Evaluating the Distinguishability of Tor Traffic over Censorship Circumvention Tools.

Previous research has shown that Tor traffic can be easily identified, making Tor connections frequently blocked. In order to access the Tor network successfully, some censorship circumvention tools such as Shadowsocks and OpenVPN are utilized as front-proxy to connect to Tor entry nodes. However, the distinguishability of Tor traffic over these censorship circumvention tools has not yet been fully evaluated. By analyzing the equal-size segmentation mechanism of Tor and the transmission mechanisms of circumvention tools, we find that the payload length distribution of Tor traffic encrypted and encapsulated through these tools displays a distinct pattern, which makes such Tor traffic retain distinguishable from regular encrypted traffic. To verify this finding, we develop an automated, large-scale Tor traffic collection system to capture Tor traffic forwarded by various circumvention tools, and then design corresponding algorithms to extract traffic features in terms of payload length distribution. Finally, we perform the evaluation on the distin-guishability between the captured Tor traffic and the normal non-Tor traffic through extracted features. The F1-Score can achieve 0.99 with the false positive rate close to 0 when using Support Vector Machines for training and classification. The experimental results prove that circumvention tools cannot mask the inherent features of Tor traffic, and thus the Tor traffic forwarded by these tools can still be clearly distinguished from normal non-Tor traffic.