Skip to main content
SpringerLink
Log in

ACER: detecting Shadowsocks server based on active probe technology

  • Original Paper
  • Published:
Journal of Computer Virology and Hacking Techniques Aims and scope Submit manuscript

Abstract

Anonymous server is created for hiding the information of hosts when they are surfing the Internet, such as Tor, Shadowsocks, etc. It is quite difficult to identify these servers, which provides potential criminals with opportunities to commit crime. Also, hackers can make use of these servers to threaten public network security, such as DDoS and Phishing attacks. Hence, the study of identifying these servers is pretty crucial. Current works on detecting Shadowsocks servers are mostly based on the features of servers’ data stream combined with machine learning. However, they are passive methods because they can only be established when the servers are in connection state. Therefore, we propose a new system named ACER, which AC means active and ER means expert, to detect these servers. Besides, we introduce XGBoost algorithm to process the data stream to optimize the detection. The method can recognize more Shadowsocks servers actively instead of monitoring the communication tunnel passively to identify the servers. The experiment result has achieved an accuracy of 94.63% by taking proposed framework and 1.20% more accurate than other existing solutions. We hope to provide a novel solution for those who are conducting research in this area, and provide a detection scheme for network censors to block illegal servers at the same time.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7

Similar content being viewed by others

Notes

  1. Great Firewall, https://en.wikipedia.org/ wiki/Great_Firewall.

  2. Free-ss.site, https://free-ss.site.

  3. FOFA, https://fofa.so/.

References

  1. Lu, Z., Li, Z., Yang, J., Xu, T., Zhai, E., Liu, Y., Wilson, C.: Accessing google scholar under extreme internet censorship: a legal avenue. In: Proceedings of the 18th ACM/IFIP/USENIX Middleware Conference: Industrial Track, pp. 8–14 (2017)

  2. Dixon, L., Ristenpart, T., Shrimpton, T.: Network traffic obfuscation and automated internet censorship. IEEE Secur. Privacy 14(6), 43–53 (2016)

    Article  Google Scholar 

  3. Pannu, M., Gill, B., Bird, R., Yang, K., Farrel, B.: Exploring proxy detection methodology. In: IEEE International Conference on Cybercrime and Computer Forensic (ICCCF), pp. 1–6. IEEE (2016)

  4. Deng, Z., Liu, Z., Chen, Z., Guo, Y.: The random forest based detection of shadowsock’s traffic. In: 9th International Conference on Intelligent Human–Machine Systems and Cybernetics (IHMSC), vol. 2, pp. 75–78. IEEE (2017)

  5. Zeng, X., Chen, X., Shao, G., He, T., Han, Z., Wen, Y., Wang, Q.: Flow context and host behavior based Shadowsocks’s traffic identification. IEEE Access 7, 41017–41032 (2019)

    Article  Google Scholar 

  6. Amari, S., et al.: The Handbook of Brain Theory and Neural Networks. MIT Press, Cambridge (2003)

    Google Scholar 

  7. Lewis, R.J: An introduction to classification and regression tree (cart) analysis. In: Annual Meeting of the Society for Academic Emergency Medicine in San Francisco, CA, vol. 14 (2000)

  8. Liaw, A., Wiener, M., et al.: Classification and regression by randomforest. R News 2(3), 18–22 (2002)

    Google Scholar 

  9. Dingledine, R., Mathewson, N., Syverson, P.: Tor: the second-generation onion router. Technical report. Naval Research Lab, Washington DC (2004)

  10. Hodo, E., Bellekens, X., Iorkyase, E., Hamilton, A., Tachtatzis, C., Atkinson, R.: Machine learning approach for detection of nontor traffic. In: Proceedings of the 12th International Conference on Availability, Reliability and Security, pp. 1–6 (2017)

  11. He, G., Yang, M., Gu, X., Luo, J., Ma, Y.: A novel active website fingerprinting attack against tor anonymous system. In: Proceedings of the 2014 IEEE 18th International Conference on Computer Supported Cooperative Work in Design (CSCWD), pp. 112–117. IEEE (2014)

  12. Lashkari, A., Habibi, D.-G., Gerard, M., Mohammad S.I., Ghorbani, A.A: Characterization of tor traffic using time based features. In: ICISSP, pp. 253–262 (2017)

  13. Wright, J., Darer, A., Farnan, O.: On identifying anomalies in tor usage with applications in detecting internet censorship. In: Proceedings of the 10th ACM Conference on Web Science, pp. 87–96 (2018)

  14. Seid, H.A., Lespagnol, A.: Virtual private network. US Patent 5,768,271 (1998)

  15. Bagui, S., Fang, X., Kalaimannan, E., Bagui, S.C., Sheehan, J.: Comparison of machine-learning algorithms for classification of VPN network traffic flow using time-related features. J. Cyber Secur. Technol. 1(2), 108–126 (2017)

    Article  Google Scholar 

  16. Kleinbaum, D.G., Dietz, K., Gail, M., Klein, M., Klein, M.: Logistic Regression. Springer, New York (2002)

    Google Scholar 

  17. Scholkopf, B., Smola, A.J.: Learning with Kernels: Support Vector Machines, Regularization, Optimization, and Beyond. MIT Press, Cambridge (2001)

    Google Scholar 

  18. Murphy Kevin, P., et al.: Naive bayes classifiers. Univ. B.C. 18, 60 (2006)

    Google Scholar 

  19. Peterson, L.E.: K-nearest neighbor. Scholarpedia 4(2), 1883 (2009)

    Article  Google Scholar 

  20. Dietterich, T.G: Ensemble methods in machine learning. In: International Workshop on Multiple Classifier Systems, pp. 1–15. Springer (2000)

  21. Draper-Gil, G., Lashkari, A.H., Mamun, M.S.I., Ghorbani, A.A: Characterization of encrypted and vpn traffic using time-related. In Proceedings of the 2nd International Conference on Information Systems Security and Privacy (ICISSP), pp. 407–414 (2016)

  22. Dreger, H., Feldmann, A., Mai, M., Paxson, V., Sommer, R.: Dynamic application-layer protocol analysis for network intrusion detection. In: 15th USENIX Security Symposium, pp. 257–272. USENIX Association (2006)

  23. Moore, A.W., Papagiannaki, K.: Toward the accurate identification of network applications. In: International Workshop on Passive and Active Network Measurement, pp. 41–54. Springer (2005)

  24. Rezaei, S., Liu, X.: Deep learning for encrypted traffic classification: an overview. IEEE Commun. Mag. 57(5), 76–81 (2019)

    Article  Google Scholar 

  25. Kim, H., Claffy, K.C., Fomenkov, M., Barman, D., Faloutsos, M., Lee, K..: Internet traffic classification demystified: myths, caveats, and the best practices. In: Proceedings of the 2008 ACM CoNEXT Conference, pp. 1–12 (2008)

  26. Lotfollahi, M., Siavoshani, M.J., Zade, R.S.H., Saberian, M.: Deep packet: a novel approach for encrypted traffic classification using deep learning. Soft. Comput. 24(3), 1999–2012 (2020)

    Article  Google Scholar 

  27. Anderson, B., McGrew, D.: Identifying encrypted malware traffic with contextual flow data. In: Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security, pp. 35–46 (2016)

  28. Torroledo, I., Camacho, L.D., Bahnsen, A.C.: Hunting malicious TLS certificates with deep neural networks. In Proceedings of the 11th ACM Workshop on Artificial Intelligence and Security, pp. 64–73 (2018)

  29. Münz, G., Li, S., Carle, G.: Traffic anomaly detection using k-means clustering. In: GI/ITG Workshop MMBnet, pp. 13–14 (2007)

  30. Chou, L.D., Tseng, C.-W., Lai, M.-S., Chen, W.-Y., Chen, K.-C., Yen, C.-K., Ou, T.-F., Tsai, W.-H., Chiu, Y.-H.: Classification of malicious traffic using tensorflow machine learning. In: 2018 International Conference on Information and Communication Technology Convergence (ICTC), pp. 186–190. IEEE (2018)

  31. Michael, A.K.J., Valla, E., Neggatu, N.S., Moore, A.W: Network traffic classification via neural networks. Technical report. University of Cambridge, Computer Laboratory (2017)

  32. Li, R., Xiao, X., Ni, S., Zheng, H., Xia, S.: Byte segment neural network for network traffic classification. In: 2018 IEEE/ACM 26th International Symposium on Quality of Service (IWQoS), pp. 1–10. IEEE (2018)

  33. Zheng, Z., Reddy, A.N.: Safeguarding building automation networks: the-driven anomaly detector based on traffic analysis. In: 26th International Conference on Computer Communication and Networks (ICCCN), pp. 1–11. IEEE (2017)

  34. Winter, P., Lindskog, S.: How the great firewall of china is blocking tor. USENIX-The Advanced Computing Systems Association (2012)

  35. Friedman, J.H.: Greedy function approximation: a gradient boosting machine. Ann. Stat. 1189–1232 (2001)

  36. DeLong, E.R., DeLong, D.M., Clarke-Pearson, D.L: Comparing the areas under two or more correlated receiver operating characteristic curves: a nonparametric approach. Biometrics 837–845 (1988)

  37. Cristianini, N., Shawe-Taylor, J., et al.: An Introduction to Support Vector Machines and Other Kernel-Based Learning Methods. Cambridge University Press, Cambridge (2000)

    Book  Google Scholar 

Download references

Acknowledgements

We thank anonymous reviewers for provided helpful comments on earlier drafts of the manuscript. This work is partly supported by Development Plan Project of Sichuan Province (No. 20ZDYF3077) and Key Lab of Information Network Security, Ministry of Public Security (C19601).

Author information

Authors and Affiliations

  1. College of Cybersecurity, Sichuan University, Chengdu, 610065, China

    Jiaxing Cheng, Ying Li & Cheng Huang

  2. Department of Computer Science, Boston University, Boston, MA, 02215, USA

    Ailing Yu

  3. The Third Research Institute of Minister of Public Security, Shanghai, 201204, China

    Tao Zhang

Authors
  1. Jiaxing Cheng
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Ying Li
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Cheng Huang
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Ailing Yu
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Tao Zhang
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Tao Zhang.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Cheng, J., Li, Y., Huang, C. et al. ACER: detecting Shadowsocks server based on active probe technology. J Comput Virol Hack Tech 16, 217–227 (2020). https://doi.org/10.1007/s11416-020-00353-z

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11416-020-00353-z

Keywords

Search

Navigation