Collecting Threat Intelligence from Tor Netwok

Collecting Threat Intelligence from Tor Netwok

Collecting Threat Intelligence From Tor Netwok A Thesis Submitted in Partial Fulfillment of the Requirements for the Degree of Master of Science in Cyber Security by Tarun Trivedi 14/MS/027 Under the Supervision of Dr. B. M. Mehtre (Associate Professor) Center For Cyber Security Institute For Development And Research In Banking Technology, Hyderabad (Established by Reserve Bank Of India) COMPUTER SCIENCE AND ENGINEERING DEPARTMENT SARDAR PATEL UNIVERSITY OF POLICE, SECURITY AND CRIMINAL JUSTICE JODHPUR – 342304, INDIA May, 2016 UNDERTAKING I declare that the work presented in this thesis titled “Collect- ing Threat Intelligence From Tor Netwok”, submitted to the Computer Science and Engineering Department, Sardar Patel Uni- versity of Police, Security and Criminal Justice, Jodhpur, for the award of the Master of Science degree in Cyber Security, is my original work. I have not plagiarized or submitted the same work for the award of any other degree. In case this undertaking is found in- correct, I accept that my degree may be unconditionally withdrawn. May, 2016 Jodhpur (Tarun Trivedi) ii CERTIFICATE Certified that the work contained in the thesis titled “Collecting Threat Intelligence From Tor Netwok”, by Tarun Trivedi, Registra- tion Number 14/MS/027 has been carried out under my supervision and that this work has not been submitted elsewhere for a degree. (Dr. B. M. Mehtre) (Associate Professor) Center For Cyber Security, Institute For Development And Research In Banking Technology, Hyderabad (Established by Reserve Bank Of India) May, 2016 iii Acknowledgment I would like to take this opportunity to express my deep sense of gratitude to all who helped me directly or indirectly during this thesis work. First, I would like to thank my supervisor, Associate Professor Dr. B.M. Mehtre, for being a great mentor and the best adviser I could ever have. His advise, encouragement and critics are source of innovative ideas, inspiration and causes behind the successful completion of this dissertation. The confidence shown on me by him was the biggest source of inspiration for me. It has been a privilege working with him from last five months. He gave me many opportunities to explore inner me. I wish to express my sincere gratitude to Dr. Bhupendra Singh , Vice Chancellor and Sh. M.L. Kumawat (Former), Vice Chancellor, for providing me all the facilities required for the completion of this thesis work. I would like to express my sincere appreciation and gratitude towards faculty mem- bers at S.P.U.P., Jodhpur, especially Mr. Arjun Choudhary & Mr.Vikas Sihag, for their encouragement, consistent support and invaluable suggestions. I thanks to Mr. Vinod Parihar, who helped me, guided me at the time I needed the most. Whenever I get ner- vous, I used to talk with my colleagues. They always tried to encourage me, without all mentioned above, this work could not have achieved its goal. iv Finally, I am grateful to my father Mr.Mangilal Trivedi , my mother Mrs. Usha Trivedi for their support. It was impossible for me to complete this thesis work without their love, blessing and encouragement. Tarun Trivedi v Biographical Sketch Tarun Trivedi 8B Badi Brhmpuri PIN-306401 E-Mail: [email protected], Contact. No. +91- 7737939573 Father’s Name : Mr. Mangilal Trivedi Mother’s Name : Mrs. Usha Trivedi Education • Pursuing Master of Science in Cyber Security, Computer Science & Engineering branch from S.P.U.P., Jodhpur,2016 • B.Tech. in Computer Science and Engineering from Rajasthan Technical Univer- sity,Kota with 64% in 2010. • Intermediate from MBM School,Pali with 62% in 2006. • High School from Bangur School,Pali with 53% in 2003. vi Dedicated to My Loving Family for their kind love & support. To my friends for showing confidence in me. vii }Genius is one percent inspiration, ninety-nine percent perspiration.~ -Thomas Edison viii Synopsis Threat intelligence is evidence-based data and information for detecting and preventing attacks. It includes context, keywords, and indicator’s, etc. about the attack and advance information to predict what will happen in the real world. Many sources like- chats, com- ments, blogs, etc. are helpful to the intelligence agency in decision making. Intelligence agencies monitor the dark world for how the attackers plan and engineer attacks. The main aim of threat intelligence is to find out different types of attacks such as hacking, anonymity, hidden services, etc. in the dark world. The onion sites in the dark world provide resources devoted to hacking, security, anonymity, fake IDs, weapons, services, drugs, pornography, and other malicious services. Well-known browsers such as Google chrome, Internet explorer, Mozilla Firefox, etc. can not access the onion sites, whereas Tor browser is capable of accessing onion sites. Government and intelligence agencies monitor the hidden services in the dark world. Essentially, they look for the hidden networks and their connection to the dark world. To use Tor browser there is need to create an account on the onion site and then start monitoring the comments, blogs, Question and Answer etc. We proposed a scheme for collecting threat intelligence from Tor network. First, we monitored the activities of more than 200 onion sites in the dark world which are used for hacking, attacking, and tracing. Secondly, we extracted the information about attacks from the onion sites. This is based on the discussion on various attacks that would be happening in the group. The discussion ix of a particular attack acts as an indicator that on some malicious users are interested in the particular attack. Based on this information, we would be finding out vulnerable sites (for this attack) and will inform that the site could be under attack. Threat intelligence is not just restricted in predicting the attacks, but also to discover the attack that have already happened. Our focus is on both the above stated goals. We have developed a TNT Tool(Threat intelligence tool) for extracting the keywords from the onion sites using Tor proxy. Our tool collects all the keywords related to attacks such as hacking, tracing, tracking, bandwidth, etc. from the onion sites. After collecting keywords our Tool identifies URL’s of onion sites whenever the keywords are found. Once URL’s extracted, we have sent an email to the owner of the onion site as a client. The onion site owner replied the mail and then we got Email header. Finally we have located the geographical location of the site and IP as well from the Email header.Thus, we can locate enhance in the Darkworld. x Contents Acknowledgment v Biographical Sketch vii Synopsis x 1 Introduction 1 1.1 The Threat intelligence . 1 1.2 The Onion Routing(Tor) . 2 1.3 The onion sites . 3 1.4 Problem statement . 3 1.5 Organization of thesis . 3 2 Literature survey 5 2.1 Tor...................................... 5 2.1.1 Anonimity of Tor . 5 2.1.2 Working of TOR . 6 2.2 Deep web onion services . 9 2.2.1 What is Deep web onion sites? . 9 2.2.2 The Dark Web versus the Deep Web . 10 xi 2.2.3 Number of onion sites in the dark world . 10 2.2.4 How deep web onion sites work? . 12 2.2.5 Why the onion site owner take payment in Bitcoin ? . 12 3 Methodology 13 3.1 Working of the Tool . 14 3.1.1 Application is running through Tor proxy . 15 3.1.2 Searching keyword on an onion site . 16 3.1.3 If URL link is present . 16 3.1.4 Apply text mining tool . 16 3.1.5 Collecting keyword related to the threat intelligence . 16 3.1.6 When a keyword is found, pick up a complete sentence . 16 3.1.7 Show URL address of the onion site . 17 3.2 List of onion sites use for Hacking . 17 4 Results and Discussions 36 4.1 How we can trace the owner of an onion site ? . 36 5 Conclusions and future work 43 References 46 xii List of Figures 1 Selection of nodes in a Tor network. 2 2 Anonimity layer in an OSI Model. 6 3 Tor client request to Directory server to establish connection. 7 4 Tor client connected to server through Tor node. 7 5 Tor client chooses different random path for establishing connection for next time. 8 6 Working of Diffie-Hillman key exchange algorithm. 9 7 List of items selling in the dark world. 10 8 Details of item in the Dark world . 11 9 Protocols found in the Deep Web apart from HTTP/HTTPS. 11 10 Flowchart of working of the Tool. 15 11 Reply mail by [email protected](owner of the onion site). 37 12 Trace E-mail header of a [email protected][23](owner of the onion site). 37 13 Reply mail by [email protected](owner of the onion site). 38 14 Trace E-mail header of a [email protected][23](owner of the onion site). 38 xiv 15 Reply mail by [email protected](owner of the onion site). 39 16 Trace E-mail Header of a [email protected][23](owner of the onion site). 39 17 Reply mail by [email protected][23](owner of the onion site). 40 18 Trace E-mail Header of a [email protected][23](owner of the onion site). 40 19 Reply mail by [email protected](owner of the onion site). 41 20 Trace E-mail of a [email protected][23](owner of the onion site). 41 xv Chapter 1 Introduction 1.1 The Threat intelligence The main aim of Threat intelligence is detecting and preventing attacks in the dark world.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    62 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us