[tor-talk] Results of experiment on distinguishing tor from normal SSL traffic

John Barker jebarker at gmail.com
Mon Mar 14 05:09:41 UTC 2011


Hi all,

At the beginning of last year I took on an Honours course at uni and began a
thesis; I wanted to try to answer some of the questions being asked here:

*Our censorship-resistance goals include preventing an attacker who's
looking at Tor traffic on the wire from distinguishing it from normal SSL
traffic <https://svn.torproject.org/svn/projects/design-paper/blocking.html#sec:network-fingerprint>.
Obviously we can't achieve perfect steganography and still remain usable,
but for a first step we'd like to block any attacks that can win by
observing only a few packets. One of the remaining attacks we haven't
examined much is that Tor cells are 512 bytes, so the traffic on the wire
may well be a multiple of 512 bytes. How much does the batching and overhead
in TLS records blur this on the wire? Do different buffer flushing
strategies in Tor affect this? Could a bit of padding help a lot, or is this
an attack we must accept?*

Being an honours project conducted part time amongst other responsibilities,
the scope of my research has been quite limited but I've made some progress.

The experiment was conducted with a small physically isolated test network,
15 test relays on a single pc and about 30 different sample websites with
different network characteristics. I sniffed traffic from a number of
Selenium test examples connecting over HTTPS, using HTTP over Tor and using
HTTPS over Tor.

My initial analysis has just been plugging the packet traces into Weka and
seeing what happened. This is what the matchers come up with so far (sorry
about the formatting, I've just replaced the & characters in the LaTeX
table):

                        True Positive Rate   False Positive Rate   ROC
    ----------------------------------------------------------------
    Random Forest
    ----------------------------------------------------------------
    HTTPS               0.957                0.036                 0.99
    HTTP over Tor       0.937                0.037                 0.986
    HTTPS over Tor      0.977                0.003                 0.999
    Weighted Avg.       0.954                0.03                  0.99
    ----------------------------------------------------------------
    J48 with 10-fold cross validation
    ----------------------------------------------------------------
    HTTPS               0.951                0.04                  0.989
    HTTP over Tor       0.978                0.043                 0.98
    HTTPS over Tor      0.97                 0.007                 0.992
    Weighted Avg.       0.964                0.018                 0.986
    ----------------------------------------------------------------
    Random Tree
    ----------------------------------------------------------------
    HTTPS               0.961                0.046                 0.963
    HTTP over Tor       0.906                0.04                  0.94
    HTTPS over Tor      0.955                0.01                  0.972
    Weighted Avg.       0.941                0.037                 0.957
    ----------------------------------------------------------------
    Adaboost
    ----------------------------------------------------------------
    HTTPS               0.95                 0.001                 0.975
    HTTP over Tor       0.999                0.324                 0.838
    HTTPS over Tor      0                    0                     0.777
    Weighted Avg.       0.785                0.109                 0.891

Plenty more work to go and hopefully soon I can answer some more of the
above.

Cheers,
John
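The quoted blocking.html paragraph asks whether the 512-byte Tor cell size leaks through TLS record batching and whether padding would blur it. The following added example (not John's code, not Weka, and not Tor's own padding logic) makes that question concrete on constructed record-length traces: it computes a single "fraction of records whose payload is a multiple of 512" feature, runs a threshold classifier on it to get the same TPR/FPR numbers the table reports, and then applies a hypothetical random-padding scheme to show how the feature degrades. The TLS overhead constant and the cell-count distribution are assumptions, not measurements.

```python
"""Added example: the 512-byte cell-size fingerprint on constructed TLS
record lengths, and the effect of per-record random padding on it.
Every trace below is constructed with a seeded RNG; nothing is captured data.
"""
import random

CELL = 512
# Assumed fixed per-record TLS overhead (header + MAC); the real value depends
# on the cipher suite, so treat 37 as a placeholder, not a measured constant.
TLS_OVERHEAD = 37


def tor_like_records(n, rng):
    """Constructed 'Tor-like' trace: each record carries k whole 512-byte cells."""
    return [rng.choice([1, 1, 1, 2, 3, 8]) * CELL + TLS_OVERHEAD for _ in range(n)]


def https_like_records(n, rng):
    """Constructed 'ordinary HTTPS' trace: application-data records of arbitrary size."""
    return [rng.randint(40, 4096) + TLS_OVERHEAD for _ in range(n)]


def cell_multiple_fraction(record_lengths, overhead=TLS_OVERHEAD):
    """Feature: fraction of records whose payload is a non-zero multiple of 512."""
    if not record_lengths:
        return 0.0
    hits = 0
    for length in record_lengths:
        payload = length - overhead
        if payload > 0 and payload % CELL == 0:
            hits += 1
    return hits / len(record_lengths)


def pad_records(record_lengths, rng, max_pad=CELL - 1):
    """Hypothetical mitigation: append 0..max_pad random bytes of padding per record."""
    return [length + rng.randint(0, max_pad) for length in record_lengths]


def classify(record_lengths, threshold=0.5):
    """Single-feature threshold classifier; returns 'tor' or 'https'."""
    return "tor" if cell_multiple_fraction(record_lengths) >= threshold else "https"


def evaluate(traces, labels, threshold=0.5):
    """Return (true positive rate, false positive rate) with 'tor' as the positive class."""
    tp = fp = fn = tn = 0
    for trace, label in zip(traces, labels):
        guess = classify(trace, threshold)
        if label == "tor":
            if guess == "tor":
                tp += 1
            else:
                fn += 1
        else:
            if guess == "tor":
                fp += 1
            else:
                tn += 1
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return tpr, fpr


def build_dataset(n_traces=20, n_records=200, seed=1, padded=False):
    """Constructed balanced dataset of Tor-like and HTTPS-like traces."""
    rng = random.Random(seed)
    traces, labels = [], []
    for _ in range(n_traces):
        tor = tor_like_records(n_records, rng)
        traces.append(pad_records(tor, rng) if padded else tor)
        labels.append("tor")
        traces.append(https_like_records(n_records, rng))
        labels.append("https")
    return traces, labels


if __name__ == "__main__":
    for padded in (False, True):
        traces, labels = build_dataset(padded=padded)
        tpr, fpr = evaluate(traces, labels)
        print(f"padding={padded}: TPR={tpr:.3f} FPR={fpr:.3f}")
```

Unpadded, the Tor-like traces score a feature value of 1.0 and the classifier separates the two classes perfectly; once each record gets a random 0..511 bytes of padding only about one record in 512 still lands on a cell boundary, so the same threshold no longer flags the Tor-like traces. That is the single-feature version of the "could a bit of padding help a lot" question; a real classifier such as the Weka ones above would have many more features (timing, record count, direction) that padding alone does not touch.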