Zeyu Li’s research while affiliated with Beijing University of Posts and Telecommunications and other places

Criminals exploit the robust anonymity afforded by Tor for illicit purposes, prompting heightened interest among researchers in de-anonymization attacks on the Tor network. The execution of experiments on de-anonymization attacks within a real Tor network presents considerable challenges, hence the necessity for a simulation environment. However, existing methods for simulating the Tor network are inadequate regarding realism, flexibility, and scalability, with some being prohibitively expensive. In this paper, we develop a lightweight and scalable Tor network simulation environment based on Kubernetes (K8s), employing Docker containers to simulate Tor relays. The results demonstrate that a network of up to a thousand Tor relays can be simulated using just four standard hosts. Furthermore, two de-anonymization attack experiments were conducted within this simulated environment, which exhibited high levels of realism and flexibility. Finally, a hybrid networking approach combining multi-granularity relays was explored to enhance further the balance between realism and cost in Tor network simulations.

In this paper we propose a novel approach to classify darknet-access traffic with only partial traffic data, which significantly reduces resource consumption and is as accuracy as prior work. Besides, in order to keep up with the users’ real access activity, we simulate new and old user by simply whether delete the cached consensus document before each access and apply our approach. The experiment results confirm that there does exist a window of cell sequence contributes greatly to distinguish darknet-access traffic. With the window size 75 and the start point 67, we can achieve 95.97% accuracy for new user access scenario. Similarly, with the window size 85 and the start point 44, we achieve 94.43% accuracy for old user access scenario.

Tor enables end user the desirable cyber anonymity with obfuscation technologies like MEEK. However, it has also manifested itself a wide shield for various illegal hidden services involved cyber criminals, motivating the urgent need of deanonymization technologies. In this paper, we propose a novel communication fingerprint abstracted from key packet sequences, and attempt to efficiently identify end users MEEK-based access to Tor hidden services. Specifically, we investigate the communication fingerprint during the early connection stage of MEEK-based Tor rendezvous establishment, and make use of deep neural network to automatically learn and form a key packet sequence. Unlike most of existing approaches that rely on the entire long communication packet sequence, experiments demonstrate that our key packet sequence enabled scheme can significantly reduce both the time and hardware resource consumption for the identification task by 23%–37% and 80%–86%, respectively, while being able to keep a slightly better accuracy.KeywordsTorHidden serviceTraffic analysisMEEK