Abstract
As common tools for evading censorship and protecting privacy, anonymous proxies are widely favored because they are lightweight and easy to deploy. In recent years, anonymous proxies have continually evolved their traffic obfuscation and masking strategies. Because current proxy traffic identification methods are not designed around the connection behavior features of different proxy flows, they often suffer from high false positive rates and are consequently insufficient for real-world applications. This masks the deficiencies of existing anonymous proxy technologies in combating detection models based on flow relationship analysis.
To address these issues, we introduce ProxyKiller, a novel proxy traffic attack model based on multi-flow connection behavior features. After obtaining the original PCAP traffic files, ProxyKiller constructs traffic behavior graphs using extracted temporal, spatial, content, and specially designed byte features. Subsequently, ProxyKiller extracts latent topological structure features through graph neural networks, integrates them into a unified graph-level representation vector, and obtains prediction results for each traffic behavior graph through a random forest model. Finally, ProxyKiller implements a global decision-making mechanism from a traffic graph correlation perspective to correct prediction results for related traffic behavior graphs. Experimental results on three real-world datasets demonstrate that ProxyKiller outperforms several state-of-the-art traffic classification methods and shows robustness in various proxy traffic classification tasks. These results indicate that current anonymous proxies exhibit certain vulnerabilities when countering traffic analysis methods based on traffic behavior graph structure.
Notes
1. The AnonProxy2023 dataset can be found at https://github.com/MrRobotsAA/AnonProxy2023-Dataset. Researchers who use the dataset should indicate the data source by citing this paper.
Acknowledgments
This work is supported by the Scaling Program of Institute of Information Engineering, CAS (Grant No. E3Z0041101).
Ethics declarations
Disclosure of Interests
The authors have no competing interests to declare that are relevant to the content of this article.
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Xu, H. et al. (2024). ProxyKiller: An Anonymous Proxy Traffic Attack Model Based on Traffic Behavior Graphs. In: Garcia-Alfaro, J., Kozik, R., Choraś, M., Katsikas, S. (eds) Computer Security – ESORICS 2024. ESORICS 2024. Lecture Notes in Computer Science, vol 14983. Springer, Cham. https://doi.org/10.1007/978-3-031-70890-9_9
DOI: https://doi.org/10.1007/978-3-031-70890-9_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-70889-3
Online ISBN: 978-3-031-70890-9
eBook Packages: Computer Science, Computer Science (R0)