ian Goldberg,et al.  Changing of the guards: a framework for understanding and improving entry guard selection in tor , 2012, WPES '12.

[10]  Alex Biryukov,et al.  Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization , 2013, 2013 IEEE Symposium on Security and Privacy.

[11]  Mohamed Ali Kâafar,et al.  Digging into Anonymous Traffic: A Deep Analysis of the Tor Anonymizing Network , 2010, 2010 Fourth International Conference on Network and System Security.

[12]  Steven J. Murdoch,et al.  Hot or not: revealing hidden services by their clock skew , 2006, CCS '06.

[13]  Nicolas Christin,et al.  Traveling the silk road: a measurement analysis of a large anonymous online marketplace , 2012, WWW.