An Improved Real Time Method for Detection, Blocking and Traceback of Malicious Traffic Over TOR

Tor is a prominent low-latency anonymous communication system. But it is currently abused in numerous ways. Attackers choose Tor because of its assurance of communication privacy. To gain an insight into such abuse, it is necessary to designed and implemented a novel system, for the discovery and the systematic study of malicious traffic over Tor. In this paper a novel real-time detection method based on fractal and information fusion is proposed. It focuses on the intrinsic macroscopic characteristics of network. It regards network traffic as the signal, and synthetically considers the macroscopic characteristics of network under different time scales with the fractal theory, including the self-similarity and the local singularity, which dont vary with the topology structures, the protocols and the attack types. To facilitate forensic traceback of malicious traffic, we implemented a dual-tone multi-frequency signaling-based approach to correlate botnet traffic at Tor entry routers and that at exit routers.