Tor is a widespread network for anonymity over the Internet. Network owners try to identify and block Tor flows. On the other side, Tor developers enhance flow anonymity with various plugins. Tor and its plugins can be detected by deep packet inspection (DPI) methods. However, DPI-based solutions are computation intensive, need considerable human effort, and usually are hard to maintain and update. These issues limit the application of DPI methods in practical scenarios. As an alternative, we propose to use machine learning-based techniques that automatically learn from examples and adapt to new data whenever required. We report an empirical study on detection of three widely used Tor pluggable transports, namely Obfs3, Obfs4, and ScrambleSuit using four learning algorithms. We investigate the performance of Adaboost and Random Forests as two ensemble methods. In addition, we study the effectiveness of SVM and C4.5 as well-known parametric and nonparametric classifiers. These algorithms use general statistics of first few packets of the inspected flows. Experimental results conducted on real traffics show that all the adopted algorithms can perfectly detect the desired traffics by only inspecting first 10–50 packets. The trained classifiers can readily be employed in modern network switches and intelligent traffic monitoring systems.
