XAITrafficIntell: Interpretable Cyber Threat Intelligence for Darknet Traffic Analysis

Network traffic analysis is essential for enhancing network security and management. Integrating Machine Learning and Explainable Artificial Intelligence (XAI) offers a promising avenue for exploring darknet traffic. XAI’s integration into security domains paves the way to enriching our understanding of network traffic patterns and extracting valuable insights for security purposes. This investigation delves into the intricacies of darknet traffic classification by analyzing the datasets ISCXTor2016 and CIC-Darknet2020. By employing XAI techniques, we identify the most crucial features for accurate network traffic categorization. We conduct an in-depth analysis of darknet traffic models by utilizing explainable tools such as SHAP, LIME, Permutation Importance, and Counterfactual Explanations. Our experimental results highlight Protocol as the crucial factor in the ISXCTor2016 traffic classification, Source Port in the ISCXTor2016 application identification, and IdleMax in the CIC-Darknet2020 traffic classification. Additionally, our analysis encompassed the extraction of Cyber Threat Intelligence from the IP addresses within the network traffic. We explored the prevalent malware types and discerned specific targeted countries. Furthermore, a comprehensive exploration was conducted on the sophisticated attack techniques employed by adversaries. Our analysis identified T1071 as a frequently employed attack technique in which adversaries utilize OSI application layer protocols to communicate, strategically evading detection and network filtering measures.