Available via license: CC BY-NC-ND 4.0
Received 1 October 2024, accepted 11 October 2024, date of publication 14 October 2024, date of current version 25 October 2024.
Digital Object Identifier 10.1109/ACCESS.2024.3480330
Active-Darknet: An Iterative Learning Approach for Darknet Traffic Detection and Categorization
SIDRA ABBAS 1, (Graduate Student Member, IEEE), IMEN BOUAZZI 2,3,
GABRIEL AVELINO SAMPEDRO 4, (Member, IEEE), SHTWAI ALSUBAI 5,
AHMAD S. ALMADHOR 6, ABDULLAH AL HEJAILI7,
AND NATALIA KRYVINSKA 8
1Department of Computer Science, COMSATS University Islamabad, Islamabad 45550, Pakistan
2Department of Industrial Engineering, College of Engineering, King Khalid University, Abha 62521, Saudi Arabia
3Center for Engineering and Technology Innovations, King Khalid University, Abha 61421, Saudi Arabia
4Department of Computer Science, University of the Philippines Diliman, Quezon 1101, Philippines
5College of Computer Engineering and Sciences, Prince Sattam bin Abdulaziz University, Al-Kharj 16273, Saudi Arabia
6Department of Computer Engineering and Networks, College of Computer and Information Sciences, Jouf University, Sakaka 72388, Saudi Arabia
7Faculty of Computers & Information Technology, Computer Science Department, University of Tabuk, Tabuk 71491, Saudi Arabia
8Department of Information Management and Business Systems, Faculty of Management, Comenius University in Bratislava, 82005 Bratislava, Slovakia
Corresponding authors: Natalia Kryvinska (natalia.kryvinska@uniba.sk) and Sidra Abbas (sidraabbas@ieee.org)
This work was supported by the Deanship of Research and Graduate Studies, King Khalid University, through the Small Group Research
Project RGP.1/338/45.
ABSTRACT Darknet refers to a significant portion of the internet that is hidden and not indexed by traditional
search engines. It is often associated with illicit activities such as the trafficking of illicit goods, such as drugs,
weapons, and stolen data. To keep our online cyber spaces safe in this era of rapid technological advancement
and global connectivity, we should analyse and recognise darknet traffic. Beyond cybersecurity, this attention
to detail includes safeguarding intellectual property, stopping illegal activity, and following the law. In order
to improve accuracy and precision in identifying illicit activities, this study presents a novel approach named
Active-Darknet that uses an active learning-based machine learning model for detecting darknet traffic.
In order to guarantee high-quality analysis, our methodology includes extensive data preprocessing, such
as numerically encoding categorical labels and improving the representation of minority classes using data
balancing. In addition to machine learning models, we also use Deep Neural Networks (DNN), Bidirectional
Long Short-Term Memory (BI-LSTM) and Flattened-DNN for experimentation. The majority of models
exhibited encouraging outcomes; however, the models that utilised active learning, specifically the Random
Forest (RF) and Decision Tree (DT) models, attained promising accuracy levels of 87%, rendering them the
most efficient in detecting darknet traffic. Large traffic analysis is greatly enhanced by this method, which
also increases the detection process’s robustness and effectiveness.
INDEX TERMS Active learning, darknet, anonymity, encrypted networks, encrypted traffic, machine
learning, virtual private network (VPN).
The associate editor coordinating the review of this manuscript and
approving it for publication was Olarik Surinta.
VOLUME 12, 2024
2024 The Authors. This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License.
For more information, see https://creativecommons.org/licenses/by-nc-nd/4.0/
I. INTRODUCTION
A major part of the internet that is hidden and not indexed by
conventional search engines is referred to as the "darknet."
It is frequently linked to illegal activities like the trafficking
of illegal goods, including weapons, drugs, and stolen
data [1], [2]. Darknet websites usually run on encrypted
networks and need special software or configurations to
access; this gives users anonymity and makes it harder for
law authorities to track their movements [3]. It is important
to remember, though, that not everything done on the Darknet
is prohibited; there are respectable forums and services
there that value anonymity and privacy [4]. Darknet activity
detection greatly enhances cybersecurity by assisting in the
detection and prevention of illicit activities like fraud, drug
trafficking, and illegal trading [5]. This feature protects
intellectual property by making sure that private data and
assets are shielded from theft and unwanted access. It also
helps companies to meet standards and regulations, which
helps them stay out of trouble with the law and save money.
Taking proactive measures to reduce the risks linked to
darknet activities also improves overall security posture [6].
In the end, these initiatives discourage illicit activity and help
to create a more secure and safe online environment for all
users. Figure 1 depicts the overall working of the darknet
operations.
FIGURE 1. Mechanism to access darknet.
A. MOTIVATION
In the age of technological innovation and global connectivity,
identifying darknet traffic is essential to protecting
our online spaces. Recognising covert online activity is
crucial since cyber threats are constantly changing and
multiplying [7]. This watchfulness goes beyond just cybersecurity
and includes protecting the integrity of intellectual
property, foiling unlawful activities, and adhering to legal
requirements. Through proactive monitoring and mitigation
of illicit online behaviour, organisations can strengthen their
security, safeguard confidential information, and promote a
more secure and safe digital environment for all [8]. The
drive to identify darknet traffic originates from a shared
dedication to maintaining the authenticity and safety of online
environments. Proactively identifying illicit online activity
is crucial to stopping criminal activities, protecting sensitive
data, and maintaining ethical standards because cyber
threats are becoming more complex and widespread [9].
Organisations that monitor darknet traffic with vigilance and
proactivity safeguard not only their interests but also aid in
the larger fight against cybercrime and maintain user trust and
safety in online environments [10].
Darknet traffic is routinely encrypted, anonymous, and
evolutionary, and therefore, it is not feasible to manually
annotate large amounts of data. This is something that active
learning achieves due to its inherent mechanism, which only
chooses the most informative data to be labelled. Focusing
on high-value samples increases the overall efficiency of
training Machine learning and deep learning models and
hence provides faster adaptation to new changing threats.
This also makes models generalise better to mimic the real
darknet environment, especially as the labelled data is rare.
B. CONTRIBUTIONS
This paper makes the following contributions:
• This study presents a novel approach named Active-Darknet
that uses an active learning-based machine
learning model for detecting and classifying darknet
traffic. This method entails examining closely the traffic
in question to enhance precision and accuracy and
enhance large traffic analysis, which also renders the
detection process robust and effective.
• In order to guarantee high-quality analysis, our methodology
includes extensive data preprocessing, such as
numerically encoding categorical labels and utilising the
Synthetic Minority Over-sampling Technique (SMOTE)
for data balancing. In addition to machine learning models
(i.e., XGBoost (XGB), RF, and DTs), we use DNN,
BI-LSTM, and Flattened-DNN for experimentation.
• The majority of models exhibited encouraging outcomes;
however, the models that utilised active learning,
specifically the RF and DT models, attained promising
accuracy levels of 87%, rendering them the most efficient
in detecting darknet traffic. Large traffic analysis
is greatly enhanced by this method, which also increases
the detection process's robustness and effectiveness.
C. ORGANIZATION
Consequently, there are considerable innovation benefits to
this study, which is organised into five main sections.
Section I introduces the darknet, and Section II provides
the literature review regarding the detection of darknet
traffic. Section III then presents the proposed approach for
the detection of darknet traffic. Finally, the experimental
results and the conclusion are given in Sections IV and V.
II. RELATED WORK
Authors in [11] unveiled DarkDetect to stop illicit activity on the Darknet.
Using machine learning techniques and a large dataset of
darknet traffic, DarkDetect finds important features that
are necessary for detection. It achieves outstanding results
by utilising the powerful Convolutional Long Short-Term
Memory (CNN-LSTM) model, demonstrating 96% accuracy
in detecting darknet traffic and 89% accuracy in classifying
it. These results represent a significant improvement over
existing approaches and a positive development in the
ongoing fight against illegal online activity. Authors in [12]
used machine learning techniques for traffic classification to
prioritise the analysis of network data features over content,
focusing on traffic patterns, thereby advancing the fight
against darknet activity. These models have demonstrated
exceptional performance in differentiating between regular
and Darknet traffic, with training datasets covering both types
of traffic and accuracies that have exceeded 98% in prior
research. It emphasises how machine learning has enormous
potential to protect our digital spaces from illegal activity.
Authors in [13] suggest a novel method for spotting
illicit activity on the Darknet. The two stages of the
method’s operation are as follows: first, it extracts important
features from darknet traffic data, probably using TF-IDF
or other techniques to highlight terms specific to the
Darknet. It then analyses these features and flags criminal
activity using LightGBM, a very accurate machine-learning
algorithm for classification. Authors in [14] presented an
approach that uses deep learning to identify activity on the
Darknet. It uses DeepImage, a deep neural network that
can analyse raw traffic data directly without the need for
manual feature selection, in contrast to traditional methods.
This breakthrough produced amazing results, outperforming
existing techniques with a 96% classification accuracy rate
for darknet traffic. The triumph of DeepImage highlights
its potential as a potent instrument for identifying darknet
traffic, indicating increased resilience and flexibility in
countering unlawful online activities. Authors in [15] provide
important insights into the ongoing efforts to combat illicit
online activities by highlighting both effective strategies and
enduring difficulties, such as managing anonymised traffic
and gaining access to limited real-world data.
Authors in [16] explore how finding Onion Services is
affected by modified Tor anonymisation. Researchers hope to
identify distinctive patterns by comparing traffic directed to
Onion Services with regular Tor traffic. Though success rates
are not stated, the study’s focus on whether these changes
make it more difficult to detect criminal activity on the
Darknet offers important insights for improving detection
methods. This research has aided the continued development
of more precise techniques for monitoring and recognising
illegal activity in darknet environments. In [17], an ensemble
machine learning method for darknet traffic classification is
presented in "Darknet Traffic Analysis and Classification
System Based on Modified Stacking Ensemble Learning
Algorithms". Through the
analysis of large amounts of darknet data, the system finds
important differentiators and feeds them into an ensemble
model with two layers. This novel approach, which combines
several machine learning algorithms, produces outstanding
outcomes, exceeding 97% accuracy in both detection
and classification. This study represents a breakthrough in
detection methodologies by highlighting the effectiveness of
ensemble learning as a powerful tool in countering darknet
activity.
Authors in [18] reviewed deep active learning (DAL),
a technique that incorporates deep learning and active
learning to lessen the costs of labelling data. To review
DAL methods, it grouped them by query strategies and types
of uncertainty measurement, compared their applications in
several fields, and offered potential topics for further investigation.
The author of [19] provides rich information
about the active learning strategies where the prominent
goal is to address the problem of cost-effectiveness in data
labelling while focusing on the selection of informative
samples to label. Active learning is described with a focus
on different query strategies, measures of uncertainty, and
problems that may be encountered. Also, the paper points to
new developments in the field and studies the possibilities
for further research. In any case, it is a useful source for
researchers and practitioners who search for applications and
constraints of active learning concepts.
Some of the discussed papers describe the use of
other new methods in machine learning and deep learning
to detect and classify traffic on the darknets with high
accuracy. Sarwar et al. used a CNN-LSTM model, with
detection and classification accuracies of 96% and 89%,
respectively. Iliadis et al. focused methodically on traffic
patterns only and reached an accuracy level of 98%
and above. Rawat et al. used a two-stage method
incorporating LightGBM, whose accuracy frequently touched
98%. In another study, Alimoradi et al. employed DeepImage
for deep neural classification of radiotherapy medical
images with up to 96% accuracy. Moreira and colleagues
constructed intelligent sampling for real-time sampling.
Saleem et al. covered trends and challenges, and
Karunanayake et al. set out to determine the effect of Tor
anonymisation on detection. Other authors have made a number
of contributions, such as the stacking ensemble learning
proposed by Al-Momani et al., which was reported to
achieve an accuracy of over 97%. However,
the following issues persist: dealing with anonymised traffic,
obtaining actual data, and the possibility of introducing an
improved level of efficiency and accuracy using real-time
technologies and applications such as SCA.
III. PROPOSED APPROACH
A new way of detecting and classifying darknet traffic flow
has been designed, concentrating on improving the accuracy
and precise identification of suspicious traffic as shown in
Figure 2. This method is well suited to analyse a large
amount of traffic in order to enhance the capability of
detecting anomalous behaviours as well as enhancing the
flow of the entire network. Thus, the proposed approach not
only improves the possibility of monitoring and identifying
unusual traffic but also increases the effectiveness of the
used solutions when handling a large amount of traffic data,
thus protecting networks from illicit activity. Through the
integration of active learning with machine learning, the
method injects robustness into the classification process,
hence the ability to fine-tune the detection ability of the model
as more data is processed. The integration of active learning
that is able to generate questions and re-estimate uncertain
regions in the data with ML’s classification capabilities
guarantees that compared to other networks, the traffic in
the Darknet can be identified more comprehensively and
accurately.
FIGURE 2. Workflow of proposed approach for darknet traffic detection.
Some computational complexity-related information
about the proposed framework of active learning could
help refine the explanation. Here, rescanning of a number
of DTs is entailed in iterative training of the RF model,
which escalates the computational load when applied to large
data sets. Sorting operations are needed in order to choose
the most uncertain samples as Web data according to the
predicted probabilities, and this step has a complexity of
O(n log n), where n is the number of test samples that one
would like to use to reduce classification error. This is also
applicable to each iteration where RF needs to be re-trained
on an expanding dataset that adds up to the computational
burden. It would be useful to specify how many parameters
scale, how much memory is utilised per iteration, how much
time complexity per iteration the framework is, and how the
proposed framework performs for large datasets.
One of the major issues associated with darknet traffic
identification is the unavailability of an authentic source of
the dataset because the traffic collected from the Darknet
is encrypted and thus difficult to classify. Besides, there is
the problem of data misclassification and the existence of
unprocessed data sets, which are some of the things that
hinder the detection process. To tackle these challenges,
we used the CIC-Darknet2020 dataset, which is created
by a two-level classification process. The first level of
filtering works traffic as either benign or Darknet, and
the second level of filtering works the darknet traffic as
categories like Audio-Stream, Browsing, Chat, Email, P2P,
Transfer, Video-Stream, VOIP, etc. In order to be consistent
and valid with other datasets such as ISCXTor2016 and
ISCXVPN2016, VPN and Tor traffic were included in the
respective classes of the Darknet. Data preprocessing was
usefully applied to unprocessed data at some stages of data
analysis. Some of the procedures applied are label encoding,
which turns the categorical labels into numerical data for
the machine learning algorithm, and data balancing with
the help of SMOTE. SMOTE created new samples for the
minority class so as to eliminate pre-deterministic reduced
element selections leading to biased predictions. These
classificational and dataset problems were solved by those
mentioned above, as well as all-sided abstract preprocessing
and data balancing, which greatly improved the quality of the
dataset and formed the basis for model training and analysis.
A. DATASET SELECTION
The CIC-Darknet2020 [20] has been explored to detect
traffic on the Darknet and is generated by a two-layered
process. In the first layer of the classification system, benign
and Darknet traffic are produced. In contrast, the second
layer classifies generative Darknet traffic into Audio-Stream,
Browsing, Chat, Email, P2P, Transfer, Video-Stream and
VOIP. In order to create a dataset with complete similarity
and validity with the previous datasets ISCXTor2016 and
ISCXVPN2016, the VPN and Tor traffic generated from these
two datasets were added to the respective Darknet classes. It is
equally noted that the dataset documentation contains a table
detailing the different categories of darknet traffic highlighted
in this research and the applications used to produce this
network traffic.
B. DATA PREPROCESSING
It involved cleaning the data to ensure that it is of high quality
for analysis and enhancing the quality of the data needed for
analysis. The following, among others, were implemented.
They included steps like encoding the label column, which is
a way of transforming categorical label data into numerical
form in order to improve compatibility with the machine
learning program. Further, to improve the accuracy of the
prediction, the label data was balanced using the Synthetic
Minority Over-sampling Technique (SMOTE) [21], which
balanced the dataset by creating synthetic samples of the
minority class. Thus, applying both label encoding and data
balancing to the gathered set of data helped to achieve
a significantly stronger database for the further steps of
modelling and data analysis. The process of data balancing is
a vital component in the preprocessing of datasets, especially
when dealing with imbalanced classes, which are classes with
a small number of data points. A skewed distribution of data
leads to models that are skewed in their decision-making
and very poor on the minority class. To this end, the
Synthetic Minority Over-sampling Technique (SMOTE) is
utilised. SMOTE is an over-sampling technique where new
samples are formed in the feature space by interpolating
between the minority samples. More specifically, it randomly
chooses two or more like instances in the feature space and
generates new instances on the straight lines linking them.
It improves the inclusion of the minority class data and
results in a balanced data set for use in machine learning to
enhance the speed, efficiency, and accuracy of prediction for
all classes.
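The label-encoding and SMOTE steps described above, as an added example that is not the authors' code. It uses only the standard library; the flow features, the three class names taken from the dataset's categories, and the helper names `label_encode` and `smote` are assumptions made for illustration.

```python
import random
from collections import Counter

# Constructed sample: [flow duration in s, mean packet size in bytes] per flow.
FLOWS = [
    ([0.8, 420.0], "Browsing"), ([1.1, 510.0], "Browsing"), ([0.9, 470.0], "Browsing"),
    ([1.4, 530.0], "Browsing"), ([1.0, 450.0], "Browsing"), ([1.2, 490.0], "Browsing"),
    ([30.0, 1350.0], "P2P"), ([42.0, 1400.0], "P2P"), ([35.0, 1290.0], "P2P"),
    ([12.0, 160.0], "VOIP"), ([15.0, 172.0], "VOIP"),
]

def label_encode(labels):
    """Map categorical labels to integers, classes taken in sorted order."""
    classes = sorted(set(labels))
    index = {name: i for i, name in enumerate(classes)}
    return [index[name] for name in labels], classes

def sq_dist(a, b):
    return sum((p - q) ** 2 for p, q in zip(a, b))

def smote(X, y, k=3, seed=0):
    """Oversample every minority class up to the majority class size.

    Each synthetic row lies on the straight line between a minority sample
    and one of its k nearest neighbours from the same class.
    """
    rng = random.Random(seed)
    counts = Counter(y)
    target = max(counts.values())
    X_out, y_out = [list(row) for row in X], list(y)
    for cls in sorted(counts):
        members = [row for row, lab in zip(X, y) if lab == cls]
        for _ in range(target - counts[cls]):
            base = rng.choice(members)
            others = [m for m in members if m is not base]
            if others:
                neighbours = sorted(others, key=lambda m: sq_dist(base, m))[:k]
                mate = rng.choice(neighbours)
            else:
                mate = base                  # single-sample class: nothing to interpolate with
            gap = rng.random()               # position along the segment, in [0, 1)
            X_out.append([b + gap * (m - b) for b, m in zip(base, mate)])
            y_out.append(cls)
    return X_out, y_out

def demo():
    X = [row for row, _ in FLOWS]
    y, classes = label_encode([name for _, name in FLOWS])
    X_bal, y_bal = smote(X, y)
    return classes, Counter(y), Counter(y_bal), X_bal, y_bal

if __name__ == "__main__":
    classes, before, after, _, _ = demo()
    for i, name in enumerate(classes):
        print(f"{name:9s} before={before[i]} after={after[i]}")
```

Oversampling belongs on the training split only; synthetic rows that leak into the test split inflate the reported scores.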
C. ACTIVE LEARNING MODELS
Active learning is the process of maximizing a model’s
predictive performance gain while annotating the fewest
samples possible [18]. To identify darknet traffic, we used
models with active learning, such as RFs, DTs, Extreme
Gradient Boosting (XGB), and GRU. Further, we used Deep
Neural Network (DNN, which encompasses standard as well
as flattened) and Bi-directional Long Short-Term Memory
(Bi-LSTM). These distinct phases allowed for conducting a
wide-ranging examination and the identification of anomalies
based on both the characteristics of classical active learning
and the features of progressive deep learning. In the broad
fields of machine learning, the concept of Active Learning
denotes a certain paradigm where an algorithm itself chooses
what data samples it wishes to get labelled by an ‘oracle’ in a
certain round [22]. This methodology will focus on boosting
the performance of a model while at the same time reducing
the amount of labelled data, thereby enhancing its efficiency
and reducing the costs incurred in the data training process.
Active learning is most beneficial when labelled data is either
rare or very costly to obtain [23].
The problem of general darknet traffic identification
can be solved by creating such an approach that would
provide efficiency and stability in identifying encrypted and
rather concealed darknet traffic. Using the CIC-Darknet2020
dataset and with the help of preprocessing techniques like
label encoding and SMOTE for data balancing, we were
able to develop a sound framework that would entitle
accurate classification. Adding active learning into the
process of machine learning has been one of the critical
factors that have helped enhance performance and accuracy.
Selective sampling enabled the model to choose to query
the most informative data points from the time when it
was not very confident and hence enabled the use of lesser
labelled data. Although much of this adaptation was done
reactively, this effectively helped the model to learn faster
as well as adapt to changes in traffic not seen during the
training process. The integration of the proposed approach
with active learning benefits from the integration with
machine learning, or, as in this case, reaping better results
for detecting darknet traffic with improved accuracy rates and
adaptability.
1) ACTIVE LEARNING BASED RF
RF-based active learning entails utilising the RF model to
find and select the most informative samples for annotation.¹
It works in rounds where specific samples with ambiguity
or misclassification are attended to enhance the
overall accuracy with less labelling. This technique works
best in applications where data labelling is a tiresome
process.
$$\hat{y} = \operatorname{mode}\{h_i(x)\}_{i=1}^{N} \tag{1}$$
The final predicted output of an RF classifier is given by
Equation 1, where $\hat{y}$ is the
predicted output.
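The round-based querying and the uncertainty sort described for the RF model, sketched as an added example that is not the authors' implementation. A small pure-Python forest stands in for the scikit-learn RandomForestClassifier the paper footnotes, least-confidence vote share is assumed as the uncertainty measure, and the flow features, class centres and all function names are constructed for illustration.

```python
import random
from collections import Counter

def make_flows(n_per_class, seed):
    """Constructed flows: [duration s, mean packet bytes, packets/s, idle s]."""
    rng = random.Random(seed)
    centres = {0: (1.0, 450.0, 20.0, 0.5),      # stands in for Browsing
               1: (35.0, 1300.0, 90.0, 0.1),    # stands in for P2P
               2: (14.0, 170.0, 50.0, 0.02)}    # stands in for VOIP
    X, y = [], []
    for label, centre in centres.items():
        for _ in range(n_per_class):
            X.append([rng.gauss(c, 0.35 * c) for c in centre])
            y.append(label)
    return X, y

def gini(labels):
    return 1.0 - sum((c / len(labels)) ** 2 for c in Counter(labels).values())

def build_tree(X, y, rng, depth=0, max_depth=4):
    """CART-style tree: leaf = majority label, node = (feature, threshold, left, right)."""
    majority = Counter(y).most_common(1)[0][0]
    if depth == max_depth or len(set(y)) == 1:
        return majority
    n_feat = len(X[0])
    best = None
    for f in rng.sample(range(n_feat), max(1, int(n_feat ** 0.5))):
        for t in sorted({row[f] for row in X})[:-1]:     # keeps both sides non-empty
            left = [lab for row, lab in zip(X, y) if row[f] <= t]
            right = [lab for row, lab in zip(X, y) if row[f] > t]
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(y)
            if best is None or score < best[0]:
                best = (score, f, t)
    if best is None:                                     # sampled features are constant
        return majority
    _, f, t = best
    lo = [i for i, row in enumerate(X) if row[f] <= t]
    hi = [i for i, row in enumerate(X) if row[f] > t]
    return (f, t,
            build_tree([X[i] for i in lo], [y[i] for i in lo], rng, depth + 1, max_depth),
            build_tree([X[i] for i in hi], [y[i] for i in hi], rng, depth + 1, max_depth))

def tree_predict(node, x):
    while isinstance(node, tuple):
        f, t, left, right = node
        node = left if x[f] <= t else right
    return node

def fit_forest(X, y, n_trees=15, seed=0):
    rng = random.Random(seed)
    forest = []
    for _ in range(n_trees):
        idx = [rng.randrange(len(X)) for _ in X]         # bootstrap sample
        forest.append(build_tree([X[i] for i in idx], [y[i] for i in idx], rng))
    return forest

def vote_share(forest, x):
    votes = Counter(tree_predict(tree, x) for tree in forest)
    return {label: n / len(forest) for label, n in votes.items()}

def forest_predict(forest, x):
    """Equation 1: the mode of the individual tree outputs h_i(x)."""
    return Counter(tree_predict(tree, x) for tree in forest).most_common(1)[0][0]

def uncertainty(forest, x):
    """Least confidence: 1 minus the share of trees backing the winning class."""
    return 1.0 - max(vote_share(forest, x).values())

def query(forest, X_pool, candidates, batch):
    """Sort the unlabelled pool by uncertainty (the O(n log n) step), take the top batch."""
    ranked = sorted(candidates, key=lambda i: uncertainty(forest, X_pool[i]), reverse=True)
    return ranked[:batch]

def active_learn(X_pool, oracle, X_test, y_test, seed_idx, rounds=4, batch=5):
    labelled, history = list(seed_idx), []
    for r in range(rounds + 1):
        forest = fit_forest([X_pool[i] for i in labelled],
                            [oracle[i] for i in labelled], seed=r)
        hits = sum(forest_predict(forest, x) == t for x, t in zip(X_test, y_test))
        history.append((len(labelled), hits / len(y_test)))
        if r < rounds:                                   # ask the oracle for labels
            known = set(labelled)
            rest = [i for i in range(len(X_pool)) if i not in known]
            labelled += query(forest, X_pool, rest, batch)
    return labelled, history

def run_demo():
    X_pool, oracle = make_flows(40, seed=1)              # oracle = held-back labels
    X_test, y_test = make_flows(20, seed=2)
    seed_idx = [0, 1, 40, 41, 80, 81]                    # two labelled flows per class
    return active_learn(X_pool, oracle, X_test, y_test, seed_idx)

if __name__ == "__main__":
    for n_labelled, acc in run_demo()[1]:
        print(f"labelled={n_labelled:3d}  test accuracy={acc:.2f}")
```

Each round refits the whole forest on the enlarged labelled set, which is the retraining cost the complexity discussion refers to.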
2) ACTIVE LEARNING BASED XGB
Active learning with XGBoost (XGB)² is a technique in
which the XGB model identifies new samples that are more
effective in providing more information or where there is
more uncertainty as new samples are labelled. This approach
specifically tries to improve the model accuracy through
samples that give out the most learning values, reducing
the amount of labelled data. It is most helpful in cases
where one cannot afford to have many examples annotated,
for instance, in low-shot learning situations. The final
output of the XGB model is given by
Equation 2.
$$\hat{y} = F(x) = \sum_{k=1}^{K} f_k(x) \tag{2}$$
3) ACTIVE LEARNING BASED DT
By using active learning, a new specification, such as a DT,³
is applied to choose informative data points to be labelled.
This family of strategies works with samples that need to
be clarified or are misclassified to refine successive iterations
with fewer labelled samples. What makes transfer learning
particularly effective is the fact that it is especially useful
when there is scarce or expensive labelled data. The final
output of a single DT is given by
Equation 3.
$$\hat{y} = h(x) = \sum_{j=1}^{J} w_j \, I(x \in R_j) \tag{3}$$
¹ https://scikit-learn.org/stable/modules/generated/sklearn.ensemble.RandomForestClassifier.html
² https://xgboost.readthedocs.io/en/latest/python/sklearn_estimator.html
³ https://scikit-learn.org/stable/modules/tree.html
D. DEEP LEARNING MODELS
Deep learning is a subset of machine learning that uses neural
networks with many layers that can extract more information
on their own from the data. It can do image and speech
recognition, natural language processing, and game playing
through learning hierarchal representation. CNNs and RNNs,
for example, are computationally complex and dependent
on big data and computational power. This approach has
led to the development of great applications of artificial
intelligence.
1) DEEP NEURAL NETWORK (DNN)
A deep neural network is an artificial neural network that
contains many layers of neurons between the input layer
and the output layer [24]. These layers allow the network to
extract a temporal representation from input by feeding the
previous layer through non-linearity functions. For instance,
DNNs are applied in image and speech recognition, NLP, and
self-driving systems, among others, due to their capability
to relate complex relations and characteristics in big data.
The predicted output of a DNN can be calculated using
Equation 4.
$$Z = W_0 + W_1 X_1 + W_2 X_2 + \dots + W_n X_n \tag{4}$$
2) FLATTEN DEEP NEURAL NETWORK (FLATTEN-FDNN)
The reduction of a complicated or large model into a more
simplified or manageable form is defined as flattening a
DNN [24]. This step is important in the transition from
the convolutional layers that handle 2 dimensions to the
FC layer, which requires 1 dimension. Cutting off all the
spatial dimensions may lead to zero divergence, or in other
words, the system has no divergence. It is due to flattening,
which collapses the multi-dimensional vector (features here,
including height, width, and depth) into a single vector so
that it can be compatible with the dense layers. The predicted
output of the Flattened-DNN is given by
Equation 5.
$$\hat{y} = f\left(W_L \cdot \left(\left(f\left(W_2 \cdot f\left(W_1 \cdot \mathrm{Flatten}(x) + b_1\right) + b_2\right) \dots\right) + b_{L-1}\right) + b_L\right) \tag{5}$$
3) BIDIRECTIONAL LONG SHORT-TERM MEMORY (BI-LSTM)
BI-LSTM is an improved version of RNN that considerably
enhances the effectiveness of the learning process since
the data are processed both in forward and backward
directions [25]. In a Bi-directional LSTM, two separate
LSTM layers are employed: One of them generates the next
token from the start point till the end, and the other one does
the vice versa, starting from the endpoint till the start. The
aggregates resulting from both directions are then combined
so that the network can capture contextual information
from both the past and the future at the same time. It has
bi-directional processing capability, favouring it in areas
where information flow is forward and backward; this
makes the model great for sequence prediction problems and
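language modelling. The LSTM input and output activation
is given by Equation 6.
$$\begin{aligned}
f_t &= \sigma(W_f \cdot [h_{t-1}, x_t] + b_f) \\
i_t &= \sigma(W_i \cdot [h_{t-1}, x_t] + b_i) \\
\tilde{c}_t &= \tanh(W_c \cdot [h_{t-1}, x_t] + b_c) \\
c_t &= f_t \odot c_{t-1} + i_t \odot \tilde{c}_t \\
o_t &= \sigma(W_o \cdot [h_{t-1}, x_t] + b_o) \\
h_t &= o_t \odot \tanh(c_t)
\end{aligned} \tag{6}$$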
IV. EXPERIMENTAL ANALYSIS AND RESULTS
This section focuses on methods of identifying the Internet
traffic necessary to maintain network security. It includes
active learning with RF, active learning with DT, active
learning with XGB, DNN, Flatten-FDNN and bidirectional
LSTM. The work pays great attention to analysing the
effectiveness of these methods, focusing on each’s strengths
and weaknesses. The findings of this work will be useful
in detecting darknet traffic for better cyberspace. The
performance measures that are applied to the models of
machine learning assist in defining the degree of accuracy
with which the model is likely to predict the given data. The
most widely used evaluation criteria are the level of accuracy,
precision, recall, and F1 score. These parameters indicate
to what extent the traffic on the Darknet can be identified
with the help of the given model. They also elaborate on
abilities to transfer the knowledge gained from their training
phase to new scenarios, another aspect critical to ensure the
optimal identification of traffic over the Darknet. Employing
measures of performance also assists the researchers in
evaluating the results of the model concerned from a factual
perspective. It will assist those who are the policymakers
in the network in finding out the best ways to enhance
security in the network. More significantly, such a framework
gives a robust guarantee to the stakeholders that the detected
darknet traffic models not only conform to but surpass
the most rigorous security benchmarks of darknet traffic,
thereby entertaining the desired confidence and calm to the
stakeholders.
In this work, much attention has been paid to guaranteeing
that the experimental validation corresponds to the work’s
claims by using strict and possibly irrelevant methods.
In particular, all the data used for training and testing were
shuffled. They were not visible to each other in order to
exclude cases of data leakage or overfitting to unseen data.
In this experiment, we used 70% of the data for training
while the other 30% was used in the testing phase. The
findings were also in line with one another. Clearly, they
showed an improvement or at least the sustainability of
accuracy with each round of the training, thereby providing
strong support for our contribution to the amelioration
of detecting darknet traffic with elevated accuracy rates.
This goes a long way in proving the efficiency of the
proposed method on unseen darknet traffic. Consequently,
the model does not rely on specific patterns found in the
training set. Instead, it generalises well across different
traffic patterns, which gives it flexibility across varied and
dynamic darknet traffic. This generalisation is especially
useful for real-world applications, since new kinds of darknet
utilisation might appear in the future. In addition, when the
model is trained multiple times, the percentage of detections
obtained in each round indicates that it does not degrade over
time, confirming that our approach presents a sound
framework for identifying darknet traffic across different
training runs.
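The validation protocol described above, as an added example (not the authors' code): a shuffled 70/30 split that removes duplicate flows and refuses overlapping sets, followed by a round-by-round active-learning loop that is scored only on the held-out 30%. The flow data is constructed, and the nearest-centroid classifier and margin-based query rule are assumptions standing in for the paper's RF/DT/XGB learners and its query strategy.

```python
import random
from collections import defaultdict

# Constructed data: two numeric features per flow, three made-up traffic classes.
CENTRES = {"benign": (0.0, 0.0), "tor": (12.0, 0.0), "vpn": (0.0, 12.0)}

def make_flows(rng, n_per_class=60):
    flows = [((round(rng.gauss(cx, 1.5), 3), round(rng.gauss(cy, 1.5), 3)), lab)
             for lab, (cx, cy) in CENTRES.items() for _ in range(n_per_class)]
    return flows + flows[:5]              # repeated records, as flow exports often contain

def shuffled_split(flows, rng, train_pct=70):
    unique = list(dict.fromkeys(flows))   # de-duplicate so no flow can sit on both sides
    rng.shuffle(unique)
    cut = len(unique) * train_pct // 100  # integer arithmetic avoids float rounding
    train, test = unique[:cut], unique[cut:]
    if set(train) & set(test):
        raise ValueError("train/test leakage")
    return train, test

def fit(labelled):
    """Stand-in classifier (assumption): one centroid per class labelled so far."""
    sums = defaultdict(lambda: [0.0, 0.0, 0])
    for (x, y), lab in labelled:
        s = sums[lab]
        s[0], s[1], s[2] = s[0] + x, s[1] + y, s[2] + 1
    return {lab: (sx / n, sy / n) for lab, (sx, sy, n) in sums.items()}

def ranked(model, p):
    """(squared distance, label) pairs, nearest centroid first."""
    return sorted(((p[0] - cx) ** 2 + (p[1] - cy) ** 2, lab)
                  for lab, (cx, cy) in model.items())

def accuracy(model, data):
    return sum(ranked(model, p)[0][1] == lab for p, lab in data) / len(data)

def margin(model, p):
    """Gap between the two nearest centroids; a small gap means an uncertain flow."""
    d = ranked(model, p)
    return d[1][0] - d[0][0] if len(d) > 1 else 0.0

def active_rounds(train, test, rounds=8, batch=5):
    seed_idx = {}                         # first flow of each class = initial analyst labels
    for i, (_, lab) in enumerate(train):
        seed_idx.setdefault(lab, i)
    chosen = set(seed_idx.values())
    labelled = [train[i] for i in sorted(chosen)]
    pool = [f for i, f in enumerate(train) if i not in chosen]
    history = []
    for _ in range(rounds):
        model = fit(labelled)
        history.append((len(labelled), accuracy(model, test)))   # test set is only scored
        pool.sort(key=lambda f: margin(model, f[0]))             # least certain first
        labelled, pool = labelled + pool[:batch], pool[batch:]   # oracle labels the queries
    history.append((len(labelled), accuracy(fit(labelled), test)))
    return history

def run(seed=7):
    rng = random.Random(seed)
    train, test = shuffled_split(make_flows(rng), rng)
    return train, test, active_rounds(train, test)

if __name__ == "__main__":
    for n, acc in run()[2]:
        print(f"labelled={n:3d}  held-out accuracy={acc:.3f}")
```

The held-out flows never enter the labelled set or the query pool, so the per-round accuracy is a measurement on unseen traffic rather than on records the learner has already been shown.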
The Deep Neural Network (DNN) combines several densely
connected layers, with dropout and batch normalisation after
each layer to avoid overfitting and stabilise learning.
The architecture consists of an input layer equal in size
to the feature dimensions, followed by hidden layers of
decreasing size (256, 128, 64 neurons) with ReLU activation
functions, as shown in Figure 3. At the last layer, data is
processed using softmax activation to distinguish between
8 categories, making it suited to multi-class classification.
The architecture employs dropout layers with a dropout rate
of 0.3 and batch normalisation layers to improve generality
and the learning rate.
FIGURE 3. DNN architecture.
Another model, named Flatten-FDNN, starts from the input
layer with two separate dense branches of 128 neurons each,
using the ReLU activation function. These branches are
concatenated and then passed through a number of fully
connected layers, followed by a flatten layer that produces a
single vector. The output layer is the final layer and employs
the softmax function for multi-class classification across
the classes, of which there are 8 here, as shown in Figure 4.
This architecture is based on parallel processing and a mix of
features from the different dense branches, making the model
effective in identifying unclear manifestations in the data set.
FIGURE 4. Flatten-FDNN architecture.
The Bi-LSTM model was created for sequential data
analysis and is thus appropriate for tasks that are related to
time series or sequences. The input data is first reshaped for
the LSTM layers incorporated in the model. The architecture
applies Bi-LSTM layers of 128, 64 and 32 neurons with a
dropout rate of 0.5 in order to minimise overfitting of the
network, as shown in Figure 5. The Bi-LSTM layers have a
future and a past direction to address the dependency of the
words within the sentence. The final fully connected layer
applies a softmax activation function to categorise the input
into 8 categories. This setup also makes it possible for the
model to learn long-term temporal dependencies and other
sophisticated patterns.
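The three architectures described above, written out in Keras as an added example (not the authors' code). The feature count, the trunk sizes after the concatenation, the ReLU activations in that trunk and the length-1 sequence reshape are assumptions, since the text does not give them.

```python
from tensorflow import keras
from tensorflow.keras import layers

N_CLASSES = 8  # from the text: softmax over 8 categories


def build_dnn(n_features):
    """Dense 256-128-64 with ReLU; batch norm and dropout 0.3 after each hidden layer."""
    inputs = keras.Input(shape=(n_features,))
    x = inputs
    for units in (256, 128, 64):
        x = layers.Dense(units, activation="relu")(x)
        x = layers.BatchNormalization()(x)
        x = layers.Dropout(0.3)(x)
    outputs = layers.Dense(N_CLASSES, activation="softmax")(x)
    return keras.Model(inputs, outputs, name="dnn")


def build_flatten_fdnn(n_features, trunk=(64, 32)):
    """Two parallel 128-unit ReLU branches, concatenated, dense trunk, Flatten, softmax.

    The trunk sizes and activations are assumptions: the text only says
    "a number of fully connected layers".
    """
    inputs = keras.Input(shape=(n_features,))
    branch_a = layers.Dense(128, activation="relu")(inputs)
    branch_b = layers.Dense(128, activation="relu")(inputs)
    x = layers.Concatenate()([branch_a, branch_b])
    for units in trunk:
        x = layers.Dense(units, activation="relu")(x)
    x = layers.Flatten()(x)
    outputs = layers.Dense(N_CLASSES, activation="softmax")(x)
    return keras.Model(inputs, outputs, name="flatten_fdnn")


def build_bilstm(n_features):
    """Bi-LSTM 128-64-32 with dropout 0.5 after each recurrent layer.

    Assumption: each flow record is reshaped into a sequence of length 1.
    """
    inputs = keras.Input(shape=(n_features,))
    x = layers.Reshape((1, n_features))(inputs)
    sizes = (128, 64, 32)
    for i, units in enumerate(sizes):
        keep_sequence = i < len(sizes) - 1   # only the last layer returns a single vector
        x = layers.Bidirectional(layers.LSTM(units, return_sequences=keep_sequence))(x)
        x = layers.Dropout(0.5)(x)
    outputs = layers.Dense(N_CLASSES, activation="softmax")(x)
    return keras.Model(inputs, outputs, name="bilstm")


if __name__ == "__main__":
    for build in (build_dnn, build_flatten_fdnn, build_bilstm):
        model = build(20)                    # 20 features is a placeholder value
        print(model.name, model.output_shape, model.count_params())
```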
A. RESULTS AND ANALYSIS
Among the active learning models, the best results were
obtained with the RF and DT models, both of which reach a
high accuracy of 87%, as shown in Figure 6. The XGB
algorithm performed relatively worse, achieving an accuracy
of 80%.
FIGURE 5. Bi-LSTM architecture.
The AUC values of the ROC curves similarly support the
high level of accuracy of RF and DT, making them the most
suitable classifiers for active learning, as shown in Figure 7.
This shows that both RF and DT are more accurate for the
task, with high accuracy and a reasonable degree of
classification within the scope of evaluated studies.
Of all the deep learning models that have been tested on the
dataset, two stood out: the Deep Neural Network (DNN) and
the Bi-directional Long Short-Term Memory (Bi-LSTM), both
attaining an accuracy of 0.43. By comparison, the
Flattened-DNN algorithm reached a relatively lower accuracy
of 0.12. These findings are also evidenced by the ROC curves,
which show that the proposed DNN and especially the Bi-LSTM
are more suitable for the tasks under consideration than
the Flattened-DNN. Hence, the findings point toward
DNN and Bi-LSTM as the better selection in that landscape
for anyone employing deep learning mechanisms.
Among all the deep learning models tested on the dataset,
two models stood out: the DNN and the Bi-LSTM, both
achieving an accuracy of 43% (Figure 8). In contrast, the
Flattened-DNN algorithm reached a relatively lower
accuracy of 12%, as shown in Table 1. These findings,
which are further supported by the ROC curves, provide
strong evidence that the proposed DNN and Bi-LSTM models
are more suitable for the tasks under consideration than
the Flattened-DNN, as shown in Figure 9. Therefore,
the findings robustly point towards DNN and Bi-LSTM as
the better selection in that landscape for anyone employing
deep learning mechanisms, reassuring the audience about
the validity of the recommendations. However, the other two
models, DNN and Bi-LSTM, only achieved a mean accuracy
of 43%, as shown in Figure 10.
TABLE 1. Result evaluation of experimented classifiers (%).
B. DISCUSSION
The dataset used in this study is CIC-Darknet2020, which
is used to detect traffic on the Darknet generated by a
two-layered process. Active learning, as well as machine
learning models, have been used for binary classification in
the context of darknet traffic detection. RF, DT, and XGB
have been applied, and deep learning models like DNN
and Flattened-DNN have shown impressive results,
except for BiLSTM. More precisely, the active learning
models based on the RF and DT algorithms achieved
higher accuracy levels of 87% for darknet traffic detection.
When comparing active learning models and deep learning
models in detecting darknet traffic, the efficiency of both
the RF and DT models rises to about 87%. This suggests that
these active learning-based machine learning models could be
more effective in real-world darknet traffic detection
scenarios. However, the other two models, DNN and Bi-LSTM,
only achieved a mean accuracy of 43%. The Flattened-DNN
performed even worse at 12%. This is because flattening the
DNN architecture makes it more complex and takes more time
to train. However, when we consider the substantial
improvement in classification accuracy, it becomes clear that
the active learning models overall, and more specifically the
models using the RF and DT algorithms, are in general more
efficient in identifying darknet traffic, based on the results
of the above accuracy comparison. This robust comparison of
various models provides a strong foundation for the reliability
of our findings, reassuring the audience about the robustness
of our research. This paper has established that deep learning
models for the detection of darknet traffic have the following
limitations. A major problem is the requirement for large
datasets in order to fine-tune such models, and those can be
hard to come by in the Darknet due to the encrypted and
anonymised nature of the traffic. Moreover, deep learning
models normally do not generalise well across different
network conditions and attack patterns, which results in low
accuracy in real-world environments. The models also come
with a high computational cost and, therefore, need a huge
amount of processing time.
FIGURE 6. Confusion matrix of active learning-based ML classifiers.
FIGURE 7. ROC for active learning-based ML classifiers.
FIGURE 8. Training and validation accuracies for deep learning classifiers.
FIGURE 9. Training and validation losses for deep learning classifiers.
Finally, they are susceptible to
adversarial attacks, under which even slight modifications of
inputs can deceive the model, causing reliability issues in
detection. These limitations underscore the challenges and
complexities of our research. First, the traffic in the Darknet
is dissimilar to the traffic in a traditional network in the
following ways. While normal traffic has rather distinct paths
and is commonly controlled or even recorded for different
reasons, the Darknet has very low visibility: the traffic is
anonymised by using networks such as Tor.
FIGURE 10. ROC curves for deep learning classifiers.
Normal
network traffic is well organised, has specific traffic and
can, therefore, be easily processed, while darknet traffic is
heavily encrypted, which makes it hard to track or even
monitor. Moreover, in comparison to conventional traffic,
darknet traffic also has decentralised communication, which
makes the identification and analysis process much more
tedious. These distinctions are important in establishing
how the Darknet works in the blind spot of
conventional controlling mechanisms.
The comparison of the classifiers for detecting darknet
traffic is presented below in Table 2. RF in the active
learning model shows better results, with an accuracy of 87%,
precision of 87%, and recall and F1-score of 87%. By contrast,
the results obtained by Habibi et al. are generally
lower, with an accuracy of 73%, precision of 74%, recall of
73% and F1-score of 73%. This confirms that active learning
using the RF model detects and categorises darknet traffic
more accurately than the method used by Habibi et al.,
making it superior when it comes to identifying unlawful
conduct on the Darknet.
TABLE 2. Comparison with existing approach.
V. CONCLUSION AND FUTURE SCOPE
This investigation provides a novel angle for identifying the
pattern of darknet traffic utilising ML and DL. Based on the
preliminary checks, several models, such as RF, XGB, DT,
and deep learning models, such as DNN, Flattened-DNN,
and Bi-LSTM, were employed after exhaustive trials. This
analysis revealed that the active learning models RF and DT
showed elevated accuracy rates of 87%, and XGB an accuracy
rate of 80%. The DNN and Bi-LSTM deep learning models
reached 43% accuracy, while the Flattened-DNN model was the
poorest in its efficiency, with an accuracy rate of 12%. The
performance of the RF and DT models promises better outcomes
in predicting darknet traffic more effectively; hence, these
approaches will help in the global fight against the
accommodation of illicit activities in online environments.
Nevertheless, the results achieved by the deep learning models
indicate potential that could be further enhanced, and the need
for more profound architectural patterns or more than one form
of architecture. Future research should concentrate on
leveraging larger datasets for better generalisation, developing
real-time detection systems, and optimising deep learning
models through sophisticated feature extraction and advanced
architectures. Furthermore, guaranteeing adversarial robustness
will strengthen the model’s resistance to attempts at
evasion. These developments will strengthen cybersecurity
protocols throughout digital networks by improving the
detection of darknet activity.
REFERENCES
[1] A. Adel and M. Norouzifard, “Weaponization of the growing cybercrimes inside the dark net: The question of detection and application,” Big Data Cognit. Comput., vol. 8, no. 8, p. 91, Aug. 2024.
[2] J. Saleem, R. Islam, and M. A. Kabir, “The anonymity of the dark web: A survey,” IEEE Access, vol. 10, pp. 33628–33660, 2022.
[3] P. Kühn, K. Wittorf, and C. Reuter, “Navigating the shadows: Manual and semi-automated evaluation of the dark web for cyber threat intelligence,” IEEE Access, vol. 12, pp. 118903–118922, 2024.
[4] V. Benjamin, J. S. Valacich, and H. Chen, “DICE-E: A framework for conducting darknet identification, collection, evaluation with ethics,” MIS Quart., vol. 43, no. 1, pp. 1–22, Jan. 2019.
[5] R. Rawat, O. Ayodele Oki, S. Sankaran, H. Florez, and S. A. Ajagbe, “Techniques for predicting dark web events focused on the delivery of illicit products and ordered crime,” Int. J. Electr. Comput. Eng., vol. 13, no. 5, p. 5354, Oct. 2023.
[6] S. Samtani, Y. Chai, and H. Chen, “Linking exploits from the dark web to known vulnerabilities for proactive cyber threat intelligence: An attention-based deep structured semantic model,” MIS Quart., vol. 46, no. 2, pp. 911–946, May 2022.
[7] A. Ali and M. Qasim, Dark World: A Book on the Deep Dark Web. Boca Raton, FL, USA: CRC Press, 2023.
[8] Y. Perwej, S. Q. Abbas, J. P. Dixit, N. Akhtar, and A. K. Jaiswal, “A systematic literature review on the cyber security,” Int. J. Sci. Res. Manage., vol. 9, no. 12, pp. 669–710, 2021.
[9] R. Smith, Crime in the Digital Age: Controlling Telecommunications and Cyberspace Illegalities. Evanston, IL, USA: Routledge, 2018.
[10] G. Sarkar and S. K. Shukla, “Behavioral analysis of cybercrime: Paving the way for effective policing strategies,” J. Econ. Criminol., vol. 2, Dec. 2023, Art. no. 100034.
[11] M. B. Sarwar, M. K. Hanif, R. Talib, M. Younas, and M. U. Sarwar, “DarkDetect: Darknet traffic detection and categorization using modified convolution-long short-term memory,” IEEE Access, vol. 9, pp. 113705–113713, 2021.
[12] L. A. Iliadis and T. Kaifas, “Darknet traffic classification using machine learning techniques,” in Proc. 10th Int. Conf. Mod. Circuits Syst. Technol. (MOCAST), Jul. 2021, pp. 1–4.
[13] R. Rawat, V. Mahor, S. Chirgaiya, R. N. Shaw, and A. Ghosh, “Analysis of darknet traffic for criminal activities detection using TF-IDF and light gradient boosted machine learning algorithm,” in Innovations in Electrical and Electronic Engineering. Cham, Switzerland: Springer, 2021, pp. 671–681.
[14] M. Alimoradi, M. Zabihimayvan, A. Daliri, R. Sledzik, and R. Sadeghi, “Deep neural classification of darknet traffic,” in Artificial Intelligence Research and Development. Amsterdam, The Netherlands: IOS Press, 2022, pp. 105–114.
[15] J. Saleem, R. Islam, and M. Z. Islam, “Darknet traffic analysis: A systematic literature review,” IEEE Access, vol. 12, pp. 42423–42452, 2024.
[16] I. Karunanayake, N. Ahmed, R. Malaney, R. Islam, and S. K. Jha, “Darknet traffic analysis: Investigating the impact of modified tor traffic on onion service traffic classification,” IEEE Access, vol. 11, pp. 70011–70022, 2023.
[17] A. Almomani, “Darknet traffic analysis, and classification system based on modified stacking ensemble learning algorithms,” Inf. Syst. E-Business Manage., pp. 1–32, Feb. 2023.
[18] P. Ren, Y. Xiao, X. Chang, P.-Y. Huang, Z. Li, B. B. Gupta, X. Chen, and X. Wang, “A survey of deep active learning,” ACM Comput. Surv., vol. 54, no. 9, pp. 1–40, Oct. 2021.
[19] A. Tharwat and W. Schenck, “A survey on active learning: State-of-the-art, practical challenges and research directions,” Mathematics, vol. 11, no. 4, p. 820, Feb. 2023.
[20] A. Habibi Lashkari, G. Kaur, and A. Rahali, “DIDarknet: A contemporary approach to detect and characterize the darknet traffic using deep image learning,” in Proc. 10th Int. Conf. Commun. Netw. Secur., Nov. 2020, pp. 1–13.
[21] N. V. Chawla, K. W. Bowyer, L. O. Hall, and W. P. Kegelmeyer, “SMOTE: Synthetic minority over-sampling technique,” J. Artif. Intell. Res., vol. 16, pp. 321–357, Jun. 2002.
[22] A. Kirsch, “Advancing deep active learning & data subset selection: Unifying principles with information-theory intuitions,” 2024, arXiv:2401.04305.
[23] B. Settles, “From theories to queries: Active learning in practice,” in Proc. Active Learn. Exp. Design Workshop Conjunction With AISTATS, 2011, pp. 1–18.
[24] H. Yi, S. Shiyu, D. Xiusheng, and C. Zhigang, “A study on deep neural networks framework,” in Proc. IEEE Adv. Inf. Manage., Communicates, Electron. Autom. Control Conf. (IMCEC), Oct. 2016, pp. 1519–1522.
[25] D. Das, A. K. Kolya, A. Basu, and S. Sarkar, Computational Intelligence Applications for Text and Sentiment Data Analysis. Amsterdam, The Netherlands: Elsevier, 2023.
SIDRA ABBAS (Graduate Student Member, IEEE) received the B.S.
degree from the Department of Computer Science, COMSATS University
Islamabad, Pakistan. Her research interests include but are not limited
to computer forensics, machine learning, criminal profiling, software
watermarking, intelligent systems, and data privacy protection.
IMEN BOUAZZI was born in Kasserine, Tunisia, in 1988. She received the
Engineering degree in applied science in technology (specialty-electronic
and microelectronics) from the Higher Institute of Computer Science and
Mathematics of Monastir, Tunisia, in 2013, and the Ph.D. degree in science
and technology from the University of Monastir, Tunisia, in 2018. She
is currently with the Department of Industrial Engineering, King Khalid
University, Saudi Arabia. Her research interest includes wireless technology
management.
GABRIEL AVELINO SAMPEDRO (Member,
IEEE) received the Ph.D. degree in IT convergence
engineering from Kumoh National Institute of
Technology, South Korea, in 2023. He is currently
an Assistant Professor with the University of the
Philippines Diliman, specializing in blockchain,
artificial intelligence (AI), and the Internet of
Things (IoT). He is also the Founder and the CEO
of the Philippine Coding Camp, a training institute
focused on advancing digital literacy and
promoting emerging technologies in the Philippines. Additionally, he serves
as the Chairperson of the Philippine Section for Korean Institute of
Communications and Information Sciences (KICS). His research interests
include blockchain technologies, AI applications, and the IoT-based systems.
SHTWAI ALSUBAI is currently with the College
of Computer Engineering and Sciences, Prince
Sattam bin Abdulaziz University, Saudi Arabia.
His current research interests include the Internet
of Things, federated learning, distributed computing,
and artificial intelligence.
AHMAD S. ALMADHOR received the B.S.E.
degree in computer science from Jouf University
(formerly Aljouf College), Al Jowf, Saudi Arabia,
in 2005, the M.E. degree in computer science and
engineering from the University of South Carolina,
Columbia, SC, USA, in 2010, and the Ph.D. degree
in electrical and computer engineering from the
University of Denver, Denver, CO, USA, in 2019.
From 2006 to 2008, he was a Teaching Assistant,
the College of Sciences Manager, and a Lecturer,
from 2011 to 2012, with Jouf University. Then, he became a Senior
Graduate Assistant and a Tutor Advisor with the University of Denver, in
2013 and 2019. He is currently an Assistant Professor in CEN and VD
with the Computer and Information Science College, Jouf University. His
research interests include AI, blockchain, networks, smart and microgrid
cyber security, integration, image processing, video surveillance systems,
PV, EV, machine, and deep learning. His awards and honors include the
Jouf University Scholarship (Royal Embassy of Saudi Arabia in D.C.) and
Al-Jouf’s Governor Award for Excellency.
ABDULLAH AL HEJAILI received the bachelor’s
degree in computer science from the Tabuk
Teachers College, Saudi Arabia, in 2007, and the
master’s degree in computer science from CLU,
USA, in 2011. He is currently pursuing the Ph.D.
degree with the Informatics School, University of
Sussex. He is currently a Lecturer in computer
science with the University of Tabuk. His research
interests include technology-enhanced learning,
image processing, virtual and augmented reality,
motion capture, and education applications.
NATALIA KRYVINSKA received the Ph.D. degree
in electrical and IT engineering from the Vienna
University of Technology, Austria, and the Habilitation
(Docent Title) degree in management
information systems from Comenius University,
Bratislava, Slovakia. She received her Professor title
and was appointed to the professorship by the
President of the Slovak Republic. She is currently
a Full Professor and the Head of the Information
Systems Department, Faculty of Management,
Comenius University. Previously, she was a University Lecturer and a
Senior Researcher with the e-Business Department, School of Business
Economics and Statistics, University of Vienna. Her current research
interests include complex service systems engineering, service analytics, and
applied mathematics.