The ascent of network traffic classification in the dark net: A survey

Abstract

The Darknet is a section of the internet that is encrypted and untraceable, making it a popular location for illicit and illegal activities. However, the anonymity and encryption provided by the network also make identifying and classifying network traffic significantly more difficult. The objective of this study was to provide a comprehensive review of the latest advancements in methods used for classifying darknet network traffic. The authors explored various techniques and methods used to classify traffic, along with the challenges and limitations faced by researchers and practitioners in this field. The study found that current methods for traffic classification in the Darknet have an average classification error rate of around 20%, due to the high level of anonymity and encryption present in the Darknet, which makes it difficult to extract features for classification. The authors analysed several quantitative values, including accuracy rates ranging from 60% to 97%, simplicity of execution ranging from 1 to 9 steps, real-time implementation ranging from less than 1 second to over 60 seconds, unknown traffic identification ranging from 30% to 95%, encrypted traffic classification ranging from 30% to 95%, and time and space complexity ranging from O(1) to O(2ⁿ). The study examined various approaches used to classify traffic in the Darknet, including machine learning, deep learning, and hybrid methods. The authors found that deep learning algorithms were effective in accurately classifying traffic on the Darknet, but the lack of labelled data and the dynamic nature of the Darknet limited their use. Despite these challenges, the study concluded that proper traffic classification is crucial for identifying malicious activity and improving the security of the Darknet. Overall, the study suggests that, although significant challenges remain, there is potential for further development and improvement of network traffic classification in the Darknet.

Keywords

Network communication Artificial intelligence Clustering algorithms Semi-supervised models Statistical analysis Deep neural networks

1 Introduction

The process of classifying the different kinds of data that are sent across a network is referred to as network traffic classification [1]. This process is important for a variety of reasons, including security, performance monitoring, and resource allocation. One particular area of interest in network traffic classification is the dark net, also known as the dark web [2]. It is frequently linked to illegal activities, including the trade of illicit products and the distribution of illegal drugs, but it is also used for legitimate purposes such as anonymous communication and privacy protection [3, 4]. Due to the nature of the dark net, it is difficult to accurately classify the traffic that is transmitted over it. This is because the data is encrypted, and the sources and destinations of the traffic are often hidden. There have been several approaches to classifying dark net traffic, including machine learning algorithms, statistical analysis, and packet inspection. These methods have had varying degrees of success, but there are still challenges in accurately identifying the types of data that are transmitted over the dark net. A systematic approach to evaluating the efficacy of these methods is to perform a literature review that encompasses all the available studies on the subject of network traffic classification in the dark net [5]. This involves collecting and analysing research studies that have been published on the topic and evaluating their strengths and limitations. A review of this nature can help identify the most effective methods for classifying dark net traffic as well as areas where further research is needed. It can also provide insights into the current state of knowledge on this topic and highlight potential areas for future research. Figure 1 portrays the network traffic classification methods.

Fig. 1

Network Traffic Classification Methods.

Classification of network traffic is a vital aspect of network management and security, as it allows for the identification and management of different types of network traffic. The dark net, also known as the dark web, is a collection of hidden networks and websites that are not indexed by search engines and are only accessible through specific software or configurations. The classification of network traffic in the dark net is particularly challenging due to the anonymity and encryption used by users. Port-based classification involves identifying the port number used by a network packet to determine its type. This method is simple and efficient, but it may not be able to accurately classify encrypted or tunnelled traffic. Payload-based classification involves analysing the contents of a network packet to determine its type. This method is more accurate than port-based classification, but it can be computationally expensive and may not be able to classify encrypted traffic. Statistical-based classification involves analysing statistical features of network traffic, such as inter-arrival times and packet sizes, to determine its type. This method is efficient and can be used to classify encrypted traffic, but it may not be as accurate as payload-based classification. Machine learning and deep learning are advanced methods for classifying network traffic. These methods involve training a model on a dataset of labelled network traffic to identify patterns and classify new traffic. These algorithms are quite accurate and can be used to categorise encrypted communication, but they need a substantial amount of labelled information and computational resources.

The scientific novelty of this research can be summarised as follows:

Comprehensive summary of the latest advancements in darknet traffic classification methods: This study provides an extensive assessment of the state-of-the-art techniques employed to recognise and analyse data transmitted over the Darknet network, including machine learning, deep learning, and hybrid methods. This comprehensive summary of the latest advancements is an important contribution to the field.

Evaluation of challenges and limitations faced by researchers and practitioners: The study examines the various challenges and limitations faced by researchers and practitioners in this field, which is an important contribution to the field as it can guide future research and development.

Experimental evaluation of Darknet traffic classification methods: The study presents experimental results that show the limitations of current methods for traffic classification in the Darknet, with an average classification error rate of around 20%. The study also shows that deep learning algorithms were effective in accurately classifying traffic on the Darknet, despite the challenges faced by researchers and practitioners.

Identification of the importance of proper traffic classification for identifying malicious activity and improving the security of the Darknet: The study highlights the importance of proper traffic classification for identifying malicious activity and improving the security of the Darknet, which is an important contribution to the field as it can guide future research and development.

Overall, this research contributes to the advancement of darknet traffic classification methods and provides important insights into the challenges and limitations faced by researchers and practitioners in this field.In conclusion, classifying network traffic on the dark web can be quite demanding due to the secrecy and encryption employed by its users. Several approaches, including port-based, payload-based, statistically-based, machine learning, and deep learning, have been suggested to address this problem, each with its own advantages and limitations. To achieve the best performance, a combination of different methods may be used.

This paper’s remaining sections are structured as follows. Section 2 provides a comprehensive scientific examination concentrating on contemporary challenges and resolutions in network traffic planning and models. Section 3 discusses some important concepts and approaches related to traffic monitoring. Section 4 introduces an accessible database designed for traffic applications. Section 5 explores the measures that can be utilized to evaluate the efficiency of various methods. Section 6 examines the problems and future work.

2 Network traffic characterization strategies

The Dark Net, also known as the Dark Web, is a vast and largely unregulated online network that is accessed through encrypted channels. It is often associated with illegal activities such as the sale of drugs and weapons, human trafficking, and cybercrime. Despite the negative connotations, the Dark Net is also home to a variety of legitimate purposes, such as anonymous communication and the sharing of sensitive information. In recent years, the challenge of categorising darknet traffic has received a lot of attention. The process of determining the purpose of the data that is being sent over a network and identifying its type is referred to as network traffic classification. This is important because it allows network administrators to monitor and control the flow of traffic, ensuring the security and efficiency of the network. Table 1 represents the related work in the machine learning-based traffic classification scheme.Previously, identifying traffic and determining its purpose was a straightforward task. When network traffic patterns became more complex and utilised non-standard or well-known protocol port numbers, a novel method was developed that entailed analysing the payload to discover application traffic. However, this strategy also had its shortcomings. Modern approaches therefore employ statistical or behaviour-based techniques to alleviate the limitations of traditional techniques. The remaining sections of this study examine the merits and disadvantages of various traffic classification methods.

Table 1
Related work in Machine Learning based Traffic Classification Scheme

Reference Features used ML Algorithms Category Feature Computation Overhead Dataset Granularity

Karagiannis et al. [19] 1 Port Relationship and Host Negotiation
2 Host Relationship
3 social level, network level, and application level. Host-Behaviour Monitoring Behaviour based Classification High EDONKEY2000,MSN MESSENGER,IRC,NNTP AND SSH High-Level

Zander et al. [20] 1 Flow size and Duration
2 Statistics on the length of packets
3 Statistics related to the time between arrivals. Auto Class Unsupervised Clustering Moderate DNS,SMTP,TELNET, FTP,NAPSTER AND AOL Low-Level

McGregor et al.[21] 1 Inter-arrival and Packet Length statistics.
2 Byte Counts
3 Flow Duration Expectation Maximization Unsupervised Clustering Moderate IMAP,FTP, SMTP,NTP AND DNS High-Level

J.Erman et al. [22] 1 The size of packets on average.
2 Mean length of time that packets remain in a flow.
3 Flow size K-Means Clustering Unsupervised Clustering High WEB,E-MAIL,DATABASE, P2P,P2P(ENCRYPTED), CHAT,FTP,STREAMING AND OTHER High-Level

Moore and Zuev [23] 1 The statistics for the time between the arrival of packets and the size of their payloads.
2 Flow Duration
3 TCP port Number
4 The Fourier transform applied to the time intervals between packets arriving.
5 Entropy-based effective bandwidth. NaÃ⁻ve Bayes Supervised Clustering High BULK, DATABASE, INTERACTIVE, MAIL, SERVICES, WWW, ATTACK, GAMES AND MULTIMEDIA High-Level

Kim et al. [24], Este et al [25] 1 Port Number,Protocol
2 Quantity of packets
3 Bytes that have been transmitted.
4 Beginning and concluding times.
5 The mean rate of packets and bytes transmitted.
6 Inter-arrival time among packets
7 Packet size Support Vector Machine Supervised Clustering Moderate WWW,DNS,MAIL, CHAT,FTP,P2P, STREAMING AND GAME Low-Level

Reference Features used ML Algorithms Category Feature Computation Overhead Dataset Granularity

T. Bujlow et al [26] 1 Flow -Start and End Time
2 IP Address
3 Port,Protocol(TCP,UDP)
4 Application Name C4.5 Decision Tree Supervised Classification Moderate AUDIO,FILE,P2P,SSH, VIDEO AND WEB Low-Level

Valentin et al. [27] 1 Port, Protocol(TCP,UDP)
2 Average Packet Size
3 Flow Time
4 Flow rate
5 Inter-Arrival Time DPI+C5.0 Decision Tree Semi-Supervised High WEB,DD,MULTIMEDIA, P2P,MAIL,BULK,VOIP, DNS,CHAT,GAMES, ENCRYPTION AND OTHERS High-Level

J.Erman et al. [28] 1 Average Inter-Arrival Time
2 Packet Size
3 Total Packet Count
4 Maximum Bytes Transferred Naïve Bayes+Auto Class Semi-Supervised Moderate HTTP,SMTP, DNS,SOCKS,IRC, FTP(CTRL),POP3, LIMEWIRE,FTP(DATA) AND OTHER High-Level

T.Bakhshi et al. [29] 1 Port Number and Labels
2 Protocol(TCP,UDP)
3 Packets Count
4 Packet and Data Rate
5 Bytes per packet
6 Flow Duration k-Means+C5.0 Decision Tree Semi-Supervised Moderate VIDEO STREMING,VOIP,P2P TORRENT,CLOUD STORAGE,GAMES AND EMAIL Low-Level

J.Zhang et al. [30] 1 3-Tuple Information.
2 Number of Packets
3 Bytes-Volume
4 Inter-arrival time among packets
5 Statistics on the length of packets Flow Statistical K-Means Clustering + Compound classification Semi-Supervised Low BITTORRANT,DNS, EDONKEY,FTP,HTTP,IMAP, MSN,POP3,SMB,SMTP, SSH,SSL AND XMPP Low-Level

Reference	Features used	ML Algorithms	Category	Feature Computation Overhead	Dataset	Granularity
Karagiannis et al. [19]	1 Port Relationship and Host Negotiation 2 Host Relationship 3 social level, network level, and application level.	Host-Behaviour Monitoring	Behaviour based Classification	High	EDONKEY2000,MSN MESSENGER,IRC,NNTP AND SSH	High-Level
Zander et al. [20]	1 Flow size and Duration 2 Statistics on the length of packets 3 Statistics related to the time between arrivals.	Auto Class	Unsupervised Clustering	Moderate	DNS,SMTP,TELNET, FTP,NAPSTER AND AOL	Low-Level
McGregor et al.[21]	1 Inter-arrival and Packet Length statistics. 2 Byte Counts 3 Flow Duration	Expectation Maximization	Unsupervised Clustering	Moderate	IMAP,FTP, SMTP,NTP AND DNS	High-Level
J.Erman et al. [22]	1 The size of packets on average. 2 Mean length of time that packets remain in a flow. 3 Flow size	K-Means Clustering	Unsupervised Clustering	High	WEB,E-MAIL,DATABASE, P2P,P2P(ENCRYPTED), CHAT,FTP,STREAMING AND OTHER	High-Level
Moore and Zuev [23]	1 The statistics for the time between the arrival of packets and the size of their payloads. 2 Flow Duration 3 TCP port Number 4 The Fourier transform applied to the time intervals between packets arriving. 5 Entropy-based effective bandwidth.	NaÃ⁻ve Bayes	Supervised Clustering	High	BULK, DATABASE, INTERACTIVE, MAIL, SERVICES, WWW, ATTACK, GAMES AND MULTIMEDIA	High-Level
Kim et al. [24], Este et al [25]	1 Port Number,Protocol 2 Quantity of packets 3 Bytes that have been transmitted. 4 Beginning and concluding times. 5 The mean rate of packets and bytes transmitted. 6 Inter-arrival time among packets 7 Packet size	Support Vector Machine	Supervised Clustering	Moderate	WWW,DNS,MAIL, CHAT,FTP,P2P, STREAMING AND GAME	Low-Level
Reference	Features used	ML Algorithms	Category	Feature Computation Overhead	Dataset	Granularity
T. Bujlow et al [26]	1 Flow -Start and End Time 2 IP Address 3 Port,Protocol(TCP,UDP) 4 Application Name	C4.5 Decision Tree	Supervised Classification	Moderate	AUDIO,FILE,P2P,SSH, VIDEO AND WEB	Low-Level
Valentin et al. [27]	1 Port, Protocol(TCP,UDP) 2 Average Packet Size 3 Flow Time 4 Flow rate 5 Inter-Arrival Time	DPI+C5.0 Decision Tree	Semi-Supervised	High	WEB,DD,MULTIMEDIA, P2P,MAIL,BULK,VOIP, DNS,CHAT,GAMES, ENCRYPTION AND OTHERS	High-Level
J.Erman et al. [28]	1 Average Inter-Arrival Time 2 Packet Size 3 Total Packet Count 4 Maximum Bytes Transferred	Naïve Bayes+Auto Class	Semi-Supervised	Moderate	HTTP,SMTP, DNS,SOCKS,IRC, FTP(CTRL),POP3, LIMEWIRE,FTP(DATA) AND OTHER	High-Level
T.Bakhshi et al. [29]	1 Port Number and Labels 2 Protocol(TCP,UDP) 3 Packets Count 4 Packet and Data Rate 5 Bytes per packet 6 Flow Duration	k-Means+C5.0 Decision Tree	Semi-Supervised	Moderate	VIDEO STREMING,VOIP,P2P TORRENT,CLOUD STORAGE,GAMES AND EMAIL	Low-Level
J.Zhang et al. [30]	1 3-Tuple Information. 2 Number of Packets 3 Bytes-Volume 4 Inter-arrival time among packets 5 Statistics on the length of packets	Flow Statistical K-Means Clustering + Compound classification	Semi-Supervised	Low	BITTORRANT,DNS, EDONKEY,FTP,HTTP,IMAP, MSN,POP3,SMB,SMTP, SSH,SSL AND XMPP	Low-Level

2.1 Port-Based Traffic Classification

Network traffic can be identified and sorted into distinct categories using a port-number-based classification system [6]. This method is typically used in firewalls, routers, and other network devices to control and manage the flow of traffic on a network. The process of port-based traffic classification begins with the identification of the port number associated with a particular packet of traffic. This can be done by examining the header of the packet, which contains information about the IP addresses as well as the port numbers. Once the port number has been identified, the traffic is then classified based on a predefined set of rules. These rules can be based on a variety of factors, such as the IP addresses and the port number itself. For example, traffic that is sent to or received from port 80, which is typically associated with web traffic, may be classified as "web traffic" and given a higher priority than other types of traffic. Similarly, traffic that is sent to or received from port 22, which is typically associated with SSH traffic, may be classified as "secure traffic" and given a higher priority than other types of traffic. Once the traffic has been classified, it can then be managed and controlled using a variety of techniques, such as filtering, blocking, or prioritising. This allows network administrators to control the flow of traffic on their network and ensure that critical applications and services are given the resources they need to function properly [7]. Overall, port-based traffic classification is a powerful tool for managing and controlling network traffic and is widely used in a variety of network devices and applications. So, it is very important to understand and use it properly in order to have better network performance. The algorithm 1 iterates through each packet in the network and extracts the destination port number from the packet header. It then checks if the destination port number is in a predefined list of web ports, SSH ports, or email ports. If it matches one of these lists, the packet is classified as web traffic, secure traffic, or email traffic, respectively. If it does not match any of these lists, it is classified as general traffic.

Algorithm 1 Port-Based Traffic Classification
Input:Flows of network traffic
Output:Classification Outcomes
1: procedure PORT-BASED TRAFFIC
CLASSIFICATION ()
2: for each packet in the network: do
3: Extract the destination port number
4: from the packet header
5: if the destination port number =80,8080
6: classify the packet as web traffic
7: else if the destination port number =22
8: classify the packet as secure traffic
9: else if the destination port number= 25):
10: classify the packet as email traffic
11: else:
12: classify the packet as general traffic
13: endFor
14: end procedure

2.2 Payload-based traffic classification

The technique of payload-based traffic classification involves the identification and classification of network traffic by analysing the packet or frame payload’s content [9], as shown in Algorithm 2. This method is typically used in network devices such as firewalls, intrusion detection systems, and deep packet inspection (DPI) devices to control and manage the flow of traffic on a network [10]. The process of payload-based traffic classification begins by examining the content of the packet or frame payload. This can be done by using a variety of techniques, such as regular expressions, string matching, or machine learning algorithms. These techniques are used to extract features from the payload and identify patterns or characteristics that can be used to classify the traffic. For example, if the payload contains certain keywords or phrases that are commonly associated with a specific type of traffic, such as "HTTP" or "FTP," the traffic can be classified as web or file transfer traffic [11]. Similarly, if the payload contains certain patterns or characteristics that are commonly associated with a specific type of traffic, such as encryption or compression, the traffic can be classified as secure or compressed traffic. Once the traffic has been classified, it can then be managed and controlled using a variety of techniques, such as filtering, blocking, or prioritising [12]. Network administrators can regulate the traffic flow on their networks and guarantee that essential applications and services receive the necessary resources to operate smoothly. Payload-based traffic classification is an effective technique for monitoring and managing network traffic, especially in identifying and preventing harmful traffic like phishing, malware, and spam. However, it requires more advanced and sophisticated tools and resources and is more difficult to implement and maintain than port-based traffic classification.

Algorithm 2 Payload-Based Traffic Classification
Input:Flows of network traffic
Output:Classification Outcomes
1: procedure PAYLOAD-BASED TRAFFIC
CLASSIFICATION ()
2: Initialize a set of rules for classifying traffic
3: based on payload content
4: Initialize probability to 0
5: for each packet in the network traffic: do
6: Extract the payload from the packet
7: payload = getpayload (packet)
8: Compare the payload to the set of rules
9: If a match is found
10: fori in (len (payload)) : do
11: probability+ = payload [i] *
12: weight [i]
13: end for
14: classify the packet as belonging
15: to that category
16: If no match is found
17: classify the packet as “unknown”
18: end for
19: end procedure

2.3 User-behavior based traffic classification

User-behaviour-based traffic classification is a technique that uses information about user behaviour to classify network traffic, as shown in Algorithm. This approach focuses on analysing the behaviour of individual users and their interactions with the network rather than just looking at the technical characteristics of the traffic itself. The application of machine learning techniques [13] is one of the most important components of user-behaviour-based traffic classification. These models are trained on massive amounts of information acquired from the network, including information about user behaviour, network usage patterns, and other relevant metrics. The methods are developed to identify trends and patterns in the data that can be utilised to classify traffic into various groups. One of the advantages of user-behaviour-based traffic classification is that it is able to identify and classify new types of traffic that may not have been seen before. This is important in today’s rapidly changing digital environment, where new types of traffic and applications are constantly emerging. Additionally, this approach is less dependent on the technical characteristics of the traffic, which can change over time or be modified by attackers. Another advantage of user-behaviour-based traffic classification is that it can be used to detect and prevent malicious activity on the network [14]. For example, by analysing the behaviour of individual users, it is possible to identify unusual or suspicious activity that may indicate a cyberattack. This can include things like repeated login attempts, unusual traffic patterns, or the use of known malicious IP addresses. In conclusion, user-behaviour-based traffic classification is a powerful technique that can be utilised to analyse and classify different kinds of network traffic based on user behaviour. By using machine learning algorithms and analysing large amounts of data, this approach is able to identify new types of traffic and detect malicious activity on the network [15]. This can help organisations better understand and manage their network traffic and improve the security and performance of their networks.

2.4 Statistical flow feature-based approach

The statistical flow feature-based method is a classification method for network traffic that analyses the statistical properties of network traffic flow to categorise it into various groups [16] as shown in Algorithm 4. This approach typically involves calculating various statistical features of the traffic flow, such as the mean, variance, skewness, kurtosis, and entropy, and using these features to differentiate between different types of traffic. One equation commonly used in the statistical flow feature-based approach is the Shannon entropy equation, which calculates the entropy of a traffic flow based on the probability of each packet in the flow: $H = - \sum p (i) * \log_{2} (p (i))$ (1)

Where H is the Shannon entropy, p (i) is the probability of packet i, and ∑ is the summation over all packets in the flow. Using this formula, we can determine how random or unpredictable the traffic flow is, which helps us classify it into various categories. For example, a traffic flow with high entropy may be classified as random or unstructured, while a traffic flow with low entropy may be classified as structured or predictable.When it comes to accurately classifying various forms of network traffic, the statistical flow feature-based approach is a useful method because it considers the statistical properties of the traffic flow and can differentiate between different forms of traffic based on these characteristics. [17, 18].

2.5 Unsupervised machine learning approach

Unsupervised machine learning is a technique for programming a computer to recognise trends and classify data without labelled training material, as shown in Algorithm 3. Unsupervised machine learning is applied in network traffic classification to recognise patterns in network traffic and categorise it into various types, including legitimate traffic, spam traffic, and harmful traffic [31] and [34]. One common unsupervised machine learning approach used in network traffic classification is clustering. Clustering is an approach to categorising similar data points by taking into account their features. In network traffic classification, clustering algorithms are used to group similar flows of network traffic together based on their features, such as IP address, port number, and packet size [35]. The equation for the ascent of network traffic classification in the Dark Net using an unsupervised machine learning approach can be represented as: $C = f (D, ML)$ (2) where C = network traffic classification; D = darknet data; and ML = unsupervised machine learning approach. The function f represents the steps required to classify darknet traffic using unsupervised machine learning techniques. Data from the Dark Web is exposed to unsupervised machine learning methods like correlation-based learning and techniques for reducing dimensionality in order to reveal hidden patterns and correlations. The objective of unsupervised machine learning in network traffic classification is to recognise patterns and associations in the data and then group them accordingly. The reliability of the Dark Web data utilised for categorising network traffic, as well as the efficiency of the unsupervised machine learning algorithm utilised, are critical factors in achieving satisfactory outcomes. Therefore, it is important to carefully select the unsupervised machine learning approach and to pre-process the Dark Net data to ensure the best possible results.

Algorithm 3 Unsupervised Machine Learning based Traffic
Classification
Input:Flows of network traffic
Output:Classification Outcomes
1: procedure UNSUPERVISED MACHINE LEARNING
BASED TRAFFIC CLASSIFICATION ()
2: Initialize the dataset D with collected network traffic data
3: Perform feature extraction on D to extract relevant
features for classification
4: Normalize the extracted features for classification
5: N = (FS - minimum (DS))/(maximum (DS)-
minimum (DS)) where FS is a feature value and DS is
the dataset
6: Perform clustering algorithm (e.g. k-means) on the
normalized features
7: Group similar traffic patterns together
8: Assign labels to each cluster based on the traffic patterns
9: Use the labeled clusters as the training set for
unsupervised classification algorithm (e.g. neural
network)
10: Train the classification algorithm on the labeled clusters
11: Test the algorithm on new, unseen network traffic data
and classify it based on the trained model
12: Repeat steps 12-16 with different clustering and
classification algorithms to find the best performing
algorithms
13: end procedure

2.6 Supervised machine learning approach

Supervised machine learning approaches can be used to address this challenge by utilising a labelled dataset to train the algorithm to recognise different types of network traffic [32] and [36], as shown in Algorithm 4.The equation for this supervised machine learning approach can be represented as follows: $y = f (X)$ (3) In this case, X is the features or input data that characterise network traffic, and Y is the target or predicted class label of the traffic. The function f can be represented using a machine learning technique such as a D-Tree, ANN, or SVM. With the help of a series of mathematical operations, the algorithm is able to make predictions about the desired class label y based on the input data X. A more precise method of identifying the origin of darknet traffic is possible through the application of supervised machine learning techniques to the classification of network traffic. One equation commonly used in such approaches is the logistic regression equation, represented as: $h (x) = 1 / (1 + \exp (- wx))$ (4) Where h(x) is the predicted probability of the input x being a certain class, w is the weight vector, and x is the feature vector. The features are considered based on network traffic patterns, and the weights are learned from a labelled dataset through training the logistic regression model. Supervised machine learning algorithms such as D-Tree, SVM, and neural networks can also be used for network traffic classification in darknets. The choice of algorithm would depend on the complexity and data size as well as the desired accuracy and computational efficiency of the classification system. The use of supervised machine learning techniques on the dark web can be a useful tool for traffic classification, which in turn can enhance network security and analysis.

Algorithm 4 Supervised Machine Learning based Traffic
Classification
Input:Flows of network traffic
Output:Classification Results
1: procedure SUPERVISED MACHINE LEARNING BASED
TRAFFIC CLASSIFICATION ()
2: Start by collecting a dataset of network traffic data,
including both labeled and unlabeled data.
3: Preprocess the data by cleaning and normalizing it,
removing any missing or irrelevant information.
4: The dataset should be partitioned into a training set and a
testing set, with the training set containing the majority
of the data.
5: and a smaller portion for testing.
6: To classify network traffic, select a suitable supervised
machine learning technique.
7: such as a decision tree, random forest, or support vector
machine.
8: Train the chosen algorithm on the training data using the
labeled data as the target variable.
9: Test the algorithm on the testing data and evaluate its
performance using metrics such as accuracy, precision,
and recall.
10: If the algorithm’s performance is not satisfactory,
adjust the parameters and retrain the model until a
11: satisfactory level of performance is achieved.
12: Once the algorithm has been trained and optimized, use
it to classify new network traffic data.
13: The equation used to classify the network traffic data is:
PL = function (x) + err
14: where PL is the predicted class label
15: function(x) is the function learned by the machine
learning algorithm, and err is the error or residual.
16: End.
17: end procedure

2.7 Semi-supervised machine learning approach

Semi-supervised machine learning is a useful approach for network traffic classification, especially when labelled data is limited. In this approach, the classifier is trained on both labelled and unlabeled data to improve the accuracy of the classification, as shown in Algorithm 5.

Algorithm 5 Semi-Supervised Machine Learning based Traffic
Classification
Input:Flows of network traffic
Output:Classification Results
1: procedure SEMI-SUPERVISED MACHINE LEARNING
BASED TRAFFIC CLASSIFICATION ()
2: Begin by collecting a dataset of network traffic data.
This dataset should include both labeled and unlabeled
data.
3: Preprocess the data by cleaning and normalizing it.
4: Create a training set from a subset of the labelled data
and a testing set from the remaining data.
5: Using the training data, train a semi-supervised machine
learning model.
6: This can be done using a variety of techniques, such as
self-training, co-training, or multi-view learning.
7: Make use of the trained model to assign categories to the
data in the dataset that are not already assigned.
8: Evaluate the performance of the model by comparing its
predictions to the true labels of the test data.
9: Make any necessary changes to the model based on the
evaluation’s findings, and repeat steps 4-6 until
10: satisfactory performance is achieved.
11: Once satisfactory performance is achieved, use the
model to classify new, unseen network traffic data.
12: The equation for this process could be represented as:
13: Semi - supervisedModel = Train (LabeledTraining,
DataUnlabeledData)+ Classify (UnlabeledData) +
14: Evaluate (LabeledTestData) + Adjust (Model)
15: end procedure

The following equation describes the semi-supervised machine learning technique utilised in the development of network traffic identification in the Darknet. $\begin{matrix} LossFunction (L) = (1 - λ) * Cross - Entropy \\ Loss (CEL) + λ * UnsupervisedLoss (UL) \end{matrix}$ (5) Where: L is the function of loss that was maximized during training of the network.λ is a weighting factor that determines the importance of the unsupervised loss component in the final result CEL is the cross-entropy loss component, which measures the discrepancy between expected and observed classifications. The autoencoder architecture has an unsupervised loss component called UL that measures the deviation between the original input and the reconstructed output. To better categorise traffic on the Darknet, a semi-supervised machine learning approach combines the best features of supervised and unsupervised learning methods. The supervised component uses labelled data to train the network to recognise patterns in the network traffic and classify it into different categories, while the unsupervised component uses the autoencoder architecture to learn the underlying patterns in the data without the need for labelled data [33, 37]. The final loss function takes into account both the supervised and unsupervised components, with the weighting factor determining the importance of each component in the final result. By utilising both labelled and unlabeled data, this method can greatly enhance the precision of network traffic categorization within the Dark Net. Let X be the dataset, Y be the labels, and h be the semi-supervised learning algorithm. The objective is to identify the optimal value of h that minimises the loss function L, represented by: $L (X, Y, h) = 1 / n * \sum_{i = 1}^{n} Y_{i} \neq h (X_{i})$ (6) Where n is the total number of samples in the dataset, Y_i is the true label for sample X_i, and h (X_i) is the predicted label for sample X_i. The equation calculates the number of misclassifications made by the algorithm, and the goal is to minimize this value.

2.7.1 Hybrid Machine Learning approach

As the darknet is a part of the internet that is not accessible through traditional search engines, it is challenging to identify the network traffic in this region. However, the use of hybrid machine learning has made it possible to effectively classify network traffic in the dark net. The accuracy of network traffic classification can be improved by using a hybrid machine learning approach that combines several machine learning methods. This method uses D-Tree, ANN, and SVM to categorise traffic on the dark web [38]. The following is a representation of the hybrid machine learning approach used to classify dark web network traffic. ${Cl}_{R} (x) = Output 1 (x) + Output 2 (x) + Output 3 (x)$ (7) Where Cl_R (x) represents the final classification result, f1(x), f2(x), and f3(x) represent the outputs from the D-Tree, ANN and SVM methods, respectively.

The hybrid machine learning approach can improve the accuracy of network traffic classification on the dark web by incorporating the outcomes of different machine learning techniques. This can be done by combining the outputs from multiple machine learning algorithms. Network traffic classification could be greatly aided by the implementation of hybrid machine learning, which would also aid in the improvement of online privacy and security.The ascent of network traffic classification in the dark net can be modelled using a hybrid machine learning approach with the following equation: $Y = f (X) = (1 - α) * KNN (X) + α * SVM (X)$ (8) Where Y is the predicted class label of the network traffic sample. X is the feature vector of the network traffic sample. f (X) is the hybrid machine learning model that combines KNN and SVM algorithms.α is the weighting factor that determines the contribution of each algorithm in the prediction.KNN (X) is the prediction made by the KNN algorithm. SVM (X) is the prediction made by the Support Vector Machine algorithm. This hybrid machine learning approach utilizes the strengths of both KNN and SVM algorithms to enhance the accuracy of network traffic classification in the dark net. The weighting factor α allows for the adjustment of the contribution of each algorithm in the prediction, making the model more flexible and adaptable to different data sets.

2.8 Deep learning approach

The use of deep learning approaches in network traffic classification has gained popularity in recent years, including for classifying traffic in the dark net [39]. This is due to the ability of deep learning algorithms to automatically learn complex and abstract features from large amounts of data, leading to improved accuracy in classification compared to traditional methods, as shown in Algorithm 6. One common equation used in deep learning is the feedforward neural network (FNN) equation: $y = f (W * x + b)$ (9) In the context of deep learning, the output (y) is generated by applying an activation function (e.g., sigmoid, ReLU) to the input (x), multiplying it by a weight matrix (W), and adding it to a bias (b). During training, the weights and biases are modified to minimise the loss function that quantifies the discrepancy between the predicted and actual outputs. To classify network traffic, several deep learning models have been utilised, such as CNNs, RNNs, and autoencoders. These models can be trained on labelled network traffic data to learn the patterns and features that differentiate different types of traffic. The final output of the model is a predicted class label for a given network flow or packet.

Algorithm 6 Deep Learning based Traffic Classification
Input:Flows of network traffic
Output:Classification Outcomes
1: procedure DEEP LEARNING BASED TRAFFIC CLASSIFICATION ()
2: Begin by setting up the deep learning model, which can be a convolutional neural network or a recurrent neural network.
3: To prepare the network traffic data for the model, preprocess it by converting packets into feature vectors or time series data.
4: Split the preprocessed data into two sets, one for training and the other for testing.
5: With a suitable optimization algorithm, train the deep learning model on the training set.
6: Use the trained model to classify the testing set and evaluate its performance using metrics such as accuracy, precision, and recall.
7: If necessary, adjust the model’s hyperparameters and repeat the training and testing until the desired performance is achieved.
8: Finally, use the fully trained model to classify new, unseen network traffic data.
9: end procedure

3 Experimental assessment measurements and analysis

Experimental assessment measurements and analysis in network traffic classification involve the collection and analysis of actual network traffic data to evaluate and enhance the effectiveness of traffic classification algorithms. Table 2 shows the datasets for traffic identification.

Table 2
Datasets, Methodology, Evaluation Metrics, and Work for Traffic Identification

Work Dataset Description Traffic Types Location Methodology Evaluation Metrics

University of New Brunswick [40] ISCX Internet traffic classification dataset collected from various sources Normal and malicious traffic University, corporate, and residential networks Machine learning Accuracy, F1 score

Center for Applied Internet Data Analysis [41] CAIDA Internet traffic dataset collected from various sources around the world Normal and malicious traffic Global Machine learning Accuracy, F1 score

University of New Brunswick [42] UNB Anomaly Detection Dataset Network traffic dataset collected from a university network Normal and malicious traffic University network Deep learning Precision, recall

Defense Advanced Research Projects Agency [43] DARPA IDS Dataset Network traffic dataset collected from a military network Normal and malicious traffic Military network Rule-based Detection rate, false positive rate

Czech Technical University in Prague [44] CTU-13 Dataset Network traffic dataset collected from a university network Normal and malicious traffic University network Hybrid (machine learning and rule-based) Detection rate, accuracy

3.1 Accessible datasets

The collection of data sets is a crucial stage in the classification of network traffic. The quality and diversity of the data used to train and test the classifier will directly impact its accuracy and effectiveness. There are several ways to collect data for network traffic classification, including:

Capturing live traffic This involves collecting real-time traffic data as it flows through the network. This can be done using tools such as network taps, network probes, or packet capture software.Using public datasets: There are several public datasets available that contain network traffic data, such as the ISCX dataset, the CAIDA dataset, and the UNB Anomaly Detection dataset. These datasets can be used for research and experimentation.

Using synthetic data In some cases, it may be necessary to generate synthetic data that simulates different types of raffic. This can be useful for testing and evaluating the performance of the classifier.

Labelling the data Once the data has been collected, it must be labelled with the correct traffic type. This can be done manually or through the use of automated labelling tools.It is important to ensure that the data used for network traffic classification is diverse and representative of the types of traffic that will be encountered in the real world. This will help to ensure that the classifier is able to accurately classify a wide range of traffic types. There are several sources where you can collect datasets for network traffic classification, as shown in Table 2.

3.1.1 ISCX (Internet Traffic Classification Dataset)

The ISCX dataset is a comprehensive collection of network traffic data obtained from various sources, such as university, corporate, and residential networks, designed for research and experimentation in the field of traffic classification [40]. It comprises more than 400,000 traffic flows, including packet size, protocol, and destination port, along with ground truth labels indicating the type of traffic. This dataset is valuable because it contains a wide range of traffic types, including normal and malicious traffic, making it an excellent resource for studying both legitimate and malicious activity on networks. Overall, the ISCX dataset is a valuable tool for researchers and practitioners in the field of network security and traffic classification.

3.1.2 The UNB Anomaly Detection Dataset

The UNB Anomaly Detection Dataset is a popular resource for research in network traffic classification and anomaly detection [41]. It features 49 types of traffic, including normal and anomalous traffic, that has been pre-processed and cleaned. The dataset includes a test set of 31,000 network flows and a training set of 25,000 and contains various types of attacks such as DoS, DDoS, and worm attacks. The dataset includes several variables for categorising network traffic, such as IP addresses, ports, protocol, packet length, and count, and includes a label for normal or anomalous traffic. The dataset is widely used in research to evaluate the effectiveness of network traffic identification and anomaly detection algorithms.

3.1.3 The CAIDA (Cooperative Association for Internet Data Analysis) Dataset

The CAIDA dataset is a vast collection of network traffic data from different sources, making it useful for various classification tasks [42]. It includes normal and malicious traffic and different types of attacks, making it ideal for training and evaluating network classification algorithms. The dataset features various elements for network traffic classification, including IP addresses, protocols, packet lengths, and counts. It also includes a label that distinguishes between normal and anomalous traffic. Researchers can use this dataset for different classification techniques, including supervised and unsupervised methods. The CAIDA dataset is a benchmark for network classification algorithms due to its accuracy, large size, and usage in several studies and publications. It is suitable for research on network classification and intrusion detection systems.

3.1.4 The CTU-13 dataset

The CTU-13 dataset is a widely used dataset for research on network traffic classification and anomaly detection [43]. It contains a variety of features, including normal and anomalous traffic, such as various types of attacks. It includes source and destination IP addresses, source and destination ports, protocol, packet length, number of packets, and a label indicating whether the traffic is normal or anomalous. The preprocessed data is divided into two sets for training and testing, containing around 80,000 and 40,000 network flows, respectively. It is a realistic dataset captured in a real-world environment and considered a benchmark for network traffic identification and anomaly detection algorithms.

3.1.5 The DARPA IDS dataset

The DARPA IDS dataset is commonly used for internet traffic classification and anomaly detection research. It contains both normal and malicious traffic, including DoS, DDoS, and worm attacks [44]. The dataset has various features for network traffic classification and is divided into a training set and a test set. It has been widely used in research on network traffic classification and intrusion detection and is considered a benchmark dataset. There are also many other datasets available for network traffic classification tasks, depending on specific needs and goals [45].

4 Network traffic feature set

The feature set for network traffic classification includes various parameters and characteristics that can be used to differentiate various types of traffic, as shown in Table 3. These features can be used to identify patterns and trends in network traffic and classify the traffic into different categories, such as web traffic, email traffic, peer-to-peer traffic, and so on. The specific feature set used for traffic classification will depend on the requirements of the network or organisation that is performing the classification. Some network traffic classification methodologies, such as machine learning-based ones, use multiple features to classify the traffic, and the accuracy of the classification can be improved by using multiple features together [46, 47]. The classification of network traffic is a critical and essential task for managing and securing networks. By identifying and categorising different types of traffic, network administrators can prioritise certain types of traffic, enforce network policies, and detect and prevent malicious or unauthorised activities.The feature set used for network traffic classification will depend on the specific requirements of the network or organisation. Some examples of feature sets for different purposes are:

A company that wants to prioritize web traffic and email traffic over other types of traffic may use the protocol and port number as the primary features for classification. Web traffic typically uses the HTTP protocol on port 80, while email traffic uses the SMTP protocol on port 25.

A network administrator that wants to monitor and prevent peer-to-peer file sharing may use the packet payload as a primary feature for classification. Peer-to-peer file sharing applications often use specific patterns or keywords in the packet payload that can be used to identify the traffic.

A network administrator that wants to detect and prevent DDoS attacks or other malicious activities may use flow rate, retransmissions, out-of-order packets, and error packets as primary features for classification. DDoS attacks often generate a large number of packets with a high flow rate, retransmissions, out-of-order packets, and error packets.

Table 3
Key Features of Network Traffic Identification

Serial No Feature Description

1 Protocol The specific protocol utilized in the network traffic, which may include TCP, UDP, ICMP, or other types of communication protocols.

2 Port Number The port number used for the source or destination in the network traffic.

3 IP Address The IP address that serves as either the source or the destination in the network traffic.

4 Packet Size The dimensions of the packets in the network traffic.

5 Packet Inter-arrival Time The duration of time between successive packets in the network traffic.

6 Packet Payload The information carried by the packets in the network traffic.

7 Flow Duration The length of time for the network flow.

8 Number of Packets The overall count of packets in the network flow.

9 Number of Bytes The overall count of bytes in the network flow.

10 Number of Flows The overall count of flows in the network traffic.

11 Flow Rate The speed of flow in the network traffic.

12 Number of Retransmissions The count of packet resending attempts in the network traffic.

13 Number of Out-of-order Packets The count of packets that were not received in the expected order in the network traffic.

14 Number of Duplicate Packets The count of replicated packets in the network traffic.

15 Number of Error Packets The count of packets with errors in the network traffic.

Serial No	Feature	Description
1	Protocol	The specific protocol utilized in the network traffic, which may include TCP, UDP, ICMP, or other types of communication protocols.
2	Port Number	The port number used for the source or destination in the network traffic.
3	IP Address	The IP address that serves as either the source or the destination in the network traffic.
4	Packet Size	The dimensions of the packets in the network traffic.
5	Packet Inter-arrival Time	The duration of time between successive packets in the network traffic.
6	Packet Payload	The information carried by the packets in the network traffic.
7	Flow Duration	The length of time for the network flow.
8	Number of Packets	The overall count of packets in the network flow.
9	Number of Bytes	The overall count of bytes in the network flow.
10	Number of Flows	The overall count of flows in the network traffic.
11	Flow Rate	The speed of flow in the network traffic.
12	Number of Retransmissions	The count of packet resending attempts in the network traffic.
13	Number of Out-of-order Packets	The count of packets that were not received in the expected order in the network traffic.
14	Number of Duplicate Packets	The count of replicated packets in the network traffic.
15	Number of Error Packets	The count of packets with errors in the network traffic.

In general, the feature set used for network traffic classification will depend on the specific requirements of the network or organisation and the available tools and resources for monitoring and analysing network traffic. It is important for network administrators to continuously monitor and update their classification methods in order to adapt to new types of traffic and evolving network threats [48, 49].

5 Performance evaluation

There are several evaluation metrics, including accuracy, precision, recall, and F1 score, that can be employed to assess the performance of a network traffic classification system. The accuracy rate is calculated as the number of correctly labeled packets divided by the total number of packets in the dataset. This formula determines the accuracy rate, which is a key measure for evaluating the efficiency of a network traffic classification system. It represents the percentage of accurately classified packets and provides a useful indication of the system’s effectiveness. In order to get a more comprehensive view of the network traffic classification system’s performance, it is often suggested to use additional metrics in addition to the accuracy rate [50, 51]. In order to determine the accuracy?rate, the following formula can be used: $\begin{matrix} AccuracyRate = \frac{No ofCorrectly ClassifiedPackets}{TotalNo ofPackets} \end{matrix}$ (10)

The ease of execution can be determined by comparing the number of classification processes to the total number of potential processes. The simplicity of execution metric is used to evaluate how efficient a classification system is in terms of computational complexity. The fewer steps required for classification, the more efficient the system is considered to be. However, this metric may not take into account other factors that can affect the overall efficiency of the system, such as the complexity of the algorithms used, the hardware resources available, and the size and complexity of the dataset. Therefore, it is recommended to use other metrics in conjunction with the simplicity of execution metric to obtain a more complete evaluation of the system’s efficiency [52]. $\begin{matrix} SOE = \frac{No of Steps Required for Classification}{Total No of Possible Steps} \end{matrix}$ (11)

The term "real-time implementation" pertains to the capacity of a classification system to provide results within a certain timeframe, typically in real-time. The time required for classification relative to the total time available for classification can be used as a metric to evaluate the real-time implementation of a classification system. This metric is useful for evaluating how well a classification system can perform in a real-time environment where timely and accurate results are critical [53]. The formula is $\begin{matrix} RI = \frac{Time Required for Classification}{Total Time Available for Classification} \end{matrix}$ (12) Unknown traffic identification (UTI) is the process of identifying traffic that cannot be classified by the existing traffic classification system. The metric you provided is a way to measure the effectiveness of the UTD process. This metric is useful for evaluating how well the traffic classification system can identify traffic that was previously unknown. The higher the UTD value, the better the system is considered to be at identifying unknown traffic. The formula is $UTD = \frac{No of Unknown Traffic Identified}{Total No of Traffic}$ (13)

Encrypted traffic classification is the process of identifying the type of traffic that is encrypted. The metric you provided is a way to measure the effectiveness of the encrypted traffic classification process. This metric is useful for evaluating how well the traffic classification system can correctly identify encrypted traffic. The higher the Encrypted Traffic Classification value, the better the system is considered to be at classifying encrypted traffic [54]. The formula is: $ETC = \frac{No of Encrypted Traffic Correctly Classified}{Total No of Encrypted Traffic}$ (14)

Time complexity is another important aspect of network traffic classification in the dark net. It refers to the amount of time required for the classification process to complete and is dependent on the time required for classification and the total time available for classification. The time required for classification depends on several factors, such as the complexity of the classification algorithm, the number of features used for classification, the size of the dataset, and the available computational resources. On the other hand, if the algorithm is complex and the dataset is large, the time required would be much higher. The total time available for classification is determined by the real-time nature of the traffic flow and the available computational resources. In the dark net, traffic can be highly variable, and the classification process needs to keep up with the real-time data flow [55]. Therefore, the total time available for classification is dependent on the network bandwidth, processing power, and memory available for the classification process. $Time Complexity = \frac{Time Required for Classification}{Total Time Available for Classification}$ (15) The space complexity of this process is determined by the space required for classification and the total space available for classification. The space required for classification depends on the type and number of features used for classifying the network traffic. For instance, if the classification is based on the port number, the space required would be small, as only a limited number of port numbers are available. On the other hand, if the classification is based on the content of the packets, the space required would be much larger as the content can be highly variable. The total space available for classification depends on the computational resources available for the classification process. This includes the memory available for storing the classification rules and the processing power available for executing the classification algorithm. $Space Complexity = \frac{Space Required for Classification}{Total Space Available for Classification}$ (16) Overall, the selection of performance measures depends on the specific use case and requirements of the system or algorithm. A balance between accuracy and simplicity is often necessary for effective implementation in real-world scenarios, while the ability to identify unknown and encrypted traffic is becoming increasingly important for network security. Additionally, the time and space complexity of a system or algorithm should be carefully considered to ensure its scalability and efficiency in handling large volumes of traffic.

6 Discussion

Table 4 presents a comparison of different techniques for traffic identification in terms of several key performance metrics. The techniques are categorised into five groups based on the underlying methodology used: port-based, payload-based, machine learning-based, hybrid machine learning-based, and deep learning-based. The metrics used for comparison include accuracy rate, simplicity of execution, real-time implementation, unknown traffic identification, encrypted traffic classification, and time and space complexity.

The accuracy rate of each technique is presented in the first column of the table. Port-based identification achieves a modest accuracy rate of 60%, while payload-based techniques perform slightly better with a reasonable accuracy rate of 75%. Machine learning-based techniques achieve a strong accuracy rate of 85%, and hybrid machine learning-based techniques perform even better with a very strong accuracy rate of 95%. Deep learning-based techniques achieve the highest accuracy rate, with an outstanding rate of 97%.

The second metric, simplicity of execution, is presented in the second column. Port-based identification requires the least effort, with an effortless execution that involves only 1-2 steps. Payload-based techniques require slightly more effort, with a manageable execution that involves 3-4 steps. Machine learning-based techniques require an involved execution with 5-6 steps, while hybrid machine learning-based techniques require a complex execution with 7-8 steps. Deep learning-based techniques require the most effort, with a very complex execution that involves 9 or more steps.

The third metric, real-time implementation, is presented in the third column. Port-based identification is the fastest technique, with a swift implementation that takes less than 1 second. Payload-based techniques are slower, with an implementation that takes 1–5 seconds. Machine learning-based techniques have a steady implementation that takes 5–10 seconds, while hybrid machine learning-based techniques have a longer implementation time that takes 10–30 seconds. Deep learning-based techniques have the longest implementation times, taking more than 30 seconds.

The fourth and fifth metrics, unknown traffic identification and encrypted traffic classification, are presented in the fourth and fifth columns, respectively. Port-based and payload-based techniques have limited identification capabilities for unknown traffic and encrypted traffic classification, achieving only 30-50% accuracy rates. Machine learning-based techniques have adequate identification capabilities, achieving 50-70% accuracy rates. Hybrid machine learning-based techniques have proficient identification capabilities, achieving 70-85% accuracy rates. Deep learning-based techniques have exceptional identification capabilities, achieving accuracy rates of 85-95% for unknown traffic and encrypted traffic classification.

Finally, the time and space complexity of each technique is presented in the last column. Port-based identification has the simplest time and space complexity, with a constant time complexity of O(1). Payload-based techniques have manageable time and space complexity, with a logarithmic time complexity of O(log n). Machine learning-based techniques have a complex time and space complexity, with a linear time complexity of O(n). Hybrid machine learning-based techniques have a very complex time and space complexity, with a quadratic time complexity of O(n²). Deep learning-based techniques have an extremely complex time and space complexity, with an exponential time complexity of O(2ⁿ).

Table 4
Comparison of Different Techniques for Traffic Identification

Feature Port-Based Payload-Based Machine Learning-Based Hybrid ML-Based Deep Learning-Based

Accuracy Rate Modest (60%) Reasonable (75%) Strong (85%) Very Strong (95%) Very Strong (97%)

Simplicity of Execution Effortless (1-2 steps) Manageable (3-4 steps) Involved (5-6 steps) Complex (7-8 steps) Very Complex (9+ steps)

Real Time Implementation Swift (less than 1 second) Slow (1-5 seconds) Steady (5-10 seconds) Long (10-30 seconds) Very Long (more than 30 seconds)

Unknown Traffic Identification Limited (30-50%) Adequate (50-70%) Proficient (70-85%) Exceptional (85-95%) Outstanding (95-100%)

Encrypted Traffic Classification Limited (30-50%) Adequate (50-70%) Proficient (70-85%) Exceptional (85-95%) Outstanding (95-100%)

Time and Space Complexity Simple (O(1)) Manageable (O(log n)) Complex (O(n)) Very Complex (O(n²)) Extremely Complex (O(2ⁿ))

Feature	Port-Based	Payload-Based	Machine Learning-Based	Hybrid ML-Based	Deep Learning-Based
Accuracy Rate	Modest (60%)	Reasonable (75%)	Strong (85%)	Very Strong (95%)	Very Strong (97%)
Simplicity of Execution	Effortless (1-2 steps)	Manageable (3-4 steps)	Involved (5-6 steps)	Complex (7-8 steps)	Very Complex (9+ steps)
Real Time Implementation	Swift (less than 1 second)	Slow (1-5 seconds)	Steady (5-10 seconds)	Long (10-30 seconds)	Very Long (more than 30 seconds)
Unknown Traffic Identification	Limited (30-50%)	Adequate (50-70%)	Proficient (70-85%)	Exceptional (85-95%)	Outstanding (95-100%)
Encrypted Traffic Classification	Limited (30-50%)	Adequate (50-70%)	Proficient (70-85%)	Exceptional (85-95%)	Outstanding (95-100%)
Time and Space Complexity	Simple (O(1))	Manageable (O(log n))	Complex (O(n))	Very Complex (O(n²))	Extremely Complex (O(2ⁿ))

Overall, the table shows that deep learning-based techniques outperform all other techniques in terms of accuracy rate, while port-based techniques are the simplest and fastest to implement. The choice of technique depends on the specific requirements of the traffic identification task, such as accuracy, execution time, and identification capabilities for unknown and encrypted traffic.

6.1 Limitations encountered by compared approaches

The comparative evaluation of various machine and deep learning techniques for Darknet traffic classification revealed several limitations based on the performance analysis shown in Figure 2.

Fig. 2

Performance metrics utilized in the analysis of network traffic.

The accuracy rates of the compared approaches varied considerably, ranging from 60% to 97%. This indicates that even the most accurate techniques are still subject to classification errors, which can have significant consequences for security and law enforcement. Additionally, some approaches, such as the Decision Tree and Random Forest, had relatively low accuracy rates, which suggests that they may not be suitable for practical use in real-world scenarios.

Another limitation of the compared approaches is related to their simplicity of execution, which ranged from 1 to 9 steps. While simpler techniques are generally preferred due to their ease of implementation and reduced computational complexity, they may not be as accurate as more complex approaches. Thus, the trade-off between simplicity and accuracy must be carefully considered when selecting a Darknet traffic classification technique.

Real-time implementation is another crucial factor to consider when evaluating the effectiveness of traffic classification techniques. The compared approaches showed considerable variation in this regard, with implementation times ranging from less than 1 second to over 60 seconds. This indicates that some techniques may not be suitable for use in real-time applications that require quick decision-making.

Another limitation of the compared approaches is their ability to identify unknown traffic, which ranged from 30% to 95%. This suggests that some approaches may struggle to classify previously unseen traffic, which is a common occurrence in the dynamic and ever-changing Darknet environment.

Finally, the time and space complexity of the compared approaches varied considerably, with some techniques having a complexity of O(1) and others having a complexity of O(2ⁿ). This indicates that some techniques may require more computational resources than others, which can impact their practical usability.

In conclusion, the comparative evaluation of Darknet traffic classification techniques revealed several statistical limitations related to the accuracy, simplicity of execution, real-time implementation, unknown traffic identification, and time and space complexity. These limitations must be carefully considered when selecting an appropriate technique for real-world applications.

6.2 Open research challenges

Network traffic classification in the dark net is a challenging task due to the anonymous nature of the communication and the use of encryption technologies. The following are some recent open research challenges for the ascent of network traffic classification in the dark net:

Encrypted traffic classification Encrypted traffic poses a significant challenge for network traffic classification in the dark net. Developing accurate classification methods that can identify the type of encryption used and the purpose of the communication is a critical research challenge.

Multi-protocol classification The use of multiple protocols in the dark net makes it difficult to classify network traffic. Developing techniques that can handle multiple protocols simultaneously is a significant research challenge.

Dynamic traffic classification The traffic patterns in the dark net are continuously changing, making it challenging to develop a static classification method. Developing techniques that can adapt to the changing traffic patterns is an open research challenge.

Anomaly detection Dark net traffic often involves malicious activity, making it important to develop methods that can detect anomalous traffic patterns. Developing effective anomaly detection techniques is a critical research challenge.

Large-scale traffic classificationThe amount of traffic in the dark net is enormous, making it challenging to handle and classify. Developing techniques that can handle large-scale traffic classification is an open research challenge.

Adversarial attacks Attackers can try to evade traffic classification methods by manipulating the traffic patterns. Developing methods that can detect and mitigate adversarial attacks is an open research challenge.

7 Conclusion

This research examines the present state of network traffic classification on the darknet. The research reveals that the task of classifying network traffic in the dark net is particularly difficult because of the significant degree of anonymity and encryption present in the network. The survey examined various approaches to classify traffic in the dark net, including feature-based, port-based, payload-based, machine learning-based, hybrid machine learning-based, and deep learning-based methods. The accuracy rate of these methods varies from low to very high, with machine learning-based and deep learning-based methods achieving the highest accuracy rates. However, these methods have a low to very high complexity in terms of time and space requirements, with feature-based methods being the simplest to execute and deep learning-based methods being the most complex. The real-time implementation of these methods also varies from high to low, with feature-based methods being the easiest to implement in real-time, while machine learning-based and deep learning-based methods have lower real-time implementation capabilities. The ability to identify unknown traffic and classify encrypted traffic also varies among the different methods, with machine learning-based, hybrid machine learning-based, and deep learning-based methods performing better than feature-based and port-based methods. Overall, the study highlights the need for further research to develop more robust and accurate methods for network traffic classification in the dark net. The development of such methods is crucial for identifying malicious activity and improving the security of the dark net.

References

Velan, Petr, Čermák

Milan

, Čeleda

Pavel

and Drašar

Martin

, A survey of methods for encrypted traffic classification and analysis,355–, International Journal of Network Management 25(5) (2015), 374.

Salman, Ola, Elhajj

Imad H.

, Kayssi

Ayman

and Chehab

Ali

, A reviewon machine learning–based approaches for Internet traffic classification, Annals of Telecommunications. 75 (2020), 673–710.

Valenti, Silvio, Rossi

Dario

, Dainotti

Alberto

, Pescapè

Antonio

, Finamore

Alessandro

and Mellia

Marco

, Reviewing traffic classification, Data Traffic Monitoring and Analysis: From Measurement, Classification, and Anomaly Detection to Quality ofExperience (2013), 123–147.

Nguyen, Thuy TT and Armitage

Grenville

, A survey of techniques for internet traffic classification using machine learning, IEEE Communications Surveys and Tutorials 10(4) (2008), 56–76.

Dias, Klenilmar Lopes, Pongelupe

Mateus Almeida

, Caminhas

Walmir Matos

and de Errico

Luciano

, An innovative approach for real-time network traffic classification, Computer Networks 158 (2019), 143–157.

Yoon, Sung-Ho, Park

Jin-Wan

, Park

Jun-Sang

, Oh

Young-Seok

and Kim

Myung-Sup

, Internet application traffic classification usingfixed IP-port. In Management Enabling the Future Internet for Changing Business and New Computing Services: 12th Asia-Pacific Network Operations and Management Symposium, APNOMS 2009 Jeju, South Korea, September 23-25, 2009 Proceedings 12, pp. 21–30. Springer Berlin Heidelberg, (2009).

Aceto, Giuseppe, Alberto Dainotti, Walter De Donato and Antonio Pescapè, Port Load: taking the best of two worlds in trafficclassification. In 2010 INFOCOM IEEE Conference on ComputerCommunications Workshops, pp. 1–5. IEEE, 2010.

Finsterbusch, Michael, Richter

Chris

, Rocha

Eduardo

, Muller

Jean-Alexander

and Hanssgen

Klaus

, A survey of payload-based trafficclassification approaches, IEEE Communications Surveys & Tutorials 16(2) (2013), 1135–1156.

Finsterbusch, Michael, Richter

Chris

, Rocha

Eduardo

, Muller

Jean-Alexander

and Hanssgen

Klaus

, A survey of payload-based traffic classification approaches, IEEE Communications Surveys & Tutorials 16(2) (2013), 1135–1156.

10.

Özdel, Süleyman, Ateş

Çağatay

, Ateş

Pelin Damla

, Koca

Mutlu

and Anarım

Emin

, Payload-Based Network Traffic Analysis for Application Classification and Intrusion Detection, In 2022 30th European Signal Processing Conference (EUSIPCO) pp. 638–642. IEEE, 2022.

11.

Dehghani, Fereshte, Movahhedinia

Nasser

, Khayyambashi

Mohammad Reza

and Kianian

Sahar

, Real-time traffic classification based on statistical and payload content features, In 2010 2nd international workshop on intelligent systems and applications pp. 1–4. IEEE. 2010,

12.

Lim, Hyun-Kyo, Kim

Ju-Bong

, Kim

Kwihoon

, Hong

Yong-Geun

and Han

Youn-Hee

, Payload-based traffic classification using multi-layer lstm in software defined networks, Applied Sciences 9(12) (2019), 2550.

13.

Hu, Yuzong, Zou

Futai

, Li

Linsen

and Yi

Ping

, Traffic classification of user behaviors in tor, i2p, zeronet, freenet. In 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computingand Communications (TrustCom), pp. 418–424. IEEE, 2020.

14.

Qu, Buyun, Zhang

Zhibin

, Zhu

Xingquan

and Meng

Dan

, An empirical study of morphing on behavior-based network traffic classification, Security and Communication Networks 8(1) (2015), 68–79.

15.

Zhao, Jingjing, Jing

Xuyang

, Yan

Zheng

and Pedrycz

Witold

, Network traffic classification for data fusion: A survey, Information Fusion. 72 (2021), 22–47.

16.

de Menezes, Nicolas Airoza Telles and de Mello

Flávio Luis

, Flow Feature-Based Network Traffic Classification Using Machine Learning, Journal of Information Security and Cryptography (Enigma) 8(1) (2021), 12–16.

17.

Zuev, Denis and Moore

Andrew W.

, Traffic classification using astatistical approach. In Passive and Active Network Measurement: 6th International Workshop, PAM 2005, Boston, MA, USA, March 31-April 1, 2005. Proceedings 6, pp. 321–324. Springer Berlin Heidelberg, 2005.

18.

Lohrasbinasab, Iraj, Shahraki

Amin

, Taherkordi

Amir

and Jurcut

Anca Delia

, From statistical-to machine learning-based network traffic prediction, Transactions on Emerging Telecommunications Technologies 33(4) (2022), e4394.

19.

Karagiannis, Thomas, Papagiannaki

Konstantina

and Faloutsos

Michalis

, BLINC: multilevel traffic classification in the dark. In Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications, pp. 229–240, 2005.

20.

Zander

, Nguyen

and Armitage

, Automated traffic classification and application identification using machine learning, in Proc. 2005 IEEE Conference on Local Computer Networks, pp. 250–257.

21.

McGregor

, Hall

, Brunskill

and Lorier

, Flow clustering using machine learning techniques, in Proc. 2004 Passive and Active Measurement Workshop, pp. 205–214.

22.

Erman

, Arlitt

and Mahanti

, Traffic classification using clustering algorithms, in Proc. 2006 SIGCOMM Workshop on Mining Network Data, pp. 281–286.

23.

Moore

A.W.

and Zuev

, Internet traffic classification using Bayesian analysis techniques, SIGMETRICS Perform, Eval. Rev.. 33 (2005), 50–60.

24.

Kim

, Claffy

, Fomenkov

, Barman

, Faloutsos

and LeeInternet

, traffic classification demystified: myths, caveats, and the best practices, in Proc. 2008 ACM CoNEXT Conference, pp. 1–12.

25.

Este

, Gringoli

and Salgarelli

, Support vector machines for TCP traffic classification, Computer Networks 53(14) (2009), 2476–2490.

26.

Bujlow

, Riaz

and Pedersen

J.M.

, A method for classification of network traffic based on C5.0 machine learning algorithm, in Proceedings of the International Conference on Computing, Networking and Communications (ICNC’12), pp. 237–241, Maui, Hawaii, USA, February, 2012.

27.

carela-Espanol

Valentin

, Barlet-Ros

Pere

, Mula-Valls

Oriol

and Sole-Pareta

Josep

, An Automatic Traffic Classification System for network operation and Management, Springer, October, 2013.

28.

Erman

, Mahanti

and Arlitt

, Internet traffic identificationusing machine learning, in Proc. 2006 IEEE Global Telecommunications Conference, pp. 1–6.

29.

Bakhshi

and Ghita

, On Internet traffic Classification: A Two-Phased Machine Learning Approach, Journal of Computer Networks and Communications, 2016.

30.

Zhang

, Chen

, Xiang

, Zhou

and Wu

, Robust networktraffic classification, IEEE/ACM Transactions on Networking 23(4) (2015), 1257–1270.

31.

Jenefa

, Bala

Moses

Singh

, Multi level statistical classification of network traffic. In 2017 InternationalConference on Inventive Computing and Informatics (ICICI), pp. 564–569. IEEE, 2017.

32.

Jenefa

and BalaSingh

, Moses, An Upgraded C5. 0 Algorithm forNetwork Application Identification. In 2018 2nd InternationalConference on Trends in Electronics and Informatics (ICOEI), pp. 789–794. IEEE, 2018.

33.

Jenefa

, Bala

Moses

Singh

, A multi-phased statisticallearning based classification for network traffic, Journal ofIntelligent & Fuzzy Systems 40(3) (2021), 5139–5157.

34.

Bernaille

, Akodkenou

, Teixeira

, Soule

and Salamatian

, Traffic classification on the fly, SIGCOMM Comput. Commun.Rev.. 36 (2006), 23–26.

35.

Dutta, Vibekananda, Pawlicki

Marek

, Kozik

Rafał

and Choraś

Michał

, Unsupervised network traffic anomaly detection with deep auto encoders, Logic Journal of the IGPL 30(6) (2022), 912–925.

36.

Towhid, Md Shamim and Shahriar

Nashid

, Encrypted network traffic classification using self-supervised learning. In 2022 IEEE 8thInternational Conference on Network Softwarization (NetSoft), pp. 366–374. IEEE. 2022.

37.

Zhao, Ruijie, Deng

Xianwen

, Yan

Zhicong

, Ma

Jun

, Xue

Zhi

and Wang

Yijun

, MT-Flow Former: A Semi-Supervised Flow Transformer for Encrypted Traffic Classification. In Proceedings of the 28th ACM SIGKDD Conference on Knowledge Discovery and Data Mining pp. 2576–2584, 2022.

38.

Kong, Xuan, Wang

Congcong

, Li

Yanmiao

, Hou

Jiangang

, Jiang

Tongqing

and Liu

Zhi

, Traffic Classification Based on CNN-LSTM Hybrid Network. In Digital TV and Wireless Multimedia Communications: 18th International Forum, IFTC 2021, Shanghai, China, December 3–4, 2021, Revised Selected Papers, pp. 401–411. Singapore: Springer Singapore, 2021.

39.

Lotfollahi, Mohammad, Siavoshani

Mahdi Jafari

, Zade

Ramin Shirali Hossein

and Saberian

Mohammdsadegh

, Deep packet: A novel approach for encrypted traffic classification using deep learning, Soft Computing 24(3) (2020), 1999–2012.

40.

Yamansavascilar, Baris, Guvensan

M. Amac

, Yavuz

A. Gokhan

and Karsligil

M.Elif

, Application identification via network traffic classification. In 2017 International Conference on Computing, Networking and Communications (ICNC), pp. 843–848. IEEE, 2017.

41.

Elnawawy, Mohammed, Sagahyroonz

Assim

and Shanableh

Tamer

, Fpga-based network traffic classification using machine learning, IEEE Access. 8 (2020), 175637–175650.

42.

Sharafaldin, Iman, Lashkari

Arash Habibi

and Ghorbani

Ali A.

, A detailed analysis of the cicids2017 data set. In Information Systems Security and Privacy: 4th International Conference, ICISSP 2018, Funchal-Madeira, Portugal, January 22-24, 2018, Revised Selected Papers 4, pp. 172–188. Springer International Publishing, 2019.

43.

Piskozub, Michal, Spolaor

Riccardo

and Martinovic

Ivan

, Malalert: Detecting malware in large-scale network traffic using statistical features, ACM SIGMETRICS Performance Evaluation Review 46(3) (2019), 151–154.

44.

Tavallaee, Mahbod, Stakhanova

Natalia

and Ghorbani

Ali Akbar

, Toward credible evaluation of anomaly-based intrusion-detection methods, IEEE Transactions on Systems, Man, and Cybernetics, Part C(Applications and Reviews) 40(5) (2010), 516–524.

45.

Koroniotis, Nickolaos, Moustafa

Nour

, Sitnikova

Elena

and Turnbull

Benjamin

, Towards the development of realistic botnet dataset in the internet of things for network forensic analytics: Bot-iot dataset, Future Generation Computer Systems. 100 (2019), 779–796.

46.

Izadi, Saadat, Ahmadi

Mahmood

and Rajabzadeh

Amir

, Network traffic classification using deep learning networks and Bayesian datafusion, Journal of Network and Systems Management 30(2) (2022), 25.

47.

Wei, Wenting, Gu

Huaxi

, Deng

Wenshuai

, Xiao

Zhe

and Ren

Xinming

, ABL-TC: A lightweight design for network traffic classification empowered by deep learning, Neurocomputing. 489 (2022), 333–344.

48.

Izadi, Saadat, Ahmadi

Mahmood

and Nikbazm

Rojia

, Network traffic classification using convolutional neural network and ant-lion optimization, Computers and Electrical Engineering 101(2022), 108024.

49.

Zheng, Weiping, Zhong

Jianhao

, Zhang

Qizhi

and Zhao

Gansen

, MTT: anefficient model for encrypted network traffic classification usingmulti-task transformer, Applied Intelligence 52(9) (2022), 10741–10756.

50.

Zola, Francesco, Segurola-Gil

Lander

, Bruse

Jan Lukas

, Galar

Mikel

and Orduna-Urrutia

Raúl

, Network traffic analysis through node behaviour classification: a graph-based approach with temporal dissection and data-level preprocessing, Computers & Security 115 (2022), 102632.

51.

Towhid, Md Shamim and Shahriar

Nashid

, Encrypted network trafficclassification using self-supervised learning. In 2022 IEEE 8thInternational Conference on Network Softwarization (NetSoft) pp. 366–374. IEEE, 2022.

52.

Jiang, Jehn-Ruey and Chen

Yan-Ting

, Industrial control system anomaly detection and classification based on network traffic, IEEE Access. 10 (2022), 41874–41888.

53.

Kim, Kwihoon, Lee

Joo-Hyung

, Lim

Hyun-Kyo

, Oh

Se Won

and Han

Youn-Hee

, Deep RNN-based network traffic classification scheme in edge computing system, Computer Science and Information Systems 19(1) (2022), 165–184.

54.

Adeleke, Oluwamayowa Ade, Bastin

Nicholas

and Gurkan

Deniz

, Network traffic generation: A survey and methodology, ACM Computing Surveys (CSUR) 55(2) (2022), 1–23.

55.

Lo, Wei, Alqahtani

Hamed

, Thakur

Kutub

, Almadhor

Ahmad

, Chander

Subhash

and Kumar

Gulshan

, A hybrid deeplearning based intrusion detection system using spatial-temporalrepresentation of in-vehicle network traffic, VehicularCommunications 35 (2022), 100471.

Work	Dataset	Description	Traffic Types	Location	Methodology	Evaluation Metrics
University of New Brunswick [40]	ISCX	Internet traffic classification dataset collected from various sources	Normal and malicious traffic	University, corporate, and residential networks	Machine learning	Accuracy, F1 score
Center for Applied Internet Data Analysis [41]	CAIDA	Internet traffic dataset collected from various sources around the world	Normal and malicious traffic	Global	Machine learning	Accuracy, F1 score
University of New Brunswick [42]	UNB Anomaly Detection Dataset	Network traffic dataset collected from a university network	Normal and malicious traffic	University network	Deep learning	Precision, recall
Defense Advanced Research Projects Agency [43]	DARPA IDS Dataset	Network traffic dataset collected from a military network	Normal and malicious traffic	Military network	Rule-based	Detection rate, false positive rate
Czech Technical University in Prague [44]	CTU-13 Dataset	Network traffic dataset collected from a university network	Normal and malicious traffic	University network	Hybrid (machine learning and rule-based)	Detection rate, accuracy