Special Issue "Darkweb Cyber Threat Intelligence Mining"

A special issue of Information (ISSN 2078-2489). This special issue belongs to the section "Information Systems".

Deadline for manuscript submissions: 1 June 2018

Special Issue Editor

Guest Editor
Prof. Paulo Shakarian

School of Computing, Informatics, and Decision Support Engineering, Arizona State University, Tempe, AZ, USA
Interests: cyber security; artificial intelligence; data mining

Special Issue Information

Dear Colleagues,

Malicious hacker communities leverage the deepweb and darkweb to buy, sell, and trade malware, exploits, and stolen data. Because of this, many security researchers have leveraged this data to understand the activities of such groups with respect to ongoing cyber attacks—with the goal to identify emerging threats, support forensic investigations, and even predict cyber-attacks. However, there are many challenges in obtaining, analysing, and updating such data in an automated and stealthy fashion, and in doing so at scale. This special issue focuses on new techniques for how darkweb/deepweb hacker data can be automatically obtained and transformed into actionable cyber threat intelligence—thereby aiding network defenders in avoiding cyber attacks, finding breached information, and, generally, understanding hacker communities. Topics include, but are not limited to:

  1. Mining the deepweb and darkweb
  2. Big data technologies for managing deepweb/darkweb data
  3. Cleaning deepweb/darkweb data
  4. Extracting information from deepweb/darkweb data
  5. Social network analysis on deepweb/darkweb hacker communities
  6. Alignment of deepweb/darkweb data with other data sources
  7. Prediction of cyber attacks using deepweb/darkweb data
  8. Social science studies of malicious hacker communities on the deepweb/darkweb
  9. Predicting software exploitability using deepweb/darkweb
  10. Game theoretic methods to model attacker behaviour using darkweb/deepweb data

Prof. Paulo Shakarian
Guest Editor

Manuscript Submission Information

Manuscripts should be submitted online at www.mdpi.com by registering and logging in to this website. Once you are registered, click here to go to the submission form. Manuscripts can be submitted until the deadline. All papers will be peer-reviewed. Accepted papers will be published continuously in the journal (as soon as accepted) and will be listed together on the special issue website. Research articles, review articles as well as short communications are invited. For planned papers, a title and short abstract (about 100 words) can be sent to the Editorial Office for announcement on this website.

Submitted manuscripts should not have been published previously, nor be under consideration for publication elsewhere (except conference proceedings papers). All manuscripts are thoroughly refereed through a single-blind peer-review process. A guide for authors and other relevant information for submission of manuscripts is available on the Instructions for Authors page. Information is an international peer-reviewed open access monthly journal published by MDPI.

Please visit the Instructions for Authors page before submitting a manuscript. The Article Processing Charge (APC) for publication in this open access journal is 850 CHF (Swiss Francs). Submitted papers should be well formatted and use good English. Authors may use MDPI's English editing service prior to publication or during author revisions.


  • Cyber security
  • Cyber threat intelligence
  • Darkweb
  • Deepweb

Published Papers

This special issue is now open for submission, see below for planned papers.

Planned Papers

The below list represents only planned manuscripts. Some of these manuscripts have not been received by the Editorial Office yet. Papers submitted to MDPI journals are subject to peer-review.

Title: The Darkweb - A Growing Risk for Military Operations?
Author: Koch Robert
Abstract: A multitude of leaked data can be purchased through the Darkweb nowadays. Recent reports highlighted that the largest footprints of leaked data, which ranges from employee passwords to intellectual property, are linked to governmental institutions. According to OWL Cybersecurity, the U.S. Navy is most affected. As such leaked personal data can be used for social engineering attacks, credentials for system access or even worse, vulnerabilities of high-security systems for exploitation, this greatly endangers the ability to act of the armed forces.
Anyway, the actual impact, role, and dimension of information treated in the dark web are yet not fully analyzed. Is the available data authentic and useful? This is even more challenged, as several well-known cases of de-anonymization have been published during the past years, stressing the question if somebody really would use the Darkweb to sell highly sensitive information. In contrast, a lot of fake offers can be found, only set up to cheat possible buyers.
The paper analyzes the threat emerging by the Darkweb and affecting armed forces. Based on an extensive examination of anonymization techniques and the Darkweb, the real-world implications are discussed.

Title: The Potential and Limitations of Counting Sites as a Metric for Threat Trends on the Dark Web
Author: Eric Jardine
Affiliation: Virginia Tech, 220 Stanger Street, Blacksburg, VA 24061, USA
Abstract: Counting and categorizing available Dark Web sites as a measure for the size of a threat is a fairly common practice. Rid and Moore, for example, indexed and classified a total of 5,205 Tor-hosted hidden services [1]. Of this total, only 140 categorized sites involved political ‘extremism,’ leading the authors to conclude that there was a relative absence of Islamic extremist activity on the Dark Web [1]. Another industry report indexed 29,532 .onion urls. Based upon these data, the threat report concludes that over half (52%) of the machine coded sites were offering legal content, suggesting only about 48 percent of the Dark Web is hosting illegal material [2].
Counts of this sort are widely used as a metric for threat. But the utility of counts as a measure for either over time or cross category threats on the Dark Web remains unclear. In this paper, I argue that a count of sites faces a major limitation: the actual usage of a site might have little association with site frequency. In other words, very few sites might be widely used, suggesting a serious threat, while a great many sites might be infrequently used, suggesting that the scope of a problem is relatively small.
I further show that the utility of a count of Dark Web sites as a metric for threat analysis is conditional upon the underlying distribution of users. In the paper, I consider the utility, in descending order, of counting Dark Web sites when users are distributed uniformly, normally, bimodally and, finally, in a power law. These results suggest that there is some benefit to be had from counting sites, but that the ultimate usefulness of doing so depends upon how people, in aggregate, use these sites.
Lastly, I show that, while there is likely considerable variation in terms of the distribution of users across different site categories (i.e. drugs sites vs mafia services), the likelihood that users are distributed in a particular way is inversely related to the utility of site counts. Uniformly distributed users, for example, make site counts very useful as a metric for threats, but are also the least likely way in which users will distribute themselves across .onion urls. Indeed, if the user-base of .onion urls mirrors the use of the surface web, then power law distributions—where site counts are least useful—are probably the most likely way that users spread out across available Dark Web content [3-5]. In contrast, uniform distributions, where counting sites is highly effective, are also probably the least likely way in which the users of the Dark Web organize themselves.
Works Cited
1 Moore, D., and Rid, T.: ‘Cryptopolitik and the Darknet’, Survival, 2016, 58, (1), pp. 7-38
2 Intelliagg: ‘Deeplight: Shining a Light on the Dark Web’, 2016, pp. 1-12
3 Barabási, A.-L., and Albert, R.: ‘Emergence of Scaling in Random Networks’, Science, 1999, 286, (5439), pp. 509-512
4 Barabási, A.-L.: ‘Linked: How Everything is Connected to Everything Else and What it Means for Business, Science, and Everyday Life’ (Basic Books, 2014)
5 Jardine, E.: ‘‘Something is rotten in the state of Denmark:’ Why the Internet’s advertising business model is broken’, 2017

Title: Novel Darknet Activities Monitoring System by Using Network Telescope
Author: Jiankun Hu and Chan Yeob Yeun
Abstract: Recently, many hosts are connected to the Internet worldwide. Those hosts are intentionally or even accidentally targeted on a daily basis by malicious activities. Thus, it is essential to monitor Darknet traffic to acquire the knowledge of the threats that are targeting computers and network systems. Cyber security experts initiated numerous approaches for monitoring traffic that includes malicious activities, and network telescopes were one of them. Network telescopes are valuable in terms of monitoring and gathering data associated with Internet attack activities. Analysis of traffic captured by network telescopes is an effective measure in characterizing evil traffic caused by worm propagation and distributed denial of service attacks. There has been limited work done in such an area. Thus we decided to elaborate more in the building, configuring and exploring the network telescope data. We had reviewed previously proposed telescopes and identified their strengths and weaknesses. We then suggested an enhanced version of the network telescope that will provide big data analysis, data mining, statistics and visualization and at last data simulation.
