This thesis was completed in December 2019 and presented at a conference. The video of that presentation gives the full details of the topic:
Tor is a popular anonymity tool that protects users' identities and shields their traffic from eavesdropping and man-in-the-middle attacks. It implements onion routing: traffic is relayed through a chain of nodes, which hides the user's identity and encrypts the data carried over the network. As its use grows, there is a need to monitor Tor traffic to ensure that it is not being misused, and there are already a number of cases of Tor being used for malicious purposes, one of which is hiding malware traffic. Because Tor traffic is encrypted, traditional approaches such as port examination and packet inspection are ineffective. This study classified Tor traffic in two stages. First, Tor traffic was classified into nine types: web, chat, mail, audio, video, FTP, VoIP, P2P, and Whonix. Second, Tor web traffic was classified into malware and non-malware. A dataset was generated for each of the two experiments. Precision and recall were evaluated for both experiments, and False Positive and False Negative Rates were additionally computed for the malware versus non-malware classification. To automate the workflow of the experiments, a system was developed that extracts features from the traffic and classifies it using machine learning algorithms.
The general objective of this study is to develop a computational workflow that can classify malicious traffic over the Tor network. Specifically, the study aims to:
Traffic classification approaches compared in the study:

APPROACH              CLASSIFICATION METHODOLOGY   PROCESS TIME   SAMPLE TOOLS
Port-based            Protocol port                Low            Wireshark
Payload inspection    Deep packet inspection       High           nDPI, Snort, L7 filter
Statistical approach  Flow-based                   Low            Random Forest, C4.5
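To make the flow-based row of the table above and the extract-features-then-classify workflow described in the abstract concrete, here is an added Python example. It is not the thesis' own code and is not trained on TorTraffic2019 or TorMal2019: the packet records, the flow names A/B/C and their labels are all constructed for illustration, and the nearest-centroid classifier (fit_centroids/predict) is a deliberately small stand-in for the Random Forest and C4.5 models the thesis used. The example groups packets into bidirectional flows, computes statistical features that survive TLS (duration, per-direction packet and byte counts, packet-length and inter-arrival statistics), trains on two labelled flows, classifies a held-out flow, and scores the result with precision, recall, FPR and FNR.

```python
"""Flow-based Tor traffic classification workflow (added example, not the thesis'
own code): packets -> bidirectional flows -> statistical features -> classify -> score."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed packet records: (timestamp_s, src, sport, dst, dport, length). Assumed
# captures, not taken from TorTraffic2019/TorMal2019. Flow A mimics a bulky web fetch;
# flows B and C mimic small periodic beacons. Ports carry no signal: everything is TLS
# to a Tor guard, so port- and payload-based classification fail; flow statistics remain.
PACKETS = [
    (0.000, "10.0.0.5", 51234, "198.51.100.7", 443, 517),
    (0.012, "198.51.100.7", 443, "10.0.0.5", 51234, 1514),
    (0.020, "198.51.100.7", 443, "10.0.0.5", 51234, 1514),
    (0.031, "10.0.0.5", 51234, "198.51.100.7", 443, 66),
    (0.250, "10.0.0.5", 51234, "198.51.100.7", 443, 600),
    (0.263, "198.51.100.7", 443, "10.0.0.5", 51234, 1514),
    (1.000, "10.0.0.5", 51300, "203.0.113.9", 9001, 120),
    (1.010, "203.0.113.9", 9001, "10.0.0.5", 51300, 80),
    (6.000, "10.0.0.5", 51300, "203.0.113.9", 9001, 120),
    (6.011, "203.0.113.9", 9001, "10.0.0.5", 51300, 80),
    (11.000, "10.0.0.5", 51300, "203.0.113.9", 9001, 120),
    (11.009, "203.0.113.9", 9001, "10.0.0.5", 51300, 80),
    (20.000, "10.0.0.6", 40001, "203.0.113.44", 443, 130),
    (20.012, "203.0.113.44", 443, "10.0.0.6", 40001, 90),
    (25.000, "10.0.0.6", 40001, "203.0.113.44", 443, 130),
    (25.010, "203.0.113.44", 443, "10.0.0.6", 40001, 90),
]
FEATURES = ("duration", "fwd_pkts", "bwd_pkts", "fwd_bytes", "bwd_bytes",
            "mean_len", "mean_iat", "std_iat")

def flow_key(pkt):
    """Direction-independent endpoint pair so both halves of a conversation share a flow."""
    _, src, sport, dst, dport, _ = pkt
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)

def extract_flows(packets):
    """Return {flow_key: features}; forward = direction of the flow's first packet."""
    groups = defaultdict(list)
    for p in sorted(packets, key=lambda p: p[0]):
        groups[flow_key(p)].append(p)
    flows = {}
    for key, pkts in groups.items():
        initiator = (pkts[0][1], pkts[0][2])
        fwd = [p for p in pkts if (p[1], p[2]) == initiator]
        bwd = [p for p in pkts if (p[1], p[2]) != initiator]
        iats = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])] or [0.0]
        flows[key] = {
            "duration": pkts[-1][0] - pkts[0][0],
            "fwd_pkts": len(fwd), "bwd_pkts": len(bwd),
            "fwd_bytes": sum(p[5] for p in fwd), "bwd_bytes": sum(p[5] for p in bwd),
            "mean_len": mean([p[5] for p in pkts]),
            "mean_iat": mean(iats), "std_iat": pstdev(iats),
        }
    return flows

def fit_centroids(samples):
    """samples: [(features, label)]. Min-max scale over the training set, then average per
    class. A deliberately tiny stand-in for the Random Forest / C4.5 models the thesis used;
    the feature pipeline in front of it is what the flow-based approach is about."""
    lo = {f: min(s[f] for s, _ in samples) for f in FEATURES}
    hi = {f: max(s[f] for s, _ in samples) for f in FEATURES}

    def scale(s):  # constant features (hi == lo) map to 0 instead of dividing by zero
        return [(s[f] - lo[f]) / ((hi[f] - lo[f]) or 1.0) for f in FEATURES]

    by_label = defaultdict(list)
    for s, label in samples:
        by_label[label].append(scale(s))
    centroids = {lab: [mean(col) for col in zip(*vecs)] for lab, vecs in by_label.items()}
    return {"scale": scale, "centroids": centroids}

def predict(model, feats):
    """Label of the nearest centroid (squared Euclidean distance in scaled space)."""
    v = model["scale"](feats)
    return min(model["centroids"],
               key=lambda lab: sum((a - b) ** 2 for a, b in zip(v, model["centroids"][lab])))

def score(y_true, y_pred, positive="malware"):
    """Precision/recall plus FPR (benign flagged) and FNR (malware missed); guards against
    a test set that lacks one class rather than dividing by zero."""
    pairs = list(zip(y_true, y_pred))
    tp = sum(t == positive and p == positive for t, p in pairs)
    fp = sum(t != positive and p == positive for t, p in pairs)
    fn = sum(t == positive and p != positive for t, p in pairs)
    tn = sum(t != positive and p != positive for t, p in pairs)
    div = lambda n, d: n / d if d else 0.0
    return {"precision": div(tp, tp + fp), "recall": div(tp, tp + fn),
            "fpr": div(fp, fp + tn), "fnr": div(fn, fn + tp)}

def run_workflow(packets=PACKETS):
    """Train on flows A (web) and B (malware), then classify and score held-out flow C."""
    a, b, c = extract_flows(packets).values()
    model = fit_centroids([(a, "web"), (b, "malware")])  # constructed labels
    pred = predict(model, c)
    return pred, score(["malware"], [pred])
```

Calling run_workflow() classifies the held-out beacon-like flow as "malware" purely from timing and size statistics, with the ports ignored. The score() function is the part worth keeping: precision and recall alone hide how many benign flows a detector would flag in production, which is why FPR and FNR are reported alongside them, and the division guard matters because a test set with only one class present would otherwise crash the evaluation.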
Datasets generated for the two experiments:

DATASET          TRAFFIC TYPE   APPLICATION/PROTOCOL
TorTraffic2019   Web            http, https
                 Mail           gmail, uplb
                 Chat           hangouts, messenger, utox
                 Audio          soundcloud, streamsquid
                 Video          tedtalks, youtube
                 FTP            mmnt, rebex, wftserver
                 VoIP           messenger, mumble, utox
                 P2P            qBittorrent, deluge
                 Whonix         TLS
TorMal2019       Web            http, https
                 Malware        dexter, kazy, locky, parite, wannacry
Prof. Jaderick Pabico
Professor 9
Institute of Computer Science
College of Arts and Sciences
University of the Philippines Los Baños
Email: jppabico@up.edu.ph
Prof. Jaime Samaniego
Associate Professor 2
Institute of Computer Science
College of Arts and Sciences
University of the Philippines Los Baños
Email: jmsamaniego2@up.edu.ph
Prof. Concepcion Khan
Assistant Professor 7
Advanced Databases, Artificial Intelligence, Information Systems
Institute of Computer Science
College of Arts and Sciences
University of the Philippines Los Baños
Email: clkhan@up.edu.ph
Here are some topic and software explorations made while developing this thesis: