The Onion Router (TOR) network serves a growing number of users and an even faster-growing volume of traffic, which leads to network congestion and a general decline in end-user performance. TOR is also used by attackers to hide their identity: traffic is wrapped in layers of encryption and relayed through several nodes, so the destination never sees the client's address. In this setting, monitoring applications and their traffic is a challenging task, yet one that can give network administrators and security teams valuable insight. In this paper, we present a system that analyzes the packet captures of a network, classifies each stream as TOR or non-TOR and, for TOR streams, identifies the type of application that generated them. TOR Application detection with a Voting-classifier Critic (TAVo) uses a two-layer classifier combined with a specialized Critic model. The first layer separates non-TOR from TOR traffic; the second layer determines the application behind each TOR stream. Whenever the second layer's prediction falls below a confidence threshold, the voting-classifier Critic is invoked to confirm or correct the prediction for these difficult cases. Through a set of experiments on a recent dataset, we show that TAVo offers substantial gains in performance, achieving an average F1 score of 84% without the Critic model and 91% with it. Moreover, because the Critic is only consulted for the cases on which the base models struggle, its cost is limited and the overall system remains efficient.
Article ID: 2023L21
Publisher: Canadian Artificial Intelligence Association
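The two-layer cascade with a confidence-gated Critic described in the abstract, as an added illustration that is not TAVo's code: the paper does not specify its base models, features or threshold, so the nearest-centroid layers, the k-NN hard-voting Critic, the three per-flow features (mean packet length, mean inter-arrival time, bytes per second), the constructed training flows and the 0.3 confidence threshold are all assumptions chosen to show the control flow. The point is the gating: the Critic is only called when the second layer's margin confidence is low, and `evaluate` reports both the macro-F1 and the fraction of flows that were escalated.

```python
"""Two-layer TOR classifier with a confidence-gated voting Critic (added
illustration, not TAVo's code; features, models, flows and threshold are
assumptions)."""
from collections import Counter
from math import sqrt
from statistics import mean, pstdev

# Constructed flows: (mean packet length, mean inter-arrival ms, bytes/s).
# Tor cells are padded to a fixed size, so Tor packet lengths cluster tightly.
TRAIN = [(x, "nontor", None) for x in [(1200, 5, 200000), (1100, 8, 150000), (1300, 4, 250000)]]
TRAIN += [(x, "tor", "browsing") for x in [(540, 50, 15000), (560, 60, 12000), (520, 45, 18000)]]
TRAIN += [(x, "tor", "video") for x in [(580, 10, 90000), (600, 12, 80000), (570, 9, 100000)]]
TRAIN += [(x, "tor", "chat") for x in [(530, 300, 800), (510, 400, 600), (550, 250, 1000)]]

def fit_scaler(rows):
    """Per-feature (mean, std) so that no single feature dominates distances."""
    return [(mean(col), pstdev(col) or 1.0) for col in zip(*rows)]

def scale(x, scaler):
    return [(v - m) / s for v, (m, s) in zip(x, scaler)]

def dist(a, b):
    return sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))

class NearestCentroid:
    """Base model of one layer: nearest class centroid plus a margin confidence."""
    def __init__(self, rows, labels):
        self.scaler = fit_scaler(rows)
        groups = {}
        for x, y in zip(rows, labels):
            groups.setdefault(y, []).append(scale(x, self.scaler))
        self.centroids = {y: [mean(c) for c in zip(*pts)] for y, pts in groups.items()}

    def predict(self, x):
        z = scale(x, self.scaler)
        ranked = sorted((dist(z, c), y) for y, c in self.centroids.items())
        (d1, label), (d2, _) = ranked[0], ranked[1]
        conf = 1.0 - d1 / d2 if d2 > 0 else 1.0  # 1.0 on a centroid, 0.0 midway between two
        return label, conf

class VotingCritic:
    """Critic: hard majority vote of k-NN voters with different k (an assumption)."""
    def __init__(self, rows, labels, ks=(1, 3, 5)):
        self.scaler = fit_scaler(rows)
        self.points = [(scale(x, self.scaler), y) for x, y in zip(rows, labels)]
        self.ks = ks

    def predict(self, x):
        z = scale(x, self.scaler)
        ranked = sorted(self.points, key=lambda p: dist(z, p[0]))
        votes = Counter(Counter(y for _, y in ranked[:k]).most_common(1)[0][0] for k in self.ks)
        return votes.most_common(1)[0][0]

class TorCascade:
    """Layer 1: TOR vs non-TOR. Layer 2: application. Critic only for low-confidence cases."""
    def __init__(self, train, threshold=0.3):  # the 0.3 threshold is an assumption
        self.layer1 = NearestCentroid([x for x, _, _ in train], [k for _, k, _ in train])
        tor_rows = [x for x, k, _ in train if k == "tor"]
        tor_apps = [a for _, k, a in train if k == "tor"]
        self.layer2 = NearestCentroid(tor_rows, tor_apps)
        self.critic = VotingCritic(tor_rows, tor_apps)
        self.threshold = threshold

    def classify(self, x):
        """Return (is_tor, application, critic_used) for one flow."""
        kind, _ = self.layer1.predict(x)
        if kind != "tor":
            return False, None, False
        app, conf = self.layer2.predict(x)
        if conf >= self.threshold:
            return True, app, False
        return True, self.critic.predict(x), True  # hard case: escalate to the Critic

def macro_f1(y_true, y_pred):
    scores = []
    for c in sorted(set(y_true) | set(y_pred)):
        tp = sum(t == c and p == c for t, p in zip(y_true, y_pred))
        fp = sum(t != c and p == c for t, p in zip(y_true, y_pred))
        fn = sum(t == c and p != c for t, p in zip(y_true, y_pred))
        prec = tp / (tp + fp) if tp + fp else 0.0
        rec = tp / (tp + fn) if tp + fn else 0.0
        scores.append(2 * prec * rec / (prec + rec) if prec + rec else 0.0)
    return sum(scores) / len(scores)

def evaluate(cascade, flows):
    """Macro-F1 on the combined label and the share of flows that needed the Critic."""
    y_true, y_pred, escalated = [], [], 0
    for x, kind, app in flows:
        is_tor, pred_app, used = cascade.classify(x)
        y_true.append(app if kind == "tor" else "nontor")
        y_pred.append(pred_app if is_tor else "nontor")
        escalated += used
    return {"macro_f1": macro_f1(y_true, y_pred), "critic_rate": escalated / len(flows)}

if __name__ == "__main__":
    cascade = TorCascade(TRAIN)
    print(evaluate(cascade, TRAIN))
    print(cascade.classify((561, 31, 52500)))  # constructed flow near the browsing/video boundary
```

The margin confidence is 1.0 when a flow sits on a class centroid and 0.0 when it is exactly midway between two centroids, so a flow halfway between the browsing and video clusters is always escalated while the training flows themselves are not. In a real deployment the threshold trades Critic cost against accuracy, which is the efficiency argument the abstract makes; the `critic_rate` returned by `evaluate` is the number to watch when tuning it.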