[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Results of experiment on distinguishing tor from normal SSL traffic

Hi all,

Beginning of last year I took on an Honours course at uni and began a thesis, I wanted to try and attempt to answer some of the questions being asked here:

Our censorship-resistance goals include preventing an attacker who's looking at Tor traffic on the wire fromdistinguishing it from normal SSL traffic. Obviously we can't achieve perfect steganography and still remain usable, but for a first step we'd like to block any attacks that can win by observing only a few packets. One of the remaining attacks we haven't examined much is that Tor cells are 512 bytes, so the traffic on the wire may well be a multiple of 512 bytes. How much does the batching and overhead in TLS records blur this on the wire? Do different buffer flushing strategies in Tor affect this? Could a bit of padding help a lot, or is this an attack we must accept?

Being an honours project conducted part time amongst otherÂresponsibilities, the scope of my research has been quite limited but I've made some progress.

The experiment was conducted with a small physically isolated test network, 15 test relays on a single pc and about 30 different sample websites with different network characteristics. I sniffed traffic from a number of Selenium test examples connecting over HTTPS, using HTTP over Tor and using HTTPS over Tor.

My initial analysis has just been plugging the packet traces into Weka and seeing what happened. This is what the matchers come up with so far (sorry about the formatting, I've just replaced the & characters in the latex table):

ÂTrue Positive Rate False Positive Rate ROCÂ
ÂÂ Â-------------------------------------------------
ÂÂ ÂRandom Forest
ÂÂ Â-------------------------------------------------
ÂÂ ÂHTTPS 0.957 0.036 0.99
ÂÂ ÂHTTP over Tor 0.937 0.037 0.986
ÂÂ ÂHTTPS over Tor 0.977 0.003 0.999
ÂÂ ÂWeighted Avg. 0.954 0.03 0.99
ÂÂ Â-------------------------------------------------
ÂÂ Âj4.8 With 10 fold cross validation
ÂÂ Â-------------------------------------------------
ÂÂ ÂHTTPS 0.951 0.04 0.989
ÂÂ ÂHTTP over Tor 0.978 0.043 0.98
ÂÂ ÂHTTPS over Tor 0.97 0.007 0.992
ÂÂ ÂWeighted Avg. 0.964 0.018 0.986
ÂÂ Â-------------------------------------------------
ÂÂ ÂRandom Tree
ÂÂ Â-------------------------------------------------
ÂÂ ÂHTTPS 0.961 0.046 0.963
ÂÂ ÂHTTP over Tor 0.906 0.04 0.94
ÂÂ ÂHTTPS over Tor 0.955 0.01 0.972
ÂÂ ÂWeighted Avg. 0.941 0.037 0.957
ÂÂ Â-------------------------------------------------
ÂÂ ÂAdaboost
ÂÂ Â-------------------------------------------------
ÂÂ ÂHTTPS 0.95 0.001 0.975
ÂÂ ÂHTTP over Tor 0.999 0.324 0.838
ÂÂ ÂHTTPS over Tor 0 0 0.777
ÂÂ ÂWeighted Avg. 0.785 0.109 0.891

Plenty more work to go and hopefully soon I can answer some more of the above.

tor-talk mailing list