隨著網路的高度發展，網路攻擊的情況也日益嚴重。近年來，許多駭客開始轉往暗網活動，並在其中交易和討論各種駭客技術。甚至，有報導懷疑某些現實世界的網路攻擊就是透過暗網發起的。在此篇研究中，我們將使用幾個跟攻擊行為較相關的關鍵字去篩選暗網中最大論壇之一的網頁資料。我們將每篇文章依照時間排序後，與Google Trends中同關鍵字的資料互相比較，以期望能夠發現其中是否有所關聯。初步的分析結果顯示，暗網中某些關鍵字的討論熱度，在時間順移後，的確與現實世界中同關鍵字的討論熱度有著中高度的關聯性。因此，除了一般所使用的防護手段，如防火牆和防毒軟體之外，將來也可以持續追蹤暗網的文章，以對網路威脅提供更全面的預警和防護。

With the rapid development of the Internet, the situation of cyber-attacks has become increasingly serious. In recent years, many hackers have begun moving to the dark web, where they trade and discuss various hacking techniques. Even, there are reports that some real-world cyber-attacks are initiated through the dark web. In this study, we will use several keywords that are more relevant to the attack behavior to filter the web page data of one of the largest forums in the dark web. We sort each article by time and compare it with the same keyword in Google Trends to observe the relation. The preliminary analysis shows that the trends of some keywords in the dark web, after time shifting, does have a high degree of correlation with the trends of the same keyword in the real world. Therefore, in addition to the commonly used protection methods, such as firewalls and anti-virus software, articles of the dark web must be continuously tracked in the future to provide more comprehensive warning and protection against cyberthreats.

1 Introduction . . . . . . . . . . . . . . . . . . . . . . 1
1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Contribution . . . . . . . . . . . . . . . . . . . . . 2
1.3 Organization . . . . . . . . . . . . . . . . . . . . . 2

2 Background . . . . . . . . . . . . . . . . . . . . . . 3
2.1 Ransomware . . . . . . . . . . . . . . . . . . . . . . 3
2.1.1 Behavior . . . . . . . . . . . . . . . . . . . . . . 4
2.1.2 WannaCry . . . . . . . . . . . . . . . . . . . . . . 5
2.2 The Tor Network . . . . . . . . . . . . . . . . . . . 5
2.2.1 Tor Browser . . . . . . . . . . . . . . . . . . . 6
2.2.2 Dark Web . . . . . . . . . . . . . . . . . . . . . . 7
2.3 Google Trends . . . . . . . . . . . . . . . . . . . . 8

3 Related works . . . . . . . . . . . . . . . . . . . . . 10

4 Proposed Method . . . . . . . . . . . . . . . . . . . . 11
4.1 Architecture . . . . . . . . . . . . . . . . . . . . . 11
4.2 Experiments . . . . . . . . . . . . . . . . . . . . . 12
4.2.1 Forum ”H” . . . . . . . . . . . . . . . . . . . . . 12
4.2.2 Data Collection . . . . . . . . . . . . . . . . . . 13
4.3 Data Analysis . . . . . . . . . . . . . . . . . . . . 14
4.3.1 Further Analysis . . . . . . . . . . . . . . . . . . 19
4.3.2 Results . . . . . . . . . . . . . . . . . . . . . . 22

5 Conclusion . . . . . . . . . . . . . . . . . . . . . . 23
5.1 Conclusion . . . . . . . . . . . . . . . . . . . . . . 23
5.2 Future work . . . . . . . . . . . . . . . . . . . . . 24

6 Note . . . . . . . . . . . . . . . . . . . . . . . . . . 25

7 Bibliography . . . . . . . . . . . . . . . . . . . . . . 26

[1] GReAT: Wannacry ransomware used in widespread attacks all over the world (May 2017). https://securelist.com/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/78351/.

[2] Tarun Trivedi, Vinod Parihar, Manas Khatua, and B. M. Mehtre. Threat intelligence analysis of onion websites using sublinks and keywords. In Ajith Abraham, Paramartha Dutta, Jyotsna Kumar Mandal, Abhishek Bhattacharya, and Soumi Dutta, editors, Emerging Technologies in Data Mining and Information Security, pages 567–578, Singapore, 2019. Springer Singapore.

[3] Wikipedia: Ransomware. https://en.wikipedia.org/wiki/Ransomware.

[4] Wikipedia: Wannacry ransomware attack. https://en.wikipedia.org/wiki/WannaCry_ransomware_attack.

[5] Wikipedia: Tor.
https://en.wikipedia.org/wiki/Tor_(anonymity_network).

[6] Wikipedia: Dark web. https://en.wikipedia.org/wiki/Dark_web.

[7] Wikipedia: Google Trends.
https://en.wikipedia.org/wiki/Google_Trends.

[8] P. H. O’neill: Bank thieves are using tor to hide their malware (Jun 2015). https://www.dailydot.com/crime/bank-malware-tor2web/.

[9] Dennis Brown: Resilient botnet command and control with tor (Jul 2010). https://www.defcon.org/images/defcon-18/dc-18-presentations/D.Brown/DEFCON-18-Brown-TorCnC.pdf.

[10] Derek Hutzler: Malware spread via tor exit node (Dec 2014).
https://www.opswat.com/blog/malware-spread-tor-exit-node.

[11] Tianjun Fu, Ahmed Abbasi, and Hsinchun Chen. A focused crawler for dark web forums. In Journal of the American Society for Information Science and Technology, volume 61, pages 1213–1231, New York, NY, USA, June 2010. John Wiley & Sons, Inc.

[12] Clement Guitton. A review of the available content on tor hidden services: The case against further development. In Computers in Human Behavior, volume 29, pages 2805–2815, Amsterdam, The Netherlands, The Netherlands, November 2013. Elsevier Science Publishers B. V.

[13] Yuki Kawaguchi, Akira Yamada, and Seiichi Ozawa. Ai web-contents analyzer for monitoring underground marketplace. In Derong Liu, Shengli Xie, Yuanqing Li, Dongbin Zhao, and El-Sayed M. El-Alfy, editors, Neural Information Processing, pages 888–896, Cham, 2017. Springer International Publishing.

[14] Wikipedia: Eternalblue. https://en.wikipedia.org/wiki/EternalBlue.