
Adaptive traffic fingerprinting for darknet threat intelligence

  • Hamish Haughey
  • Gregory Epiphaniou
  • Haider Al-Khateeb
  • Ali Dehghantanha

Affiliations: Northumbria University, University of Sheffield
Research output: Chapter in Book/Report/Conference proceeding (chapter, peer-reviewed)

Open access

Sustainable Development Goals

  • SDG 16 - Peace, Justice and Strong Institutions

Abstract

Darknet technology such as Tor has been used by various threat actors to organise illegal activities and to exfiltrate data. As such, there is a case for organisations to block such traffic, or to try to identify when it is used and for what purposes. However, anonymity in cyberspace has always been a domain of conflicting interests: while it gives nefarious actors enough cover to mask their illegal activities, it is also the cornerstone of freedom of speech and privacy. We present a proof of concept for a novel algorithm that could form the fundamental pillar of a darknet-capable Cyber Threat Intelligence platform. The solution can reduce the anonymity of Tor users, and it considers the existing visibility of network traffic before optionally initiating targeted or widespread BGP interception. In combination with manipulation of server HTTP responses, the algorithm attempts to reduce the candidate data set by eliminating client-side traffic that is least likely to be responsible for the server-side connections of interest. Our test results show that MITM-manipulated server responses lead to the expected changes being received by the Tor client. Using simulation data generated by Shadow, we show that the detection scheme is effective with a false positive rate of 0.001, while sensitivity in detecting non-targets was 0.016±0.127. Our algorithm could assist collaborating organisations willing to share their threat intelligence or to cooperate during investigations.

Publication Information

Original language

English

Pages from-to (Number of pages)

Pages 193-217

Publication milestones

  • Published - 24/04/2018

Volume

70

Publisher

Springer

ISBN

9783319739519

External Publication IDs

  • handle.net: 10547/624487
  • Scopus: 85046349617

Host publication title

Cyber Threat Intelligence