[tor-dev] TOR SoP proposal: extending and improving TOR network anomaly detection

Philipp Winter phw at nymity.ch
Wed Apr 15 15:28:32 UTC 2015


On Tue, Apr 14, 2015 at 01:38:54AM -0400, Kibo Schaffer wrote:
> I want to improve TOR's ability to detect anomalies such as sybil
> attacks, and make it easy to include other heuristics for other
> potential attacks. When a potential attack is detected, users and
> maintainers are notified (as necessary). There has been research and
> development in this field with TorDoctor, exitmap, and
> HoneyConnector. However, as far as I am aware, these projects could use
> some help being solidified and integrated into TOR.

What do you mean by "solidified and integrated into TOR"?  Tor, the
network or tor, the C program?  exitmap (and I think Doctor and
HoneyConnector too) is meant to be a stand-alone tool that only uses the
Tor network as a client.

And do you already have some concrete ideas about detecting anomalies?
It's an interesting topic, but also a theory-heavy one.  If we don't
have good ideas about concrete things to work on, we can easily spend
all three months researching, which is not quite what TSoC is about.

While I'm currently working on Sybil attack detection [0], and more
broadly anomaly detection, we are still mostly in the process of working
out the theory.

There might be, however, ways to extend exitmap and add new modules to
it, which is mostly programming.  The GitHub issue tracker lists two of
them [1].

[0] <http://notebooks.nymity.ch/detecting_sybils.html>
[1] <https://github.com/NullHypothesis/exitmap/issues>

Cheers,
Philipp

