Captured network traces
=======================
The following are lists of proxy traffic traces and unobfuscated
(regular) traffic traces captured for testing and evaluation of
CovertMark during the project. All traffic was captured under realistic
internet browsing conditions on the modern web, carried out
by real humans. This marks the greatest distinction between the
CovertMark datasets and the datasets used in prior research on
protocol-obfuscation detection.

Sources and destinations of packets have been scrambled with
Crypto-PAn, primarily to protect the exact addresses of Tor PT bridges in
proxy traces. Regular traffic captured as controls and negative training
data was produced by human volunteers under experimental conditions, with
detailed instructions to protect their privacy. All unencrypted and
non-TCP traffic has also been stripped out. However, in contrast with
CAIDA traces, all encrypted payloads have been
preserved, along with some cleartext metadata such as TLS SNI
hostnames. This allows CovertMark to examine encrypted network traffic
from the exact perspective of state censors performing advanced DPI
detection of proxy servers.

Click on the file names below to download associated traces.

Proxy Traces
------------

All proxy traces are unaffected by TCP segmentation offload (TSO), with
longer-than-MTU payloads fully segmented.

+------------------+-----+-------------+-------------+---------------+
| File Name | Pac\| IP(s) of | IP(s) of | Port(s) of |
| | ket\| Proxy | Proxy | Proxy Servers |
| | s | Clients | Servers | |
+==================+=====+=============+=============+===============+
| `shadowsocks1_an\| 674\| 130.0.170.1\| 12.173.72.5\| 443, 995 |
| on `__ | | 130.0.174.2\| 56.136.248.\| |
| | | 53 | 69 | |
+------------------+-----+-------------+-------------+---------------+
| `shadowsocks2_an\| 286\| 130.0.175.1\| 213.69.160.\| 443 |
| on `__ | | | | |
+------------------+-----+-------------+-------------+---------------+
| `meek1_anon `__ | | 47 | 8.244 | |
+------------------+-----+-------------+-------------+---------------+
| `meek2_anon `__ | | | | |
+------------------+-----+-------------+-------------+---------------+
| `obfs4-1_anon `__ | | 207.52.86.2\| 109.45.76.1\| |
| | | 3 | 94 | |
+------------------+-----+-------------+-------------+---------------+
| `obfs4-2_anon `__ | | | | |
+------------------+-----+-------------+-------------+---------------+

Negative / Regular Traffic Traces
---------------------------------

The longer, multi-client ``cantab_anon.pcap`` was captured on machines
with TCP segmentation offloading due to technical limitations, which
means that longer-than-MTU payloads will appear unsegmented. This does
not, however, affect CovertMark’s default detection strategies. The
shorter, single-client ``lso_anon.pcap`` is unaffected, with all
longer-than-MTU payloads properly segmented.

+-----------------+-----------------+-----------------+-----------------+
| File Name       | Packets         | Concurrent      | Client          |
|                 |                 | Users           | IPs/Subnets     |
+=================+=================+=================+=================+
| lso_anon        |                 |                 |                 |
+-----------------+-----------------+-----------------+-----------------+
| cantab_anon     |                 |                 |                 |
+-----------------+-----------------+-----------------+-----------------+
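
A quick way to check whether a trace contains the unsegmented, longer-than-MTU payloads described above for ``cantab_anon.pcap``, written as an added example that is not part of CovertMark. It assumes a classic little-endian pcap file with Ethernet framing and a 1500-byte MTU; the function names and the sample capture are constructed for illustration.

```python
import struct

MTU = 1500  # assumption: standard Ethernet MTU on the capture link

def oversized_tcp_packets(pcap_bytes, mtu=MTU):
    """Return [(packet_no, ip_length)] for IPv4/TCP packets longer than the MTU.

    Assumes a classic little-endian pcap file with Ethernet (linktype 1) framing.
    """
    magic, *_, linktype = struct.unpack_from("<IHHiIII", pcap_bytes, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet framing")
    hits, offset, packet_no = [], 24, 0
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, orig_len = struct.unpack_from("<IIII", pcap_bytes, offset)
        frame = pcap_bytes[offset + 16 : offset + 16 + incl_len]
        offset += 16 + incl_len
        packet_no += 1
        # Need Ethernet (14) + minimal IPv4 header (20); skip non-IPv4 and non-TCP.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        ip_length = struct.unpack_from("!H", frame, 16)[0]
        if ip_length == 0:
            # Offloaded packets may be captured with a zero total-length field;
            # fall back to the on-wire frame length minus the Ethernet header.
            ip_length = orig_len - 14
        if ip_length > mtu:
            hits.append((packet_no, ip_length))
    return hits

def build_frame(payload_len):
    """Constructed sample frame: Ethernet + IPv4 + TCP headers, zero payload."""
    ip_length = 40 + payload_len
    field = ip_length if ip_length <= 0xFFFF else 0  # mimic the zero-length case
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, field, 0, 0, 64, 6, 0, bytes(4), bytes(4))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + bytes(payload_len)

def build_pcap(frames):
    """Wrap constructed frames in a classic pcap container."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    for frame in frames:
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

# Constructed sample: two in-MTU packets, one 3-segment burst, one >64 KiB burst.
SAMPLE = build_pcap([build_frame(n) for n in (1000, 1460, 4380, 70000)])

if __name__ == "__main__":
    print(oversized_tcp_packets(SAMPLE))
```

An empty result is what a fully segmented trace should give; any hits mean per-packet payload lengths in that trace reflect offloaded bursts rather than on-wire segments.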