Tor Traffic Identification and Analysis

Published: Jul 10, 2019

Tor is free software that enables anonymous Internet communication. The Tor network is built on onion routing. According to Deng, Qian, Chen and Su (2017), “Tor is known as the second generation of onion routing, which is currently the most popular and widely used anonymous communication system”. Identifying anonymous traffic plays an essential role today in preventing the misuse of this technology. A user's Internet activity cannot easily be traced when it passes through the Tor network, so Tor protects the privacy of its users: they can browse the web and exchange messages without disclosing who or where they are.


According to Cuzzocrea, Martinelli, Mercaldo and Vercelli (2017), “Tor is increasingly used for not legal activities i.e., to gain access to censored information, to organize political activities, or to circumvent laws against criticism of heads of state. Tor has, for instance, been used by criminal enterprises, hacktivism groups, and law enforcement agencies at cross purposes”. The Tor network consists of a set of relays connected by a series of virtual tunnels. The design goal of Tor is to make tracing users impractical, not to erase every trace. Several machine learning techniques can be applied to decide whether a host is generating Tor-related traffic, and the adequacy of each technique can be evaluated on labelled traffic.

According to Oda, Obukata, Yamada, Hiyama, Barolli and Takizawa (2016), “Compared with other anonymizers Tor is more popular and has more visibility in the academic and hacker communities”. Tor traffic can also be identified with a gravitational clustering algorithm. In gravitational clustering, every feature vector in the dataset is treated as an object in the feature space, and the objects are moved under a simulated gravitational force according to Newton's second law of motion. The method determines the number of clusters automatically, so it can adapt to unknown network traffic. In the cited evaluation, gravitational clustering gave the best performance for Tor traffic recognition compared with traditional clustering methods such as K-means, EM and DBSCAN.
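Before reaching for clustering, a defender usually wants the cheap, deterministic check first: does a host talk to addresses and ports that the Tor directory system publishes as relays? The following is an added example (not code from the essay or from any of the papers it cites) that parses a consensus-style relay list and matches NetFlow-style records against relay ORPorts and DirPorts. The consensus excerpt, relay nicknames, identity strings, addresses and flow records are all constructed for this example, and the "r"/"s" line layout is a simplified version of the microdescriptor consensus format, so treat the field positions as an assumption.

```python
from dataclasses import dataclass, field

# Constructed, simplified excerpt in the style of a Tor microdescriptor
# consensus: an "r" line per relay (nickname, identity, published date,
# time, IP, ORPort, DirPort) followed by its "s" flag line. Nicknames,
# identities and addresses are made up for this example.
CONSENSUS_EXCERPT = """\
r alphaGuard AAAAAAAAAAAAAAAAAAAAAAAAAAA 2019-07-10 00:00:00 203.0.113.10 9001 9030
s Fast Guard Running Stable Valid
r midRelay BBBBBBBBBBBBBBBBBBBBBBBBBBB 2019-07-10 00:00:00 198.51.100.7 443 0
s Fast Running Valid
r exitNode CCCCCCCCCCCCCCCCCCCCCCCCCCC 2019-07-10 00:00:00 192.0.2.44 9001 0
s Exit Fast Running Stable Valid
"""

# Constructed flow records (NetFlow-style): src_ip,src_port,dst_ip,dst_port,proto,bytes
FLOWS = """\
10.0.0.5,51022,203.0.113.10,9001,tcp,48212
10.0.0.5,51023,203.0.113.99,443,tcp,8200
10.0.0.9,40111,198.51.100.7,443,tcp,900
10.0.0.9,40112,203.0.113.10,9030,tcp,3100
10.0.0.7,33000,192.0.2.53,53,udp,120
"""


@dataclass
class Relay:
    nickname: str
    ip: str
    or_port: int
    dir_port: int          # 0 means the relay publishes no DirPort
    flags: set = field(default_factory=set)


def parse_consensus(text):
    """Return a list of Relay objects from consecutive r/s line pairs."""
    relays = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 8:
            relays.append(Relay(parts[1], parts[5], int(parts[6]), int(parts[7])))
        elif parts[0] == "s" and relays:
            relays[-1].flags = set(parts[1:])   # flags belong to the preceding r line
    return relays


def classify_flows(flow_text, relays):
    """Tag outbound TCP flows whose destination is a known relay ORPort or DirPort."""
    by_or = {(r.ip, r.or_port): r for r in relays}
    by_dir = {(r.ip, r.dir_port): r for r in relays if r.dir_port}
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, _sport, dst, dport, proto, _nbytes = line.split(",")
        if proto != "tcp":
            continue                       # Tor only ever uses TCP
        key = (dst, int(dport))
        if key in by_or:
            findings.append((src, dst, int(dport), "or_port", by_or[key].nickname))
        elif key in by_dir:
            findings.append((src, dst, int(dport), "dir_port", by_dir[key].nickname))
    return findings


def tor_hosts(findings):
    """Collapse findings to {source host: set of evidence kinds}."""
    hosts = {}
    for src, _dst, _port, kind, _nick in findings:
        hosts.setdefault(src, set()).add(kind)
    return hosts


def is_exit_relay(ip, relays):
    """True if any relay at this IP carries the Exit flag (inbound-side check)."""
    return any(r.ip == ip and "Exit" in r.flags for r in relays)


if __name__ == "__main__":
    relays = parse_consensus(CONSENSUS_EXCERPT)
    findings = classify_flows(FLOWS, relays)
    for f in findings:
        print(f)
    print(tor_hosts(findings))
```

Two caveats matter in practice. A relay with ORPort 443 looks exactly like HTTPS by port alone (the midRelay flow above is only caught because of the list), and the consensus changes every hour, so the list must be refreshed or the match rate decays. Bridges are deliberately absent from the consensus, which is why the clustering and machine-learning approaches above remain necessary for hosts that reach Tor through them.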

Tor is used for activities such as accessing censored information, organising political activity, or circumventing laws against criticism of heads of state. It has been used by criminal enterprises, hacktivist groups and law enforcement agencies at cross purposes, sometimes simultaneously; agencies within the U.S. government variously fund Tor. The Internet, and TCP/IP in particular, was not designed with anonymity in mind. One solution is to build an overlay network that runs on top of TCP/IP. The overlay then controls how messages are routed and thereby hides the hosts' IP addresses; this obfuscation of IP addresses is what provides anonymity.

One widely used anonymity application is the Tor Browser created by the Tor Project. Tor is a distributed, low-latency network that adds one layer of encryption per hop and builds a fresh, randomised path through the network for each circuit. The client and server cannot be linked without traffic analysis: no single node on the communication path can match the messages sent by a client to those received by the server. Many researchers still find it complicated to analyse how Tor behaves, precisely because of the security features it enables.

Some research has been devoted to modelling the Tor network, because live experimentation on Tor is difficult: it is neither a predictable nor a controllable environment, a variety of network conditions can introduce bias, so experiments are hard to repeat, and collecting client data is problematic because it exposes users to privacy risks. Alternative approaches such as emulation and simulation have therefore emerged. Research on anonymity technologies began in the early 1980s with David Chaum's paper on untraceable electronic mail, but it was not until around 2000 that anonymity and privacy-enhancing technologies attracted the attention of a large research community. The design of a practical relay network called Tor was published in 2004. Its low latency makes it well suited to ordinary interactive Internet applications, and Tor has since become the most successful public anonymous communication service on the Internet.


Tor was designed not to destroy user data at the site end but to make it hard for sites to trace activity back to the user. It achieves this by encrypting the data in transit in layers and by giving the user a substitute network identity: the site sees the exit relay's address, not the user's. According to Kiran, Vignesh, Shenoy, Venugopal, Prabhu and Prasad (2017), “The obscurity of the client is achieved by routing the traffic through three randomly chosen relays viz. Entry Guard Relay, Middle Relay and Exit Relay and by providing layered encryption to the data at each level”. Relay selection is random and periodic: random in that, in the original design, any three relays could be chosen regardless of their attributes, and periodic in that a new circuit is built at regular intervals. Packets destined for the server are encrypted three times, once with the session key negotiated with each of the three relays. Each relay in turn strips one layer with its own session key and forwards the result to the next relay. When the exit relay removes the last layer it forwards the packet to the server, which sees the exit relay's IP address rather than the user's. Because each hop removes exactly one layer, the packet that leaves the exit relay is the original one the client sent.

In order to select the relays in a circuit, Tor uses two algorithms. They are:

1) Entry Guard Selection Algorithm

2) Non-Entry Relay Selection Algorithm

The first algorithm categorises relays by their data-transfer capacity (bandwidth) and their uptime. Bandwidth was chosen as a classification parameter mainly to improve the speed of Tor circuits. Purely random choice was replaced by classifying guards as fast and stable: fast guards are those whose offered bandwidth is above the median bandwidth of all relays, and stable guards are those whose uptime is above the median uptime of all relays. Uptime, the amount of time a system has been running and available, is used as a measure of stability.

Using uptime as a parameter ensures that an attacker cannot simply set up new relays and immediately start receiving traffic. Under the algorithm an entry guard must be both fast and stable. Although this change made circuits more stable, it reduced the anonymity of the entry position, since only a few relays were now eligible to serve as entry guards. The periodic rotation of circuits was further limited when the rule that a new guard is chosen only when the old one becomes unavailable came into effect; unavailable guards were dropped and retired. In more ways than one, the choice of entry guards was confined to a restricted pool.

The second algorithm is concerned with improving the anonymity of the non-entry relays, where the first algorithm was found lacking. The policy of choosing only the best relays was therefore dropped and new selection criteria were adopted, giving priority to consistency in the choice of relays. This algorithm does not restrict selection to fast and stable relays; it ensures only that they are chosen more often. Emphasis is placed on choosing relays rated stable. In addition, Tor designates a few ports as long-lived, and if the traffic on a path uses one of these ports, Tor improves the path's stability by pruning the list of available routers to only those marked stable.
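The two selection rules above are easier to reason about when run over a small relay snapshot, so here is an added example (my own illustration, not the Tor Project's implementation) that applies the median thresholds for the Fast and Stable flags, restricts the guard position to relays carrying both, and fills the other positions by bandwidth-weighted choice, falling back to Stable-only relays for long-lived destination ports. The relay snapshot is constructed, and the long-lived port set is modelled on Tor's LongLivedPorts option rather than copied from it.

```python
import random
from statistics import median

# Constructed snapshot of relays: (nickname, advertised bandwidth in KB/s,
# uptime in hours). Values are made up to illustrate the thresholds.
RELAYS = [
    ("alpha", 12000, 900),
    ("bravo", 300, 2000),
    ("charlie", 9000, 50),
    ("delta", 4500, 700),
    ("echo", 150, 10),
    ("foxtrot", 20000, 3000),
    ("golf", 800, 1500),
]

# Ports treated as long-lived, modelled on Tor's LongLivedPorts option
# (the exact default list is an assumption here).
LONG_LIVED_PORTS = {21, 22, 706, 1863, 5050, 5190, 5222, 5223, 6523, 6667, 6697, 8300}


def classify_relays(relays):
    """Assign Fast/Stable using the above-median rule the essay describes."""
    bw_median = median(bw for _, bw, _ in relays)
    up_median = median(up for _, _, up in relays)
    return {
        name: {"bw": bw, "Fast": bw > bw_median, "Stable": up > up_median}
        for name, bw, up in relays
    }


def guard_candidates(info):
    """Entry guards must be both Fast and Stable (first algorithm)."""
    return [n for n, a in info.items() if a["Fast"] and a["Stable"]]


def pick_guard(info, current_guard, rng):
    """Keep the existing guard while it is still eligible; rotate only when it is not."""
    candidates = guard_candidates(info)
    if not candidates:
        raise ValueError("no relay is both Fast and Stable; cannot build a circuit")
    if current_guard in candidates:
        return current_guard
    return rng.choice(candidates)


def pick_non_entry(info, exclude, dest_port, rng):
    """Second algorithm: bandwidth-weighted choice over all remaining relays,
    pruned to Stable relays only when the destination port is long-lived."""
    pool = [n for n in info if n not in exclude]
    if dest_port in LONG_LIVED_PORTS:
        pool = [n for n in pool if info[n]["Stable"]]
    if not pool:
        raise ValueError("no eligible relay left for this position")
    return rng.choices(pool, weights=[info[n]["bw"] for n in pool], k=1)[0]


def build_circuit(relays, dest_port, rng, current_guard=None):
    """Return (guard, middle, exit) as three distinct relays."""
    info = classify_relays(relays)
    guard = pick_guard(info, current_guard, rng)
    middle = pick_non_entry(info, {guard}, dest_port, rng)
    exit_ = pick_non_entry(info, {guard, middle}, dest_port, rng)
    return guard, middle, exit_


if __name__ == "__main__":
    rng = random.Random(2019)
    print(classify_relays(RELAYS))
    print("HTTPS circuit:", build_circuit(RELAYS, 443, rng))
    print("SSH circuit:  ", build_circuit(RELAYS, 22, rng))
```

With this snapshot only one relay (foxtrot) clears both medians, so every circuit starts at the same guard. That is the restricted pool the previous paragraphs warn about, and it is why the second algorithm weights rather than filters for the non-entry positions: for an HTTPS destination any relay can appear as middle or exit, with the high-bandwidth ones appearing more often, while an SSH destination (port 22) is pruned to the stable relays bravo and golf.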

Onion routing is implemented by encryption at the application layer of the protocol stack, nested like the layers of an onion. Tor encrypts the data, including the address of the next hop, and sends it through a virtual circuit of randomly chosen Tor relays. Each relay removes one layer of encryption, revealing only the next relay in the circuit, and passes the remaining encrypted data on to it. The final relay removes the innermost layer and delivers the original data to its destination without revealing the source IP address. Because the routing is partly concealed at every hop of the circuit, this technique eliminates any single point at which both communication peers could be determined.
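The layered encryption described in this paragraph and in the earlier paragraph on the three-relay circuit can be shown end to end in a few dozen lines. The following is an added example written for this page, not Tor's own code: the client wraps a payload in three layers keyed to the exit, middle and guard relays, each relay peels exactly one layer and learns only the next hop, and the exit recovers the original bytes. The session keys are constructed constants (in Tor they come from a handshake with each hop), and the keystream is a toy SHA-256 counter construction standing in for Tor's AES-CTR relay crypto; it is for illustration only.

```python
import hashlib

# Session keys shared between the client and each relay. In Tor these are
# negotiated with every hop during circuit construction; here they are
# constructed constants so the example runs offline.
SESSION_KEYS = {
    "guard": b"constructed-key-for-guard-relay",
    "middle": b"constructed-key-for-middle-relay",
    "exit": b"constructed-key-for-exit-relay",
}
PATH = ["guard", "middle", "exit"]


def keystream(key, seq, length):
    """Toy counter-mode keystream from SHA-256. Stands in for Tor's AES-CTR
    relay crypto; not suitable for real use. `seq` is the cell number, so
    the same key never reuses a keystream across cells."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + seq.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_onion(keys, path, dest, payload, seq):
    """Client side: build the innermost (exit) layer first, then wrap it for
    the middle and finally the guard. Each layer names only the next hop."""
    inner = b"DEST:" + dest + b"|" + payload          # readable by the exit only
    blob = xor_bytes(inner, keystream(keys[path[-1]], seq, len(inner)))
    for i in range(len(path) - 2, -1, -1):           # middle, then guard
        plain = b"NEXT:" + path[i + 1].encode() + b"|" + blob
        blob = xor_bytes(plain, keystream(keys[path[i]], seq, len(plain)))
    return blob


def peel(key, blob, seq):
    """Relay side: strip one layer and read the routing header in front of it."""
    plain = xor_bytes(blob, keystream(key, seq, len(blob)))
    header, _, rest = plain.partition(b"|")
    kind, _, target = header.partition(b":")
    return kind.decode(errors="replace"), target.decode(errors="replace"), rest


def run_circuit(keys, path, blob, seq):
    """Simulate forwarding hop by hop. Returns what each relay learned plus
    the destination and plaintext that only the exit sees."""
    views = {}
    prev = "client"
    for name in path:
        kind, target, blob = peel(keys[name], blob, seq)
        views[name] = {"from": prev, "to": target}
        if kind == "DEST":
            return views, target, blob
        prev = name
    raise ValueError("circuit ended without an exit layer")


if __name__ == "__main__":
    cell = wrap_onion(SESSION_KEYS, PATH, b"203.0.113.99:80", b"GET / HTTP/1.1\r\n", seq=1)
    views, dest, plaintext = run_circuit(SESSION_KEYS, PATH, cell, seq=1)
    for relay, v in views.items():
        print(f"{relay:6s} sees {v['from']} -> {v['to']}")
    print("exit delivers", plaintext, "to", dest)
```

Running it shows the property the text relies on: the guard sees the client and the middle relay but neither the destination nor the payload, the middle sees only its two neighbours, and the exit sees the destination and payload but only the middle relay as its source. The cell number is included in the keystream input because a counter-mode layer with a repeated keystream would let a relay XOR two cells together and strip the encryption.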

According to Johnson, McLaughlin and Thompson (2010), “Tor is an overlay protocol and uses an underlying layer of transmission control protocol (TCP) / internet protocol (IP) to handle data transport, delivery and routing”. The small amount of centralised control that exists in a Tor network comes from the directory servers. These maintain the state of the network and collect and examine information such as which nodes are suitable for use as exit nodes, their uptime, and any bandwidth limits imposed by the node operators. This information lets a Tor client choose a route for a particular connection based on its requirements. Traffic to and from a directory server uses a different port from the payload traffic and can easily be separated from it.

Three types of node are commonly encountered in a Tor network: exit nodes, which send traffic to its destination with Tor's encryption removed; entry nodes, which accept the client's traffic and forward it into the network; and relays (routers), which forward traffic between Tor nodes. The entry and exit nodes are generally the end points of any Tor communication. Many configurations are possible, and a single relay can be configured to act as an entry, middle and exit node at once.

According to Liu, Liu, Winter, Mittal and Hu (2017), “Today's Tor network does not implement any access control mechanism, meaning that anyone with a Tor client can use the network without limitation”. While the absence of access control encourages network growth, it has also caused various problems, above all botnet abuse. In practice, botnets use Tor to attack third-party services, spam comment sections on websites, scrape content, and scan services for vulnerabilities. As a result, many service providers and content delivery networks (CDNs) have begun to treat Tor users as "second-class" web citizens, either by forcing Tor users to solve multiple CAPTCHAs or by blocking Tor exit relay IP addresses altogether.

Another kind of botnet-related abuse of Tor arises from command and control (C&C) servers run as Tor onion services. In the past, such events caused a rapid spike in the number of Tor clients. Beyond the reputational problem of Tor being associated with botnet infrastructure, the huge number of circuit creation requests from bots is a heavy burden on Tor relays and causes significant performance degradation for honest Tor users. Other kinds of botnet abuse include disabling Tor relays through relay flooding attacks and performing large-scale traffic analysis through throughput or congestion fingerprinting.

Many crimes are committed with the help of the Tor network. According to Lin, Tong, Zhijie and Zhen (2017), “Silk Road is an online black market, and its servers are deployed in the Tor network's hidden services to hide the host's real location”. This underground market dealt mainly in illegal drugs and other contraband, with transactions valued at about $1.2 billion and roughly one million registered accounts. Silk Road was shut down by the FBI in October 2013. Researchers who have studied malicious activity on the Tor network have found botnet traffic, spam, denial-of-service attacks and more. The hacker collective "Anonymous", using the anonymity network, launched a denial-of-service attack on Sony Corporation in April 2011, after which Sony's computer systems were intruded.


About 77 million users' names, birthdates and other personal data were stolen, and the attack caused losses of $171 million. On 25 and 26 May 2013, North Korea's main websites, including the Korean Central News Agency, Rodong Sinmun, Air Koryo and Voice of Korea, were paralysed. Existing network tracing techniques, such as conventional methods based on IP information, are no longer valid against such anonymous networks. To track and confirm the communication relationship between anonymous channels, it is necessary to develop effective and efficient tracking technology for tracing criminals on anonymous networks, while still providing the necessary online privacy protection.

This essay was reviewed by Alex Wood
Tor Traffic Identification and Analysis. (2019, Jun 27). GradesFixer.