• DocumentCode
    3600038
  • Title

    Inferring Application Type Information from Tor Encrypted Traffic

  • Author

    Gaofeng He ; Ming Yang ; Junzhou Luo ; Xiaodan Gu

  • Author_Institution
    China Electr. Power Res. Inst., Nanjing, China
  • fYear
    2014
  • Firstpage
    220
  • Lastpage
    227
  • Abstract
    Tor is a famous anonymity communication system for preserving users' online privacy. It supports TCP applications and packs application data into encrypted equal-sized cells to hide some private information of users, such as the running application type (Web, P2P, FTP, Others). Knowledge of application types is harmful because it can be used to reduce the anonymity set and facilitate other attacks. However, unfortunately, the current Tor design cannot conceal certain application behaviors. For example, P2P applications usually upload and download files simultaneously and this behavioral feature is also kept in Tor traffic. Motivated by this observation, we investigate a new attack against Tor, traffic classification attack, which can recognize application types from Tor traffic. An attacker first carefully selects some flow features, e.g., burst volumes and directions, to represent the application behaviors and takes advantage of some efficient machine learning algorithm to model different types of applications. Then these established models can be used to classify the target's Tor traffic and infer its application type. We have implemented the traffic classification attack on Tor and our experiments validate the feasibility and effectiveness of the attack.
  • Keywords
    computer network security; cryptography; peer-to-peer computing; P2P applications; Tor design; Tor encrypted traffic; anonymity communication system; application type information; peer-to-peer applications; traffic classification attack; user online privacy preservation; Clustering algorithms; Computational modeling; Feature extraction; Hidden Markov models; Probability; Servers; Training; Tor; anonymous communication; privacy; profile HMM; traffic classification;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Advanced Cloud and Big Data (CBD), 2014 Second International Conference on
  • Print_ISBN
    978-1-4799-8086-4
  • Type

    conf

  • DOI
    10.1109/CBD.2014.37
  • Filename
    7176097