LowPTor: A lightweight method for detecting extremely low-proportion darknet traffic

Abstract

The darknet’s accessibility has increased significantly in recent years, making it more susceptible to exploitation by cybercriminals. The darknet’s inherent characteristics of high concealment, strong anonymity, and resistance to tracing have created a fertile ground for illicit activities, which are becoming increasingly prevalent. Deep learning models’ complex computations in high-dimensional feature spaces result in significant computational overhead and prolonged inference times, hindering their deployment in backbone networks where real-time detection is crucial. Dealing these challenges requires innovative solutions for efficient traffic sampling, feature engineering, model simplification, memory optimization and inference acceleration. Therefore, this paper introduces a collaborative filtering algorithm, an extensible channel-wise feature group, and a lightweight detection algorithm, designed to optimize performance through operator fusion and channel alignment. The proposed algorithm combines the advantages of lightweight CNNs (Convolutional Neural Networks), leverages GPU (Graphics Processing Unit) parallelism, and reduces memory allocation overhead, resulting in a CUDA (Compute Unified Device Architecture) core-optimized neural network model that achieves significant inference speedup. We utilize extensible channel-wise feature group derived from short traffic packet sequences to improve detection accuracy. Our approach targets the detection and prevention of illicit darknet traffic during the connection phase, rather than interfering with data transmission. By integrating rule-based filtering with small flow sampling within collaborative filtering, we facilitate early detection while maintaining minimal complexity overhead. To the best of our knowledge, the methodology proposed in this paper is the first to be designed based on operator fusion and channel alignment strategies, specifically aimed at detecting extremely low-proportion darknet traffic within backbone networks. Our approach synthesizes three extremely low-proportion darknet traffic datasets, utilizing the self-built, CIC-Darknet2020, and TCUB datasets as Tor sources. Notably, our approach achieves a 45.79% reduction in actual inference time compared to current state-of-the-art (SOTA) method, while maintaining SOTA detection accuracy. Furthermore, our method exhibits the capability to filter out up to 91.26% (with a minimum of 78.01%) of the packets to be processed, without compromising any flows.