IEEE Access (Jan 2020)
Detecting Malicious Users Behind Circuit-Based Anonymity Networks
Abstract
This project addresses the problem of detecting intruders who hide behind privacy-protecting anonymity networks. The freely available Tor network and SOCKS proxy services are popular tools that provide circuit-based anonymous connections to network users. However, recent security breaches reveal that malicious users have launched attacks over SSH and HTTPS while using these services to hide their identities. This paper investigates strategies for detecting SSH and HTTPS connections that arrive through circuit-based anonymity networks, to help servers and websites defend against anonymous intruders. We evaluate our approaches on SSH and HTTPS connections and show that they achieve high performance for both applications. Our detection algorithms are based on the extra latency introduced by the presence of the anonymity network. Since the latency disparity is sensitive to the location of the anonymity network, our algorithms must be evaluated in the most challenging scenarios. The detection rates for all four combinations of SSH/HTTPS applications via Tor/SOCKS networks were very high, with a low false-positive rate. To demonstrate the robustness of our approach in the Tor case, we tested our method under multiple Tor circuit node selection strategies. The approach can be applied to other applications that meet the same criteria.
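The abstract states that detection rests on the extra latency a circuit-based anonymity network adds, without spelling out the algorithm. The following Python is an added illustration, not the paper's code, and it assumes one common way to turn that idea into a server-side check: the TCP handshake terminates at the last hop of the circuit (Tor exit or SOCKS proxy), so the transport-layer RTT is short, while the SSH or TLS handshake needs round trips to the real client through the whole circuit, so the application-layer RTT is much longer. The ratio of the two RTTs is the feature; a threshold is calibrated from known-direct traffic, and the classifier is scored by detection rate and false-positive rate, the two figures the abstract reports. All timings and the `HandshakeTiming` record are constructed for the example.

```python
"""
Latency-disparity classifier for connections that may arrive through a
circuit-based anonymity network. Added illustration; the feature used here
(application-layer RTT / transport-layer RTT) is an assumption about how
the latency idea in the abstract can be realised, not the paper's algorithm.
"""
from dataclasses import dataclass
from statistics import median
from typing import Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class HandshakeTiming:
    """Server-side timings for one inbound connection, in milliseconds (constructed)."""
    conn_id: str
    tcp_rtt_ms: float   # SYN received -> ACK of our SYN/ACK (transport layer)
    app_rtt_ms: float   # first server handshake message sent -> client reply (SSH KEX / TLS)


def latency_ratio(t: HandshakeTiming) -> float:
    """Feature: how much slower the application handshake is than the TCP handshake.
    A direct client gives a ratio near 1; a client behind a circuit gives a much
    larger ratio. The floor on tcp_rtt_ms guards against a local test client."""
    return t.app_rtt_ms / max(t.tcp_rtt_ms, 0.1)


def is_anonymized(t: HandshakeTiming, ratio_threshold: float) -> bool:
    """Flag a connection whose application RTT is far out of line with its TCP RTT."""
    return latency_ratio(t) >= ratio_threshold


def calibrate_threshold(direct: Iterable[HandshakeTiming], margin: float = 2.0) -> float:
    """Derive the threshold from known-direct traffic: median ratio times a safety margin.
    Calibrating on the server's own baseline keeps the check tied to its network position,
    which matters because the latency gap depends on where the circuit sits."""
    ratios = [latency_ratio(t) for t in direct]
    return median(ratios) * margin


def evaluate(samples: Sequence[HandshakeTiming], labels: Sequence[bool],
             threshold: float) -> Tuple[float, float]:
    """Score the classifier: returns (detection rate, false-positive rate)."""
    tp = fn = fp = tn = 0
    for t, anon in zip(samples, labels):
        pred = is_anonymized(t, threshold)
        if anon and pred:
            tp += 1
        elif anon:
            fn += 1
        elif pred:
            fp += 1
        else:
            tn += 1
    detection_rate = tp / (tp + fn) if tp + fn else 0.0
    false_positive_rate = fp / (fp + tn) if fp + tn else 0.0
    return detection_rate, false_positive_rate


# Constructed samples. Direct clients: application RTT tracks TCP RTT, including one
# congested client (d5) whose handshake is slow but still proportionate.
DIRECT: List[HandshakeTiming] = [
    HandshakeTiming("d1", 20.0, 22.0),
    HandshakeTiming("d2", 45.0, 50.0),
    HandshakeTiming("d3", 80.0, 90.0),
    HandshakeTiming("d4", 5.0, 6.0),
    HandshakeTiming("d5", 60.0, 100.0),
]
# Constructed samples through a circuit: TCP RTT is to the exit/proxy (near), the
# application handshake crosses the whole circuit (far).
PROXIED: List[HandshakeTiming] = [
    HandshakeTiming("p1", 15.0, 400.0),
    HandshakeTiming("p2", 30.0, 650.0),
    HandshakeTiming("p3", 12.0, 250.0),
    HandshakeTiming("p4", 100.0, 280.0),   # exit close to the server, still a clear gap
]


def run_demo() -> Tuple[float, float, float]:
    """Calibrate on direct traffic, then score on the mixed set. Returns
    (threshold, detection rate, false-positive rate)."""
    threshold = calibrate_threshold(DIRECT)
    samples = DIRECT + PROXIED
    labels = [False] * len(DIRECT) + [True] * len(PROXIED)
    det, fpr = evaluate(samples, labels, threshold)
    return threshold, det, fpr


if __name__ == "__main__":
    thr, det, fpr = run_demo()
    print(f"threshold={thr:.2f} detection_rate={det:.2f} false_positive_rate={fpr:.2f}")
```

The calibration step is the part worth keeping in mind: the same absolute delay means different things for a server next to a Tor exit and one on another continent, so a fixed threshold would not transfer between deployments, whereas a ratio calibrated on the server's own direct traffic does.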
Keywords