Javier Pastor-Galindo,Hông-Ân Sandlin,Félix Gómez Mármol,Gérôme Bovet,Gregorio Martínez Pérez

2024-01-24

Abstract:The dark web has become notorious for its association with illicit activities and there is a growing need for systems to automate the monitoring of this space. This paper proposes an end-to-end scalable architecture for the early identification of new Tor sites and the daily analysis of their content. The solution is built using an Open Source Big Data stack for data serving with Kubernetes, Kafka, Kubeflow, and MinIO, continuously discovering onion addresses in different sources (threat intelligence, code repositories, web-Tor gateways, and Tor repositories), downloading the HTML from Tor and deduplicating the content using MinHash LSH, and categorizing with the BERTopic modeling (SBERT embedding, UMAP dimensionality reduction, HDBSCAN document clustering and c-TF-IDF topic keywords). In 93 days, the system identified 80,049 onion services and characterized 90% of them, addressing the challenge of Tor volatility. A disproportionate amount of repeated content is found, with only 6.1% unique sites. From the HTML files of the dark sites, 31 different low-topics are extracted, manually labeled, and grouped into 11 high-level topics. The five most popular included sexual and violent content, repositories, search engines, carding, cryptocurrencies, and marketplaces. During the experiments, we identified 14 sites with 13,946 clones that shared a suspiciously similar mirroring rate per day, suggesting an extensive common phishing network. Among the related works, this study is the most representative characterization of onion services based on topics to date.

Distributed, Parallel, and Cluster Computing,Information Retrieval

Justin F. Brunelle,Ryan Farley,Grant Atkins,Trevor Bostic,Marites Hendrix,Zak Zebrowski

DOI: https://doi.org/10.48550/arXiv.2107.04070

2021-07-08

Digital Libraries

Abstract:We present a framework for web-scale archiving of the dark web. While commonly associated with illicit and illegal activity, the dark web provides a way to privately access web information. This is a valuable and socially beneficial tool to global citizens, such as those wishing to access information while under oppressive political regimes that work to limit information availability. However, little institutional archiving is performed on the dark web (limited to the Archive.is dark web presence, a page-at-a-time archiver). We use surface web tools, techniques, and procedures (TTPs) and adapt them for archiving the dark web. We demonstrate the viability of our framework in a proof-of-concept and narrowly scoped prototype, implemented with the following lightly adapted open source tools: the Brozzler crawler for capture, WARC file for storage, and pywb for replay. Using these tools, we demonstrate the viability of modified surface web archiving TTPs for archiving the dark web.

Philgeun Jin,Namjun Kim,Sangjin Lee,Doowon Jeong

DOI: https://doi.org/10.1007/s10207-023-00745-4

2023-08-24

International Journal of Information Security

Abstract:The Dark Web is notorious for being a huge marketplace that promotes illegal products such as indecent images of children, drug, private data, and stolen financial data. To track criminals on the Dark Web, several challenges, arising from the Dark Web's nature, must be overcome. Dark websites frequently change domain names, so investigators find little evidence of criminals when using a common crawling method. Furthermore, disturbing material on the Dark Web threatens investigators' mental health and decreases the effectiveness of investigations. Above all, given the anonymity of the Dark Web, few clues remain to track criminals. To address these challenges, this article presents an advanced crawler to collect data considering the Dark Web ecosystem. Machine learning models that detect disturbing content are implemented to protect investigators' mental health. This article also describes tracking code and status module, pivotal clues that can strip the anonymity of perpetrators along with the cryptocurrency transactions studied in previous works. In this article, the current state of the Dark Web is introduced by analyzing 14,993 crawled dark websites. By presenting three case studies, it is proved that our proposed investigative methodology can identify operators of illegal dark websites by connecting dark websites with the corresponding surface websites.

computer science, information systems, theory & methods, software engineering

Jesper Bergman,Oliver B. Popov

DOI: https://doi.org/10.1109/access.2023.3255165

IF: 3.9

2023-04-14

IEEE Access

Abstract:Strong encryption algorithms and reliable anonymity routing have made cybercrime investigation more challenging. Hence, one option for law enforcement agencies (LEAs) is to search through unencrypted content on the Internet or anonymous communication networks (ACNs). The capability of automatically harvesting web content from web servers enables LEAs to collect and preserve data prone to serve as potential leads, clues, or evidence in an investigation. Although scientific studies have explored the field of web crawling soon after the inception of the web, few research studies have thoroughly scrutinised web crawling on the "dark web", or ACNs, such as I2P, IPFS, Freenet, and Tor. The current paper presents a systematic literature review (SLR) that examines the prevalence and characteristics of dark web crawlers. From a selection of 58 peer-reviewed articles mentioning crawling and the dark web, 34 remained after excluding irrelevant articles. The literature review showed that most dark web crawlers were programmed in Python, using either Selenium or Scrapy as the web scraping library. The knowledge gathered from the systematic literature review was used to develop a Tor-based web crawling model into an already existing software toolset customised for ACN-based investigations. Finally, the performance of the model was examined through a set of experiments. The results indicate that the developed crawler was successful in scraping web content from both clear and dark web pages, and scraping dark marketplaces on the Tor network. The scientific contribution of this paper entails novel knowledge concerning ACN-based web crawlers. Furthermore, it presents a model for crawling and scraping clear and dark websites for the purpose of digital investigations. The conclusions include practical implications of dark web content retrieval and archival, such as investigation clues and evidence, and related future research topics.

computer science, information systems,telecommunications,engineering, electrical & electronic

Paris Koloveas,Thanasis Chantzios,Christos Tryfonopoulos,Spiros Skiadopoulos

DOI: https://doi.org/10.48550/arXiv.2109.06932

2021-09-14

Cryptography and Security

Abstract:The clear, social, and dark web have lately been identified as rich sources of valuable cyber-security information that -given the appropriate tools and methods-may be identified, crawled and subsequently leveraged to actionable cyber-threat intelligence. In this work, we focus on the information gathering task, and present a novel crawling architecture for transparently harvesting data from security websites in the clear web, security forums in the social web, and hacker forums/marketplaces in the dark web. The proposed architecture adopts a two-phase approach to data harvesting. Initially a machine learning-based crawler is used to direct the harvesting towards websites of interest, while in the second phase state-of-the-art statistical language modelling techniques are used to represent the harvested information in a latent low-dimensional feature space and rank it based on its potential relevance to the task at hand. The proposed architecture is realised using exclusively open-source tools, and a preliminary evaluation with crowdsourced results demonstrates its effectiveness.

Daniel De Pascale,Giuseppe Cascavilla,Damian A. Tamburri,Willem-Jan Van Den Heuvel

2024-05-10

Abstract:Dark web crawling is a complex process that involves specific methodologies and techniques to navigate the Tor network and extract data from hidden services. This study proposes a general dark web crawler designed to extract pages handling security protocols, such as captchas, efficiently. Our approach uses a combination of seed URL lists, link analysis, and scanning to discover new content. We also incorporate methods for user-agent rotation and proxy usage to maintain anonymity and avoid detection. We evaluate the effectiveness of our crawler using metrics such as coverage, performance and robustness. Our results demonstrate that our crawler effectively extracts pages handling security protocols while maintaining anonymity and avoiding detection. Our proposed dark web crawler can be used for various applications, including threat intelligence, cybersecurity, and online investigations.

Cryptography and Security

Massimo Bernaschi,Alessandro Celestini,Marco Cianfriglia,Stefano Guarino,Flavio Lombardi,Enrico Mastrostefano

DOI: https://doi.org/10.48550/arXiv.2101.08194

2021-01-20

Social and Information Networks

Abstract:Tor is an anonymity network that allows offering and accessing various kinds of resources, known as hidden services, while guaranteeing sender and receiver anonymity. The Tor web is the set of web resources that exist on the Tor network, and Tor websites are part of the so-called dark web. Recent research works have evaluated Tor security, evolution over time, and thematic organization. Nevertheless, few information are available about the structure of the graph defined by the network of Tor websites. The limited number of Tor entry points that can be used to crawl the network renders the study of this graph far from being simple. In this paper we aim at better characterizing the Tor Web by analyzing three crawling datasets collected over a five-month time frame. On the one hand, we extensively study the global properties of the Tor Web, considering two different graph representations and verifying the impact of Tor's renowned volatility. We present an in depth investigation of the key features of the Tor Web graph showing what makes it different from the surface Web graph. On the other hand, we assess the relationship between contents and structural features. We analyse the local properties of the Tor Web to better characterize the role different services play in the network and to understand to which extent topological features are related to the contents of a service.

Michalis Kallitsis,Vasant Honavar,Rupesh Prajapati,Dinghao Wu,John Yen

DOI: https://doi.org/10.48550/arXiv.2108.00079

2021-08-06

Abstract:Network telescopes or "Darknets" provide a unique window into Internet-wide malicious activities associated with malware propagation, denial of service attacks, scanning performed for network reconnaissance, and others. Analyses of the resulting data can provide actionable insights to security analysts that can be used to prevent or mitigate cyber-threats. Large Darknets, however, observe millions of nefarious events on a daily basis which makes the transformation of the captured information into meaningful insights challenging. We present a novel framework for characterizing Darknet behavior and its temporal evolution aiming to address this challenge. The proposed framework: (i) Extracts a high dimensional representation of Darknet events composed of features distilled from Darknet data and other external sources; (ii) Learns, in an unsupervised fashion, an information-preserving low-dimensional representation of these events (using deep representation learning) that is amenable to clustering; (iv) Performs clustering of the scanner data in the resulting representation space and provides interpretable insights using optimal decision trees; and (v) Utilizes the clustering outcomes as "signatures" that can be used to detect structural changes in the Darknet activities. We evaluate the proposed system on a large operational Network Telescope and demonstrate its ability to detect real-world, high-impact cybersecurity incidents.

Cryptography and Security,Machine Learning

Mohamed Chahine Ghanem,Patrick Mulvihill,Karim Ouazzane,Ramzi Djemai,Dipo Dunsin

DOI: https://doi.org/10.3390/jcp3040036

2023-11-15

Journal of Cybersecurity and Privacy

Abstract:The use of the unindexed web, commonly known as the deep web and dark web, to commit or facilitate criminal activity has drastically increased over the past decade. The dark web is a dangerous place where all kinds of criminal activities take place, Despite advances in web forensic techniques, tools, and methodologies, few studies have formally tackled dark and deep web forensics and the technical differences in terms of investigative techniques and artefact identification and extraction. This study proposes a novel and comprehensive protocol to guide and assist digital forensic professionals in investigating crimes committed on or via the deep and dark web. The protocol, named D2WFP, establishes a new sequential approach for performing investigative activities by observing the order of volatility and implementing a systemic approach covering all browsing-related hives and artefacts which ultimately resulted in improving the accuracy and effectiveness. Rigorous quantitative and qualitative research has been conducted by assessing the D2WFP following a scientifically sound and comprehensive process in different scenarios and the obtained results show an apparent increase in the number of artefacts recovered when adopting the D2WFP which outperforms any current industry or opensource browsing forensic tools. The second contribution of the D2WFP is the robust formulation of artefact correlation and cross-validation within the D2WFP which enables digital forensic professionals to better document and structure their analysis of host-based deep and dark web browsing artefacts.

computer science, information systems, interdisciplinary applications, software engineering

Abdul Hadi M. Alaidi,Roa'a M. Al_airaji,Haider Th.Salim Alrikabi,Ibtisam A. Aljazaery,Saif Hameed Abbood

DOI: https://doi.org/10.3991/ijim.v16i10.30209

2022-05-24

International Journal of Interactive Mobile Technologies (iJIM)

Abstract:Dark web is a canopy concept that denotes any kind of illicit activities carried out by anonymous persons or organizations, thereby making it difficult to trace. The illicit content on the dark web is constantly updated and changed. The collection and classification of such illegal activities are challenging tasks, as they are difficult and time-consuming. This problem has in recent times emerged as an issue that requires quick attention from both the industry and academia. To this end, efforts have been made in this article a crawler that is capable of collecting dark web pages, cleaning them, and saving them in a document database, is proposed. The crawler carries out an automatic classification of the gathered web pages into five classes. The classifiers used in classifying the pages include Linear Support Vector Classifier (SVC), Naïve Bayes (NB), and Document Frequency (TF-IDF). The experimental results revealed that an accuracy rate of 92% and 81% were achieved by SVC and NB, respectively.

Victor Adewopo,Bilal Gonen,Said Varlioglu,Murat Ozer

DOI: https://doi.org/10.48550/arXiv.2001.02300

2020-01-07

Cryptography and Security

Abstract:The availability of sophisticated technologies and methods of perpetrating criminogenic activities in the cyberspace is a pertinent societal problem. Darknet is an encrypted network technology that uses the internet infrastructure and can only be accessed using special network configuration and software tools to access its contents which are not indexed by search engines. Over the years darknets traditionally are used for criminogenic activities and famously acclaimed to promote cybercrime, procurements of illegal drugs, arms deals, and cryptocurrency markets. In countries with oppressive regimes, censorship of digital communications, and strict policies prompted journalists and freedom fighters to seek freedom using darknet technologies anonymously while others simply exploit it for illegal activities. Recently, MIT's Lincoln Laboratory of Artificial Intelligence augmented a tool that can be used to expose illegal activities behind the darknet. We studied relevant literature reviews to help researchers to better understand the darknet technologies, identify future areas of research on the darknet and ultimately to optimize how data-driven insights can be utilized to support governmental agencies in unraveling the depths of darknet technologies. This paper focuses on the use of the internet for crimes, deanonymization of TOR-services, darknet a new digital street for illicit drugs, research questions and hypothesis to guide researchers in further studies. Finally, in this study, we propose a model to examine and investigate anonymous online illicit markets.

Ali Fayzi,Mohammad Fayzi,Kourosh Dadashtabar Ahmadi

DOI: https://doi.org/10.48550/arXiv.2306.07980

2023-05-30

Information Retrieval

Abstract:In contemporary times, people rely heavily on the internet and search engines to obtain information, either directly or indirectly. However, the information accessible to users constitutes merely 4% of the overall information present on the internet, which is commonly known as the surface web. The remaining information that eludes search engines is called the deep web. The deep web encompasses deliberately hidden information, such as personal email accounts, social media accounts, online banking accounts, and other confidential data. The deep web contains several critical applications, including databases of universities, banks, and civil records, which are off-limits and illegal to access. The dark web is a subset of the deep web that provides an ideal platform for criminals and smugglers to engage in illicit activities, such as drug trafficking, weapon smuggling, selling stolen bank cards, and money laundering. In this article, we propose a search engine that employs deep learning to detect the titles of activities on the dark web. We focus on five categories of activities, including drug trading, weapon trading, selling stolen bank cards, selling fake IDs, and selling illegal currencies. Our aim is to extract relevant images from websites with a ".onion" extension and identify the titles of websites without images by extracting keywords from the text of the pages. Furthermore, we introduce a dataset of images called Darkoob, which we have gathered and used to evaluate our proposed method. Our experimental results demonstrate that the proposed method achieves an accuracy rate of 94% on the test dataset.

Dvir Cohen,Yisroel Mirsky,Yuval Elovici,Rami Puzis,Manuel Kamp,Tobias Martin,Asaf Shabtai

DOI: https://doi.org/10.48550/arXiv.2003.02575

2020-03-05

Cryptography and Security

Abstract:Trillions of network packets are sent over the Internet to destinations which do not exist. This 'darknet' traffic captures the activity of botnets and other malicious campaigns aiming to discover and compromise devices around the world. In order to mine threat intelligence from this data, one must be able to handle large streams of logs and represent the traffic patterns in a meaningful way. However, by observing how network ports (services) are used, it is possible to capture the intent of each transmission. In this paper, we present DANTE: a framework and algorithm for mining darknet traffic. DANTE learns the meaning of targeted network ports by applying Word2Vec to observed port sequences. Then, when a host sends a new sequence, DANTE represents the transmission as the average embedding of the ports found that sequence. Finally, DANTE uses a novel and incremental time-series cluster tracking algorithm on observed sequences to detect recurring behaviors and new emerging threats. To evaluate the system, we ran DANTE on a full year of darknet traffic (over three Tera-Bytes) collected by the largest telecommunications provider in Europe, Deutsche Telekom and analyzed the results. DANTE discovered 1,177 new emerging threats and was able to track malicious campaigns over time. We also compared DANTE to the current best approach and found DANTE to be more practical and effective at detecting darknet traffic patterns.

Edward Crowder,Jay Lansiquot

DOI: https://doi.org/10.48550/arXiv.2105.13957

2021-05-19

Abstract:Exploring the darknet can be a daunting task; this paper explores the application of data mining the darknet within a Canadian cybercrime perspective. Measuring activity through marketplace analysis and vendor attribution has proven difficult in the past. Observing different aspects of the darknet and implementing methods of monitoring and collecting data in the hopes of connecting contributions to the darknet marketplaces to and from Canada. The significant findings include a small Canadian presence, measured the product categories, and attribution of one cross-marketplace vendor through data visualization. The results were made possible through a multi-stage processing pipeline, including data crawling, scraping, and parsing. The primary future works include enhancing the pipeline to include other media, such as web forums, chatrooms, and emails. Applying machine learning models like natural language processing or sentiment analysis could prove beneficial during investigations.

Cryptography and Security

Ashwini Dalvi,Swapneel Paranjpe,Riddhi Amale,Sarvesh Kurumkar,Faruk Kazi,S.G. Bhirud

DOI: https://doi.org/10.1109/icsccc51823.2021.9478098

2021-05-21

Abstract:The researchers established that there exists a portion of the hidden web known as the "Dark Web". The nature of the Dark web intrigued researchers to collect information and present inferences about the information spread and communication taking place on this dark side of the internet. The presented work SpyDark is one such attempt to collect information from the surface and dark web. The user is required to enter the search query, the number of web pages to visit, and specify which network to be accessed (surface or dark web). The crawler traverses all the web pages and extracts information on that page, such as text data, images, hyperlinks, etc. The hyperlinks are stored in the database and later visited by the crawler. The text data is fed to a pre-trained NLP (Natural Language Processing) model, and the output is used to quantify the relevance score. The page is categorized as relevant or irrelevant.

Kate Connolly,Anna Klempay,Mary McCann,Paul Brenner,Dr. Paul Brenner

DOI: https://doi.org/10.1145/3615666

2023-08-15

Digital Threats: Research and Practice

Abstract:The dark web has become an increasingly important landscape for the sale of illicit cyber goods. Given the prevalence of malware and tools that are used to steal data from individuals on these markets, it is crucial that every company, governing body, and cyber professional be aware of what information is sold on these marketplaces. Knowing this information will allow these entities to protect themselves against cyber attacks and from information breaches. In this paper, we announce the public release of a data set on dark web marketplaces' cybersecurity-related listings. We spent multiple years seeking out websites that sold illicit digital goods and collected data on the available products. Due to the marketplaces' varied and complex layers of security, we leveraged the flexible Selenium WebDriver with Python to navigate the web pages and collect data. We present analysis of categories of malicious cyber goods sold on marketplaces, prices, persistent vendors, ratings, and other basic information on marketplace storefronts. Additionally, we share the tools and techniques we've compiled, enabling others to scrape dark web marketplaces at a significantly lower risk. We invite professionals who opt to gather data from the dark web to contribute to the publicly shared threat intelligence resource.

Randa Basheer,Bassel Alkhatib

DOI: https://doi.org/10.1155/2024/2775236

IF: 2.3

2024-02-15

Complexity

Abstract:Social networks on the Internet have become a home that attracts all types of human thinking to exchange knowledge and ideas and share businesses. On the other hand, it has also become a source for researchers to analyze this knowledge and frame it in patterns that define types of thoughts circulating on these networks and representing the communities around them. In particular, some social networks on the Dark Web attract a special kind of thinking centered around the malicious and illegal activities disseminated on websites and marketplaces on the Dark Web. These networks involve discussions to exchange and discourse information, tips, and advice on performing such business. Studying social networks on the Dark Web is still in its infancy. In this paper, we present a methodology for analyzing the content of social networks on the Dark Web using topic modeling methods. We demonstrate the needed stages for the topic modeling process, beginning with data preprocessing and feature extraction to topic modeling algorithms. We utilize and discuss the following four topic models: LDA, CTM, PAM, and PTM. We discuss the following four topic coherence measures as evaluation metrics: UMass, UCI, CNPMI, and CV, demonstrating the selection of the best number of topics for each model according to the most coherent produced topics. Furthermore, we discuss the limitations, challenges, and future work. Our proposed approach highlights the ability to discover the latent thematic patterns in conversations and messages in the common language used in social networks on the Dark Web, constructing topics as groups of terms and their associations. This paper provides researchers with a leading methodology for analyzing thought patterns on the Dark Web.

mathematics, interdisciplinary applications,multidisciplinary sciences

Abhineet Gupta,Sean B Maynard,Atif Ahmad

DOI: https://doi.org/10.48550/arXiv.2104.07138

2021-04-14

Cryptography and Security

Abstract:The internet can be broadly divided into three parts: surface, deep and dark. The dark web has become notorious in the media for being a hidden part of the web where all manner of illegal activities take place. This review investigates how the dark web is being utilised with an emphasis on cybercrime, and how law enforcement plays the role of its adversary. The review describes these hidden spaces, sheds light on their history, the activities that they harbour including cybercrime, the nature of attention they receive, and methodologies employed by law enforcement in an attempt to defeat their purpose. More importantly, it is argued that these spaces should be considered a phenomenon and not an isolated occurrence to be taken as merely a natural consequence of technology. This paper contributes to the area of dark web research by serving as a reference document and by proposing a research agenda.

Andrei Manolache,Florin Brad,Antonio Barbalau,Radu Tudor Ionescu,Marius Popescu

DOI: https://doi.org/10.48550/arXiv.2207.03477

2022-07-07

Computation and Language

Abstract:The DarkWeb represents a hotbed for illicit activity, where users communicate on different market forums in order to exchange goods and services. Law enforcement agencies benefit from forensic tools that perform authorship analysis, in order to identify and profile users based on their textual content. However, authorship analysis has been traditionally studied using corpora featuring literary texts such as fragments from novels or fan fiction, which may not be suitable in a cybercrime context. Moreover, the few works that employ authorship analysis tools for cybercrime prevention usually employ ad-hoc experimental setups and datasets. To address these issues, we release VeriDark: a benchmark comprised of three large scale authorship verification datasets and one authorship identification dataset obtained from user activity from either Dark Web related Reddit communities or popular illicit Dark Web market forums. We evaluate competitive NLP baselines on the three datasets and perform an analysis of the predictions to better understand the limitations of such approaches. We make the datasets and baselines publicly available at https://github.com/bit-ml/VeriDark