TorBot Stalker: Detecting Tor Botnets Through Intelligent Circuit Data Analysis

Oluwatobi Fajana, Gareth Owenson, Ella Haig
DOI: 10.1109/NCA.2018.8548313 (https://doi.org/10.1109/NCA.2018.8548313)
Venue: 2018 IEEE 17th International Symposium on Network Computing and Applications (NCA)
Publication date: 2018-11-01
Citation count: 8 (Semantic Scholar)

Abstract
Botnets are collections of infected computers that are controlled centrally by a botmaster, often for sending spam or launching denial-of-service attacks. Taking down these botnets is often a cat-and-mouse game, with operators frequently changing the domains used for their control infrastructure. More recently, operators have moved to using Tor, a pseudo-anonymous network for hosting services on which identification is difficult. Additionally, because connections to the Tor network are encrypted, traditional methods such as Domain Name System (DNS) monitoring and traffic signatures cannot be used to detect infected hosts. In this paper, we introduce TorBot Stalker: the first mechanism for detecting, de-anonymizing, and destroying Tor botnets. We use machine learning to analyse and fingerprint the timing and frequency of Tor network circuit data when routing botnet traffic, and build a detection mechanism that is able to identify infected hosts at the Tor network border, in real time, while preserving the privacy of legitimate users. TorBot Stalker can be implemented at any node in the Tor network and can differentiate between botnets and legitimate applications, such as Internet Relay Chat (IRC), coming from the same host. Experimental data demonstrate an accuracy of 99% with few false positives. We then apply the technique at the entry to the Tor network to measure the fraction of traffic that is botnet traffic. We observed that TorBot Stalker is able to de-anonymize real botnets in the Tor network and further identify infected hosts and control servers.