Captured network traces
The followed are lists of proxy traffic traces and unobfuscated (regular) traffic traces captured for testing and evaluation of CovertMark during the project. All traffic were captured under realistic internet browsing conditions on the modern web, which were carried out by real humans. This marks the greatest distinction between the CovertMark datasets and datasets used in prior protocol-obfuscation-detection researches.
Sources and destinations of packets have been scrambled with Crypto-PAn, which is primarily to protect the exact addresses of Tor PT bridges in proxy traces. Regular traffic captured as controls and negative training data were produced by human volunteers under experimental conditions with detailed instructions to protect their privacy. All unencrypted and non-TCP traffic have also been stripped out. However, in contrast with CAIDA traces, all encrypted payloads have been preserved, along with some cleartext metadata such as TLS SNI hostnames. This allows CovertMark to examine encrypted network traffic from the exact perspective of state censors performing advanced DPI detection of proxy servers.
Click on the file names below to download associated traces.
Proxy Traces
All proxy traces are unaffected by TCP segmentation offload (TSO), with longer-than-MTU payloads fully segmented.
File Name |
Packets |
IP(s) of Proxy Clients |
IP(s) of Proxy Servers |
Port(s) of Proxy Servers |
---|---|---|---|---|
674458 |
130.0.170.18, 130.0.174.253 |
12.173.72.53, 56.136.248.69 |
443, 995 |
|
286887 |
130.0.175.123 |
213.69.160.49 |
443 |
|
756548 |
39.22.50.9, 130.0.168.247 |
6.78.64.204, 35.130.168.244 |
443 |
|
602134 |
39.22.56.17 |
6.97.147.45 |
443 |
|
619754 |
39.22.52.90 , 207.52.86.23 |
20.234.236.206, 109.45.76.194 |
443, 38224 |
|
373504 |
130.0.171.196 |
20.234.236.206 |
38224 |
Negative / Regular Traffic Traces
The longer, multi-client cantab_anon.pcap
was captured on machines
with TCP segmentation offloading due to technical limitations, which
means that longer-than-MTU payloads will appear unsegmented. This does
not however affect CovertMark’s default detection strategies. The
shorter, single-client lso_anon.pcap
is unaffected with all longer-than-MTU
payloads properly segmented.
File Name |
Packets |
Concurrent Users |
Client IP’s/Subnets |
---|---|---|---|
200405 |
1 |
130.0.169.136/32 |
|
1566737 |
5 |
171.69.236.0/25 |