Anomalies and attacks

It is tempting to think of anomalies as the result of attacks on Tor, and to see the two as sides of the same coin. In practice, however, it is more complicated.

Some attacks on Tor show up as anomalous behavior (be it by clients, the network or individual relays), while others are not visible at all. At the same time, some anomalies in our data are not related to attacks but are caused by, e.g., a bug or simply by (un-)expected new behavior after a feature landed and got deployed.

While it is important to figure out whether anomalies in our data are due to bugs, attacks, misconfiguration or some other reason (as a proper remedy might depend on their correct classification), we are mostly concerned here with ways of detecting them in the first place. That way we can focus on the particular techniques without getting derailed by the task of correctly classifying anomalies or specific incidents. Thus, even though many of the papers mentioned in the upcoming sections of this document outline either attacks or defenses against them, the scope of this work is broader than just looking at anomalies found during attacks on Tor.