Haozhan Yin, Jinxuan Cao, Shouzhi Jiang, Tianliang Lu
{"title":"Tor Traffic’s Representation and Classification Based on Packet Timing Characteristics","authors":"Haozhan Yin, Jinxuan Cao, Shouzhi Jiang, Tianliang Lu","doi":"10.1109/AEMCSE55572.2022.00130","DOIUrl":null,"url":null,"abstract":"Tor provides users with great anonymity due to its multi-layer proxy operating mechanism, but also provides living space for illegal and criminal activities. It is necessary to further analyze users' behaviors based on the identification of Tor traffic to effectively supervise Tor users' online conduct. We focus on the differences in traffic patterns when users use different applications, and propose a Tor traffic classification method based on the timing distribution characteristics of packets, which treats each packet as an object with several attributes, analyzes its distribution in unit time, and generates visual samples, finally use CNN to identify the application type. Focusing on the transmission stage of application data, this method can effectively avoid the influence of Tor’s existing defense mechanism, and the processed samples can intuitively present the traffic features of a specific application that are visible to the naked eye. 
The experiment al results show that the proposed method can not only provide higher recognition accuracy but also effectively improve the problem of poor recognition ability of previous models for certain application types.","PeriodicalId":309096,"journal":{"name":"2022 5th International Conference on Advanced Electronic Materials, Computers and Software Engineering (AEMCSE)","volume":"37 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 5th International Conference on Advanced Electronic Materials, Computers and Software Engineering (AEMCSE)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/AEMCSE55572.2022.00130","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 1
Abstract
Tor provides users with great anonymity through its multi-layer proxy operating mechanism, but it also provides room for illegal and criminal activities. To supervise Tor users' online conduct effectively, it is necessary to build on the identification of Tor traffic and further analyze users' behaviors. We focus on the differences in traffic patterns when users use different applications and propose a Tor traffic classification method based on the timing distribution characteristics of packets. The method treats each packet as an object with several attributes, analyzes the packets' distribution in unit time, generates visual samples, and finally uses a CNN to identify the application type. Because it focuses on the transmission stage of application data, the method can effectively avoid the influence of Tor’s existing defense mechanism, and the processed samples intuitively present the traffic features of a specific application in a form visible to the naked eye. The experimental results show that the proposed method not only provides higher recognition accuracy but also effectively improves on the poor recognition ability of previous models for certain application types.