{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,3]],"date-time":"2026-06-03T15:22:54Z","timestamp":1780500174249,"version":"3.54.1"},"reference-count":44,"publisher":"MDPI AG","issue":"10","license":[{"start":{"date-parts":[[2022,9,24]],"date-time":"2022-09-24T00:00:00Z","timestamp":1663977600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"National Natural Science Foundation of China","award":["U1736216"],"award-info":[{"award-number":["U1736216"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Symmetry"],"abstract":"<jats:p>The anonymous system Tor uses an asymmetric algorithm to protect the content of communications, allowing criminals to conceal their identities and hide their tracks. This malicious usage brings serious security threats to public security and social stability. Statistical analysis of traffic flows can effectively identify and classify Tor flow. However, few features can be extracted from Tor traffic, which have a weak representational ability, making it challenging to combat cybercrime in real-time effectively. Extracting and utilizing more accurate features is the key point to improving the real-time detection performance of Tor traffic. In this paper, we design an efficient and real-time identification scheme for Tor traffic based on the time window method and bidirectional statistical characteristics. In this paper, we divide the network traffic by sliding the time window and then calculate the relative entropy of the flows in the time window to identify Tor traffic. We adopt a sequential pattern mining method to extract bidirectional statistical features and classify the application types in the Tor traffic. Finally, extensive experiments are carried out on the UNB public dataset (ISCXTor2016) to validate our proposal\u2019s effectiveness and real-time property. The experiment results show that the proposed method can detect Tor flow and classify Tor flow types with an accuracy of 93.5% and 91%, respectively, and the speed of processing and classifying a single flow is 0.05 s, which is superior to the state-of-the-art methods.<\/jats:p>","DOI":"10.3390\/sym14102002","type":"journal-article","created":{"date-parts":[[2022,9,29]],"date-time":"2022-09-29T01:23:16Z","timestamp":1664414596000},"page":"2002","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":8,"title":["Bidirectional Statistical Feature Extraction Based on Time Window for Tor Flow Classification"],"prefix":"10.3390","volume":"14","author":[{"given":"Hongping","family":"Yan","sequence":"first","affiliation":[{"name":"School of Computer Science and Communication Engineering, Jiangsu University, Zhenjiang 212013, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Liukun","family":"He","sequence":"additional","affiliation":[{"name":"School of Computer Science and Communication Engineering, Jiangsu University, Zhenjiang 212013, China"},{"name":"Nanjing Huafei Data Technology Co., Ltd., Nanjing 210019, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Xiangmei","family":"Song","sequence":"additional","affiliation":[{"name":"School of Computer Science and Communication Engineering, Jiangsu University, Zhenjiang 212013, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Wang","family":"Yao","sequence":"additional","affiliation":[{"name":"School of Computer Science and Communication Engineering, Jiangsu University, Zhenjiang 212013, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Chang","family":"Li","sequence":"additional","affiliation":[{"name":"School of Computer Science and Communication Engineering, Jiangsu University, Zhenjiang 212013, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Qiang","family":"Zhou","sequence":"additional","affiliation":[{"name":"School of Computer Science and Communication Engineering, Jiangsu University, Zhenjiang 212013, China"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"1968","published-online":{"date-parts":[[2022,9,24]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Dingledine, R., Mathewson, N., and Syverson, P. (2004). Tor: The Second-Generation Onion Router, Naval Research Lab.","DOI":"10.21236\/ADA465464"},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Sirinam, P., Imani, M., Juarez, M., and Wright, M. (2018, January 15\u201319). Deep fingerprinting: Undermining website fingerprinting defenses with deep learning. Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), Toronto, ON, Canada.","DOI":"10.1145\/3243734.3243768"},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"2662","DOI":"10.1109\/TNSM.2020.3025131","article-title":"Predicting network flow characteristics using deep learning and real-world network flow","volume":"17","author":"Hardegen","year":"2020","journal-title":"IEEE Trans. Netw. Serv. Manag."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"1999","DOI":"10.1007\/s00500-019-04030-2","article-title":"Deep packet: A novel approach for encrypted flow classification using deep learning","volume":"24","author":"Lotfollahi","year":"2020","journal-title":"Soft Comput."},{"key":"ref_5","first-page":"105","article-title":"Research on network traffic classification based on machine learning and deep learning","volume":"37","author":"Gu","year":"2021","journal-title":"Telecommun. Sci."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Saghezchi, F.B., Mantas, G., Violas, M.A., Duarte, A.M.O., and Rodriguez, J. (2022). Machine learning for DDoS attack detection in industry 4.0 CPPSs. Electronics, 11.","DOI":"10.3390\/electronics11040602"},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"152","DOI":"10.1016\/j.knosys.2015.03.002","article-title":"Robust application identification methods for P2P and VoIP flow classification in backbone networks","volume":"82","author":"Qin","year":"2015","journal-title":"Knowl.-Based Syst."},{"key":"ref_8","first-page":"12","article-title":"Entropy, relative entropy and mutual information","volume":"2","author":"Cover","year":"1991","journal-title":"Elem. Inf. Theory"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Hegland, M. (2007). The apriori algorithm\u2014A tutorial. Math. Comput. Imaging Sci. Inf. Process., 209\u2013262.","DOI":"10.1142\/9789812709066_0006"},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"2324","DOI":"10.1109\/COMST.2018.2816042","article-title":"Load balancing in data center networks: A survey","volume":"20","author":"Zhang","year":"2018","journal-title":"IEEE Commun. Surv. Tutorials"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Wang, L., Dyer, K.P., Akella, A., Ristenpart, T., Shrimpton, T., and Assoc Comp, M. (2015, January 12\u201316). Seeing through Network-Protocol Obfuscation. Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA.","DOI":"10.1145\/2810103.2813715"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Draper-Gil, G., Lashkari, A.H., Mamun, M.S.I., and Ghorbani, A.A. (2016, January 19\u201321). Characterization of encrypted and vpn flow using time-related. Proceedings of the 2nd International Conference on Information Systems Security and Privacy (ICISSP), Rome, Italy.","DOI":"10.5220\/0005740704070414"},{"key":"ref_13","unstructured":"Wagner, A., and Plattner, B. (2005, January 13\u201315). Entropy based worm and anomaly detection in fast IP networks. Proceedings of the 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise (WETICE\u201905), Linkoping, Sweden."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"502","DOI":"10.1016\/j.future.2019.12.017","article-title":"A privacy-preserving approach to prevent feature disclosure in an IoT scenario","volume":"105","author":"Nicolazzo","year":"2020","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_15","first-page":"10","article-title":"A model for detecting tor encrypted flow using supervised machine learning","volume":"7","author":"Almubayed","year":"2015","journal-title":"Int. J. Inf. Secur."},{"key":"ref_16","unstructured":"Lashkari, A.H., Draper-Gil, G., Mamun, M.S.I., and Ghorbani, A.A. (2017, January 19\u201321). Characterization of Tor flow using time based features. Proceedings of the 3rd International Conference on Information Systems Security and Privacy (ICISSP), Porto, Portugal."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"1079","DOI":"10.1109\/TII.2020.2988870","article-title":"Multilevel identification and classification analysis of Tor on mobile and PC platforms","volume":"17","author":"Wang","year":"2020","journal-title":"IEEE T. Ind. Inform."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Bonifazi, G., Cauteruccio, F., Corradini, E., Marchetti, M., Terracina, G., Ursino, D., and Virgili, L. (2022). Representation, detection and usage of the content semantics of comments in a social platform. J. Inf. Sci.","DOI":"10.1177\/01655515221087663"},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"101979","DOI":"10.1016\/j.datak.2022.101979","article-title":"Extraction and analysis of text patterns from NSFW adult content in Reddit","volume":"138","author":"Cauteruccio","year":"2022","journal-title":"Data Knowl. Eng."},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"102663","DOI":"10.1016\/j.cose.2022.102663","article-title":"DarknetSec: A novel self-attentive deep learning method for darknet flow classification and application identification","volume":"116","author":"Lan","year":"2022","journal-title":"Comput. Secur."},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Shapira, T., and Shavitt, Y. (May, January 29). Flowpic: Encrypted internet flow classification is as easy as image recognition. Proceedings of the IEEE INFOCOM 2019-IEEE Conference on Computer Communications Workshops, Paris, France.","DOI":"10.1109\/INFCOMW.2019.8845315"},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Okonkwo, Z., Foo, E., Li, Q., and Hou, Z. (2022). A CNN Based Encrypted Network Traffic Classifier. Australasian Computer Science Week 2022, Association for Computing Machinery.","DOI":"10.1145\/3511616.3513101"},{"key":"ref_23","unstructured":"Wang, T., Goldberg, I., and Assoc, U. (2017, January 16\u201318). Walkie-Talkie: An Efficient Defense Against Passive Website Fingerprinting Attacks. Proceedings of the 26th USENIX Security Symposium, Vancouver, BC, Canada."},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Cuzzocrea, A., Martinelli, F., Mercaldo, F., and Vercelli, G. (2017, January 11\u201314). Tor flow analysis and detection via machine learning techniques. Proceedings of the 2017 IEEE International Conference on Big Data (Big Data), Boston, MA, USA.","DOI":"10.1109\/BigData.2017.8258487"},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"592","DOI":"10.1007\/s12083-017-0566-4","article-title":"Tor anonymous flow identification based on gravitational clustering","volume":"11","author":"Rao","year":"2018","journal-title":"Peer Peer Netw. Appl."},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Petagna, E., Laurenza, G., Ciccotelli, C., and Querzoni, L. (2019, January 26\u201328). Peel the onion: Recognition of android apps behind the tor network. Proceedings of the International Conference on Information Security Practice and Experience, Kuala Lumpur, Malaysia.","DOI":"10.1007\/978-3-030-34339-2_6"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Korczynski, M., and Duda, A. (May, January 27). Markov chain fingerprinting to classify encrypted flow. Proceedings of the IEEE INFOCOM 2014\u2014IEEE Conference on Computer Communications, Toronto, ON, Canada.","DOI":"10.1109\/INFOCOM.2014.6848005"},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Panchenko, A., Lanze, F., Pennekamp, J., Engel, T., Zinnen, A., Henze, M., and Wehrle, K. (2016, January 21\u201324). Website Fingerprinting at Internet Scale. Proceedings of the NDSS, San Diego, CA, USA.","DOI":"10.14722\/ndss.2016.23477"},{"key":"ref_29","first-page":"44","article-title":"Application of deep learning on the characterization of tor flow using time-based features","volume":"11","author":"Johnson","year":"2021","journal-title":"J. Internet Serv. Inf. Secur."},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Lingyu, J., Yang, L., Bailing, W., Hongri, L., and Guodong, X. (2017, January 6\u20138). A hierarchical classification approach for tor anonymous flow. Proceedings of the 2017 IEEE 9th International Conference on Communication Software and Networks, Guangzhou, China.","DOI":"10.1109\/ICCSN.2017.8230113"},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3457904","article-title":"A survey on encrypted network traffic analysis applications, techniques, and countermeasures","volume":"54","author":"Papadogiannaki","year":"2021","journal-title":"ACM Comput. Surv."},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"108535","DOI":"10.1016\/j.comnet.2021.108535","article-title":"Bytesgan: A semi-supervised generative adversarial network for encrypted traffic classification in SDN edge gateway","volume":"200","author":"Wang","year":"2021","journal-title":"Comput. Netw."},{"key":"ref_33","first-page":"7045823","article-title":"Design and implementation of an anomaly net-work traffic detection model integrating temporal and spatial features","volume":"2021","author":"Li","year":"2021","journal-title":"Secur. Commun. Netw."},{"key":"ref_34","doi-asserted-by":"crossref","first-page":"e5097","DOI":"10.1002\/dac.5097","article-title":"A novel network traffic combination prediction model","volume":"35","author":"Tian","year":"2022","journal-title":"Int. J. Commun. Syst."},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"107974","DOI":"10.1016\/j.comnet.2021.107974","article-title":"TSCRNN: A novel classification scheme of encrypted traffic based on flow spatio-temporal features for efficient management of IIoT","volume":"190","author":"Lin","year":"2021","journal-title":"Comput. Netw."},{"key":"ref_36","unstructured":"Thijs, V.E., Bortolameotti, R., Continella, A., Ren, J.J., Dubois, D.J., Lindorfer, M., Choffnes, D., Steen, M.V., and Peter, A. (2020, January 23\u201326). Flowprint:semi-supervised mobile-app fingerprinting on encrypted network traffic. Proceedings of the 2020 Network and Distributed System Security Symposium, San Diego, CA, USA."},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Towhid, M.S., and Shahriar, N. (July, January 27). Encrypted network traffic classification using self-supervised learning. Proceedings of the 2022 IEEE 8th International Conference on Network Softwarization (NetSoft), Milan, Italy.","DOI":"10.1109\/NetSoft54395.2022.9844044"},{"key":"ref_38","doi-asserted-by":"crossref","first-page":"109017","DOI":"10.1016\/j.comnet.2022.109017","article-title":"From traffic classes to content: A hierarchical approach for encrypted traffic classification","volume":"212","author":"Li","year":"2022","journal-title":"Comput. Netw."},{"key":"ref_39","doi-asserted-by":"crossref","first-page":"108188","DOI":"10.1016\/j.dib.2022.108188","article-title":"Encrypted web traffic dataset: Event logs and packet traces","volume":"42","author":"Velan","year":"2022","journal-title":"Data Brief"},{"key":"ref_40","first-page":"20","article-title":"Detecting network covert channels using machine learning, data mining and hierarchical organisation of frequent sets","volume":"12","author":"Nowakowski","year":"2021","journal-title":"J. Wirel. Mob. Netw. Ubiquitous Comput. Dependable Appl."},{"key":"ref_41","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1155\/2021\/5594663","article-title":"Network traffic statistics method for resource-constrained industrial project group scheduling under big data","volume":"2021","author":"Huo","year":"2021","journal-title":"Wirel. Commun. Mob. Comput."},{"key":"ref_42","doi-asserted-by":"crossref","unstructured":"Gowtham Akshaya Kumaran, P., and Amritha, P.P. (2021, January 4\u20135). Real-time segregation of encrypted data using entropy. Proceedings of the Congress on Intelligent Systems, Bengaluru, India.","DOI":"10.1007\/978-981-16-9113-3_61"},{"key":"ref_43","doi-asserted-by":"crossref","unstructured":"Zhao, Y., Chen, J., Wu, D., Teng, J., and Yu, S. (2019, January 4\u20136). Multi-task network anomaly detection using federated learning. Proceedings of the Tenth International Symposium on Information and Communication Technology, Ha Long Bay, Vietnam.","DOI":"10.1145\/3368926.3369705"},{"key":"ref_44","doi-asserted-by":"crossref","first-page":"540","DOI":"10.3724\/SP.J.1001.2013.04253","article-title":"Online identification of tor anonymous communication traffic","volume":"24","author":"He","year":"2014","journal-title":"J. Softw."}],"container-title":["Symmetry"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-8994\/14\/10\/2002\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T00:38:42Z","timestamp":1760143122000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-8994\/14\/10\/2002"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,9,24]]},"references-count":44,"journal-issue":{"issue":"10","published-online":{"date-parts":[[2022,10]]}},"alternative-id":["sym14102002"],"URL":"https:\/\/doi.org\/10.3390\/sym14102002","relation":{},"ISSN":["2073-8994"],"issn-type":[{"value":"2073-8994","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,9,24]]}}}