Characterization of Tor Traffic using Time based Features

Arash Habibi Lashkari, Gerard Draper Gil, Mohammad Saiful Islam Mamun, Ali A. Ghorbani


Traffic classification has been the topic of many research efforts, but the quick evolution of Internet services and the pervasive use of encryption makes it an open challenge. Encryption is essential in protecting the privacy of Internet users, a key technology used in the different privacy enhancing tools that have appeared in the recent years. Tor is one of the most popular of them, it decouples the sender from the receiver by encrypting the traffic between them, and routing it through a distributed network of servers. In this paper, we present a time analysis on Tor traffic flows, captured between the client and the entry node. We define two scenarios, one to detect Tor traffic flows and the other to detect the application type: Browsing, Chat, Streaming, Mail, Voip, P2P or File Transfer. In addition, with this paper we publish the Tor labelled dataset we generated and used to test our classifiers.


  1. Aghaei-Foroushani, V. and Zincir-Heywood, A. N. (2015). A proxy identifier based on patterns in traffic flows. In 2015 IEEE 16th International Symposium on High Assurance Systems Engineering, pages 118-125.
  2. AlSabah, M., Bauer, K., and Goldberg, I. (2012). Enhancing tor's performance using real-time traffic classi-fi cation. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 7812, pages 73-84, New York, NY, USA. ACM.
  3. Bai, X., Zhang, Y., and Niu, X. (2008). Traffic identification of tor and web-mix. In 2008 Eighth International Conference on Intelligent Systems Design and Applications, volume 1, pages 548-551.
  4. Callado, A., Kamienski, C., Szabo, G., Gero, B., Kelner, J., Fernandes, S., and Sadok, D. (2009). A survey on internet traffic identification. Commun. Surveys Tuts., 11(3):37-52.
  5. Chaabane, A., Manils, P., and Kaafar, M. A. (2010). Digging into anonymous traffic: A deep analysis of the tor anonymizing network. In Proceedings of the 2010 Fourth International Conference on Network and System Security, NSS 7810, pages 167-174, Washington, DC, USA. IEEE Computer Society.
  6. Chakravarty, S., Barbera, M. V., Portokalidis, G., Polychronakis, M., and Keromytis, A. D. (2014). On the effectiveness of traffic analysis against anonymity networks using flow records. PAM 2014, pages 247-257, New York, NY, USA. Springer-Verlag New York, Inc.
  7. Dainotti, A., Pescap, A., and Claffy, K. (2012). Issues and future directions in traffic classification. IEEE Network, 26(1):35-40.
  8. Dingledine, R., Mathewson, N., and Syverson, P. (2004). Tor: The second-generation onion router. In Proceedings of the 13th Conference on USENIX Security Symposium - Volume 13, SSYM'04, pages 21-21, Berkeley, CA, USA. USENIX Association.
  9. Draper-Gil, G., Lashkari, A. H., Mamun, M. S. I., and Ghorbani, A. A. (2016). Characterization of encrypted and vpn traffic using time-related features. In Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,, pages 407-414.
  10. Hall, M., Frank, E., Holmes, G., Pfahringer, B., Reutemann, P., and Witten, I. H. (2009). The WEKA data mining software: An update. SIGKDD Explorations, 11(1):10-18.
  11. He, G., Yang, M., Luo, J., and Gu, X. (2014). Inferring application type information from tor encrypted traffic. In 2014 Second International Conference on Advanced Cloud and Big Data, pages 220-227.
  12. ISCXFlowMeter (2016). Information security center of excellence, university new brunswick. /iscxflowmeter.html.
  13. Johnson, A., Wacek, C., Jansen, R., Sherr, M., and Syverson, P. (2013). Users get routed: Traffic correlation on tor by realistic adversaries. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, CCS 7813, pages 337-348, New York, NY, USA. ACM.
  14. Juarez, M., Afroz, S., Acar, G., Diaz, C., and Greenstadt, R. (2014). A critical evaluation of website fingerprinting attacks. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS 7814, pages 263-274, New York, NY, USA. ACM.
  15. Ling, Z., Luo, J., Wu, K., Yu, W., and Fu, X. (2014). Torward: Discovery of malicious traffic over tor. In IEEE INFOCOM 2014 - IEEE Conference on Computer Communications, pages 1402-1410.
  16. Mittal, P., Khurshid, A., Juen, J., Caesar, M., and Borisov, N. (2011). Stealthy traffic analysis of low-latency anonymous communication using throughput fingerprinting. In Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS 7811, pages 215-226, New York, NY, USA. ACM.
  17. Nguyen, T. T. T. and Armitage, G. (2008). A survey of techniques for internet traffic classification using machine learning. IEEE Communications Surveys Tutorials, 10(4):56-76.
  18. Quinlan, J. R. (1993). C4.5: programs for machine learning. Morgan Kaufmann Publishers Inc., San Francisco, CA, USA.
  19. Serjantov, A. and Sewell, P. (2003). Passive Attack Analysis for Connection-Based Anonymity Systems, pages 116- 131. Springer Berlin Heidelberg, Berlin, Heidelberg.
  20. Shmatikov, V. and Wang, M.-H. (2006). Timing analysis in low-latency mix networks: Attacks and defenses. In Proceedings of the 11th European Conference on Research in Computer Security, ESORICS'06, pages 18-33, Berlin, Heidelberg. Springer-Verlag.

Paper Citation

in Harvard Style

Habibi Lashkari A., Draper Gil G., Mamun M. and Ghorbani A. (2017). Characterization of Tor Traffic using Time based Features . In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 253-262. DOI: 10.5220/0006105602530262

in Bibtex Style

author={Arash Habibi Lashkari and Gerard Draper Gil and Mohammad Saiful Islam Mamun and Ali A. Ghorbani},
title={Characterization of Tor Traffic using Time based Features},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},

in EndNote Style

JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - Characterization of Tor Traffic using Time based Features
SN - 978-989-758-209-7
AU - Habibi Lashkari A.
AU - Draper Gil G.
AU - Mamun M.
AU - Ghorbani A.
PY - 2017
SP - 253
EP - 262
DO - 10.5220/0006105602530262