Anonymous communication networks, like Tor, partially protect the confidentiality of user traffic by encrypting all communications within the overlay network. However, Tor is not only used for good; a great deal of the traffic in the Tor networks is in fact port scans, hacking attempts, exfiltration of stolen data and other forms of online criminality. The anonymity network Tor is often misused by hackers and criminals in order to remotely control hacked computers. In this paper we present our methodology for detecting any connection to or from Tor network. Our detection method is based on a list of Tor servers. We process the network traffic and match the source and destination IP addresses for each connection with Tor servers list. The list of Tor servers is automatically updated each day and the detection is in the real time. We applied our methodology on campus live traffic and showed that it can automatically detect Tor connections in the real time. We also applied our methodology on packet capture (pcap) files which contain real and long-lived malware traffic and we proved that our methodology can successfully detect Tor connections.
展开▼
机译:匿名通信网络,如Tor,通过加密覆盖网络内的所有通信来部分地保护用户流量的机密性。然而,Tor不仅用于良好; Tor Networks中的大量交通实际上是港口扫描,黑客尝试,被盗数据的灭绝和其他形式的在线犯罪。匿名网络TOR经常被黑客和犯罪分子滥用,以便远程控制被攻击的计算机。在本文中,我们介绍了检测与Tor网络的任何连接的方法。我们的检测方法基于TOR服务器的列表。我们处理网络流量,并匹配每个与tor服务器列表的每个连接的源和目标IP地址。每天都会自动更新Tor服务器列表,检测实时。我们在校园实时流量上应用了我们的方法,并显示它可以在实时自动检测Tor连接。我们还在包含真实和长期恶意软件流量的数据包捕获(PCAP)文件上应用了我们的方法,并且我们证明了我们的方法可以成功检测Tor连接。
展开▼
