Figure - available from: Journal of Computer Virology and Hacking Techniques
Source publication
Anonymous servers, such as Tor and Shadowsocks, are created to hide the information of hosts when they are surfing the Internet. It is quite difficult to identify these servers, which provides potential criminals with opportunities to commit crime. Also, hackers can make use of these servers to threaten public network security, such as DDoS and P...
Similar publications
Recently, with the development of digital technology and the spread of the social media network and made the communication of human beings between each other more easily, but with the put the personal information and private evidence and the participation of others via the Internet, it causes a great danger that this informati...
Citations
... They detect Shadowsocks traffic using the Random Forest algorithm. Cheng et al. [13] propose an active method for Shadowsocks server detection. They collect the IP and port of the server as a dataset, and then classify Shadowsocks servers using the machine learning algorithm XGBoost. ...
Anonymous proxies are used by criminals for illegal network activities due to their anonymity, such as data theft and cyber attacks. Therefore, anonymous proxy traffic detection is essential for network security. In recent years, detection based on deep learning has become a hot research topic, since deep learning can automatically extract and select traffic features. To make (heterogeneous) network traffic adapt to the homogeneous input of typical deep learning algorithms, a major branch of existing studies converts network traffic into images for detection. However, such studies are commonly subject to the limitation of large-sized image representation of network traffic, resulting in very large storage and computational resource overhead. To address this limitation, a novel method for anonymous proxy traffic detection is proposed. The method is one of the solutions to reduce storage and computational resource overhead. Specifically, it converts the sequences of the size and inter-arrival time of the first N packets of a flow into images, and then categorizes the converted images using a one-dimensional convolutional neural network. Both proprietary and public datasets are used to validate the proposed method. The experimental results show that the converted images of the method are at least 90% smaller than those of existing image-based deep learning methods. With substantially smaller image sizes, the method can still achieve F1 scores up to 98.51% in Shadowsocks traffic detection and 99.8% in VPN traffic detection.
... us, a continuously increasing number of users protect their anonymity while browsing the Internet by utilizing anonymous network communication systems. However, current research [1][2][3][4][5][6][7][8][9][10] shows that privacy can be compromised even though clients use privacy-enhancing technologies such as Shadowsocks [11], I2P [12], Tor [13], Anonymizer [14], SSH, and VPN. Among several cyberattacks compromising anonymity, the website fingerprinting attack is one of the most representative ones. ...
Website fingerprinting attacks allow attackers to determine the websites that users are linked to, by examining the encrypted traffic between the users and the anonymous network portals. Recent research demonstrated the feasibility of website fingerprinting attacks on Tor anonymous networks with only a few samples. Thus, this paper proposes a novel small-sample website fingerprinting attack method for SSH and Shadowsocks single-agent anonymity network systems, which focuses on analyzing homology relationships between website fingerprinting. Based on the latter, we design a Convolutional Neural Network-Bidirectional Long Short-Term Memory (CNN-BiLSTM) attack classification model that achieves 94.8% and 98.1% accuracy in classifying SSH and Shadowsocks anonymous encrypted traffic, respectively, when only 20 samples per site are available. We also highlight that the CNN-BiLSTM model has significantly better migration capabilities than traditional methods, achieving over 90% accuracy when applied on a new set of monitored sites with only five samples per site. Overall, our experiments demonstrate that CNN-BiLSTM is an efficient, flexible, and robust model for website fingerprinting attack classification.
It is very difficult to identify Shadowsocks (SS) traffic, most of which stay in the laboratory environment, and there are very few published research results in this field at home and abroad. ShadowsocksR (SSR) is an enhanced version of SS. It can disguise the traffic of SS as that of a conventional protocol, such as HTTP traffic, TLS traffic, etc., which makes it more difficult to identify SSR traffic. Based on the XGBoost algorithm, this paper proposes a method to identify SSR traffic for the first time. The experimental results show that this method has a good recognition effect on SSR traffic, and the precision, the recall, and the accuracy are all above 95.3%.