Proactive Response and Detection of TOR Anonymizers through Signature and Heuristic-based Mechanisms

Justin David Pineda, Asia Pacific College, 3 Humabon Place, Magallanes, Makati City, Philippines, (02) 852-9232, justinp@apc.edu.ph
Arianne Wisdom Abinal, Asia Pacific College, 3 Humabon Place, Magallanes, Makati City, Philippines, (02) 852-9232, amabinal@student.apc.edu.ph
Aliana Marie Lachica, Asia Pacific College, 3 Humabon Place, Magallanes, Makati City, Philippines, (02) 852-9232, arlachica@student.apc.edu.ph

ABSTRACT

The Onion Router (TOR) is a free anonymizer software available on the Internet. It uses a chain of proxy servers all over the world, called nodes, that accept small pieces of data to be sent over the Internet. Tracing the content sent through TOR is challenging because it uses encrypted protocols such as HTTPS. Filtering whether the information sent through TOR is legal or not therefore becomes a problem. The Proactive Response and Detection for TOR (PReDTOR) is an adaptable security tool that can detect outbound TOR traffic in a Local Area Network (LAN) environment using signature and heuristic-based mechanisms. It also contains an incident response and reporting feature with which a TOR connection can be closed and the offending IP address blocked for investigation. Businesses can use PReDTOR to complement the functions of the firewall and the Intrusion Detection System (IDS), and integrate it with them, to monitor their network.

CCS Concepts

Security and Privacy → Pseudonymity, anonymity and untraceability

Keywords

Anonymizers; heuristics-based detection; incident response; proxy detection.

1. INTRODUCTION

The concept of The Onion Router (TOR) starts with tweaking the functionalities and limitations of an Application Firewall (AF). An AF is a type of firewall that checks the application contents of a website, specifically the content and the hostname, and matches them against the different categories it has.
For example, a specific category, “Social Networking Sites,” is blocked in the Application Firewall. This means that Facebook (facebook.com) cannot be accessed by default. One way for a user to bypass the firewall block is through the use of a proxy. The proxy, for example https://kproxy.com/, is another website that requests the website you intend to visit on your behalf. In that manner, the firewall is “fooled” into allowing a normal website to reach a blocked website [1]. There are a number of proxy sites available. A good initiative of the security companies that offer AFs is that they have already created another category, called “Proxy Avoidance,” which detects known proxy websites and stops users from accessing them.

Figure 1. How normal web browsing works.

Figure 2. How proxy servers work.

There are ways to detect if the traffic is coming from a known TOR exit node. However, tracing the traffic back is impossible because of the speed and the variety of proxies involved.

Figure 3. How TOR browsing works.

Because of the anonymity of TOR usage, there are no concrete statistics on why users are utilizing TOR services. There are always two sides to a coin: the good and the bad. In the perspective of the government or law enforcement agencies, TOR can be used by criminals or terrorists to anonymize their plans of sabotage and unscrupulous activities [2]. In the perspective of a

[1] Muir, B. 2010. Tor Packet Analysis: Locating Identifying Markers. (February 2014). Retrieved from http://www.slideshare.net/bsmuir/tor-packet-analysis

[2] Erkkonen, H. and Larsson, J. 2010. Onion Routing with TOR, Garlic Routing with I2P. (May 2010). Retrieved March 27, 2016 from http://www.cse.chalmers.se/~tsigas/Courses/DCDSeminar/Files/onion_routing.pdf

Proceedings of the 14th National Conference on IT Education (NCITE 2016)