Photo-based Vendor Re-identification on Darknet Marketplaces using Deep Neural Networks

Wang, Xiangwen

January 2018

Darknet markets are online services behind Tor where cybercriminals trade illegal goods and stolen datasets. In recent years, security analysts and law enforcement start to investigate the darknet markets to study the cybercriminal networks and predict future incidents. However, vendors in these markets often create multiple accounts (i.e., Sybils), making it challenging to infer the relationships between cybercriminals and identify coordinated crimes. In this thesis, we present a novel approach to link the multiple accounts of the same darknet vendors through photo analytics. The core idea is that darknet vendors often have to take their own product photos to prove the possession of the illegal goods, which can reveal their distinct photography styles. To fingerprint vendors, we construct a series deep neural networks to model the photography styles. We apply transfer learning to the model training, which allows us to accurately fingerprint vendors with a limited number of photos. We evaluate the system using real-world datasets from 3 large darknet markets (7,641 vendors and 197,682 product photos). A ground-truth evaluation shows that the system achieves an accuracy of 97.5%, outperforming existing stylometry-based methods in both accuracy and coverage. In addition, our system identifies previously unknown Sybil accounts within the same markets (23) and across different markets (715 pairs). Further case studies reveal new insights into the coordinated Sybil activities such as price manipulation, buyer scam, and product stocking and reselling. / Master of Science / Taking advantage of the high anonymity of darknet, cybercriminals have set up underground trading websites such as darknet markets for trading illegal goods. To understand the relationships between cybercriminals and identify coordinated activities, it is necessary to identify the multiple accounts hold by the same vendor. Apart from manual investigation, previous studies have proposed methods for linking multiple accounts through analyzing the writing styles hidden in the users' online posts, which face key challenges in similar tasks on darknet markets. In this thesis, we propose a novel approach to link multiple identities within the same darknet market or across different markets by analyzing the product photos. We develop a system where a series of deep neural networks (DNNs) are used with transfer learning to extract distinct features from a vendor's photos automatically. Using real-world datasets from darknet markets, we evaluate the proposed system which shows clear advantages over the writing style based system. Further analysis of the results reported by the proposed system reveal new insights into coordinated activities such as price manipulation, buyer scam and product stocking and reselling for those vendors who hold multiple accounts.

Darknet Market

Sybil Detection

Image Analysis

Stylometry

Advanced Hardened Registration Process for Mobile Crowd Sensing / Avancerad Härdad registreringsprocess för Mobile Crowd Sensing

Li, Ronghua

January 2022

Mobile Crowd Sensing (MCS) or Participatory Sensing (PS) are two emerging systems as smart mobile devices become ubiquitous. One of the advantages of such a sensing system is that almost anyone with a mobile device can become a moving "sensor". However, despite the convenience, the openness of such systems is a double-edged sword: participants can misbehave and pose a threat. Usually, current MCS or PS systems are relatively weak and lack effective data sources selection mechanisms. As a result, fake or forged data can be collected, representing wrongly the sensed conditions on the surroundings, i.e. noise, moisture, etc. Therefore, a Hardened Registration Process (HRP) is proposed to provide a pre-examination on participants that are chosen to collect sensing data. There is one previous work on such a topic. It targets device examination (root, emulator, bot-net detection, etc.) for Android devices, preventing attackers from managing to register not actual but emulated devices and thus manage to effectively manipulate the collected data. The focus of this project is on enhancing the previous work and extending it with complementary mechanisms. We proposed a two-step HRP process, comprising a client detection for identifying malicious devices and server-side detection for revealing Sybil devices. We improve the previous HRP by implementing detection mechanisms in C (native) code and such an enhanced device examination process is the first step: client detection. In addition, to detect adversaries that can bypass the client detection method, we proposed an additional server-side detection to eliminate emulators and Sybil devices, adopting peer-to-peer interaction with Bluetooth Low Energy to corroborate the physical presence of the registered devices. With this enhancement, we achieve higher detection performance. Adversaries cannot easily bypass the client-side detection with rooted or emulated devices. Moreover, even if some adversaries can bypass the client-side detection, the server-side detection can prevent adversaries from registering Sybil devices more than the number of devices they own. / Mobile Crowd Sensing (MCS) eller Participatory Sensing (PS) är två framväxande system när smarta mobila enheter blir allestädes närvarande. En av fördelarna med ett sådant avkänningssystem är att nästan alla med en mobil enhet kan bli en rörlig sensor". Men trots bekvämligheten är öppenheten i sådana system ett tveeggat svärd: deltagare kan missköta sig och utgöra ett hot. Vanligtvis är nuvarande MCS- eller PS-system relativt svaga och saknar effektiva valmekanismer för datakällor. Som ett resultat kan falska eller förfalskade data samlas in, som felaktigt representerar de avkända förhållandena i omgivningen, d.v.s. buller, fukt, etc. Därför föreslås en förstärkt registreringsprocess för att ge en förundersökning av deltagare som väljs för att samla in avkänningsdata. Det finns ett tidigare arbete om ett sådant ämne. Det är inriktat på enhetsundersökning (root, emulator, bot-net-detektion, etc.) för Android-enheter, vilket förhindrar angripare från att lyckas registrera inte faktiska utan emulerade enheter och på så sätt lyckas effektivt manipulera den insamlade informationen. Fokus för detta projekt ligger på att förbättra det tidigare arbetet och utöka det med kompletterande mekanismer. Vi föreslog en tvåstegs HRP-process, som omfattar en klientdetektering för att identifiera skadliga enheter och detektering på serversidan för att avslöja Sybil-enheter. Vi förbättrar den tidigare HRP genom att implementera detekteringsmekanismer i C (native) kod och en sådan förbättrad enhetsundersökningsprocess är det första steget: klientdetektering. Dessutom, för att upptäcka motståndare som kan kringgå klientdetekteringsmetoden, föreslog vi en extra detektering på serversidan för att eliminera emulatorer och Sybil-enheter, genom att använda peer-to-peer-interaktion med Bluetooth Low Energy för att bekräfta den fysiska närvaron av de registrerade enheterna. Med denna förbättring uppnår vi högre detektionsprestanda. Motståndare kan inte lätt kringgå upptäckten på klientsidan med rotade eller emulerade enheter. Dessutom, även om vissa motståndare kan kringgå upptäckten på klientsidan, kan detekteringen på serversidan förhindra att motståndarna registrerar Sybil-enheter mer än antalet enheter de äger.

Mobile Crowd Sensing

Sybil detection

Android

Native coding

Bluetooth Low Energy

Mobil Crowd Sensing

Sybil detektering

Android

Native kodning

Bluetooth Low Energy

Computer and Information Sciences

Data- och informationsvetenskap