Tor-based Malware and Tor Connection Detection

Warning

This publication doesn't include Institute of Computer Science. It includes Faculty of Informatics. Official publication website can be found on muni.cz.
Authors

GHAFIR Ibrahim SVOBODA Jakub PŘENOSIL Václav

Year of publication 2014
Type Article in Proceedings
Conference Proceedings of International Conference on Frontiers of Communications, Networks and Applications
MU Faculty or unit

Faculty of Informatics

Citation
Web http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=7141237&newsearch=true&searchWithin=%22First%20Name%22:Ibrahim&searchWithin=%22Last%20Name%22:Ghafir
Doi http://dx.doi.org/10.1049/cp.2014.1411
Field Informatics
Keywords Cyber attacks; botnet; Tor network; malware; intrusion detection system
Attached files
Description Anonymous communication networks, like Tor, partially protect the confidentiality of user traffic by encrypting all communications within the overlay network. However, Tor is not only used for good; a great deal of the traffic in the Tor networks is in fact port scans, hacking attempts, exfiltration of stolen data and other forms of online criminality. The anonymity network Tor is often misused by hackers and criminals in order to remotely control hacked computers. In this paper we present our methodology for detecting any connection to or from Tor network. Our detection method is based on a list of Tor servers. We process the network traffic and match the source and destination IP addresses for each connection with Tor servers list. The list of Tor servers is automatically updated each day and the detection is in the real time. We applied our methodology on campus live traffic and showed that it can automatically detect Tor connections in the real time. We also applied our methodology on packet capture (pcap) files which contain real and long-lived malware traffic and we proved that our methodology can successfully detect Tor connections.
Related projects:

You are running an old browser version. We recommend updating your browser to its latest version.

More info