DarknetSec: A novel self-attentive deep learning method for darknet traffic classification and application identification

https://doi.org/10.1016/j.cose.2022.102663

Abstract

Darknet traffic classification is crucial for identifying anonymous network applications and defending against cybercrime. Although notable research efforts have been dedicated to classifying darknet traffic by combining machine learning algorithms with elaborately designed features, current methods either depend heavily on hand-crafted features or overlook the global intrinsic relationships among the local features automatically extracted from different data positions, leading to limited classification performance. To tackle this issue, we propose DarknetSec, a novel self-attentive deep learning method for darknet traffic classification and application identification. Concretely, DarknetSec utilizes a cascaded model with a 1-dimensional Convolutional Neural Network (1D CNN) and a bidirectional Long Short-Term Memory (Bi-LSTM) network to capture local spatial-temporal features from the payload content of packets, while the self-attention mechanism is integrated into this feature extraction network to mine the intrinsic relationships and hidden connections among the previously extracted content features. In addition, DarknetSec extracts side-channel features from payload statistics to enhance its classification performance. We evaluate DarknetSec on the CICDarknet2020 dataset, which is a representative of darknet traffic covering both Virtual Private Network (VPN) and The Onion Router (Tor) applications. Thorough experiments show that DarknetSec is superior to other state-of-the-art methods, achieving a multiclass accuracy of 92.22% and a macro-F1-score of 92.10%. Additionally, DarknetSec maintains its high accuracy when applied to other encrypted traffic classification tasks.

Introduction

Darknet is described as an individual encrypted part of the Internet that can only be accessed with specific anonymity tools such as The Onion Router (Tor), the Invisible Internet Project (I2P), Virtual Private Networks (VPN), and JonDonym (generally known as Java Anon Proxy, JAP, or WebMix) (Montieri et al., 2018). The earliest case of using darknet can be traced back to 1971, when two students from the Massachusetts Institute of Technology and Stanford University used the Advanced Research Project Agency network (ARPANET) to trade marijuana in the artificial intelligence laboratory of the Massachusetts Institute of Technology (Buxton and Bingham, 2015). Since the ARPANET was formed, the definition of darknet has been extended to Peer-to-Peer (P2P) networks and private networks such as Tor (Barratt, 2015, Wood, 2009). After the publication of “The Darknet and the Future of Content Distribution” in 2002 (Biddle et al., 2002), the concept of darknet gained wide acceptance in academic communities. It should be noted that in some previous literature, darknet is also defined as the unused address space of the Internet (also known as network telescopes, sinkholes, or blackholes) that has not been assigned to any hosts or devices (Fachkha, Debbabi, 2015, Iglesias, Zseby, 2017, Niranjana, Kumar, Sheen, 2020). However, this type of darknet is beyond the scope of this paper and is left for future research.

Through encryption techniques and P2P connection networks, darknet provides anonymous services to individual users and can effectively resist routing eavesdropping and other traffic analysis techniques, thus ensuring the confidentiality and integrity of the communication data. In the first quarter of 2020, nearly two million users worldwide connected directly to Tor services, while approximately 50,000 users connected to Tor services indirectly through bridges (Habibi Lashkari et al., 2020). Due to its anonymous nature, darknet is widely used for criminal activities, such as drug dealing, arms smuggling, child pornography, terrorism and cyberattacks (e.g., botnets) (Adewopo, Gonen, Varlioglu, Ozer, 2019, Al-Nabki, Fidalgo, Alegre, Fernández-Robles, 2019). Therefore, accurately identifying darknet traffic and its corresponding application types is highly valuable for monitoring malware propagation early, detecting malicious activities and combating cybercrime. Although private networks and encryption techniques provide individual users with anonymity, the interactive network traffic generated when an end user visits a darknet application can still reveal the intrinsic characteristics of the hidden network service (Dong, Zhang, Lu, Liu, Jiang, 2020, Lin, Xu, Gao, 2021, Shapira, Shavitt, 2021). Indeed, as an essential part of traffic engineering, network traffic classification can be used to identify the specific darknet application type that an end user communicates with.

Previous works on network traffic classification can be divided into three main categories according to their analysis approaches: port-based, signature-based and statistical-based techniques (Xie et al., 2021). Port-based methods rely on the specific transport port numbers registered by the Internet Assigned Numbers Authority (IANA) to represent well-known services; such approaches are prone to failure due to the widespread use of dynamic ports and covert channel techniques. Signature-based methods generally use payload analysis techniques such as Deep Packet Inspection (DPI) to mine unique signatures from packet payloads and determine whether the traffic under inspection contains a specific signature. However, because darknet communication is encrypted, conventional signature-based methods fail to analyze darknet traffic. Statistical-based methods extract traffic features at the packet level or flow level and leverage machine learning algorithms to train a classifier that distinguishes between different traffic types. Since machine learning has made great progress in many classification-related fields, statistical-based methods have become a research hotspot in network traffic classification, attracting widespread attention from both academia and industry (Pacheco et al., 2018).

At present, many researchers adopt data-driven methods to make full use of the powerful learning capabilities of machine learning algorithms for the darknet traffic classification problem. For instance, several conventional machine learning methods, including the Light Gradient Boosting Machine (LightGBM), K-nearest Neighbor (KNN) algorithm, Logistic Regression (LR), Random Forest (RF), Naive Bayesian (NB) model and Decision Tree (DTree) (Kumar, Vranken, van Dijk, Hamalainen, 2019, Montieri, Ciuonzo, Aceto, Pescapé, 2018, Montieri, Ciuonzo, Bovenzi, Persico, Pescapé, 2019), have already been applied to this research field. However, in terms of model training, these methods either rely heavily on hand-crafted features or resort to a time-consuming feature selection process, leading to unstable performance across different network environments. As a further improvement, deep learning methods (Dong, Zhang, Lu, Liu, Jiang, 2020, Habibi Lashkari, Kaur, Rahali, 2020, Lin, Xu, Gao, 2021, Shapira, Shavitt, 2021, Singh, Shukla, Sajwan, 2021) such as Convolutional Neural Networks (CNNs) and Recurrent Neural Networks (RNNs) have also been introduced to automatically extract high-level feature representations from network traffic, significantly reducing the reliance on domain experts and improving generalizability across network environments. Compared with conventional machine learning approaches, deep learning has the advantage that features are not extracted manually but are learned automatically from the input data through a neural network. However, current deep learning-based methods mainly concentrate on extracting local spatial or temporal features from network traffic, whereas the global intrinsic dependency relationships and hidden connections among the local features extracted from different data positions are not fully considered, which ultimately leads to unsatisfactory classification performance.

To tackle the aforementioned problems, in this paper, we propose DarknetSec, a novel self-attentive deep learning method for darknet traffic classification and application identification. Each part of DarknetSec processes either the payload content or the payload statistics of a network flow. Concretely, a self-attention-embedded 1D CNN and a bidirectional Long Short-Term Memory (Bi-LSTM) network are leveraged to extract local spatial-temporal features from the payload content of packets, and a multi-head self-attention module is designed to process the payload content in parallel. The output of the multi-head self-attention module and the local spatial-temporal features extracted by the self-attention-embedded 1D CNN and Bi-LSTM network are fed together into another attention module, which automatically captures the global intrinsic dependency relationships and hidden connections among the local spatial-temporal features with different attention weights. Additionally, to enhance classification accuracy, a side-channel feature learning module extracts feature representations from the payload statistics. Finally, the deep features described above are concatenated into a single vector and fed into a classification layer to obtain predictions. Thorough experiments on the CICDarknet2020 dataset show that the adoption of the self-attention mechanism, together with the comprehensive consideration of both side-channel features and content features, significantly improves the accuracy of darknet traffic classification and application identification.
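To make the attention step described in the abstract and the paragraph above concrete, the following added example (not the paper's code) implements multi-head scaled dot-product self-attention in pure Python over a short sequence of per-byte payload embeddings, so that each payload position's output becomes a weighted mix of every other position. The byte embedding, the projection matrices, the toy sizes (DIM, HEADS) and the sample payload bytes are all constructed stand-ins for the learned components the paper trains.

```python
import math

DIM, HEADS = 8, 2   # model width and head count: constructed toy sizes


def softmax(row):
    """Numerically stable softmax over one row of attention scores."""
    m = max(row)
    exps = [math.exp(v - m) for v in row]
    total = sum(exps)
    return [e / total for e in exps]


def matmul(a, b):
    """Plain list-of-lists matrix product (a: n x k, b: k x m)."""
    return [[sum(a[i][t] * b[t][j] for t in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]


def projection(seed, rows, cols):
    """Deterministic stand-in for a learned Q/K/V weight matrix (constructed)."""
    return [[math.cos(seed + 0.37 * i + 0.91 * j) / math.sqrt(cols)
             for j in range(cols)] for i in range(rows)]


def byte_embed(payload, dim=DIM):
    """Toy per-byte embedding: sinusoids of the byte value (constructed, not a
    learned lookup table). Identical bytes map to identical vectors."""
    return [[math.sin((b + 1) * (j + 1) / 9.0) for j in range(dim)]
            for b in payload]


def attention(q, k, v):
    """One head: scores = QK^T / sqrt(d), weights = softmax(scores), out = weights V.
    weights[i] says how strongly position i attends to each other position."""
    d = len(q[0])
    scores = [[sum(q[i][t] * k[j][t] for t in range(d)) / math.sqrt(d)
               for j in range(len(k))] for i in range(len(q))]
    weights = [softmax(r) for r in scores]
    return matmul(weights, v), weights


def multi_head_self_attention(x, heads=HEADS):
    """Project x into `heads` independent Q/K/V subspaces, attend in each, and
    concatenate the head outputs along the feature axis."""
    dim, hd = len(x[0]), len(x[0]) // heads
    out, per_head = [[] for _ in x], []
    for h in range(heads):
        q = matmul(x, projection(h + 1.0, dim, hd))
        k = matmul(x, projection(h + 2.0, dim, hd))
        v = matmul(x, projection(h + 3.0, dim, hd))
        o, w = attention(q, k, v)
        for i, row in enumerate(o):
            out[i].extend(row)
        per_head.append(w)
    return out, per_head


def attend_payload(payload, heads=HEADS):
    """Embed raw payload bytes and run multi-head self-attention over them."""
    return multi_head_self_attention(byte_embed(payload), heads)


# Constructed sample: the first eight payload bytes of one packet in a flow.
SAMPLE = bytes([0x16, 0x03, 0x01, 0x00, 0xc8, 0x16, 0x00, 0x00])
```

Positions holding the same byte value (offsets 0 and 5, or 3, 6 and 7 in SAMPLE) produce identical attention rows and outputs here because the toy embedding carries no positional information; the paper's 1D CNN and Bi-LSTM stages are what supply position-dependent context before attention.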

In summary, the main contributions of this paper are as follows:

  • The 1D CNN, Bi-LSTM network and self-attention mechanism are integrated into a classifier to capture efficient local spatial-temporal features and mine the global intrinsic dependency relationships and hidden connections among them. To the best of our knowledge, this is the first study that addresses the darknet traffic classification problem using a multi-head self-attention module.

  • We propose DarknetSec, a powerful end-to-end deep learning-based classification architecture using both side-channel features and content features. Our experiments show that DarknetSec can not only accurately classify darknet traffic but also maintain a high accuracy when applied to other encrypted traffic classification tasks.

  • Extensive experiments conducted on the CICDarknet2020 dataset show that DarknetSec significantly outperforms other state-of-the-art methods in terms of the accuracy and F1-score metrics, demonstrating its superiority to effectively classify darknet traffic and identify its underlying application types.

The rest of this paper is organized as follows. Section 2 reviews the state-of-the-art related work. The system architecture of DarknetSec and its key components are detailed in Section 3. Experimental evaluations are presented in Section 4, and we conclude this paper in Section 5.

Related work

In this section, we review the related studies that investigate, analyze and classify darknet traffic, and we also shed light on encrypted traffic classification and spatial-temporal feature learning for classification-related tasks.

The proposed DarknetSec

In this work, we propose DarknetSec, a self-attentive deep feature learning architecture, to classify darknet traffic and identify its specific application types. We present the overview and design details of each layer in DarknetSec. In summary, DarknetSec is a typical end-to-end classification solution for darknet traffic that outputs the application type of each network flow. The notations introduced in this paper are presented in Table 1.

Experimental evaluation

In this section, we evaluate the performance of DarknetSec. We conduct most experiments on the CICDarknet2020 dataset, which is composed of VPN and Tor applications and acts as a real representative of darknet traffic by merging two public datasets, namely, ISCXTor2016 and ISCXVPN2016 (Habibi Lashkari et al., 2020). Network flow samples are divided into two types, benign and darknet, and the numbers of benign and darknet network flows containing application layer data are

Conclusion

In this paper, we propose DarknetSec, which can accurately classify the encrypted network flows of darknet traffic using a self-attentive deep learning method. We extract content features from the payload content of packets and side-channel features from payload statistics. Through multiple deep feature learning, we turn the darknet application identification problem into a typical classification task and use hybrid deep learning algorithms to design a powerful classifier. The experiments

CRediT authorship contribution statement

Jinghong Lan: Conceptualization, Methodology, Validation, Software, Investigation, Data curation, Writing – original draft, Writing – review & editing. Xudong Liu: Supervision, Resources, Formal analysis, Writing – review & editing. Bo Li: Funding acquisition, Supervision, Project administration. Yanan Li: Visualization, Software, Validation. Tongtong Geng: Validation, Writing – review & editing.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgments

This work was supported by the National Key R&D Program of China (2018YFB0803 503), the 2018 Joint Research Foundation of the Ministry of Education and China Mobile (MCM20180507) and the Opening Project of the Shanghai Trusted Industrial Control Platform (TICPSH202003020-ZC).

Jinghong Lan is a PhD candidate in the School of Computer Science and Engineering, Beihang University, China. He received the MS degree in the School of Cyberspace Security from PLA Information Engineering University in Zhengzhou, China. His current research interests include intrusion detection, machine learning, and deception defense.

References

  • J. Yang et al., A hierarchical deep convolutional neural network and gated recurrent unit framework for structural damage detection, Inf. Sci. (2020)
  • Z.-b. Yang et al., Interpreting network knowledge with attention mechanism for bearing fault diagnosis, Appl. Soft Comput. (2020)
  • V. Adewopo et al., Plunge into the underworld: a survey on emergence of darknet, 2019 International Conference on Computational Science and Computational Intelligence (CSCI) (2019)
  • M. Barratt, A discussion about dark net terminology, Drugs Internet Soc. (2015)
  • P. Biddle et al., The darknet and the future of content distribution, ACM Workshop on Digital Rights Management (2002)
  • J. Buxton et al., The rise and challenge of dark net drug markets, Policy Brief (2015)
  • C. Fachkha et al., Darknet as a source of cyber intelligence: survey, taxonomy, and characterization, IEEE Commun. Surv. Tutor. (2015)
  • A. Habibi Lashkari et al., DIDarknet: a contemporary approach to detect and characterize the darknet traffic using deep image learning, 2020 the 10th International Conference on Communication and Network Security (2020)
  • F. Iglesias et al., Pattern discovery in internet background radiation, IEEE Trans. Big Data (2017)
  • L.A. Iliadis et al., Darknet traffic classification using machine learning techniques, 2021 10th International Conference on Modern Circuits and Systems Technologies (MOCAST) (2021)
  • P.R. Kanna et al., Unified deep learning approach for efficient intrusion detection system using integrated spatial–temporal features, Knowl. Based Syst. (2021)

Xudong Liu is a professor in the School of Computer Science and Engineering, Beihang University, China. His current research interests include machine learning, big data and industrial information security.

Bo Li is an Assistant Professor in the School of Computer Science and Engineering, Beihang University, China. He received the PhD degree in the School of Computer Science and Engineering from Beihang University. His current research interests include industrial information security, mobile and IoT security, and cyber threat intelligence.

Yanan Li is an MSc candidate in the School of Computer and Information Security, Guilin University of Electronic Technology, China. He received the BS degree in the School of Cyberspace Security from PLA Information Engineering University in Zhengzhou, China. His current research interests include intrusion detection, machine learning, and knowledge graph technology.

Tongtong Geng is a PhD candidate in the School of Economics and Management, Xidian University, China. She received the MS degree in the School of Economics and Management, Xidian University, China. Her current research interests include sharing economy business models, machine learning, and big data research.