
Identification Of Tor Over VPN Tunneled Anonymous Network Traffic

Posted on: 2022-05-18
Degree: Master
Type: Thesis
Country: China
Candidate: L H Hu
GTID: 2568307070956059
Subject: Control engineering

Abstract/Summary:
With the continuous evolution of offensive and defensive countermeasures in cyberspace, encrypted tunnels and anonymous networks have become the focus of current encrypted network traffic analysis. Encrypted tunnel techniques, represented by the Virtual Private Network (VPN), provide users with proxy-node-based tunnel communication and make communication content and behavior harder to observe. Anonymous network communication technology, represented by The Onion Router (Tor), obscures the communication relationship and improves the anti-tracing ability of the communication. Because of these two advantages, VPN and Tor have become important means for various cybercriminals to avoid supervision and increase the difficulty of traceability.

Existing works have studied a variety of traffic identification methods based on Deep Packet Inspection (DPI), statistical analysis and machine learning for VPN traffic and Tor traffic. Nevertheless, in recent years, in order to further conceal the protocol fingerprint and length characteristics of Tor, many attackers access the Tor network through a VPN proxy, so that the encrypted tunnel carries the Tor traffic and further conceals the identifiable characteristics of Tor. To the best of our knowledge, there have been no passive traffic analysis methods for such Tor over VPN tunneled anonymous network communication. Its compound advantages, such as double encryption, strong obfuscation, and anonymity in cross-border data transmission, have brought severe challenges to current cyberspace security governance.

This dissertation takes the widely used OpenVPN and Tor as the research objects and conducts research on traffic detection and bearer service type identification for Tor over VPN tunneled anonymous network communications. The main work is summarized as follows:

(1) The spatio-temporal distribution characteristics of Tor over VPN tunneled anonymous network traffic are analyzed. We have conducted a comparative analysis of temporal and spatial characteristics among non-proxied traffic, VPN traffic and Tor over VPN traffic, and also among traffic with different service types. The temporal characteristics analyzed include inter-packet delay, round-trip delay, and transmission rate; the spatial characteristics include window size, load length, and fragmentation patterns. This analysis lays the foundation for the feature selection and model design that follow.

(2) A Tor over VPN traffic identification method based on multi-scale spatio-temporal feature ensemble learning is proposed. The identification framework includes three parts: tunnel traffic detection based on rule matching, multi-scale spatio-temporal feature set construction based on Min-Redundancy and Max-Relevance (mRMR), and ensemble learning based on voting. The tunnel traffic detection method uses the fragment length sequence, the proportion of opcodes, and the heartbeat mechanism to generate matching rules that identify OpenVPN encrypted tunnel traffic. On the basis of tunnel traffic identification, the mutual-information-based mRMR feature selection method is combined with an incremental search strategy to construct the best multi-scale spatio-temporal feature set. A voting-based ensemble learning strategy is then used to identify Tor over VPN traffic. Experimental results show that the proposed method can accurately identify Tor over VPN tunneled anonymous network traffic, with an accuracy of over 99%.

(3) A method for identifying Tor over VPN traffic bearer service types based on a Convolutional Gated Transformer Neural Network (CGTNN) is proposed. The identification framework includes three parts: packet-by-packet fine-grained spatio-temporal feature extraction, unified spatio-temporal data representation, and the design of the convolutional gated self-attention transformer neural network model. The packet-level fine-grained feature set contains spatial features such as payload length, full-load mark, window size, fragment serial number, and payload byte, and temporal features such as general delay, inter-packet delay, round-trip delay, and arrival time. On this basis, we construct a unified spatio-temporal data representation of the data flow and design a CGTNN model that can effectively mine temporal and spatial correlation to identify the service type carried in the tunneled anonymous network traffic. Experimental results show that the proposed method can effectively identify the service type carried in Tor over VPN, with an accuracy of over 97%.

(4) A refined identification system for Tor over VPN tunneled anonymous network traffic is proposed. The system is based on the proposed encrypted tunnel traffic identification method, the method for identifying Tor traffic in the tunnel, and the Tor over VPN service identification method. The working mechanisms of the system, including the system framework, workflow, and module design, are discussed. The effectiveness of the system is verified in a real environment, and the experimental results show that the system can effectively identify Tor over VPN traffic and the service it carries.

Finally, the dissertation is summarized and directions worth further research are outlined.
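
An added illustration of the mRMR step named in contribution (2), not code from the dissertation: greedy incremental search over discretized features using mutual information. The difference form of the criterion (relevance minus mean redundancy), the feature names and the eight sample flows are assumptions constructed for this example.

```python
import math
from collections import Counter

def mutual_information(xs, ys):
    """I(X;Y) in bits for two equal-length sequences of discrete values."""
    n = len(xs)
    px, py, pxy = Counter(xs), Counter(ys), Counter(zip(xs, ys))
    return sum((c / n) * math.log2(c * n / (px[x] * py[y]))
               for (x, y), c in pxy.items())

def mrmr_select(features, labels, k):
    """Greedy incremental search: each round adds the feature with the best
    relevance I(f; label) minus mean redundancy I(f; s) over selected s."""
    relevance = {f: mutual_information(col, labels) for f, col in features.items()}
    selected = []

    def score(f):
        if not selected:
            return relevance[f]
        redundancy = sum(mutual_information(features[f], features[s])
                         for s in selected) / len(selected)
        return relevance[f] - redundancy

    while len(selected) < min(k, len(features)):
        remaining = [f for f in features if f not in selected]
        selected.append(max(remaining, key=score))
    return selected

def top_k_by_relevance(features, labels, k):
    """Baseline for comparison: rank by I(f; label) only, ignoring redundancy."""
    return sorted(features, key=lambda f: -mutual_information(features[f], labels))[:k]

# Constructed sample: 8 flows, label 0 = plain VPN, 1 = Tor over VPN.
# Feature values are already binned (discretized) and purely illustrative.
LABELS = [0, 0, 0, 0, 1, 1, 1, 1]
FEATURES = {
    "payload_len_bin":        [0, 0, 0, 1, 1, 1, 1, 1],
    "fragment_len_bin":       [0, 0, 1, 1, 1, 1, 1, 1],  # near-copy of payload_len_bin
    "window_size_bin":        [0, 1, 0, 0, 1, 1, 0, 1],
    "inter_packet_delay_bin": [0, 1, 0, 1, 0, 1, 0, 1],  # carries no label information
}

if __name__ == "__main__":
    print("relevance only:", top_k_by_relevance(FEATURES, LABELS, 2))
    print("mRMR:          ", mrmr_select(FEATURES, LABELS, 2))
```

On this sample, ranking by relevance alone keeps the near-duplicate `fragment_len_bin`, while the mRMR search replaces it with the less relevant but complementary `window_size_bin`.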
Keywords/Search Tags: Network traffic analysis, Encrypted tunnel, Anonymous network, Tor over VPN, Ensemble learning, Deep learning