Traceback Research Of Tor Hidden Services Based On Fingerprint Recognition

Tor anonymous communication is used by a large number of malicious users to cover up their illegal network behavior while providing users with privacy protection.In particular,the Hidden Service protocol can hide the identity information of the service provider,resulting in the proliferation of illegal content in hidden services(the Web service based on Hidden Service protocol,also known as dark web).However,Tor uses the Meek bridge to disguise traffic as a normal TLS traffic accessing the cloud service to prevent it from being blocked.Therefore,traceback research of hidden services under the Tor-Meek mechanism has important theoretical and practical significance.Implementing traceback of hidden services that users are accessing under the Tor-Meek mechanism faces the following challenges:1)Since the hidden service is parasitic on the Tor network,the dataset of hidden services in the state-of-the-art research is limited and lacks representativeness;2)In the Hidden Service protocol,users and the hidden services utilize the negotiated six-hop rendezvous circuit for encrypted indirect communication,which can resist traditional tracking methods;3)A large number of interference packet generated by Meek's polling request mechanism can confuse the original characteristics of the traffic.Aiming at the above problems,we propose a novel Tor hidden service traceback method based on fingerprint identification.We use the hidden service with illegal content as the tracking target,and use the fingerprints presented by different target services on the traffic to track hidden services that users hiding under Tor-Meek are accessing.The key contributions of this work are as follows:(1)For the problem of the limited dataset of hidden service,according to to the way users publish hidden services on the social forum and the proxy mechanism of Tor2web for hidden services,we propose a discovery method of hidden services based on multi-platform.According to the characteristics of the short service life cycle,long update period and multiple domain names of hidden services,we propose a ranking algorithl of hidden services based on PageRank,and use this algorithm to select more representative tracking targets.(2)Aiming at the characteristics of negotiation rendezvous circuit according to the Rendezvous specification in Hidden Service protocol when users communicate with hidden services,we propose a novel traceback model for hidden service based on fingerprint recognition.The model consists of two phases:1)detecting whether the Tor-Meek user is communicating with hidden services or with the normal Web services;2)tracking which hidden service the user is communicating with according to the fingerprint of the target service.(3)In the implementation phase of the traceback model,we analyze the length distribution of Meek's data packet for the polling mechanism and combine its time interval distribution to remove Meekfs interference to traffic.Aiming at the problem of distinguishing traffic between hidden services and ordinary services,combined with the characteristics of Rendezvous specification,we analyze the difference in traffic between hidden services and ordinary services to extract features and use S VM algorithm to detect and classify them.For the tracking problem of the target service,we extract the features mapped to traffic based on the differences in page elements and their loading order for difierent hidden services and then combine the Random Forest algorithm to evaluate the importance of features to select the features for constructing fingerprint database of target services.We use a variety of classification algorithms to track the target services that the user accesses to verify the feasibility of the method.Our experiments show that our method can effectively track which target service the user is communicating with.In the Closed World scenario,the precision rate and recall rate of recognition are over 95%for 10 tracking targets.In the Open World scenario,when the background set size is 1000,the precision rate and recall rate of recognition is about 87%for 50 tracking targets,which is siguificantly improved compared with the state-of-the-art methods.