Tor traffic analysis using Hidden Markov Models
Article first published online: 12 OCT 2012
Copyright © 2012 John Wiley & Sons, Ltd.
Security and Communication Networks
Volume 6, Issue 9, pages 1075–1086, September 2013
How to Cite
Zhioua, S. (2013), Tor traffic analysis using Hidden Markov Models. Security Comm. Networks, 6: 1075–1086. doi: 10.1002/sec.669
- Issue published online: 16 JUL 2013
- Manuscript Accepted: 4 SEP 2012
- Manuscript Received: 28 JUN 2012
Keywords
- Tor protocol
- traffic analysis
The Tor protocol was designed primarily to defend against traffic analysis, which threatens privacy while using the Internet. In this paper, we consider a very common threat model where an attacker can observe only the local traffic between the target Tor client and the first Tor relay. We show that even with this restricted threat model, the attacker can infer relevant information about the client's traffic, in particular exactly when new circuits are constructed. This is achieved by analyzing the Tor traffic using Hidden Markov Models (HMMs). The experimental analysis shows that the proposed HMM-based approach has a high precision (93% on average) and F-measure (75% on average). The more interesting part of the paper discusses how a local attacker can identify the hops forming circuits initiated by the victim Tor client. The attack is based on sampling the timing patterns of the most "probable" paths and then estimating the likelihood of each of them given a sequence of circuit construction packets. The experimental analysis shows that the proposed approach has an acceptable precision (around 50%) as long as the time delay between HMM learning and the actual traffic analysis is relatively small.