Adaptive Traffic Fingerprinting for Darknet Threat Intelligence

  • Hamish Haughey
  • Gregory Epiphaniou
  • Haider Al-Khateeb
  • Ali DehghantanhaEmail author
Part of the Advances in Information Security book series (ADIS, volume 70)


Darknet technology such as Tor has been used by various threat actors for organising illegal activities and data exfiltration. As such there is a case for organisations to block such traffic, or to try and identify when it is used and for what purposes. However, anonymity in cyberspace has always been a domain of conflicting interests. While it gives enough power to nefarious actors to masquerade their illegal activities, it is also the corner stone to facilitate freedom of speech and privacy. We present a proof of concept for a novel algorithm that could form the fundamental pillar of a darknet-capable Cyber Threat Intelligence platform. The solution can reduce anonymity of users of Tor, and considers the existing visibility of network traffic before optionally initiating targeted or widespread BGP interception. In combination with server HTTP response manipulation, the algorithm attempts to reduce the candidate data set to eliminate client-side traffic that is most unlikely to be responsible for server-side connections of interest. Our test results show that MITM manipulated server responses lead to expected changes received by the Tor client. Using simulation data generated by shadow, we show that the detection scheme is effective with false positive rate of 0.001, while sensitivity detecting non-targets was 0.016±0.127. Our algorithm could assist collaborating organisations willing to share their threat intelligence or cooperate during investigations.


Threat intelligence Traffic finger printing Darknet MITM 


  1. 1.
    Michael Backes et al. “(Nothing else) MATor (s): Monitoring the Anonymity of Tor’s Path Selection”. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. ACM. 2014, pp. 513–524.Google Scholar
  2. 2.
    Sean Barnum. “Standardizing cyber threat intelligence information with the Structured Threat Information eXpression (STIX)”. In: MITRE Corporation 11 (2012).Google Scholar
  3. 3.
    Todd Baumeister et al. “A Routing Table Insertion (RTI) Attack on Freenet”. In: Cyber Security (CyberSecurity), 2012 International Conference on. IEEE. 2012, pp. 8–15.Google Scholar
  4. 4.
    BGPMon. BGPMon 2016. URL: (visited on 10/31/2016).
  5. 5.
    Nikita Borisov et al. “Denial of service or denial of security?” In: Proceedings of the 14th ACM conference on Computer and communications security. ACM. 2007, pp. 92–102.Google Scholar
  6. 6.
    Eric W Burger et al. “Taxonomy model for cyber threat intelligence information exchange technologies”. In: Proceedings of the 2014 ACM Workshop on Information Sharing & Collaborative Security. ACM. 2014, pp. 51–60.Google Scholar
  7. 7.
    Kim-Kwang Raymond Choo. “The cyber threat landscape: Challenges and future research directions”. In: Computers & Security 30.8 (2011), pp. 719–731.Google Scholar
  8. 8.
    Mandiant Corporation. The OpenIOC Framework. 2017. URL: (visited on 01/03/2017).
  9. 9.
    The MITRE Corporation. Cyber Observable eXpression. 2017. URL: (visited on 01/03/2017).
  10. 10.
    The MITRE Corporation. STIX : Structured Threat Information eXpression. 2017. URL: (visited on 01/03/2017).
  11. 11.
    Adrian Crenshaw “Darknets and hidden servers: Identifying the true ip/network identity of i2p service hosts”. In: Black Hat (2011).Google Scholar
  12. 12.
    Norman Danner et al. “Effectiveness and detection of denial-of-service attacks in Tor”. In: ACM Transactions on Information and System Security (TISSEC) 15.3 (2012), p. 11.Google Scholar
  13. 13.
    Ali Dehghantanha and Katrin Franke. “Privacy-respecting digital investigation”. In: Privacy Security and Trust (PST), 2014 Twelfth Annual International Conference on. IEEE. 2014, pp. 129–138.Google Scholar
  14. 14.
    Ali Dehghantanha, Nur Izura Udzir, and Ramlan Mahmod. “Towards a pervasive formal privacy language”. In: Advanced Information Networking and Applications Workshops (WAINA), 2010 IEEE 24th International Conference on. IEEE. 2010, pp. 1085–1091.Google Scholar
  15. 15.
    Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: The second-generation onion router Tech. rep. DTIC Document, 2004.Google Scholar
  16. 16.
    Zakir Durumeric et al. “The matter of heartbleed”. In: Proceedings of the 2014 Conference on Internet Measurement Conference. ACM. 2014, pp. 475–488.Google Scholar
  17. 17.
    EFF. The Electronic Frontier Foundation 2015. URL: (visited on 10/30/2015).
  18. 18.
    Juan A Elices, Fernando Pérez-González, et al. “Locating Tor hidden services through an interval-based traffic-correlation attack”. In: Communications and Network Security (CNS), 2013 IEEE Conference on. IEEE. 2013, pp. 385–386.Google Scholar
  19. 19.
    John Geddes, Rob Jansen, and Nicholas Hopper “How low can you go: Balancing performance with anonymity in Tor”. In: Privacy Enhancing Technologies Springer. 2013, pp. 164–184.Google Scholar
  20. 20.
    Gaofeng He et al. “A novel active website fingerprinting attack against Tor anonymous system”. In: Computer Supported Cooperative Work in Design (CSCWD), Proceedings of the 2014 IEEE 18th International Conference on. IEEE. 2014, pp. 112–117.Google Scholar
  21. 21.
    Nguyen Phong HOANG, Yasuhito ASANO, and Masatoshi YOSHIKAWA. “Anti-RAPTOR: Anti Routing Attack on Privacy for a Securer and Scalable Tor”. In: IEEE. 2015, pp. 147–154.Google Scholar
  22. 22.
    Amir Houmansadr and Nikita Borisov. “SWIRL: A Scalable Watermark to Detect Correlated Network Flows.” In: NDSS 2011.Google Scholar
  23. 23.
    Amir Houmansadr, Negar Kiyavash, and Nikita Borisov. “RAINBOW: A Robust And Invisible Non-Blind Watermark for Network Flows.” In: NDSS 2009.Google Scholar
  24. 24.
    i2p Project. Get i2p 2015. URL: (visited on 10/24/2015).
  25. 25.
    Internet Engineering Task Force (IETF). RFC 6545 Real-time Inter-network Defense (RID). 2017. URL: (visited on 01/03/2017).
  26. 26.
    Rob Jansen and Nicholas Hooper. Shadow: Running Tor in a box for accurate and efficient experimentation. Tech. rep. DTIC Document, 2011.Google Scholar
  27. 27.
    Rob Jansen et al. “Methodically Modeling the Tor Network.” In: CSET. 2012.Google Scholar
  28. 28.
    Albert Kwon. “Circuit fingerprinting attacks: passive deanonymization of tor hidden services”. In: USENIX Security Symposium, 2015 24th Proceedings of. USENIX. 2015, pp. 286–302.Google Scholar
  29. 29.
    Spider Labs. Responder 2015. URL: (visited on 10/28/2015).
  30. 30.
    Ralph Langner. “Stuxnet: Dissecting a cyberwarfare weapon”. In: IEEE Security & Privacy 9.3 (2011), pp. 49–51.Google Scholar
  31. 31.
    Zhen Ling et al. “A new cell-counting-based attack against Tor”. In: IEEE/ACM Transactions on Networking (TON) 20.4 (2012), pp. 1245–1261.Google Scholar
  32. 32.
    Zhen Ling et al. “Equal-sized cells mean equal-sized packets in Tor?” In: Communications (ICC), 2011 IEEE International Conference on. IEEE. 2011, pp. 1–6.Google Scholar
  33. 33.
    Peipeng Liu et al. “Empirical Measurement and Analysis of I2P Routers”. In: Journal of Networks 9.9 (2014), pp. 2269–2278.Google Scholar
  34. 34.
    Peipeng Liu et al. “IX-Level Adversaries on Entry-and Exit-Transmission Paths in Tor Network”. In: Networking Architecture and Storage (NAS), 2013 IEEE Eighth International Conference on. IEEE. 2013, pp. 166–172.Google Scholar
  35. 35.
    Gary T Marx. “What’s in a Name? Some Reflections on the Sociology of Anonymity”. In: The Information Society 15.2 (1999), pp. 99–112.Google Scholar
  36. 36.
    MITMProxy. MITM Proxy Replacements 2015. URL: (visited on 10/28/2015).
  37. 37.
    Bodo Möller, Thai Duong, and Krzysztof Kotowicz. “This POODLE bites: exploiting the SSL 3.0 fallback”. In: Google Sep (2014).Google Scholar
  38. 38.
    Arsalan Mohsen Nia and Niraj K Jha. “A comprehensive study of security of internet-of-things”. In: IEEE Transactions on Emerging Topics in Computing (2016).Google Scholar
  39. 39.
    NIST. Security Content Automation Protocol 2017. URL: (visited on 01/03/2017).
  40. 40.
    Guevara Noubir and Amirali Sanatinia. Honey Onions: Exposing Snooping Tor HSDir Relays 2016. URL: (visited on 07/10/2016).
  41. 41.
    Opeyemi Osanaiye et al. “Ensemble-based multi-filter feature selection method for DDoS detection in cloud computing”. In: EURASIP Journal on Wireless Communications and Networking 2016.1 (2016), p. 130.Google Scholar
  42. 42.
    Hamed Haddad Pajouh et al. “A two-layer dimension reduction and two-tier classification model for anomaly-based intrusion detection in IoT backbone networks”. In: IEEE Transactions on Emerging Topics in Computing (2016).Google Scholar
  43. 43.
    The Tor Project. The Tor Project: obfsproxy 2016. URL: (visited on 07/10/2016).
  44. 44.
    The Tor Project. Want Tor to Really Work? 2015. URL:{%}5C{\#}Warning (visited on 10/25/2015).Google Scholar
  45. 45.
    Darren Quick and Kim-Kwang Raymond Choo. “Big forensic data reduction: digital forensic images and electronic evidence”. In: Cluster Computing 19.2 (2016), pp. 723–740.Google Scholar
  46. 46.
    Verizon Security Research and Cyber Intelligence Center The VERIS Framework 2017. URL: (visited on 01/03/2017).
  47. 47.
    Schneier B. Anonymity Won’t Kill the Internet 2006. URL: (visited on 10/18/2015).
  48. 48.
    Kaveh Shaerpour Ali Dehghantanha, and Ramlan Mahmod. “A survey on cyber-crime prediction techniques”. In: International Journal of Advancements in Computing Technology 5.14 (2013), p. 52.Google Scholar
  49. 49.
    Fatemeh Shirazi, Matthias Goehring, and Claudia Diaz. “Tor experimentation tools”. In: Security and Privacy Workshops (SPW), 2015 IEEE. IEEE. 2015, pp. 206–213.Google Scholar
  50. 50.
    Daniel Sun et al. “Non-intrusive anomaly detection with streaming performance metrics and logs for DevOps in public clouds: a case study in AWS”. In: IEEE Transactions on Emerging Topics in Computing 4.2 (2016), pp. 278–289.Google Scholar
  51. 51.
    Yixin Sun et al. “RAPTOR: routing attacks on privacy in tor”. In: arXiv preprint arXiv:1503.03940 (2015).Google Scholar
  52. 52.
    The Freenet Project. The Freenet Project 2002. URL: (visited on 10/24/2015).
  53. 53.
    Juan Pablo Timpanaro, Isabelle Chrisment, and Olivier Festor. “Group-Based Characterization for the I2P Anonymous File-Sharing Environment”. In: New Technologies, Mobility and Security (NTMS), 2014 6th International Conference on. IEEE. 2014, pp. 1–5.Google Scholar
  54. 54.
    Juan Pablo Timpanaro, Isabelle Chrisment, and Olivier Festor. “Monitoring anonymous P2P file-sharing systems”. In: Peer-to-Peer Computing (P2P), 2013 IEEE Thirteenth International Conference on. IEEE. 2013, pp. 1–2.Google Scholar
  55. 55.
    Tor Project. Tor Project 2015. URL: (visited on 10/03/2015).
  56. 56.
    GOV UK. Investigatory powers bill 2016.Google Scholar
  57. 57.
    Laurent Vanbever et al. “Anonymity on quicksand: Using BGP to compromise Tor”. In: Proceedings of the 13th ACM Workshop on Hot Topics in Networks. ACM. 2014, p. 14.Google Scholar
  58. 58.
    Xiaogang Wang et al. “A potential HTTP-based application-level attack against Tor”. In: Future Generation Computer Systems 27.1 (2011), pp. 67–77.Google Scholar
  59. 59.
    Steve Watson and Ali Dehghantanha. “Digital forensics: the missing piece of the Internet of Things promise”. In: Computer Fraud & Security 2016.6 (2016), pp. 5–8.Google Scholar
  60. 60.
    Zachary Weinberg et al. “StegoTorus: a camouflage proxy for the Tor anonymity system”. In: Proceedings of the 2012 ACM conference on Computer and communications security. ACM. 2012, pp. 109–120.Google Scholar
  61. 61.
    Philipp Winter and Stefan Lindskog. “How China is blocking Tor”. In: arXiv preprint arXiv:1204.0447 (2012).Google Scholar
  62. 62.
    Philipp Winter and Stefan Lindskog. “How the great firewall of China is blocking tor”. In: Free and Open Communications on the Internet (2012).Google Scholar
  63. 63.
    Philipp Winter Tobias Pulls, and Juergen Fuss. “ScrambleSuit: A polymorphic network protocol to circumvent censorship”. In: Proceedings of the 12th ACM workshop on Workshop on privacy in the electronic society. ACM. 2013, pp. 213–224.Google Scholar
  64. 64.
    Lu Zhang et al. “Application-level attack against Tor’s hidden service”. In: Pervasive Computing and Applications (ICPCA), 2011 6th International Conference on. IEEE. 2011, pp. 509–516.Google Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Hamish Haughey
    • 1
  • Gregory Epiphaniou
    • 2
  • Haider Al-Khateeb
    • 2
  • Ali Dehghantanha
    • 3
    Email author
  1. 1.University of NorthumbriaNewcastleUK
  2. 2.University of BedfordshireBedfordshireUK
  3. 3.Department of Computer ScienceUniversity of SheffieldSheffieldUK

Personalised recommendations