Distinguishing Tor From Other Encrypted Network Traffic Through Character Analysis (2405.09412v1)

Abstract: For journalists reporting from a totalitarian regime, whistleblowers and resistance fighters, the anonymous use of cloud services on the Internet can be vital for survival. The Tor network provides a free and widely used anonymization service for everyone. However, there are different approaches to distinguishing Tor from non-Tor encrypted network traffic, most recently only due to the (relative) frequencies of hex digits in a single encrypted payload packet. While conventional data traffic is usually encrypted once, but at least three times in the case of Tor due to the structure and principle of the Tor network, we have examined to what extent the number of encryptions contributes to being able to distinguish Tor from non-Tor encrypted data traffic.

• The paper demonstrates that hexadecimal frequency analysis is applied to distinguish Tor from non-Tor encrypted traffic.
• It employs machine learning models like J48, Random Forest, and k-Nearest Neighbors, achieving >90% accuracy on some datasets before multi-encryption tests reduced performance to chance levels.
• The findings confirm that encryption layers alone do not enable reliable differentiation, prompting further research into other distinguishing features of Tor traffic.

Understanding the Difference: Tor vs. Non-Tor Encrypted Traffic

Introduction to Tor and Its Importance

Tor (The Onion Router) is a critical tool for those who require anonymity online, such as journalists, whistleblowers, and everyday users wanting to stay private. The Tor network routes traffic through multiple nodes and layers of encryption, making it incredibly challenging to trace the origin of the data.

However, this paper investigates whether it is possible to differentiate between Tor-encrypted and non-Tor encrypted traffic just by analyzing the encrypted data packets. This has significant bearing on user privacy and the robustness of Tor as an anonymization service.

The Core Question

The main focus of the research is straightforward but vital: Can you distinguish between Tor traffic and non-Tor encrypted traffic? This stems from the fundamental question in cryptography about whether multiple layers of encryption can affect the distinguishability of traffic.

Related Work

Previous studies have employed various methods to classify Tor traffic, including:

• Flow-based features: Using metrics like packet timing and size to distinguish traffic types.
• Packet-based features: Focusing on individual packet contents, such as the initial bytes of TCP headers.

For example, Lashkari et al. used time-based features and achieved exceptionally high precision and recall with a decision tree algorithm. Kim et al. improved on this by using one-dimensional convolutional neural networks, achieving perfect accuracy in some cases.

Preliminary Work

A significant chunk of this paper is built upon Pitpimon Choorod's PhD thesis. She delved into the statistical characteristics of encrypted payloads to differentiate between Tor and non-Tor traffic.

Methods included:

• Hexadecimal Frequency Analysis: Counting the frequencies of each hexadecimal character in the data payloads.
• Feature Engineering: Using frequency sets and ratio features to normalize and analyze the payloads.

The datasets were a mix of public and private Tor traffic, encapsulating various types of applications like audio, browsing, and video. Machine learning models—specifically J48, Random Forest, and k-Nearest Neighbors (kNN)—achieved remarkably high accuracies, often exceeding 90%.

New Experiments

The crux of the paper is exploring whether multiple layers of encryption (a haLLMark of Tor) could be making Tor traffic identifiable. The authors created datasets that simulated single-encrypted and triple-encrypted data, using the Advanced Encryption Standard (AES) with different modes of operation—CBC, CTR, and even the insecure ECB.

The process involved:

1. Data Generation: Producing large sets of random and zero data.
2. Encryption: Encrypted these sets once and then three times.
3. Feature Extraction: Counting the hexadecimal digit frequencies.
4. Machine Learning Models: Training and testing models to see if they could distinguish between single and triple encryption.

Key Findings

The results were clear across all encryption modes:

• The machine learning models could not reliably differentiate between single- and triple-encrypted traffic.
• Accuracy hovered around the guess probability of 50%, regardless of the model or data used.

This indicates that the number of encryption layers is not the key factor enabling the high classification accuracies seen in Choorod's work.

Implications and Future Directions

The implications are twofold:

• Practical: Tor remains robust in its encryption layers, as these layers alone do not expose traffic to classification.
• Theoretical: More research is needed to uncover what unique features of Tor traffic are being picked up by machine learning models, as it is not merely the result of multi-layer encryption.

Future research will aim to isolate and identify other characteristics of Tor traffic that might be aiding in its classification. This could involve more in-depth analysis of network behaviors or examining other metadata associated with Tor traffic.

In summary, while distinguishing between Tor and non-Tor traffic posed a challenging hypothesis that was not resolved by simply examining multi-layer encryption, the quest continues. Further investigations will help clarify and potentially fortify anonymization techniques, making the internet a safer place for those who depend on privacy.

This exploration might just be the tip of the iceberg, but it's an important step in understanding internet privacy and security.