Traffic Classification for the Detection of Anonymous Web Proxy Routing

  • Shane Miller

    Student thesis: Doctoral Thesis


    Network Proxies and Virtual Private Networks (VPN) are tools that are used every day to facilitate various business functions. However, they have gained popularity amongst unintended userbases as tools that can be used to hide mask identities while using websites and web-services. Anonymising Proxies and/or VPNs act as an intermediary between a user and a web server with a Proxy and/or VPN IP address taking the place of the user’s IP address that is forwarded to the web server. For a business whose primary service is hosted on the internet, such as Facebook or Netflix, security systems are a vital part of these services; unauthorised user detection can be a vital feature of such systems. The detection of unauthorised users can be problematic for techniques that are available at present if the suspect users are using identity hiding tools such as anonymising proxies or VPNs.
    This work presents computational models based on intelligent machine learning techniques to address the limitations currently experienced by unauthorised user detection systems. A model to detect usage of anonymising proxies was developed using a Multi-layered perceptron neural network that was trained using data found in the Transmission Control Protocol (TCP) header of captured network packets. Two models to detect usage of two different VPN configurations were also developed using a similar Multi-layered Perceptron neural network and were trained using flow statistics. The first model successfully classifies network traffic as either OpenVPN or as non-VPN traffic; the second model successfully classifies network traffic as either OpenVPN traffic that is tunnelled using Stunnel or as non-VPN traffic. Validation testing showed that the presented models are capable of classifying network traffic in a binary manner as direct (originating directly from a user’s own device) or indirect (makes use of identity and location hiding features of proxies or VPNs) with high degrees of accuracy.
    The proxy detection model additionally showed strong generalisation abilities when tested against multiple types of web-based anonymising proxies. These results demonstrate a significant advancement in the detection of unauthorised user access with evidence showing that there could be further advances for research in this field particularly in the application of business security.
    Date of AwardAug 2019
    Original languageEnglish
    SupervisorTom Lunney (Supervisor) & Kevin Curran (Supervisor)


    • Network
    • Artificial Intelligence
    • VPNs
    • Security
    • Machine Learning
    • Packet Capture
    • Data Analysis

    Cite this