Classifying Tor traffic encrypted payload using machine learning

Research output: Contribution to journalArticlepeer-review

7 Downloads (Pure)


Tor, a network offering Internet anonymity, presented both positive and potentially malicious applications, leading to the need for efficient Tor traffic monitoring. While most current traffic classification methods rely on flow-based features, these can be unreliable due to factors like asymmetric routing, and the use of multiple packets for feature computation can lead to processing delays. Recognising the multi-layered encryption of Tor compared to nonTor encrypted payloads, our study explored distinct patterns in their encrypted data. We introduced a novel method using Deep Packet Inspection and machine learning to differentiate between Tor and nonTor traffic based solely on encrypted payload. In the first strand of our research, we investigated hex character analysis of the Tor and nonTor encrypted payloads through statistical testing across 8 groups of application types. Remarkably, our investigation revealed a significant differentiation rate of 94.53% between Tor and nonTor traffic. In the second strand of our research, we aimed to distinguish Tor and nonTor traffic using machine learning, based on encrypted payload features. This proposed feature-based approach proved effective, as evidenced by our classification performance, which attained an average accuracy rate of 95.65% across these 8 groups of applications. Thereby, this study contributes to the efficient classification of Tor and nonTor traffic through features derived solely from a single encrypted payload packet, independent of its position in the traffic flow.
Original languageEnglish
Pages (from-to)19418 - 19431
Number of pages14
JournalIEEE Access
Early online date19 Jan 2024
Publication statusPublished - 8 Feb 2024


  • network traffic classification
  • Tor network
  • machine learning
  • encrypted payload features
  • character analysis


Dive into the research topics of 'Classifying Tor traffic encrypted payload using machine learning'. Together they form a unique fingerprint.

Cite this