CN114189381B - Method for identifying malicious exit relay node of Tor anonymous communication network - Google Patents

Publication number: CN114189381B
Authority: CN (China)
Prior art keywords: relay node, exit relay, exit, reputation, malicious
Legal status: Active
Application number: CN202111506129.6A
Other languages: Chinese (zh)
Other versions: CN114189381A (en)
Inventors: 玄世昌, 杨武, 王巍, 苘大鹏, 吕继光, 李朝阳
Current assignee: Harbin Engineering University
Original assignee: Harbin Engineering University
Application filed by Harbin Engineering University; priority to CN202111506129.6A; published as CN114189381A; granted and published as CN114189381B.

Classifications

    • H04L63/0421 Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • Y02D30/70 Reducing energy consumption in communication networks in wireless communication networks


Abstract

The invention discloses a method for identifying a malicious exit relay node of the Tor anonymous communication network, which comprises the following steps: S1: monitoring the current Tor network in real time and recording all available exit relays; S2: scanning the behavior of all exit relay nodes in the Tor network; S3: marking the behavior information of all exit relay nodes; S4: calculating the reputation score of each exit relay node from the marked behavior information, and judging whether the set total number of scans has been reached; if so, executing S5, otherwise returning to S2; S5: judging whether an exit relay node is malicious according to the relation between the reputation threshold and the reputation score. The invention quantifies the behavior of exit relay nodes: given a reputation threshold, exit relay nodes whose reputation value stays low for a long time are removed from the Tor network, which improves the anonymity of the Tor network. Quantifying exit relay behavior through a reputation score also gives exit relay nodes an incentive to keep behaving well over the long term.

Description

Method for identifying malicious exit relay node of Tor anonymous communication network
Technical Field
The invention belongs to the field of Tor anonymous communication and relates to a method for identifying malicious exit relay nodes of the Tor anonymous communication network, in particular to a method based on a reputation model.
Background
The Internet is today's most common carrier of information, and tens of thousands of people use it every day to look up the information they want. While information is being obtained, however, personal information can be leaked and stolen, so privacy protection is a major difficulty on the current path of Internet development. To hide the identity of users, Tor is currently the most widely used anonymous communication system; it forwards traffic through a plurality of relay nodes. These relay nodes are sometimes unreliable, because most nodes in the anonymous communication network are provided by volunteers around the world, and it is inevitable that some of them are provided maliciously by attackers. A user may unintentionally select such a node when connecting to Tor, and an attacker who controls it can then perform traffic analysis, jeopardizing the user's privacy. The conventional method at present simply marks malicious exit relay nodes; its drawback is that the number of available nodes keeps decreasing, which greatly reduces the efficiency of the Tor network.
Disclosure of Invention
In view of the prior art, the technical problem to be solved by the invention is to provide a method, based on a reputation model, for identifying malicious exit relay nodes of the Tor anonymous communication network. The method assigns a reputation value to each node, monitors the reputation value of each relay node in real time, and gives malicious nodes a low reputation value, so that users do not select malicious nodes and anonymity is improved.
To solve this technical problem, the method for identifying a malicious exit relay node of the Tor anonymous communication network comprises the following steps:
S1: monitoring the current Tor network in real time and recording all available exit relays;
S2: scanning the behavior of all exit relay nodes in the Tor network;
S3: marking the behavior information of all exit relay nodes;
S4: calculating the reputation score of each exit relay node from the marked behavior information, and judging whether the set total number of scans has been reached; if so, executing S5, otherwise returning to S2;
S5: judging whether an exit relay node is malicious according to the relation between the reputation threshold and the reputation score.
Further, marking the behavior information of all exit relay nodes in S3 includes: exit relay node behavior is divided into two types, good and malicious; the behavior information $R_c$ of an exit relay node that behaves well is marked as 1; the behavior information $R_c$ of an exit relay node that behaves maliciously is marked as -1; the behavior information $R_c$ of an exit relay node not scanned in this round is marked as 0; and the fingerprint information and behavior information of the exit relay node are recorded.
Further, calculating the reputation score of each exit relay node from the marked behavior information includes:
computing the reputation score $C_n(x)$ of the relay node at the n-th scan as follows:
$$C_n(x) = \beta_n(x) \cdot R_c + [1 - \beta_n(x)] \cdot C_{n-1}(x)$$
$C_{n-1}(x)$ represents the reputation score calculated at the (n-1)-th scan of the exit relay node, and $C_0(x)$ represents the initial value, 1 by default; $\beta_n(x)$ is the weighting coefficient used to calculate the reputation score, and represents the degree of influence of the (n-1)-th scan result of the exit relay node on the n-th reputation score; $\beta_n(x)$ is:
where $\delta_n(x)$ is the most recent error, which represents the difference between the (n-1)-th scan result and the historical score; $\delta_n(x)$ is:
where $\mu$ and $\nu$ represent the reward and penalty factors, respectively, and $\mu > \nu$ is set so that the penalty impact is greater than the reward impact; $\xi_n(x)$ is the accumulated error, which represents the sum of the most recent errors $\delta_n(x)$ from the beginning of detection to the (n-1)-th detection, and is calculated by:
$$\xi_n(x) = \xi_{n-1}(x) + \delta_n(x)$$
$\xi_0(x)$ is the initial error, taken as 0; $P_n(x)$ is a balance factor, which represents the weight of the number of times the exit relay node provided service in the total number of scans, and is calculated as:
$$P_n(x) = t/N$$
where t is the number of times the scan result was a normal relay, and N is the total number of times the relay was scanned.
Further, the exitmap relay scanner is used to scan the behavior of all exit relay nodes in the Tor network and to identify all man-in-the-middle attacks initiated by exit relay nodes.
The beneficial effects of the invention are as follows: compared with the prior art, the method quantifies the behavior of exit relay nodes. Given a reputation threshold, exit relay nodes whose reputation stays low for a long time can be removed from the Tor network. In this way there will be fewer and fewer malicious exit relay nodes in the Tor network, greatly enhancing its anonymity. In addition, quantifying exit relay behavior through a reputation score gives exit relay nodes an incentive to keep behaving well over the long term. Furthermore, Tor administrators can judge the performance of Tor exit relays from the reputation score, which makes the Tor network easier to manage and ensures that the set of Tor exit relay nodes stays at a certain scale.
Drawings
FIG. 1 is a flow chart of malicious node determination based on the reputation score;
FIG. 2 is a flow chart of the reputation score calculation of the present invention;
FIG. 3 is the behavior scan result of an exit relay node that is always malicious;
FIG. 4 is the reputation calculation result of an exit relay node that is always malicious;
FIG. 5 is the behavior scan result of an occasionally malicious exit relay node;
FIG. 6 is the reputation calculation result of an occasionally malicious exit relay node;
FIG. 7 is the behavior scan result of an oscillating malicious exit relay node;
FIG. 8 is the reputation calculation result of an oscillating malicious exit relay node;
FIG. 9 is the behavior scan result of an exit relay node that provides no service;
FIG. 10 is the reputation calculation result of an exit relay node that provides no service;
FIG. 11 is a relay node SIR simulation diagram of a Tor network that does not employ the present reputation model;
FIG. 12 is a relay node SIR simulation diagram of a Tor network that employs the present reputation model.
Detailed Description
The invention is further described below with reference to the drawings and specific examples.
Referring to fig. 1, the present invention includes the steps of:
1) The current Tor network is monitored in real time, and all available exit relays are recorded.
2) The behavior of all exit relay nodes in the Tor network is scanned on the model server using exitmap. exitmap is a lightweight Python-based exit relay scanner. It is mainly used to probe the exit relay nodes of the Tor network and to identify all man-in-the-middle attacks initiated by exit relay nodes.
3) The behavior information $R_c$ of all exit relay nodes is marked. A well-behaved exit relay node is marked 1; an exit relay node exhibiting malicious behavior is marked -1; an exit relay node not scanned in this round is marked 0. The fingerprint information and behavior information of each exit relay node are recorded accordingly.
4) The reputation scores of all exit relay nodes are calculated. First, the weight $\beta_n(x)$ is updated from $R_c$. Then the current reputation score $C_n(x)$ of the exit relay node is obtained from $\beta_n(x)$, $R_c$ and $C_{n-1}(x)$. The current reputation score is in turn used as the historical reputation score for the next calculation. $C_n(x)$ represents the current reputation score of the exit relay node, $C_{n-1}(x)$ represents the reputation score from the previous round of calculation, and $C_0(x)$ represents the initial value, 1 by default. $C_n(x)$ is calculated as shown in formula 1:
$$C_n(x) = \beta_n(x) \cdot R_c + [1 - \beta_n(x)] \cdot C_{n-1}(x) \tag{1}$$
In the formula for $C_n(x)$, $\beta_n(x)$ is the weighting coefficient used to calculate the reputation score, and represents the degree of influence of the last scan result of the exit relay node on the current reputation score. $\beta_n(x)$ is calculated as shown in formula 2:
In the formula for $\beta_n(x)$, $\delta_n(x)$ is the most recent error, which represents the difference between the last scan result and the historical score. $\delta_n(x)$ is calculated as shown in formula 3:
where $\mu$ and $\nu$ represent the reward and penalty factors, respectively. We set $\mu > \nu$ because the penalty impact should be greater than the reward impact. In the formula for $\beta_n(x)$, $\xi_n(x)$ is the accumulated error, calculated as shown in formula 4:
$$\xi_n(x) = \xi_{n-1}(x) + \delta_n(x) \tag{4}$$
It represents the sum of the most recent errors $\delta_n(x)$ from the beginning of detection to the last detection. $\xi_0(x)$ is the initial error and defaults to 0, since no error has occurred at the beginning of detection. In the formula for $\beta_n(x)$, $P_n(x)$ is a balance factor, calculated as shown in formula 5:
$$P_n(x) = t/N \tag{5}$$
It represents the weight of the number of times the exit relay node provided service in the total number of scans. In the formula for $P_n(x)$, t is the number of times the scan result was a normal relay, and N is the total number of times the relay was scanned. After the reputation score is calculated, the method returns to step 2) to scan the Tor network again. The Tor network is scanned continuously and the reputation scores of the exit relay nodes are updated until the initially set number of scans is reached.
5) After the reputation score is calculated, whether an exit relay node is malicious can be judged against the reputation threshold. Specifically, when the reputation score of an exit relay node is less than the reputation threshold, the node is a malicious exit node; otherwise it is not malicious.
6) The identification of malicious exit relays in the Tor network is complete.
The flow of the reputation score calculation is shown in FIG. 2. To assess the feasibility of the reputation model, the behavior scan results and reputation calculation results are first given for exit relay nodes that are always malicious, occasionally malicious, oscillating malicious, and not providing service, as shown in FIGS. 3 to 10. The reputation score of an exit relay node keeps decreasing while malicious behavior occurs, and increases again when non-malicious behavior occurs. The increase is smaller than the decrease, however, so that the node's malicious behavior is punished. In addition, to motivate exit relay nodes to keep providing service over the long term, the reputation score of an exit relay node that no longer provides service is appropriately reduced. Finally, the number of remaining relay nodes is compared between the relay node SIR simulation of a Tor network without the reputation model and that of a Tor network with the reputation model. In FIGS. 11 and 12, the abscissa is time in days and the ordinate is the number of exit relay nodes in the Tor network. FIG. 11 shows that, without the help of the reputation model, the number of exit relay nodes in the Tor network has fallen from 1500 to around 800 after 100 days, which makes it difficult to support long-term stable use by large numbers of users. FIG. 12 gives the number of exit relay nodes in a Tor network that uses the present reputation model. After 100 days the number of exit relay nodes has fallen from 1500 to around 1400, so the remaining set of relay nodes is still relatively large. With the help of the reputation score, the reputation scores of the remaining exit relay nodes are all above the reputation threshold, so poorly behaving exit relay nodes are effectively removed.
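The loop in steps 3) to 5), as an added example that is not code from the patent: formulas 1, 4 and 5 are implemented as written, and the relay names and scan results are constructed. Because the page does not reproduce formulas 2 and 3 or give a threshold value, `stand_in_beta`, its two gain parameters and `THRESHOLD` are assumptions that stand in for them.

```python
from dataclasses import dataclass

GOOD, MALICIOUS, NOT_SCANNED = 1, -1, 0   # R_c labels from step 3)


def stand_in_beta(r_c, c_prev, xi_prev, p, reward_gain=0.3, penalty_gain=0.5):
    """ASSUMPTION: placeholder for formulas 2 and 3, which the page omits.

    delta is the normalised gap between this scan result and the historical
    score; beta shrinks as accumulated error and service ratio grow, and uses
    a larger gain when the result is not GOOD. Both gains are hypothetical.
    """
    delta = abs(r_c - c_prev) / 2.0
    gain = reward_gain if r_c == GOOD else penalty_gain
    beta = gain * delta / (1.0 + p * (xi_prev + delta))
    return min(max(beta, 0.0), 1.0), delta


@dataclass
class RelayReputation:
    fingerprint: str
    score: float = 1.0   # C_0(x) = 1
    xi: float = 0.0      # xi_0(x) = 0
    good: int = 0        # t: scans whose result was a normal relay
    rounds: int = 0      # N: scan rounds so far (one reading of "total scans")

    def update(self, r_c, weight_fn=stand_in_beta):
        if r_c not in (GOOD, MALICIOUS, NOT_SCANNED):
            raise ValueError(f"unexpected behaviour label: {r_c!r}")
        self.rounds += 1
        self.good += r_c == GOOD
        p = self.good / self.rounds                          # formula 5
        beta, delta = weight_fn(r_c, self.score, self.xi, p)
        self.xi += delta                                     # formula 4
        self.score = beta * r_c + (1.0 - beta) * self.score  # formula 1
        return self.score


def trace(labels, weight_fn=stand_in_beta):
    """Score after each round for one relay, given its R_c sequence."""
    relay = RelayReputation("trace")
    return [relay.update(r_c, weight_fn) for r_c in labels]


def classify(scan_rounds, threshold, weight_fn=stand_in_beta):
    """Run steps 3)-5): update every known relay each round, then threshold."""
    relays = {}
    for labels in scan_rounds:
        for fp in sorted(set(relays) | set(labels)):
            relay = relays.setdefault(fp, RelayReputation(fp))
            # A known relay missing from this round's results is labelled 0.
            relay.update(labels.get(fp, NOT_SCANNED), weight_fn)
    return {fp: (r.score, r.score < threshold) for fp, r in relays.items()}


# Constructed scan results: ten rounds, four relays with placeholder names.
SAMPLE_ROUNDS = []
for i in range(10):
    labels = {"RELAY_GOOD": GOOD, "RELAY_BAD": MALICIOUS,
              "RELAY_ONCE": MALICIOUS if i == 3 else GOOD}
    if i < 3:
        labels["RELAY_IDLE"] = GOOD   # no scan result after the third round
    SAMPLE_ROUNDS.append(labels)

THRESHOLD = 0.0   # constructed; the page gives no threshold value

if __name__ == "__main__":
    for fp, (score, bad) in classify(SAMPLE_ROUNDS, THRESHOLD).items():
        print(f"{fp:11s} score={score:+.3f} malicious={bad}")
```

With R_c = 0, formula 1 reduces to C_n = (1 - β_n)·C_{n-1}, so a relay that stops answering scans decays toward 0 under any positive weight, whichever form formula 2 takes.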

Claims (2)

1. A method for identifying a malicious exit relay node of the Tor anonymous communication network, characterized by comprising the following steps:
S1: monitoring the current Tor network in real time and recording all available exit relays;
S2: scanning the behavior of all exit relay nodes in the Tor network;
S3: marking the behavior information of all exit relay nodes, including: exit relay node behavior is divided into two types, good and malicious; the behavior information $R_c$ of an exit relay node that behaves well is marked as 1; the behavior information $R_c$ of an exit relay node that behaves maliciously is marked as -1; the behavior information $R_c$ of an exit relay node not scanned in this round is marked as 0; and the fingerprint information and behavior information of the exit relay node are recorded;
S4: calculating the reputation score of each exit relay node from the marked behavior information, including:
computing the reputation score $C_n(x)$ of the relay node at the n-th scan as follows:
$$C_n(x) = \beta_n(x) \cdot R_c + [1 - \beta_n(x)] \cdot C_{n-1}(x)$$
$C_{n-1}(x)$ represents the reputation score calculated at the (n-1)-th scan of the exit relay node, and $C_0(x)$ represents the initial value, 1 by default; $\beta_n(x)$ is the weighting coefficient used to calculate the reputation score, and represents the degree of influence of the (n-1)-th scan result of the exit relay node on the n-th reputation score; $\beta_n(x)$ is:
where $\delta_n(x)$ is the most recent error, which represents the difference between the (n-1)-th scan result and the historical score; $\delta_n(x)$ is:
where $\mu$ and $\nu$ represent the reward and penalty factors, respectively, and $\mu > \nu$ is set so that the penalty effect is greater than the reward effect; $\xi_n(x)$ is the accumulated error, which represents the sum of the most recent errors $\delta_n(x)$ from the beginning of detection to the (n-1)-th detection, and is calculated by:
$$\xi_n(x) = \xi_{n-1}(x) + \delta_n(x)$$
$\xi_0(x)$ is the initial error, taken as 0; $P_n(x)$ is a balance factor, which represents the weight of the number of times the exit relay node provided service in the total number of scans, and is calculated as:
$$P_n(x) = t/N$$
where t is the number of times the scan result was a normal relay, and N is the total number of times the relay was scanned;
judging whether the set total number of scans has been reached; if so, executing S5, otherwise returning to S2;
S5: judging whether an exit relay node is malicious according to the relation between the reputation threshold and the reputation score.
2. The method for identifying a malicious exit relay node of the Tor anonymous communication network according to claim 1, characterized in that an exitmap relay scanner is used to scan the behavior of all exit relay nodes in the Tor network and to identify all man-in-the-middle attacks initiated by exit relay nodes.

Priority Applications (1)

Application number: CN202111506129.6A
Priority date: 2021-12-10
Filing date: 2021-12-10
Title: Method for identifying malicious exit relay node of Tor anonymous communication network
Status: Active, granted as CN114189381B (en)

Publications (2)

Publication number: CN114189381A (en), publication date: 2022-03-15
Publication number: CN114189381B (en), publication date: 2023-08-01

Family ID: 80543049

Country status: CN (1), CN114189381B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant