| The Tor anonymous communication system has one-way anonymity which also means client anonymity.It can also provide two-way anonymity,that is,the client and server communicate anonymously at the same time.Tor hidden service mechanism is the realization of this two-way anonymity.Hidden service effectively protects the privacy of users and servers,but it is also easy to be abused,causing Tor to become a "criminal paradise" for illegal activities such as drug trading and arms trading.How to trace the real physical address of the hidden service has important application significance for protecting network security and combating illegal acts on the dark web.Tor hidden service is based on security mechanisms such as multi-hop routing,traffic obfuscation,Guard nodes,etc.,making it very difficult to trace the source.In response to the above challenges,this paper proposes and implements a hidden service traceability method based on the combination of information leakage and link correlation analysis.The main contributions are as follows:(1)A method for tracing the real address of hidden services based on information leakage and communication link correlation analysis is proposed.First,the hidden service configuration and the identity or address information of the hidden service leaked from the content of the Web page are used to mine and analyze the relationship between the hidden service-related information.Obtain a set of candidate sets of hidden service and IP address mapping pairs,which we call candidate address pairs.Then,through long-term deployment of controlled Guard nodes in the Tor network and recording related information of the remote link server,another set of candidate address pairs can be obtained.Finally,the candidate pairs are tested on the open web and dark web to measure the page similarity to verify.In addition,it is necessary to access the given hidden service domain name on the client side and embed the traffic watermark.At the same time,the traffic watermark is extracted at the controlled Guard node,and the dark web service IP address is finally confirmed through the flow watermark correlation analysis.(2)Based on the design specification of Tor's Hidden service protocol and the method introduced in this article,a hidden service traceability system is proposed.Design and implement node implantation and monitoring module,data collection and preprocessing module,candidate address mining module and real address verification module.The node implantation and monitoring module implements the function of implanting controlled nodes in the Tor network and monitoring their operating status.The data collection and preprocessing module realizes the function of verifying the effectiveness of hidden services,and at the same time completes the collection and preprocessing of traceable data.The candidate address mining module completes the selection and matching of the candidate mapping pair between the hidden service and its real IP address,which is used as the input for the subsequent address verification module.The real address verification module can verify the candidate real addresses of the hidden service,including the verification of the page similarity measurement under the light and dark web and the verification of the watermark.(3)Based on the implemented traceability system,we conducted a verifying experiment on real Tor,and traced to a total of 381 real IP addresses of hidden services.Analyzed 68861 hidden service addresses,found that 2443 hidden services had page leaks,and 132 were verified.Based on the guard node,1926553 remote service link information was collected,and 134 were found to be dark web IP addresses after verification.In addition,there are 95 other types of hidden services that have been successfully verified by running watermarks.Experiments show that the method and system designed and implemented in this article can effectively de-anonymize the Tor hidden service and trace the source to its real address. |
PDF Full Text Request