Abstract: Tor network, as a representative of anonymous networks, offers strong privacy protection while also providing a breeding ground for cybercriminal activities. Therefore, conducting research on real-time and high-precision identification of Tor network traffic is of great practical significance. To address issues of weak generalization and poor real-time performance in existed research, a Tor network traffic identification method, called rtTorTIM, based on multi-modal feature fusion and Stacking ensemble learning technology is proposed. Specifically, the method firstly extracts features from three modalities: host-level, stream-level, and packet-level of Tor network traffic, and then constructs a feature dataset. Random forest, linear regression, and K-nearest neighbor methods are subsequently selected as base learners, along with a linear neural network for decision fusion, to construct a two-layer Stacking traffic classifier. Comparative experimental results based on ISCX Tor 2016 public dataset show that accuracy, precision, and recall  of the rtTorTIM method   are all 99% in Tor traffic identification, while also demonstrating better performance in terms of real-time classification.

Key words: Tor anonymous network, multi-modal feature extraction, real-time traffic identification, Stacking ensemble learning, machine learning