Darknet Traffic Classification with Machine Learning Algorithms and SMOTE Method

Abstract

The Darknet is a network that can be accessed with certain privileges and runs a non-standard communication protocol. The Darknet traffic that consists of data from several known networks such as Tor and the P2P is often used for criminal activities due to its anonymity. It is so critical to correctly classify Darknet traffic to differentiate the individual flows for security purposes. In this paper, we proposed three different machine learning (ML) based traffic classification approaches; the binary classification of Darknet and Benign traffic classes (Case 1); the quadruple classification of classes Tor, NonTor, VPN, and NonVpn (Case 2); an traffic classification of eight sub-traffic classes (Case 3). We further applied the SMOTE method for balancing the sizes of the classes in the traffic dataset and feature selection (FS) algorithms to identify the most effective attributes where the number of features in the original dataset were reduced from 63 to 8, 8 and 6 for Case 1, 2 and 3 respectively. For all three cases, classification was performed with six different machine learning algorithms with and without SMOTE, and the highest accuracy values were obtained with SMOTE method. The highest accuracy values were obtained with the Random Forest Algorithm as 97.22%, 97.16% and 85.99% for Case 1, 2 and 3, respectively.