TorBot Stalker: detecting Tor botnets through intelligent circuit data analysis

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution



Botnets are collections of infected computers that are controlled centrally by a botmaster, often for sending spam or launching denial of service attacks. Taking down these botnets is often a cat-and-mouse game, with operators frequently changing domains for their control infrastructure. More recently, operators have moved to using Tor, a pseudo-anonymous network for hosting services whereby identification is difficult. Additionally, because connections to the Tor network are encrypted, we cannot use traditional methods like Domain Name System (DNS) and traffic signatures to detect infected hosts. In this paper, we introduce TorBot Stalker: the first mechanism for detecting, de-anonymizing, and destroying Tor botnets. We use machine learning to analyse and fingerprint the timings and frequency of Tor network circuit data when routing botnet traffic, and build a detection mechanism that is able to identify infected hosts at the Tor network border, in real-time, while preserving the privacy of legitimate users. TorBot Stalker can be implemented at any node in the Tor network and can differentiate between botnets and legitimate applications like Internet Relay Chat (IRC) coming from the same host. Experimental data demonstrates an accuracy of 99% with few false positives. We then apply the technique at the entry to the Tor network to measure the fraction of traffic that belongs to botnets. We observed that TorBot Stalker is able to de-anonymize real botnets in the Tor network and further identify infected hosts and control servers.
Original language: English
Title of host publication: 2018 IEEE 17th International Symposium on Network Computing and Applications (NCA)
Publisher: Institute of Electrical and Electronics Engineers Inc.
Number of pages: 8
ISBN (Electronic): 978-1-5386-7659-2, 978-1-5386-7658-5
ISBN (Print): 978-1-5386-7660-8
Publication status: Published - 29 Nov 2018
Event: 17th IEEE Networking and Computing Applications Conference 2018 - Cambridge, United States
Duration: 1 Nov 2018 to 3 Nov 2018


Conference: 17th IEEE Networking and Computing Applications Conference 2018
Abbreviated title: IEEE NCA
Country/Territory: United States


  • Tor
  • botnet
  • Machine Learning
  • malware
  • Intrusion Detection

