Captured network traces

The following are lists of proxy traffic traces and unobfuscated (regular) traffic traces captured for testing and evaluating CovertMark during the project. All traffic was captured under realistic internet browsing conditions on the modern web, with the browsing carried out by real humans. This marks the greatest distinction between the CovertMark datasets and the datasets used in prior protocol obfuscation detection research.

Sources and destinations of packets have been scrambled with Crypto-PAn, primarily to protect the exact addresses of Tor PT bridges in proxy traces. Regular traffic captured as controls and negative training data was produced by human volunteers under experimental conditions, with detailed instructions to protect their privacy. All unencrypted and non-TCP traffic has also been stripped out. However, in contrast with CAIDA traces, all encrypted payloads have been preserved, along with some cleartext metadata such as TLS SNI hostnames. This allows CovertMark to examine encrypted network traffic from the exact perspective of state censors performing advanced DPI detection of proxy servers.

Click on the file names below to download associated traces.

Proxy Traces

All proxy traces are unaffected by TCP segmentation offload (TSO), with longer-than-MTU payloads fully segmented.

| File Name | Packets | IP(s) of Proxy Clients | IP(s) of Proxy Servers | Port(s) of Proxy Servers |
|---|---|---|---|---|
| shadowsocks1_anon | 674458 | 130.0.170.18, 130.0.174.253 | 12.173.72.53, 56.136.248.69 | 443, 995 |
| shadowsocks2_anon | 286887 | 130.0.175.123 | 213.69.160.49 | 443 |
| meek1_anon | 756548 | 39.22.50.9, 130.0.168.247 | 6.78.64.204, 35.130.168.244 | 443 |
| meek2_anon | 602134 | 39.22.56.17 | 6.97.147.45 | 443 |
| obfs4-1_anon | 619754 | 39.22.52.90, 207.52.86.23 | 20.234.236.206, 109.45.76.194 | 443, 38224 |
| obfs4-2_anon | 373504 | 130.0.171.196 | 20.234.236.206 | 38224 |

Negative / Regular Traffic Traces

The longer, multi-client cantab_anon.pcap was captured on machines with TCP segmentation offloading enabled due to technical limitations, which means that longer-than-MTU payloads will appear unsegmented. This does not, however, affect CovertMark’s default detection strategies. The shorter, single-client lso_anon.pcap is unaffected, with all longer-than-MTU payloads properly segmented.

| File Name | Packets | Concurrent Users | Client IPs/Subnets |
|---|---|---|---|
| lso_anon | 200405 | 1 | 130.0.169.136/32 |
| cantab_anon | 1566737 | 5 | 171.69.236.0/25 |
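
A quick way to confirm the segmentation property stated for each trace above (an added example, not part of CovertMark or the original page): count IPv4/TCP frames whose on-wire size exceeds the MTU. It assumes classic pcap files with an Ethernet link layer and a 1500-byte MTU; `tso_summary` and `build_sample` are hypothetical names, and the sample capture is constructed.

```python
import struct

ETH_HDR = 14  # assumption: Ethernet link layer (pcap linktype 1)

def tso_summary(pcap: bytes, mtu: int = 1500):
    """Return (tcp_packets, oversized) for a classic pcap byte string."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    off, tcp, oversized = 24, 0, 0
    while off + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Keep IPv4/TCP frames only (EtherType 0x0800, IP protocol 6).
        if len(frame) < ETH_HDR + 20 or frame[12:14] != b"\x08\x00":
            continue
        if frame[ETH_HDR + 9] != 6:
            continue
        tcp += 1
        # orig_len is the on-wire size, so snaplen truncation does not hide
        # a frame that appears unsegmented (larger than the MTU) in the capture.
        if orig_len - ETH_HDR > mtu:
            oversized += 1
    return tcp, oversized

def build_sample(payload_lens):
    """Constructed capture: one IPv4/TCP frame per TCP payload length."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n in payload_lens:
        ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, (40 + n) & 0xFFFF, 0, 0,
                         64, 6, 0, bytes(4), bytes(4))
        tcp = struct.pack(">HHIIBBHHH", 40000, 443, 0, 0, 0x50, 0x18, 65535, 0, 0)
        frame = bytes(12) + b"\x08\x00" + ip + tcp + bytes(n)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    # Constructed data: two MSS-sized segments and one 4380-byte offloaded one.
    print(tso_summary(build_sample([1460, 1460, 4380])))  # (3, 1)
```

A non-zero second value indicates a capture taken with segmentation offload active, as described for cantab_anon.pcap; a fully segmented trace should report zero.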