Deep Neural Classification of Darknet Traffic

Mahmoud Alimoradi (a), Mahdieh Zabihimayvan (b,1), Arman Daliri (c), Ryan Sledzik (d), and Reza Sadeghi (e)

(a, c) Independent researchers
(b, d) Department of Computer Science, Central Connecticut State University, New Britain, CT, USA
(e) School of Computer Science and Mathematics, Marist College, Poughkeepsie, NY, USA

Abstract. Darknet is an encrypted portion of the internet for users who intend to hide their identity. Darknet’s anonymous nature makes it an effective tool for illegal online activities such as drug trafficking, terrorist activities, and dark marketplaces. Darknet traffic recognition is essential in monitoring and detection of malicious online activities. However, due to the anonymizing strategies used for the darknet to conceal users’ identity, traffic recognition is practically challenging. The state-of-the-art recognition systems are empowered by artificial intelligence techniques to segregate the Darknet traffic data. Since they rely on processed features and balancing techniques, these systems suffer from low performance, inability to discover hidden relations in data, and high computational complexity. In this paper, we propose a novel decision support system named Tor-VPN detector to classify raw darknet traffic into four classes of Tor, non-Tor, VPN, and non-VPN. The detector discovers complex non-linear relations from raw darknet traffic by our deep neural network architecture with 79 input artificial neurons and 6 hidden layers. To evaluate the performance of the proposed method, analyses are conducted on a benchmark dataset of DIDarknet. Our model outperforms the state-of-the-art neural network for darknet traffic classification with an accuracy of 96%. These results demonstrate the power of our model in handling darknet traffic without using any preprocessing techniques, like feature extraction or balancing techniques.

Keywords. Darknet traffic, Machine learning, Decision support system, Deep neural network, Tor, Classification.

1. Introduction

Anonymity networks complicate any possibility of tracking and tracing of users’ identity on the Web and rely on a worldwide network of volunteer Web servers. Darknets such as Tor and I2P are anonymity networks that prevent traffic analysis and activity monitoring using encryption schemes like onion routing [1]. The anonymity on darknets is indeed provided for both senders and receivers. This anonymous nature allows users to carry on illegal activities as dark hidden services. A web of such services on darknets such as Tor is called dark Web and there has been a great deal of work to analyze the content and application of hidden services on dark Web [2] [3]. However, the focus of this paper is on classification of network traffic on darknets, rather than investigation of dark Web.

1 Corresponding Author; E-mail: zabihimayvan@ccsu.edu.

Artificial Intelligence Research and Development, A. Cortés et al. (Eds.). © 2022 The authors and IOS Press. This article is published online with Open Access by IOS Press and distributed under the terms of the Creative Commons Attribution Non-Commercial License 4.0 (CC BY-NC 4.0). doi:10.3233/FAIA220323