Detection of Tor Traffic Hiding Under Obfs4 Protocol Based on Two-Level Filtering

Authors: Yongzhong He, Liping Hu, Ruimei Gao
Published in: 2019 2nd International Conference on Data Intelligence and Security (ICDIS), 2019-06-01
DOI: 10.1109/ICDIS.2019.00036 (https://doi.org/10.1109/ICDIS.2019.00036)

Tor (The second generation Onion Router) is the most popular anonymous communication network. To protect Tor users from traffic analysis attacks, many obfuscation techniques have been adopted, and Obfs4 is one of the state-of-the-art techniques used in Tor. Because of random padding and randomization of the time sequence, it is very hard to detect Tor traffic camouflaged under Obfs4, especially in the real world, where there is a large volume of varied traffic. In this paper, we propose a novel scheme for Obfs4 traffic detection based on two-level filtering. We sequentially apply coarse-grained fast filtering and fine-grained accurate identification to achieve high-precision, real-time recognition of Obfs4 traffic. In the coarse-grained filtering phase, we use a randomness detection algorithm to test the randomness of the handshake packet payload in the communication, and we use the timing sequence characteristics of the packets in the handshake process to remove other interfering traffic. In the fine-grained identification phase, we analyze the statistical features of a large volume of Obfs4 traffic and use classification algorithms to identify the Obfs4 traffic. We train and test with different classifiers. The experiments show that the accuracy of identifying Obfs4 is above 99% when using the SVM (Support Vector Machine) algorithm, which indicates that Obfs4 cannot effectively counteract traffic analysis attacks in practical applications.