A novel application classification attack against Tor

Tor is a famous anonymous communication system for preserving users' online privacy. It supports TCP applications and packs upper-layer application data into encrypted equal-sized cells with onion routing to hide private information of users. However, we note that the current Tor design cannot conceal certain application behaviors. For example, P2P applications usually upload and download files simultaneously, and this behavioral feature is also kept in Tor traffic. Motivated by this observation, we investigate a new attack against Tor, application classification attack, which can recognize application types from Tor traffic. An attacker first carefully selects some flow features such as burst volumes and directions to represent the application behaviors and takes advantage of some efficient machine-learning algorithm (e.g., Profile Hidden Markov Model) to model different types of applications. Then he or she can use these established models to classify target's Tor traffic and infer its application type. We have implemented the application classification attack on Tor using parallel computing, and our experiments validate the feasibility and effectiveness of the attack. We argue that the disclosure of application type information is a serious threat to Tor users' anonymity because it can be used to reduce the anonymity set and facilitate other attacks. We also present guidelines to defend against application classification attack. Copyright (C) 2015 John Wiley & Sons, Ltd.