Characterizing Activity on the Deep and Dark Web
This addresses the lack of systematic investigation into cyber crime hubs on the deep and dark web, though it is incremental in applying existing methods to new data.
The paper tackled the problem of systematically investigating illicit activities on the deep and dark web by analyzing a large corpus of messages from 80 forums over a year, using LDA and HMM to identify and model topic evolution, and showed that the approach surfaces hidden similarities and anomalous events.
The deep and darkweb (d2web) refers to limited access web sites that require registration, authentication, or more complex encryption protocols to access them. These web sites serve as hubs for a variety of illicit activities: to trade drugs, stolen user credentials, hacking tools, and to coordinate attacks and manipulation campaigns. Despite its importance to cyber crime, the d2web has not been systematically investigated. In this paper, we study a large corpus of messages posted to 80 d2web forums over a period of more than a year. We identify topics of discussion using LDA and use a non-parametric HMM to model the evolution of topics across forums. Then, we examine the dynamic patterns of discussion and identify forums with similar patterns. We show that our approach surfaces hidden similarities across different forums and can help identify anomalous events in this rich, heterogeneous data.