Tor-based malware and Tor connection detection

Anonymous communication networks, like Tor, partially protect the confidentiality of user traffic by encrypting all communications within the overlay network. However, Tor is not only used for good; a great deal of the traffic in the Tor networks is in fact port scans, hacking attempts, exfiltration of stolen data and other forms of online criminality. The anonymity network Tor is often misused by hackers and criminals in order to remotely control hacked computers. In this paper we present our methodology for detecting any connection to or from Tor network. Our detection method is based on a list of Tor servers. We process the network traffic and match the source and destination IP addresses for each connection with Tor servers list. The list of Tor servers is automatically updated each day and the detection is in the real time. We applied our methodology on campus live traffic and showed that it can automatically detect Tor connections in the real time. We also applied our methodology on packet capture (pcap) files which contain real and long-lived malware traffic and we proved that our methodology can successfully detect Tor connections.