Filtering onion routing traffic from malicious domain generation algorithm (DGA)-based traffic classification

What is claimed is: 1. A method comprising: receiving, at a device in a network, domain information from a plurality of traffic flows in the network; identifying, by the device, a particular address from the plurality of traffic flows as part of an onion routing system based on the received domain information, wherein identifying the particular address as part of an onion routing system based on the received domain information comprises: determining, by the device, character counts for each character that appear in domain names associated with the particular address in the received domain information, determining, by the device, a statistical distance between the character counts and a uniform distribution of character counts, and comparing, by the device, the statistical distance to a threshold value, to determine whether the particular address is part of an onion routing system; distinguishing, by the device, the particular address during analysis of the traffic flows by a traffic flow analyzer that includes a domain generation algorithm (DGA)-based traffic classifier; detecting, by the device, a malicious traffic flow from among the plurality of traffic flows using the traffic flow analyzer; and causing, by the device, performance of a mitigation action based on the detected malicious traffic flow. 2. The method as in claim 1 , wherein the mitigation action comprises one of: generation of an alert regarding the malicious traffic flow or blocking the malicious traffic flow. 3. The method as in claim 1 , wherein the onion routing system comprises The Onion Router (TOR) network. 4. The method as in claim 1 , wherein receiving the domain information from the plurality of traffic flows comprises: capturing, by the device, the domain information from the plurality of traffic flows. 5. The method as in claim 1 , wherein the statistical distance is an entropy measurement of the character counts. 6. The method as in claim 1 , further comprising: constructing, by the device, a histogram based on the determined character counts. 7. The method as in claim 1 , wherein distinguishing the particular address during analysis of the traffic flows by the traffic flow analyzer comprises at least one of: preventing analysis of the traffic flows associated with the particular address by the DGA-based traffic classifier; or determining that a result of the DGA-based traffic classifier regarding a traffic flow associated with the particular address is a false positive. 8. The method as in claim 1 , wherein the DGA-based traffic classifier is configured to label a traffic flow as benign, malicious, or related to an onion routing system. 9. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the network interfaces and configured to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed operable to: receive domain information from a plurality of traffic flows in the network; identify a particular address from the plurality of traffic flows as part of an onion routing system based on the received domain information, wherein the apparatus identifies the particular address as part of an onion routing system based on the received domain information by: determining character counts for each character that appear in domain names associated with the particular address in the received domain information; and determining a statistical distance between the character counts and a uniform distribution of character counts; and comparing the statistical distance to a threshold value, to determine whether the particular address is part of an onion routing system; distinguish the particular address during analysis of the traffic flows by a traffic flow analyzer that includes a domain generation algorithm (DGA)-based traffic classifier; detect a malicious traffic flow from among the plurality of traffic flows using the traffic flow analyzer; and cause performance of a mitigation action based on the detected malicious traffic flow. 10. The apparatus as in claim 9 , wherein the mitigation action comprises one of: generation of an alert regarding the malicious traffic flow or blocking the malicious traffic flow. 11. The apparatus as in claim 9 , wherein the onion routing system comprises The Onion Router (TOR) network. 12. The apparatus as in claim 9 , wherein the apparatus receives the domain information from the plurality of traffic flows by capturing the domain information from the plurality of traffic flows. 13. The apparatus as in claim 9 , wherein the statistical distance is an entropy measurement of the character counts. 14. The apparatus as in claim 9 , wherein the process when executed is further operable to: construct a histogram based on the determined character counts. 15. The apparatus as in claim 9 , wherein the apparatus distinguishes the particular address during analysis of the traffic flows by the traffic flow analyzer by at least one of: preventing analysis of the traffic flows associated with the particular address by the DGA-based traffic classifier; or determining that a result of the DGA-based traffic classifier regarding a traffic flow associated with the particular address is a false positive. 16. The apparatus as in claim 9 , wherein the DGA-based traffic classifier is configured to label a traffic flow as benign, malicious, or related to an onion routing system. 17. A tangible, non-transitory, computer-readable medium storing program instructions that cause a device in a network to execute a process comprising: receiving, at the device, domain information from a plurality of traffic flows in the network; identifying, by the device, a particular address from the plurality of traffic flows as part of an onion routing system based on the received domain information, wherein identifying the particular address as part of an onion routing system based on the received domain information comprises: determining, by the device, character counts for each character that appear in domain names associated with the particular address in the received domain information, determining, by the device, a statistical distance between the character counts and a uniform distribution of character counts, and comparing, by the device, the statistical distance to a threshold value, to determine whether the particular address is part of an onion routing system; distinguishing, by the device, the particular address during analysis of the traffic flows by a traffic flow analyzer that includes a domain generation algorithm (DGA)-based traffic classifier; detecting, by the device, a malicious traffic flow from among the plurality of traffic flows using the traffic flow analyzer; and causing, by the device, performance of a mitigation action based on the detected malicious traffic flow. 18. The tangible, non-transitory, computer-readable medium as in claim 17 , wherein the statistical distance is an entropy measurement of the character counts. 19. The tangible, non-transitory, computer-readable medium as in claim 17 , wherein the process when executed is further operable to: construct a histogram based on the determined character counts. 20. The tangible, non-transitory, computer-readable medium as in claim 17 , wherein the process distinguishes the particular address during analysis of the traffic flows by the traffic flow analyzer by at least one of: preventing analysis of the tr