Presentation is loading. Please wait.

Presentation is loading. Please wait.

Exploring Dark Networks: From the Surface Web to the Dark Web

Published byRatna Kurniawan Modified over 6 years ago

Similar presentations

Presentation on theme: "Exploring Dark Networks: From the Surface Web to the Dark Web"— Presentation transcript:

1 Exploring Dark Networks: From the Surface Web to the Dark Web
Hsinchun Chen, Ph.D., University of Arizona Panel 3: Multi-Level, High-Dimensional Evolving and Emerging Networks (ML- HD-EEN) October 12, 2017 “Leveraging Advances in Social Network Thinking for National Security: A Workshop” Acknowledgements: NSF, DHS, DOJ, DOD

2 My Background Academic: Data/computational scientist; data/text/web mining, visualization; applied AI for security and health analytics Applications: Security analytics; dark networks Projects: COPLINK ( , gang/narcotic networks); Dark Web (2001-present, extremist/terrorist networks); Hacker Web (2009- present) SBE collaborators: M. Sageman, R. Breiger, T. Holt Agency collaborators: TPD, PPD, FBI, CIA, NSA, DHS (NSF, DOD)

3 From the Surface Web to the Dark Web
Deep Web Dark Web DarkNet Hacker Web

4 Springer, 2006 Springer, 2012

5 COPLINK: Crime Information Sharing & Data Mining

6 Merged i2 in 2009; acquired by IBM in 2011 for $500M
COPLINK: Crime Data Mining The New York Times, November 2, 2002 COPLINK assisted in DC sniper investigation ABC News  April 15, 2003 Google for Cops: Coplink software helps police search for cyber clues to bust criminals Washington Post, March 6, 2008 National dragnet is a click away! COPLINK in use in 3,500 police agencies in US! Merged i2 in 2009; acquired by IBM in 2011 for $500M ($10B, IT unicorn, 2015)

7 Border Security: High-risk Vehicle Identification (LPR + DM/SNA)  They are watching!
X X X

8 A Vehicle to Watch via its Networks?
Shape Indicates Object Type circles are people rectangles are vehicles Color Denotes Activity History Larger Size Indicates higher levels of activity Border Crossing Plates are outlined in Red Gang related Violent crimes Narcotics crimes Violent & Narcotics

9 COPLINK Identity Resolution and Criminal Network Analysis (DHS)

10 Dark Web Overview Dark Web: Terrorists’ and cyber criminals’ use of the Internet Collection: Web sites, forums, blogs, YouTube, etc. 20 TBs in size, with close to 10B pages/files/messages (the entire LOC collection: 15 TBs)

11 Dark Web Forum Crawler System: Probing the Hidden Web (Proxy, TOR)

12 CyberGate for Social Media Analytics: Ideational, Textual and Interpersonal Information

13 Arabic Writeprint Feature Set: Online Authorship Analysis

14 Arabic Feature Extraction Component
1 Incoming Message Count +1 Degree + 5 2 Elongation Filter Filtered Message Similarity Scores (SC) Root Dictionary 3 Root Clustering Algorithm max(SC)+1 All Remaining Features Values Generic Feature Extractor 4

15 CyberGate System Design: Writeprints

16 Author Writeprints Anonymous Messages Author A 10 messages Author B

17 AZ Forum Portal 13M messages (340K members) across 29 major Jihadi forums in English, Arabic, French, German and Russian (VBulletin) Linking members over time

18

19 Hacker Web Hackers and Hacker Assets Tutorial on how to create
malicious documents Forum post with source code to exploit Mozilla Firefox 3.5.3 Forum post with BlackPOS malware attachment.

20 Hacker Assets Portal V2.0 – Overview
(a) Home page, linking to (b & c) Assets, (d) Dashboard, and (e) Malware Families: (e) Malware Families, for depicting relationships among assets over time (Crypter Family shown) (b) Assets page, linking to Source Code and Attachments (c) Source Code page; sortable by asset name, exploit type, date, etc. (d) Dashboard for drill-down analysis of hackers & assets over time

21 Cyber Threat Intelligence (CTI) Example – Bank Exploits
1 2 Filtering on 2014, when BlackPOS was posted, shows assets and threat actors at that time. Filtering the actor who posted BlackPOS reveals that he posts other bank exploits (e.g., Zeus). Provides intelligence on which hacker to monitor.

22 Cyber Threat Intelligence (CTI) Example – Crypters
1 2 3 Filtering on a specific time point (highest peak): Filtering on a specific asset (crypters, a key technology for Ransomware) Filtering a specific crypter author (Cracksman) shows the trends and types of assets he posted.

23 Selected Challenges for ML-HD-EEN in Dark Networks
Identifying data Sources: availability (data stovepipes, data integration; RMS, RDBMS); web OSINT (surface web, deep web, dark web; TOR, ICT); data types (structured vs. unstructured; multi-lingual, multi-media; source code, attachment, tutorial), data biases (noise, deception, adversarial; vigilante, honeypot, APTs) Recognizing nodes: levels/dimensions (who/what/where/when/why/how); entity extraction and recognition (identity resolution, web authorship analysis, writeprint) Establishing links: linked by associations (labeled links, probabilistic links); linked by time/space (same-time-same-place; border crossing, hotspot); linked by conversations (linguistic cues and styles; ICT, forums) Analyzing network patterns: (many SNA techniques) Tracking changes over time: stream data collection & mining (update & alert; anomaly detection, concept drift; emerging cyber threats and DarkNet Markets

24 Selected Solutions & Directions for ML-HD EEN
Comprehensive & timely OSINT data collection: from the surface web to the dark web; across level/dimension, over time Data integration and SNA extraction: AI assisted entity/relationship recognition/integration; across level/dimension, over time Methodological foundations: dark networks, hidden networks; noise, deception, adversarial intent Data analytics: advanced social media analytics, stream data mining, adversarial machine learning, BIG DATA analytics; across level/dimension, over time

25 For questions and comments

Download ppt "Exploring Dark Networks: From the Surface Web to the Dark Web"

Similar presentations

Www.accessdata.com Digital Investigations of Any Kind ONE COMPANY Cyber Intelligence Response Technology (CIRT)

Digital Investigations of Any Kind ONE COMPANY Cyber Intelligence Response Technology (CIRT)
SAS solutions SAS ottawa platform user society nov 20th 2014.

SAS solutions SAS ottawa platform user society nov 20th 2014.
Privacy in Social Networks CSCE 201. Reading Dwyer, Hiltz, Passerini, Trust and privacy concern within social networking sites: A comparison of Facebook.

Privacy in Social Networks CSCE 201. Reading Dwyer, Hiltz, Passerini, Trust and privacy concern within social networking sites: A comparison of Facebook.
“White Hat Anonymity”: Current challenges security researchers face preforming actionable OSINT Christopher R. Barber, CISSP, C|EHv7 Threat Analyst Solutionary.

“White Hat Anonymity”: Current challenges security researchers face preforming actionable OSINT Christopher R. Barber, CISSP, C|EHv7 Threat Analyst Solutionary.
April 22, 20041 Text Mining: Finding Nuggets in Mountains of Textual Data Jochen Doerre, Peter Gerstl, Roland Seiffert IBM Germany, August 1999 Presenter:

April 22, Text Mining: Finding Nuggets in Mountains of Textual Data Jochen Doerre, Peter Gerstl, Roland Seiffert IBM Germany, August 1999 Presenter:
Text Mining: Finding Nuggets in Mountains of Textual Data Jochen Dijrre, Peter Gerstl, Roland Seiffert Presented by Huimin Ye.

Text Mining: Finding Nuggets in Mountains of Textual Data Jochen Dijrre, Peter Gerstl, Roland Seiffert Presented by Huimin Ye.
Text Mining: Finding Nuggets in Mountains of Textual Data Jochen Dijrre, Peter Gerstl, Roland Seiffert Presented by Drew DeHaas.

Text Mining: Finding Nuggets in Mountains of Textual Data Jochen Dijrre, Peter Gerstl, Roland Seiffert Presented by Drew DeHaas.
Overview of Web Data Mining and Applications Part I

Overview of Web Data Mining and Applications Part I
WHT/082311 HPCC Systems Flavio Villanustre VP, Products and Infrastructure HPCC Systems Risk Solutions.

WHT/ HPCC Systems Flavio Villanustre VP, Products and Infrastructure HPCC Systems Risk Solutions.
CS598CXZ Course Summary ChengXiang Zhai Department of Computer Science University of Illinois, Urbana-Champaign.

CS598CXZ Course Summary ChengXiang Zhai Department of Computer Science University of Illinois, Urbana-Champaign.
CSIAC is a DoD Information Analysis Center (IAC) sponsored by the Defense Technical Information Center (DTIC) Presentation to: Insider Threat SOAR Workshop.

CSIAC is a DoD Information Analysis Center (IAC) sponsored by the Defense Technical Information Center (DTIC) Presentation to: Insider Threat SOAR Workshop.
Data Mining as Pre-EDD Investigatory Tool Team 9.

Data Mining as Pre-EDD Investigatory Tool Team 9.
© 2008 IBM Corporation ® Atlas for Lotus Connections Unlock the power of your social network! Customer Overview Presentation An IBM Software Services for.

© 2008 IBM Corporation ® Atlas for Lotus Connections Unlock the power of your social network! Customer Overview Presentation An IBM Software Services for.
Introduction to Text and Web Mining. I. Text Mining is part of our lives.

Introduction to Text and Web Mining. I. Text Mining is part of our lives.
INTERACTIVE ANALYSIS OF COMPUTER CRIMES PRESENTED FOR CS-689 ON 10/12/2000 BY NAGAKALYANA ESKALA.

INTERACTIVE ANALYSIS OF COMPUTER CRIMES PRESENTED FOR CS-689 ON 10/12/2000 BY NAGAKALYANA ESKALA.
ARTIFICIAL INTELLIGENCE FOR HOME LAND SECURITY. THE AUTHORS Phd, Information Systems from New York University Management information systems, University.

ARTIFICIAL INTELLIGENCE FOR HOME LAND SECURITY. THE AUTHORS Phd, Information Systems from New York University Management information systems, University.
29-30 October, 2006, Estonia 1 IST4Balt Information analysis using social bookmarking and other tools IST4Balt Information analysis using social bookmarking.

29-30 October, 2006, Estonia 1 IST4Balt Information analysis using social bookmarking and other tools IST4Balt Information analysis using social bookmarking.
Security Innovation & Startup. OPEN THREAT EXCHANGE (OTX): THE HISTORY AND FUTURE OF OPEN THREAT INTELLIGENCE COMMUNITY ALIENVAULT OTX.

Security Innovation & Startup. OPEN THREAT EXCHANGE (OTX): THE HISTORY AND FUTURE OF OPEN THREAT INTELLIGENCE COMMUNITY ALIENVAULT OTX.
The Internet CSC 101 1.0 September 30, 2010. History of the Internet Developed for secure military communications Evolved from Advanced Research Projects.

The Internet CSC September 30, History of the Internet Developed for secure military communications Evolved from Advanced Research Projects.
AN INTELLIGENT AGENT is a software entity that senses its environment and then carries out some operations on behalf of a user, with a certain degree of.

AN INTELLIGENT AGENT is a software entity that senses its environment and then carries out some operations on behalf of a user, with a certain degree of.

Similar presentations

Ads by Google