Zhong Guan, Gaopeng Gou, Yangyang Guan, Bingxu Wang
Title: An Empirical Analysis of Plugin-Based Tor Traffic over SSH Tunnel
Venue: MILCOM 2019 - 2019 IEEE Military Communications Conference (MILCOM)
Publication date: 2019-11-01
DOI: 10.1109/MILCOM47813.2019.9020938 (https://doi.org/10.1109/MILCOM47813.2019.9020938)
Citations: 6
Abstract
Tor is the most widely used system for anonymous low-latency communication. However, according to a large body of research, the anonymity of Tor is not invulnerable, even with the traffic obfuscation provided by pluggable transports. Concerned about security issues such as identity leakage, users deploy fronting servers as proxies that forward traffic to the entry node of Tor, and encrypted tunneling services such as the secure shell (SSH) protocol are commonly used to connect users with proxies. To quantitatively analyze plugin-based Tor traffic over encrypted tunnels, experiments involving traffic identification and correlation are performed. Identification aims at recognizing tunneled Tor flows among background traffic at the client side, while correlation associates outward flows of Tor at the server side with the corresponding inward flows at the client side. We access a self-built server through the SSH proxy and Tor successively, capturing data flows generated by different pluggable transports and upper applications. Then identification and correlation techniques based on various machine learning algorithms are used to break anonymity. The accuracy and F1 scores reach above 95% while false positive rates approach 0% under certain conditions. The result demonstrates that Tor traffic encrypted by tunneling protocols is also at risk of having its anonymity revealed when confronted with traffic analysis.