Tor traffic classification based on encrypted payload characteristics

Pitpimon Choorod; George Weir

doi:10.1109/NCCC49330.2021.9428874

Tor traffic classification based on encrypted payload characteristics

Pitpimon Choorod, George Weir

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution book

12 Citations (Scopus)

Abstract

Tor is increasingly used on the Internet as a means of accessing illicit or illegal services. If enacted by employees, such use may lead to negative impact on the organization. By its nature. Tor traffic is encrypted multiple times before being sent across networks to reach a destination. Therefore it may be impossible to detect the nature of a Tor user's online activities. Nevertheless, such users cannot hide the fact that they are using Tor. This paper proposes a novel data payload analysis as a means of classifying Tor traffic using machine learning. To this end, we consider the characteristics of the encrypted data payload for Tor and encrypted nonTor packets from 8 different applications and extract features to train our machine learning model. Our results indicate that, contrary to the commonsense assumption that Tor packets resemble other encrypted packets, such payload content can be used to distinguish between Tor and nonTor packets.

Original language	English
Title of host publication	2021 National Computing Colleges Conference (NCCC)
Place of Publication	Piscataway, N.J.
Publisher	IEEE
ISBN (Electronic)	9781728167190
ISBN (Print)	9781728167190
DOIs	https://doi.org/10.1109/NCCC49330.2021.9428874
Publication status	Published - 27 Mar 2021

Keywords

machine learning
payload features
Tor
traffic classification

Access to Document

10.1109/NCCC49330.2021.9428874

Cite this

@inproceedings{9f7bbccd88554d3a8440829d4bf84e33,

title = "Tor traffic classification based on encrypted payload characteristics",

abstract = "Tor is increasingly used on the Internet as a means of accessing illicit or illegal services. If enacted by employees, such use may lead to negative impact on the organization. By its nature. Tor traffic is encrypted multiple times before being sent across networks to reach a destination. Therefore it may be impossible to detect the nature of a Tor user's online activities. Nevertheless, such users cannot hide the fact that they are using Tor. This paper proposes a novel data payload analysis as a means of classifying Tor traffic using machine learning. To this end, we consider the characteristics of the encrypted data payload for Tor and encrypted nonTor packets from 8 different applications and extract features to train our machine learning model. Our results indicate that, contrary to the commonsense assumption that Tor packets resemble other encrypted packets, such payload content can be used to distinguish between Tor and nonTor packets.",

keywords = "machine learning, payload features, Tor, traffic classification",

author = "Pitpimon Choorod and George Weir",

year = "2021",

month = mar,

day = "27",

doi = "10.1109/NCCC49330.2021.9428874",

language = "English",

isbn = "9781728167190",

booktitle = "2021 National Computing Colleges Conference (NCCC)",

publisher = "IEEE",

}

TY - GEN

T1 - Tor traffic classification based on encrypted payload characteristics

AU - Choorod, Pitpimon

AU - Weir, George

PY - 2021/3/27

Y1 - 2021/3/27

N2 - Tor is increasingly used on the Internet as a means of accessing illicit or illegal services. If enacted by employees, such use may lead to negative impact on the organization. By its nature. Tor traffic is encrypted multiple times before being sent across networks to reach a destination. Therefore it may be impossible to detect the nature of a Tor user's online activities. Nevertheless, such users cannot hide the fact that they are using Tor. This paper proposes a novel data payload analysis as a means of classifying Tor traffic using machine learning. To this end, we consider the characteristics of the encrypted data payload for Tor and encrypted nonTor packets from 8 different applications and extract features to train our machine learning model. Our results indicate that, contrary to the commonsense assumption that Tor packets resemble other encrypted packets, such payload content can be used to distinguish between Tor and nonTor packets.

AB - Tor is increasingly used on the Internet as a means of accessing illicit or illegal services. If enacted by employees, such use may lead to negative impact on the organization. By its nature. Tor traffic is encrypted multiple times before being sent across networks to reach a destination. Therefore it may be impossible to detect the nature of a Tor user's online activities. Nevertheless, such users cannot hide the fact that they are using Tor. This paper proposes a novel data payload analysis as a means of classifying Tor traffic using machine learning. To this end, we consider the characteristics of the encrypted data payload for Tor and encrypted nonTor packets from 8 different applications and extract features to train our machine learning model. Our results indicate that, contrary to the commonsense assumption that Tor packets resemble other encrypted packets, such payload content can be used to distinguish between Tor and nonTor packets.

KW - machine learning

KW - payload features

KW - Tor

KW - traffic classification

U2 - 10.1109/NCCC49330.2021.9428874

DO - 10.1109/NCCC49330.2021.9428874

M3 - Conference contribution book

SN - 9781728167190

BT - 2021 National Computing Colleges Conference (NCCC)

PB - IEEE

CY - Piscataway, N.J.

ER -

Tor traffic classification based on encrypted payload characteristics

Abstract

Keywords

Access to Document

Fingerprint

Cite this