Research on Tor Traffic Classification Based on Improved Bidirectional  Memory Residual Network

Journal of Information Security Reserach ›› 2025, Vol. 11 ›› Issue (5): 447-.

Previous Articles Next Articles

Research on Tor Traffic Classification Based on Improved Bidirectional Memory Residual Network

Tang Yan1, Wang Heng1, Ma Ziqiang1,2, Teng Hailong1, Shi Ruohan1, and Zhang Ningning3#br#

#br#

1(School of Information Engineering, Ningxia University, Yinchuan 750021)
2(Ningxia Key Laboratory of Artificial Intelligence and Information Security for Channeling Computing Resources from the East to the West(Ningxia University), Yinchuan 750021)
3(Ningxia Branch of National Computer Network and Information Security Management Center, Yinchuan 750021)

Online:2025-06-03 Published:2025-06-03

基于改进双向记忆残差网络的Tor流量分类研究

唐妍1王恒1马自强1,2滕海龙1施若涵1张宁宁3

1(宁夏大学信息工程学院银川750021)
2(宁夏“东数西算”人工智能与信息安全重点实验室(宁夏大学)银川750021)
3(国家计算机网络与信息安全管理中心宁夏分中心银川750021)

通讯作者: 唐妍硕士研究生.主要研究方向为流量识别、模型安全. 2601568298@qq.com
作者简介:唐妍硕士研究生.主要研究方向为流量识别、模型安全. 2601568298@qq.com 王恒博士，教授.主要研究方向为网络空间安全、自然语言处理. wangh@nxu.edu.cn 马自强博士，副教授.主要研究方向为计算机系统安全、区块链应用安全. maziqiang@nxu.edu.cn 滕海龙硕士研究生.主要研究方向为流量识别. 1642146750@qq.com 施若涵主要研究方向为流量识别、网络空间安全. 3105372992@qq.com 张宁宁工程师. 主要研究方向为网络攻击流量特征识别、网络攻击应急响应及溯源取证. zhangnn@nxcert.org.cn

Abstract

Abstract: In order to solve the problem of difficulty in correctly classifying Tor traffic and regulating it due to the encryption characteristics of Tor links, a Tor traffic classification method based on an improved bidirectional memory residual neural network (CBAMBiMRNet) is proposed. Firstly, the SMOTETomek (SMOTE and Tomek links) comprehensive sampling algorithm is adopted to balance the dataset, so that the model could learn from the traffic data of all categories. Secondly, CBAM is used to assign greater weights to important features, combining 1D convolution with bidirectional long shortterm memory modules to extract temporal and local spatial features of Tor traffic data. Finally, by adding identity maps, the phenomenon of gradient vanishing and exploding caused by the increase in model layers was avoided, and the problem of network degradation was solved. The experimental results show that on the ISCXTor2016 dataset, the accuracy of our model for Tor traffic recognition reached 99.22%, and the accuracy for Tor traffic application service type classification reached 93.10%, proving that the model can effectively recognize and classify Tor traffic.

Key words: Tor traffic, residual network, traffic identification, integrated sampling, class imbalance

摘要： 为了解决Tor链路加密的特性导致模型难以对Tor流量进行正确分类导致监管困难的问题，提出了一种基于改进双向记忆残差网络(convolutional block attention modulebidirectional memory residual neural network, CBAMBiMRNet)的Tor流量分类方法.首先，采用SMOTETomek(SMOTE and tomek links)综合采样算法平衡数据集，使模型能够对各类流量数据进行充分学习.其次，采用CBAM为重要的特征赋予更大的权值，将1维卷积与双向长短期记忆模块结合起来，提取Tor流量数据的时间特征和局部空间特征.最后，通过添加恒等映射避免因模型层数的增加而出现的梯度消失和梯度爆炸现象，并且解决了网络退化问题.实验结果表明，在ISCXTor2016数据集上，该模型对Tor流量识别的准确率达到99.22%，对Tor流量应用服务类型分类的准确率达到93.10%，证明该模型能够有效地对Tor流量进行识别和分类.

关键词: Tor流量, 残差网络, 流量识别, 综合采样, 类别不平衡

CLC Number:

TP309

唐妍, 王恒, 马自强, 滕海龙, 施若涵, 张宁宁, . 基于改进双向记忆残差网络的Tor流量分类研究[J]. 信息安全研究, 2025, 11(5): 447-.

References

［1］Lashkari A H, Gil G D, Mamun M S I, et al. Characterization of Tor traffic using time based features［C］ Proc of Int Conf on Information Systems Security and Privacy. Setúbal, Portugal: SciTePress, 2017: 253262［2］Karagiannis T, Broido A, Faloutsos M, et al. Transport layer identification of P2P traffic［C］ Proc of the 4th ACM SIGCOMM Conf on Internet Measurement. New York: ACM, 2004: 121134［3］elebi M, zbilen A, Yavanolu U. A comprehensive survey on deep packet inspection for advanced network traffic analysis: Issues and challenges［J］. Nigde Omer Halisdemir University Journal of Engineering Sciences, 2023, 12(1): 129［4］Saputra F A, Nadhori I U, Barry B F. Detecting and blocking onion router traffic using deep packet inspection［C］ Proc of 2016 Int Electronics Symposium (IES). Piscataway, NJ: IEEE, 2016: 283288［5］He G, Yang M, Luo J, et al. Inferring application type information from Tor encrypted traffic［C］ Proc of the 2nd Int Conf on Advanced Cloud and Big Data. Piscataway, NJ: IEEE, 2014: 220227［6］Liang D, He Y. Obfs4 traffic identification based on multiplefeature fusion［C］ Proc of 2020 IEEE Int Conf on Power, Intelligent Computing and Systems (ICPICS). Piscataway, NJ: IEEE, 2020: 323327［7］王腾飞, 蔡满春, 岳婷, 等. HistogramXGBoost的Tor匿名流量识别［J］. 计算机工程与应用, 2021, 57(14): 110115［8］Shapira T, Shavitt Y. Flowpic: Encrypted internet traffic classification is as easy as image recognition［C］ Proc of IEEE Conf on Computer Communications Workshops (INFOCOM 2019). Piscataway, NJ: IEEE, 2019: 680687［9］Lan J, Liu X, Li B, et al. DarknetSec: A novel selfattentive deep learning method for darknet traffic classification and application identification［J］. Computers & Security, 2022, 116: 102663［10］He L, Wang L, Cheng K, et al. FlowMFD: Characterisation and classification of Tor traffic using MFD chromatographic features and spatialtemporal modelling［J］. IET Information Security, 2023, 17(4): 598615［11］黄岩. 基于残差网络的Tor匿名流量识别［D］. 银川: 宁夏大学, 2023［12］Qin J, Liu G, Duan K. A new imbalanced encrypted traffic classification model based on cbam and reweighted loss function［J］. Applied Sciences, 2022, 12(19): 9631［13］王曦锐, 芦天亮, 张建岭, 等. 基于加权Stacking集成学习的Tor匿名流量识别方法［J］. 信息网络安全, 2021, 21(12): 118125［14］Yao H, Liu C, Zhang P, et al. Identification of encrypted traffic through attention mechanism based long short term memory［J］. IEEE Trans on Big Data, 2019, 8(1): 241252［15］Swana E F, Doorsamy W, Bokoro P. Tomek link and SMOTE approaches for machine fault classification with an imbalanced dataset［J］. Sensors, 2022, 22(9): 3246［16］尹梓诺, 马海龙, 胡涛. 基于联合注意力机制和一维卷积神经网络双向长短期记忆网络模型的流量异常检测方法［J］. 电子与信息学报, 2023, 45(10): 37193728［17］张天月, 陈伟, 刘宇啸. 基于多尺度时空残差网络的入侵检测方法［J］. 信息安全研究, 2023, 9(11): 10451053［18］肖斌, 甘昀, 汪敏, 等. 基于端口注意力与通道空间注意力的网络异常流量检测［J］. 计算机应用, 2024, 44(4): 10271034［19］He Kaiming, Zhang Xiangyu, Ren Shaoqing, et al. Deep residual learning for image recognition［C］ Proc of the IEEE Conf on Computer Vision and Pattern Recognition. Piscataway, NJ: IEEE, 2016: 770778［20］Shaikh A A S, Bhargavi M S, Kumar C P. An optimised Darknet traffic detection system using modified locally connected CNNBiLSTM network［J］. International Journal of Ad Hoc and Ubiquitous Computing, 2023, 43(2): 8796［21］Lim H S, Lee S J. Classification of Tor network traffic using CNN［J］. Convergence Security Journal, 2021, 21(3): 3138［22］Singh D, Shukla A, Sajwan M. Deep transfer learning framework for the identification of malicious activities to combat cyberattack［J］. Future Generation Computer Systems, 2021, 125: 687697

[1]	. Research on Blockchain Anomaly Transaction Detection Technology Based on Stacking Ensemble Learning [J]. Journal of Information Security Reserach, 2023, 9(2): 98-.
[2]	. Intrusion Detection Method Based on Multiscale Spatialtemporal Residual Network [J]. Journal of Information Security Reserach, 2023, 9(11): 1045-.

Research on Tor Traffic Classification Based on Improved Bidirectional Memory Residual Network

基于改进双向记忆残差网络的Tor流量分类研究

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 2

Recommended Articles

Metrics