FlowMFD: Characterisation and classification of tor traffic using MFD chromatographic features and spatial–temporal modelling

Abstract Tor traffic tracking is valuable for combating cybercrime as it provides insights into the traffic active on the Tor network. Tor‐based application traffic classification is one of the tracking methods, which can effectively classify Tor application services. However, it is not effective in classifying specific applications due to more complicated traffic patterns in the spatial and temporal dimensions. As a solution, the authors propose FlowMFD, a novel Tor‐based application traffic classification approach using amount‐frequency‐direction (MFD) chromatographic features and spatial‐temporal modelling. Expressly, FlowMFD mines the interaction pattern between Tor applications and servers by analysing the time series features (TSFs) of different size packets. Then MFD chromatographic features (MFDCF) are designed to represent the pattern. Those features integrate multiple low‐dimensional TSFs into a single plane and retain most pattern information. In addition, FlowMFD utilises a cascaded model with a two‐dimensional convolutional neural network (2D‐CNN) and a bidirectional gated recurrent unit to capture spatial‐temporal dependencies between MFDCF. The authors evaluate FlowMFD under the public ISCXTor2016 dataset and the self‐collected dataset, where we achieve an accuracy of 92.1% (4.2%↑) and 88.3% (4.5%↑), respectively, outperforming state‐of‐the‐art comparison methods.