On Identifying Anomalies in Tor Usage with Applications in Detecting Internet Censorship
Joss Wright, Alexander Darer, Oliver Farnan
TL;DR
This paper presents a method to detect and rank anomalies in Tor network usage, serving as an early warning system for internet censorship events, applicable to other services and data sources.
Contribution
The paper introduces a novel anomaly detection approach that identifies contiguous anomalous periods and ranks countries by deviation, with a practical implementation used since 2016.
Findings
Successfully identified known censorship events
Enabled early detection of anomalous Tor usage patterns
Demonstrated applicability to multiple data sources
Abstract
We develop a means to detect ongoing per-country anomalies in the daily usage metrics of the Tor anonymous communication network, and demonstrate the applicability of this technique to identifying likely periods of internet censorship and related events. The presented approach identifies contiguous anomalous periods, rather than daily spikes or drops, and allows anomalies to be ranked according to deviation from expected behaviour. The developed method is implemented as a running tool, with outputs published daily by mailing list. This list highlights per-country anomalous Tor usage, and produces a daily ranking of countries according to the level of detected anomalous behaviour. This list has been active since August 2016, and is in use by a number of individuals, academics, and NGOs as an early warning system for potential censorship events. We focus on Tor, however the presented…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.