{
|
||
"namespace": "dark-web",
|
||
"expanded": "Dark Web",
|
||
"description": "Criminal motivation and content detection on the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project and extended by the JRC (Joint Research Centre) of the European Commission.",
|
||
"version": 6,
|
||
"predicates": [
|
||
{
|
||
"value": "topic",
|
||
"description": "Topic associated with the materials tagged",
|
||
"expanded": "Topic"
|
||
},
|
||
{
|
||
"value": "motivation",
|
||
"description": "Motivation associated with the materials tagged",
|
||
"expanded": "Motivation"
|
||
},
|
||
{
|
||
"value": "structure",
|
||
"description": "Structure of the materials tagged",
|
||
"expanded": "Structure"
|
||
},
|
||
{
|
||
"value": "service",
|
||
"description": "Information related to a Dark-Web service",
|
||
"expanded": "Service"
|
||
},
|
||
{
|
||
"value": "content",
|
||
"description": "Identifiable entities and information contained in a Dark-Web service",
|
||
"expanded": "Content"
|
||
}
|
||
],
|
||
"values": [
|
||
{
|
||
"predicate": "topic",
|
||
"entry": [
|
||
{
|
||
"value": "drugs-narcotics",
|
||
"expanded": "drugsNarcotics",
|
||
"description": "Illegal drugs/chemical compounds for consumption/ingestion - either via blanket unlawfulness (e.g. proscribed drugs) or via unlawful access (e.g. prescription-only/restricted medications sold without lawful accessibility)."
|
||
},
|
||
{
|
||
"value": "electronics",
|
||
"expanded": "electronics",
|
||
"description": "Electronics and high-tech materials, described or offered for sale, for example."
|
||
},
|
||
{
|
||
"value": "finance",
|
||
"expanded": "finance",
|
||
"description": "Any monetary/currency/exchangeable materials. Includes carding, Paypal etc."
|
||
},
|
||
{
|
||
"value": "finance-crypto",
|
||
"expanded": "cryptoFinance",
|
||
"description": "Any monetary/currency/exchangeable materials based on cryptocurrencies. Includes Bitcoin, Litecoin etc."
|
||
},
|
||
{
|
||
"value": "credit-card",
|
||
"expanded": "creditCard",
|
||
"description": "Credit cards and payments materials"
|
||
},
|
||
{
|
||
"value": "cash-in",
|
||
"expanded": "cashIn",
|
||
"description": "Buying parts of assets, conversion from liquid assets, currency, etc."
|
||
},
|
||
{
|
||
"value": "cash-out",
|
||
"expanded": "cashOut",
|
||
"description": "Selling parts of assets, conversion to liquid assets, currency, etc."
|
||
},
|
||
{
|
||
"value": "escrow",
|
||
"expanded": "escrow",
|
||
"description": "Third party keeping assets on behalf of two other parties making a transaction."
|
||
},
|
||
{
|
||
"value": "hacking",
|
||
"expanded": "hacking",
|
||
"description": "Materials relating to the illegal access to or alteration of data and/or electronic services."
|
||
},
|
||
{
|
||
"value": "identification-credentials",
|
||
"expanded": "identificationCredentials",
|
||
"description": "Materials used for providing/establishing identification with third parties. Examples include passports, driver licenses and login credentials."
|
||
},
|
||
{
|
||
"value": "intellectual-property-copyright-materials",
|
||
"expanded": "intellectualPropertyCopyrightMaterials",
|
||
"description": "Otherwise lawful materials stored, transferred or made available without consent of their legal rights holders."
|
||
},
|
||
{
|
||
"value": "pornography-adult",
|
||
"expanded": "pornographyAdult",
|
||
"description": "Lawful, ethical pornography (i.e. involving only consenting adults)."
|
||
},
|
||
{
|
||
"value": "pornography-child-exploitation",
|
||
"expanded": "pornographyChild(ChildExploitation)",
|
||
"description": "Child abuse materials (aka child pornography), including 'fantasy' fiction materials, CGI. Also includes the provision/offering of child abuse materials and/or activities"
|
||
},
|
||
{
|
||
"value": "pornography-illicit-or-illegal",
|
||
"expanded": "pornographyIllicitOrIllegal",
|
||
"description": "Illegal pornography NOT including children/child abuse. Includes bestiality, stolen/revenge porn, hidden cameras etc."
|
||
},
|
||
{
|
||
"value": "search-engine-index",
|
||
"expanded": "searchEngineIndex",
|
||
"description": "Site providing links/references to other sites/services. Referred to as a ‘nexus’ by (Moore and Rid, 2016)"
|
||
},
|
||
{
|
||
"value": "unclear",
|
||
"expanded": "unclear",
|
||
"description": "Unable to completely establish topic of material."
|
||
},
|
||
{
|
||
"value": "extremism",
|
||
"expanded": "extremism",
|
||
"description": "Illegal or ‘of concern’ levels of extremist ideology. Note this does not provide blanket coverage of fundamentalist ideologies and dogma - only those associated with illegal acts. Socialist/anarchist/religious materials (for example) will not be included unless inclusive or indicative of associated illegal conduct, such as hate crimes."
|
||
},
|
||
{
|
||
"value": "violence",
|
||
"expanded": "violence",
|
||
"description": "Materials relating to violence against persons or property."
|
||
},
|
||
{
|
||
"value": "weapons",
|
||
"expanded": "weapons",
|
||
"description": "Materials specifically associated with materials and/or items for use in violent acts against persons or property. Examples include firearms and bomb-making ingredients."
|
||
},
|
||
{
|
||
"value": "softwares",
|
||
"expanded": "softwares",
|
||
"description": "Illegal or harmful software distribution"
|
||
},
|
||
{
|
||
"value": "counteir-feit-materials",
|
||
"expanded": "counterFeitMaterials",
|
||
"description": "Fake identification papers."
|
||
},
|
||
{
|
||
"value": "gambling",
|
||
"expanded": "gambling",
|
||
"description": "Games involving money"
|
||
},
|
||
{
|
||
"value": "library",
|
||
"expanded": "library",
|
||
"description": "Library or list of books"
|
||
},
|
||
{
|
||
"value": "other-not-illegal",
|
||
"expanded": "otherNotIllegal",
|
||
"description": "Material not of interest to law enforcement - e.g. personal sites, Facebook mirrors."
|
||
},
|
||
{
|
||
"value": "legitimate",
|
||
"expanded": "legitimate",
|
||
"description": "Legitimate websites"
|
||
},
|
||
{
|
||
"value": "chat",
|
||
"expanded": "chatsPlatforms",
|
||
"description": "Chat spaces or equivalent, which are not forums"
|
||
},
|
||
{
|
||
"value": "mixer",
|
||
"expanded": "mixer",
|
||
"description": "Anonymization tools for cryptocurrency transactions"
|
||
},
|
||
{
|
||
"value": "mystery-box",
|
||
"expanded": "mysteryBox",
|
||
"description": "Mystery Box seller"
|
||
},
|
||
{
|
||
"value": "anonymizer",
|
||
"expanded": "anonymizer",
|
||
"description": "Anonymization tools"
|
||
},
|
||
{
|
||
"value": "vpn-provider",
|
||
"expanded": "vpnProvider",
|
||
"description": "Provides VPN services and related"
|
||
},
|
||
{
|
||
"value": "email-provider",
|
||
"expanded": "emailProvider",
|
||
"description": "Provides e-mail services and related"
|
||
},
|
||
{
|
||
"value": "ponies",
|
||
"expanded": "ponies",
|
||
"description": "self-explanatory. It's ponies"
|
||
},
|
||
{
|
||
"value": "games",
|
||
"expanded": "games",
|
||
"description": "Flash or online games"
|
||
},
|
||
{
|
||
"value": "parody",
|
||
"expanded": "parodyOrJoke",
|
||
"description": "Meme, Parody, Jokes, Trolling, ..."
|
||
},
|
||
{
|
||
"value": "whistleblower",
|
||
"expanded": "whistleblower",
|
||
"description": "Exposition and sharing of confidential information with protection of the witness in mind"
|
||
},
|
||
{
|
||
"value": "ransomware-group",
|
||
"expanded": "ransomwareGroup",
|
||
"description": "Ransomware group PR or leak website"
|
||
}
|
||
]
|
||
},
|
||
{
|
||
"predicate": "motivation",
|
||
"entry": [
|
||
{
|
||
"value": "education-training",
|
||
"expanded": "educationTraining",
|
||
"description": "Materials providing instruction - e.g. ‘how to’ guides"
|
||
},
|
||
{
|
||
"value": "wiki",
|
||
"expanded": "wiki",
|
||
"description": "Wiki pages, documentation and information display"
|
||
},
|
||
{
|
||
"value": "forum",
|
||
"expanded": "forum",
|
||
"description": "Sites specifically designed for multiple users to communicate as peers"
|
||
},
|
||
{
|
||
"value": "file-sharing",
|
||
"expanded": "fileSharing",
|
||
"description": "General file sharing, typically (but not limited to) movie/image sharing"
|
||
},
|
||
{
|
||
"value": "hosting",
|
||
"expanded": "hosting",
|
||
"description": "Hosting providers, e-mails, websites, file-storage etc."
|
||
},
|
||
{
|
||
"value": "ddos-services",
|
||
"expanded": "ddosServices",
|
||
"description": "Stresser, Booter, DDoSer, DDoS as a Service provider, DDoS tools, etc."
|
||
},
|
||
{
|
||
"value": "general",
|
||
"expanded": "general",
|
||
"description": "Materials not covered by the other motivations. Typically, materials of a nature not of interest to law enforcement. For example, personal biography sites."
|
||
},
|
||
{
|
||
"value": "information-sharing-reportage",
|
||
"expanded": "InformationSharingReportage",
|
||
"description": "Journalism/reporting on topics. Can include biased coverage, but obvious propaganda materials are covered by Recruitment/Advocacy."
|
||
},
|
||
{
|
||
"value": "scam",
|
||
"expanded": "scam",
|
||
"description": "Intentional confidence trick to defraud a person or group of people"
|
||
},
|
||
{
|
||
"value": "political-speech",
|
||
"expanded": "politicalSpeech",
|
||
"description": "Political, activism, without extremism."
|
||
},
|
||
{
|
||
"value": "conspirationist",
|
||
"expanded": "conspirationist",
|
||
"description": "Conspirationist content, fake news, etc."
|
||
},
|
||
{
|
||
"value": "hate-speech",
|
||
"expanded": "hateSpeech",
|
||
"description": "Racism, violent, hate... speech."
|
||
},
|
||
{
|
||
"value": "religious",
|
||
"expanded": "religious",
|
||
"description": "Religious, faith, doctrinal related content."
|
||
},
|
||
{
|
||
"value": "marketplace-for-sale",
|
||
"expanded": "marketplaceForSale",
|
||
"description": "Services/goods for sale, regardless of means of payment."
|
||
},
|
||
{
|
||
"value": "smuggling",
|
||
"expanded": "smuggling",
|
||
"description": "Information or trading of wild animals, prohibited goods, ... "
|
||
},
|
||
{
|
||
"value": "recruitment-advocacy",
|
||
"expanded": "recruitmentAdvocacy",
|
||
"description": "Propaganda"
|
||
},
|
||
{
|
||
"value": "system-placeholder",
|
||
"expanded": "systemPlaceholder",
|
||
"description": "Automatically generated content, not designed for any identifiable purpose other than diagnostics - e.g. “It Works” message provided by default by Apache2"
|
||
},
|
||
{
|
||
"value": "unclear",
|
||
"expanded": "unclear",
|
||
"description": "Unable to completely establish motivation of material."
|
||
}
|
||
]
|
||
},
|
||
{
|
||
"predicate": "structure",
|
||
"entry": [
|
||
{
|
||
"value": "incomplete",
|
||
"expanded": "incomplete",
|
||
"description": "Websites and pages that are unable to load completely properly"
|
||
},
|
||
{
|
||
"value": "captcha",
|
||
"expanded": "captcha",
|
||
"description": "Captcha and solver elements"
|
||
},
|
||
{
|
||
"value": "login-forms",
|
||
"expanded": "loginForms",
|
||
"description": "Authentication pages, login page, login forms that block access to an internal part of a website."
|
||
},
|
||
{
|
||
"value": "contact-forms",
|
||
"expanded": "contactForms",
|
||
"description": "Forms to perform a contact request, send an e-mail, fill information, enter a password, ..."
|
||
},
|
||
{
|
||
"value": "encryption-keys",
|
||
"expanded": "encryptionKeys",
|
||
"description": "e.g. PGP Keys, passwords, ..."
|
||
},
|
||
{
|
||
"value": "police-notice",
|
||
"expanded": "policeNotice",
|
||
"description": "Closed websites, with police-equivalent banners"
|
||
},
|
||
{
|
||
"value": "legal-statement",
|
||
"expanded": "legalStatement",
|
||
"description": "RGPD statement, privacy policy, guidelines of a website or forum..."
|
||
},
|
||
{
|
||
"value": "test",
|
||
"expanded": "test",
|
||
"description": "Test websites without any real consequences or effects"
|
||
},
|
||
{
|
||
"value": "videos",
|
||
"expanded": "videos",
|
||
"description": "Videos and streaming"
|
||
},
|
||
{
|
||
"value": "ransomware-post",
|
||
"expanded": "ransomwarePost",
|
||
"description": "Ransomware post published by a ransomware group"
|
||
},
|
||
{
|
||
"value": "unclear",
|
||
"expanded": "unclear",
|
||
"description": "Unable to completely establish structure of material."
|
||
}
|
||
]
|
||
},
|
||
{
|
||
"predicate": "service",
|
||
"entry": [
|
||
{
|
||
"value": "url",
|
||
"expanded": "url",
|
||
"description": "Uniform Resource Locator (URL) of a dark-web. The url should indicate a protocol (http), a hostname (www.example.com), and a file name (index.html). Example: http://www.example.com/index.html"
|
||
},
|
||
{
|
||
"value": "content-type",
|
||
"expanded": "contentType",
|
||
"description": "Content-Type representation header, used to indicate the original media type of the resource (prior to any content encoding applied for sending). https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Type"
|
||
},
|
||
{
|
||
"value": "path",
|
||
"expanded": "path",
|
||
"description": "The URL path is the string of information that comes after the top level domain name "
|
||
},
|
||
{
|
||
"value": "detection-date",
|
||
"expanded": "detectionDate",
|
||
"description": "Date on which the dark-web service was detected. The date should be in ISO 8601 format. Example: 2019-01-01T00:00:00Z"
|
||
},
|
||
{
|
||
"value": "network-protocol",
|
||
"expanded": "networkProtocol",
|
||
"description": "Network protocol used to access the dark-web site (e.g., HTTP, HTTPS)"
|
||
},
|
||
{
|
||
"value": "port",
|
||
"expanded": "port",
|
||
"description": "Port number where the dark-web service is being offered"
|
||
},
|
||
{
|
||
"value": "network",
|
||
"expanded": "network",
|
||
"description": "Overlay network (darknet) that hosts the service or content"
|
||
},
|
||
{
|
||
"value": "found-at",
|
||
"expanded": "foundAt",
|
||
"description": "Domain or service where the dark-web service was found"
|
||
}
|
||
]
|
||
},
|
||
{
|
||
"predicate": "content",
|
||
"entry": [
|
||
{
|
||
"value": "sha1sum",
|
||
"expanded": "sha1sum",
|
||
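"description": "SHA-1 (Secure Hash Algorithm 1) hash of the HTML or objectName content. SHA-1 is not collision-resistant; use it for correlation with existing data and prefer sha256sum where integrity matters"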
|
||
},
|
||
{
|
||
"value": "sha256sum",
|
||
"expanded": "sha256sum",
|
||
"description": "SHA-256 hash of the HTML or objectName content"
|
||
},
|
||
{
|
||
"value": "ssdeep",
|
||
"expanded": "ssdeep",
|
||
"description": "ssdeep fuzzy hash of the HTML or objectName content"
|
||
},
|
||
{
|
||
"value": "language",
|
||
"expanded": "language",
|
||
"description": "Detected language of the service in ISO 639‑1 Code. Example: en"
|
||
},
|
||
{
|
||
"value": "html",
|
||
"expanded": "html",
|
||
"description": "HyperText Markup Language (HTML) used in a website"
|
||
},
|
||
{
|
||
"value": "css",
|
||
"expanded": "css",
|
||
"description": "CSS (Cascading Style Sheets) used in a dark-web site"
|
||
},
|
||
{
|
||
"value": "text",
|
||
"expanded": "text",
|
||
"description": "Content of the dark-web service without HTML tags"
|
||
},
|
||
{
|
||
"value": "page-title",
|
||
"expanded": "pageTitle",
|
||
"description": "HTML <title> tag content of a dark-web site"
|
||
},
|
||
{
|
||
"value": "phone-number",
|
||
"expanded": "phoneNumber",
|
||
"description": "Phone number identified in the dark-web site"
|
||
},
|
||
{
|
||
"value": "creditCard",
|
||
"expanded": "creditCard",
|
||
"description": "Credit card identified in the dark-web site"
|
||
},
|
||
{
|
||
"value": "email",
|
||
"expanded": "email",
|
||
"description": "Email address identified in the dark-web site"
|
||
},
|
||
{
|
||
"value": "pgp-public-key-block",
|
||
"expanded": "pgpPublicKeyBlock",
|
||
"description": "PGP public key block identified in the dark-web site"
|
||
},
|
||
{
|
||
"value": "country",
|
||
"expanded": "country",
|
||
"description": "Associated country detected on the code of the dark-web site, following ISO 3166-1 alpha-2"
|
||
},
|
||
{
|
||
"value": "company-name",
|
||
"expanded": "companyName",
|
||
"description": "Company name identified in a dark-web site"
|
||
},
|
||
{
|
||
"value": "company-link",
|
||
"expanded": "companyLink",
|
||
"description": "Company link identified in a dark-web site"
|
||
},
|
||
{
|
||
"value": "victim-address",
|
||
"expanded": "victimAddress",
|
||
"description": "Business address identified in a dark-web site"
|
||
},
|
||
{
|
||
"value": "victim-TLD",
|
||
"expanded": "victimTLD",
|
||
"description": "Business Top Level Domain (TLD) of a company identified in a dark-web site"
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|