KR101852107B1 - System and Method for analyzing criminal information in dark web - Google Patents

Abstract

The present invention relates to a system and method for analyzing dark web crime information, and more particularly, to a dark web crime information analyzing system and method for analyzing scanned information of a dark web to perform crime profiling.
According to an embodiment of the present invention, the system for analyzing a dark web crime information includes information of a dark web page scanned in combination with a dark web crime dictionary information constructed in advance by using information scanned from a dark web as source data, A DWCPA unit for extracting and storing crime characteristic information; And a DWCPP unit for reconstructing preliminary information through extraction of additional association data by re-searching the general web based on the extracted crime characteristic information and performing criminal profiling to use as data for crime tracking occurring in the dark web; And a shared repository in which the scanned information of the dark web is stored, wherein the stored scanned information is dark web collection information collected through a dark web crime site search system.

Description

[0001] The present invention relates to a system and method for analyzing a dark web crime information,

The present invention relates to a system and method for analyzing dark web crime information, and more particularly, to a dark web crime information analyzing system and method for analyzing scanned information of a dark web to perform crime profiling.

Recently, the usage of dark web crime has been increasing due to anonymity guarantee and bitcoin transaction activation. Dark Web refers to web pages dealing with crime, illegal content and transactions among deep web pages (Deep Web, deep web) that are difficult to access with traditional browsers. : Tor) should be used. Cryptography and connection IP anonymization techniques, such as washing, can not identify users or servers in a common way, and is used mainly for crime. The Drug Alcohol Research Group (GDS) in London, UK, also doubled drug purchases through the Dark Web in June 2017, the main reason for the revitalization of the Bitcoin deal. The reason why criminals favor bitcoin among many virtual currencies is due to their high level of security and anonymity. Because it is based on block-chain technology, the risk of forgery is low and it is a P2P method in which individuals and individuals trade, and nobody knows who has done business with anyone other than the parties. Darkweb is becoming more active with encrypted money, network, and anonymity enhancement, and the underground market that exists in Dark Web provides various services that cybercriminals can enjoy.

The number of illegal sites in the dark web has increased and the proportion of transactions has increased sharply. By 2016, illegal sites on the dark web are on the rise, and there are 423 drug-trading sites, 327 illegal bank accounts, 198 illegal (198), extreme (140), illegal pornography (122), and so on. According to the October 16th report of the National Diet, the Seoul Metropolitan Police Agency arrested about 80 people who traded drugs through the Dark Web in October of last year, but the government has pointed out that they can not even grasp the criminal situation through the Dark Web. According to the Ministry of the Future, the world's average access to the world's dark web browser, Tor, is 200,000, which is 6,000 to 10,000 in Korea. Dark Web is abused as a cyber criminal means, but Korea is pointed out that it is nothing. In 2016, the largest US drug sold on the Dark Web is a drug worth about 5.7 billion won a month, and sellers are made up of about 890 people. As the number of Dark Web users (Tor) exceeds 2 million, it is difficult to find or access related information through general search, and it is not possible to trace users. Therefore, illegal transaction distribution ratio is increasing, and it is illegal for agencies like FBI and DARPA The trading route after deal cracking is also in various directions. In the future, illegal transactions in the dark web are expected to continue to expand due to the activation of the dark web market and the increase of users, and it is required to prepare technical measures to effectively cope with the illegal transactions.

Dark Web is a web site that conducts commerce through 'Bitcoin', a virtual currency, which uses an encrypted browser that can not be found as a general search site and can not be traced to users. It becomes a hotbed of cyber crime have. Deep Web (Deep Web) is a web that can be retrieved by a general search engine such as Naver. It is called a "surface web". Therefore, deep web includes dark web. Tor stands for "The Onion Routing" and refers to a network that makes traffic analysis or IP address tracking impossible in an online system and eventually anonymity. There are similar things such as Freenet, I2P, Ultrasurf and so on, but Tor is a global trend. Cryptography is a type of virtual currency that uses a hash function for security to generate a new coin and verify the transaction history. At the forefront of the bit coin developed in 2009, there are ciphers with completely different source codes such as Bitcoin's simple fork, light coin, ripple, and Ethereum.

Below, we will look at trends in profiling technology for criminals using Dark Web. 1) There is a node analysis technique in an anonymous network. Research team of a university in Korea is actively studying node analysis and IP address collection and tracking to cope with cyber attack using anonymous network. KAIST is conducting research on security routing of anonymous networks and Korea Internet & Security Agency (KISA) is analyzing the technology through cases of distribution of malicious codes related to Tor. 2) Open Source Intelligence (OSINT) collection and analysis technology. Open Source Information (OSINT) is an information gathering and analysis system using public information, which is known to be the most effective and effective method for identifying terrorist and criminal general activities in cyber space at present. Data collection on the Deep Web is an important part of OSINT's main activity areas. In Korea, the Korea Communications Commission and the police agency's own monitoring system use open source information (OSINT) to detect illegal harmful information. The National Police Agency has recently held a special meeting under the auspices of the Cyber Security Bureau and has been aware of the seriousness of the dark net and is keenly observing the crime concerned, and related research is being conducted in the digital forensic part.

Korean Patent Registration No. 10-1672791 (Title of the Invention: Vulnerability Detection Method and System in Mobile Web Application Environment) Korean Patent Laid-Open Publication No. 10-2012-0065761, entitled " URI " analyzing apparatus and method for collecting MIME type information,

SUMMARY OF THE INVENTION It is an object of the present invention to provide a dark web crime information analysis system and a method thereof.

However, the object of the present invention is not limited to the above-mentioned objects, and other objects not mentioned can be clearly understood by those skilled in the art from the following description.

According to an aspect of the present invention, there is provided a system for analyzing a dark web crime information, the system comprising: a dark web page, which is scanned in combination with dark web crime dictionary information, A DWCPA unit for classifying and analyzing information into plural forms and extracting and storing crime characteristic information; A DWCPP unit for reconstructing preliminary information through extraction of additional association data by re-searching the general web based on the extracted crime characteristic information, and using the extracted information as data for crime tracking occurring in the dark web by performing crime profiling; And a shared storage in which information scanned by the dark web is stored, wherein the stored scanned information is dark web collection information collected through a dark web crime site search system.

Here, the DWCPA unit may include a collection target loading unit for loading page contents collected from the dark web stored in the shared storage, structuring the loaded collected page contents, and temporarily storing the collected contents in the internal memory; A control unit for loading environment setting information for a collection target loading unit, which is a collection analyzer, and controlling execution of a collection target loading unit; A profile syntax analyzing unit for extracting at least one of a crime target term, bit coin address pattern information, and wallet identifier ID pattern information; And a profiling information DB for storing terms used in the dark web, storing profile information analysis data, and storing environment setting information, wherein the profile parsing unit analyzes the loaded page content (collection information) A parsing and lexical parsing module for parsing and morpheme analysis for Korean syntax and lexical analysis; A harmful information validity checking module that performs validity checking to determine whether parsing information is available as criminal profile information; A category classification module for classifying categories of information after validation; A criminal characteristic information recognition module for judging and recognizing value as criminal characteristic information in morphological analysis information; A profile information configuration module for finally configuring the criminal profile information; And a profile information storage module for storing the configured profile information in the DB.

The DWCPP unit further includes a user interface for providing the criminal characteristics information extracted by the DWCPP unit as a meaningful analysis result to the criminal investigator. The DWCPP unit analyzes the OSINT-based general web link analysis result, the criminal ID-based analysis result, One or more of the activity-based crossover analysis results.

In addition, the OSINT-based general web interworking analysis module provides an OSINT-based general web interworking analysis result through a user interface. The OSINT-based general web interworking analysis module scans the dark web when new data is generated in the dark web, Extracts the characteristic information, re-searches the characteristic information extracted through the general web, provides search through each characteristic or combination of the characteristic information, provides the search by receiving additional information based on experience and know-how of the criminal investigator , The search result is stored in the profile information DB by receiving an input as to whether or not to store the search result in the profile information DB, and the extracted characteristic information includes at least one of a collection URL, a collection domain, an author ID, a crime type, And may include one or more.

The criminal ID centric analysis module provides the criminal ID centric analysis result by the criminal ID centric analysis module. The criminal ID centric analysis module analyzes the stored analysis information through the DWCPA module and the analyzed information stored through the OSINT based general web pertinent analysis module The criminal investigation of criminals can be carried out by providing the result of analyzing criminal activity information centering on criminals ID.

Also, the criminal activity-based crosstalk analysis module is provided by the criminal activity-based crosstalk analysis module through a user interface, and the criminal activity-based crosstalk analysis module is stored through the OSINT-based general web interoperation analysis module with the analysis information stored through the DWCPA module And the analysis is a crosstalk analysis of the criminal activity information associated with the same feature, and the criminal activity-based crosstalk module has the same or similar characteristics The crossover analysis provides information that can be obtained and obtained from the criminal characteristics information that can be traced through the crossover analysis of the criminals having the criminal who has the criminal information, Domain analysis and ID analysis with the same crime type, Crime related terms It may be one or more of domain analysis and ID analysis according to usage pattern (similarity).

The method of analyzing the dark web crime information according to an embodiment of the present invention is a method of analyzing the information of the dark web page scanned in combination with the dark web crime dictionary information constructed in advance by using the information scanned from the dark web as the source data by the DWCPA A crime profile analysis step of extracting and storing crime characteristic information; And the DWCPP unit re-constructs the preliminary information through the extraction of the additional association data by re-searching the general web based on the extracted crime characteristic information and performs the criminal profiling, Web crime expert profiling phase; And a dark web collecting step of storing information that the shared repository has scanned the dark web, wherein the stored scanned information is dark web collection information collected through a dark web crime site search system.

The dark web crime profile analyzing step may include loading the collected page contents from the dark web stored in the shared repository, structuring the loaded collected page contents and temporarily storing the structured contents in the internal memory, A control step of loading environment setting information for a collection target loading unit, which is a collection analyzer, and controlling execution of a collection target loading unit; A profile syntax analysis step of extracting at least one of a crime target term, bit coin address pattern information, and wallet identifier ID pattern information; And a profiling information DB storing step of storing terms used in the dark web, storing profile information analysis data, or storing environment setting information, wherein the profile parsing step includes: Information) and lexical analysis for parsing and morphological analysis for lexical analysis; A harmful information validation process of performing validation to determine whether parsing information is available as criminal profile information; A category classification process for classifying the category of information after validation; A criminal characteristic information recognition process for judging and recognizing value as criminal characteristic information in morphological analysis information; A profile information constituting step of finally constituting the information with crime profile information; And a profile information storing process for storing the configured profile information in the DB.

The dark web crime expert profiling step further comprises a user interface providing step of providing the extracted crime characteristic information as a meaningful analysis result to the criminal investigator, and the user interface providing step is a step of providing the user interface with the OSINT- As a result of the analysis, it is possible to provide at least one of the criminal ID-based analysis result and the criminal activity-based crossover analysis result.

In addition, the dark web crime profiling profiling step may further include an OSINT-based general web interworking analysis step. In the OSINT-based general web interworking analysis step, when the OSINT-based general web interworking analysis module generates new data in the dark web, Retrieving the crime characteristic information by scanning the web, and re-searching the characteristic information extracted through the general web; A storing step of receiving an input as to whether to store the search result in the profile information DB and storing the search result; And an OSINT-based general web interworking analysis module, wherein the OSINT-based general web interworking analysis result is provided through a user interface, and wherein the re-searching process comprises: And provides the search based on the experience and know-how of the criminal investigator, and the extracted characteristic information includes at least one of a collection URL, a collection domain, an author ID, a crime type, a writing article, And may include one or more.

And the dark web crime expert profiling step further comprises a criminal ID centric analysis step, wherein the criminal ID centric analysis module analyzes the analysis information stored through the DWCPA module and the OSINT-based general web interface analysis module Based on the stored analysis information, the analysis result of the criminal activity centered on the criminal ID is provided to the criminal investigator, so that the criminal identification method of criminals corresponding to the ID is deduced. May be provided through the user interface.

In addition, the dark web crime profiling profiling step may further include a criminal activity based crossover analysis step, wherein the criminal activity based crosstalk analyzing step is a step in which the criminal activity based crosstalk analysis module analyzes the analysis information stored through the DWCPA and the OSINT- Wherein the criminal activity centered crosstalk analysis result is provided by a criminal activity centered crosstalk module through a user interface to provide a criminal activity centered crosstalk analysis result to the criminal investigator based on the analysis information stored through the analysis module, The analysis is a crossover analysis of the criminal activity information associated with the same feature, and the criminal activity-based crosstalk module is an analogy of the criminal characteristics information that can be traced through crosstab analysis of criminals having the same or similar features And information available to the criminal investigator. The domain of the crosstalk analysis is domain analysis and ID analysis, domains analysis and ID analysis having the same crime type, and domains according to crime related usage pattern (similarity) It may be one or more of an analysis and an ID analysis.

A computer-readable recording medium having recorded thereon a program according to an embodiment of the present invention may execute a method of analyzing dark web crime information.

As described above, the dark web crime information analysis system and method of the present invention can be utilized for criminal investigation of crime investigators by establishing dark web crime profiling for tracking dark web crime, It can be used as core information in analyzing information of Dark Web Operation Server Nodes and it can be used as key information in criminal tracking through tracking the flow of password money transactions used for crime.

FIG. 1 is a block diagram illustrating a system for analyzing a dark web crime according to an exemplary embodiment of the present invention. Referring to FIG.
FIG. 2 shows a block diagram of a dark web crime site search system.
FIG. 3 illustrates a profiling procedure for extracting characteristic information by OSINT-based general Web interworking analysis.
FIG. 4 shows an example of the criminal ID-based analysis.
Figure 5 shows an example of an activity-based crossover analysis.
FIG. 6 illustrates a method of analyzing dark web crime information according to another embodiment of the present invention.
FIG. 7 is a detailed process of a dark web crime profile analysis step of the dark web crime information analysis method according to another embodiment of the present invention.
8 shows a detailed process of the profile syntax analysis step.
9 is a detailed process of the dark web crime expert profiling step of the dark web crime information analysis method according to another embodiment of the present invention.
FIG. 10 shows a detailed process of the OSINT-based general web linkage analysis step.

BRIEF DESCRIPTION OF THE DRAWINGS The present invention is capable of various modifications and various embodiments, and specific embodiments are illustrated in the drawings and described in detail in the detailed description. It should be understood, however, that the invention is not intended to be limited to the particular embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, the present invention will be described in detail with reference to the accompanying drawings.

The terminology used in this application is used only to describe a specific embodiment and is not intended to limit the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. In the present application, the term "comprising" or "comprising" or the like is intended to specify the presence of stated features, integers, But do not preclude the presence or addition of features, numbers, steps, operations, components, parts, or combinations thereof.

According to an embodiment of the present invention, the system for analyzing a dark web crime information includes information of a dark web page scanned in combination with a dark web crime dictionary information constructed in advance by using information scanned from a dark web as source data, Based on the results of the analysis, re-constructing the preliminary information by extracting additional related data by re-searching the general web based on the analyzed results, and performing the profiling of the crime by using the dark web crime Information analysis system.

FIG. 1 is a block diagram illustrating a system for analyzing a dark web crime according to an exemplary embodiment of the present invention. Referring to FIG. 1, the dark web crime information analyzing system 1000 of the present invention includes a shared repository 100, a Dark Web Criminal Profile Analyzer (DWCPA) 200, and a Dark Web Criminal Profiler (DWCPP) Lt; / RTI >

The shared storage 100 stores the information scanned in the dark web as source data. The stored scanned information may be dark web gathering information collected through a dark web crime site search system.

The DWCPA 200 categorizes and analyzes the information of the dark web pages scanned in combination with the dark web criminal dictionary information constructed in advance by using the information scanned from the dark web stored in the shared repository as source data, And extracts and stores the information.

The DWCPP 300 reconstructs the prior information by extracting additional association data by re-searching the general web based on the extracted crime characteristic information, and carries out the criminal profiling to thereby generate data for the crime tracking occurring in the dark web It is used.

Hereinafter, the detailed components of the dark web crime information analysis system according to an embodiment of the present invention will be described in detail.

The shared repository 100 is a repository in which information scanned through the dark web is stored. The shared repository 100 stores the stored dark web collection information through the dark web crime site search system. FIG. 2 shows a block diagram of a dark web crime site search system. As shown in FIG. 2, the dark web crime site search system 2000 collects Dark Web 600 information on the Deep Web 500 from the Dark Web CRAWLER 400, The system for storing the web gathering information means that the system for analyzing the dark web crime information 1000 of the present invention utilizes the stored information through the dark web crime site searching system. The Dark Web includes crime sites, cryptographic transactions, and more.

The DWCPA (Dark Web Criminal Profile Analyzer) 200 is a part corresponding to an engine for establishing profiling, and extracts and stores actual crime characteristic values. The DWCPA 200 may include a control unit 210, a collection target loading unit 220, a profile syntax analysis unit 230, and a profiling information DB 240.

The control unit 210 includes a collection analyzer setting loading module 211 and a collection analyzer control module 212, which correspond to the environment setting. The collection analyzer setting loading module 211 is a module for loading configuration information for the collection target loading unit, which is a collection analyzer. The collection analyzer control module 212 is an execution control module of the collection target loading section which is a collection analyzer.

The loading target 220 includes a collection information loading module 221 and a collection information structure module 222. The collection information loading module 221 is a module for loading page contents collected from the stored dark web of the shared repository. The collection information structuring module 222 is a module for structuring the page contents collected from the collection information loading module and temporarily storing the contents in the internal memory.

The lexical analysis-profile information 230 extracts crime subject terms, bit coin address pattern information, wallet identifier ID pattern information, and the like. The lexical analysis-profile information 230 includes a syntax and vocabulary parsing analysis module 231, A category information module 232, a category classification module 233, a crime characteristic information recognition module 234, a profile information configuration module 235, and a profile information storage module 236. The syntax and vocabulary parsing module 231 parses and parses the loaded collection information (collected page contents) for syntax and lexical analysis. It is a module for analyzing morphemes. The harmful information validity checking module 232 is an inspection module that performs validity checking to determine whether the parsing information is information available as criminal profile information. The category classification module 233 is a module for classifying categories of information after validation. The crime characteristic information recognition module 234 is a module for judging the criminal characteristic value from the morphological analysis information and recognizing and processing the value. The profile information configuration module 235 is a module that constitutes the final configuration with the criminal profile information. The profile information storage module 236 is a module for storing the configured profile information in the DB.

The profiling information DB 240 stores profiling related information and may be configured to include a knowledge dictionary (DB) 241, an information analysis (DB) 242, and a configuration (DB) have. The knowledge dictionary (DB) 241 stores terms used in the dark web. The information analysis (DB) 242 stores profile information analysis data. The environment setting (DB) 243 stores environment setting information.

The DWCPP (Dark Web Criminal Professional Profiler) 300 provides a function having a user interface that provides the criminal characteristics information extracted by the DWCPA 200 as a meaningful analysis result to the criminal investigator. The DWCPP 300 may include an OSINT-based general web interworking analysis module 310, a criminal ID centric analysis module 320, and a criminal activity centric crosstalk analysis module 330.

FIG. 3 illustrates a profiling procedure for extracting characteristic information by OSINT-based general Web interworking analysis. Profiling refers to collecting data, but criminal type analysis is used in the investigation. It is a rhetorical technique that analyzes crime scenes and deduces criminals' habits, age, personality, occupation, and crime methods and then finds criminals based on them. As shown in FIG. 3, the OSINT-based general web interworking analysis module 310 extracts the characteristic information by extracting the crime characteristic information based on the dark web information. As shown in FIG. 3, in the first step S100, new data is generated in the dark web. In the second step S200, the dark web is scanned to extract the crime characteristic information. The extracted characteristic information includes a collection URL, a collection domain, a creator ID, a crime type, a writing article, a preparation date, a keyword, and a memo. In the third step (S300), the criminal investigator re-searches the characteristic information extracted through the general web for the purpose of extracting more characteristic information and improving the accuracy of the criminal information. At this time, the search method provides search for each characteristic or combination thereof. Manual Analysis Info provides search through input of additional information by experience and know-how of criminal investigator. And determines the storage management in the profile information DB 240 of the search result according to the judgment of the criminal investigation agency.

FIG. 4 shows an example of the criminal ID-based analysis. As shown in FIG. 4, in the criminal ID-based analysis module 320, based on the analysis information stored through the DWCPA 200 and the analysis information stored through the OSINT-based general web interworking analysis module 310, the criminal ID is centered on the criminal investigator A criminal investigator is a criminal investigator who has been informed of criminal activity in criminal activity, criminal activity mainly in the dark web, activity site in dark web, activity time, etc., I will infer the technique.

Figure 5 shows an example of an activity-based crossover analysis. 5, the criminal activity-based crossover analysis module 330 detects a criminal activity based on the analysis information stored through the DWCPA 200 and the analysis information stored through the OSINT-based general web interworking analysis module 310, Provide crossover analysis results. Cross-sectional analysis of the criminal activity information related to the same feature is performed. The crosstalk analysis is performed on domain analysis and ID analysis, domain analysis with the same crime type, and ID analysis , Domain analysis and ID analysis according to crime related usage pattern (similarity). Provide criminal investigators with information that enables them to infer and obtain traceable criminal characteristics information through crossover analysis of criminals with the same or similar features.

FIG. 6 illustrates a method of analyzing dark web crime information according to another embodiment of the present invention. As shown in FIG. 6, the method for analyzing the dark web crime information may include a dark web collecting step S1100, a dark web crime profile analyzing step S1200, and a dark web crime expert profiling step S1300.

In the dark web collection step S1100, the shared repository stores the information scanned through the dark web. The stored scanned information may be dark web gathering information collected through a dark web crime site search system.

In the dark web crime profile analysis step (S1200), the DWCPA unit classifies the dark web page information scanned in combination with the dark web crime dictionary information preliminarily constructed using the information scanned from the dark web as source data, And extracts and stores the crime characteristic information.

In the Dark Web Crime Expert profiling step (S1300), the DWCPP unit re-constructs the pre-information through the extraction of the additional association data by re-searching the general web based on the extracted crime characteristic information and performs the criminal profiling, It is used as data for crime tracking.

FIG. 7 is a detailed process of a dark web crime profile analysis step of the dark web crime information analysis method according to another embodiment of the present invention. As shown in FIG. 7, in the analysis step of the dark web crime profile, the page contents collected from the dark web stored in the shared repository are loaded, and the collected collected page contents are structured and temporarily stored in the internal memory S1210 ); A control step (S1220) of loading environment setting information for a collection target loading unit, which is a collection analyzer, and controlling execution of the collection target loading unit; A profile syntax analysis step (S1230) of extracting at least one of a crime target term, a bit coin address pattern information, and a wallet identifier ID pattern information; And a profiling information DB storing step (S1240) for storing terms used in the dark web, storing profile information analysis data, and storing environment setting information.

8 shows a detailed process of the profile syntax analysis step. As shown in FIG. 8, the profile parsing step S1230 parses the loaded collected page contents (collection information) for syntactic and lexical analysis. A syntax and vocabulary parsing analysis process for analyzing the morpheme (S1231); A harmful information validation process (S1232) for performing validation to determine whether the parsing information is information available as criminal profile information; A category classification process (S1233) for classifying categories of information after validation; A criminal characteristic information recognition process (S1234) for judging and recognizing the value as criminal characteristic information in the morphological analysis information; A profile information organizing step (S1235) of organizing the information into criminal profile information; And a profile information storing process (S1236) for storing the configured profile information in the DB.

9 is a detailed process of the dark web crime expert profiling step of the dark web crime information analysis method according to another embodiment of the present invention. As shown in FIG. 9, the dark web crime expert profiling step S1300 includes a user interface providing step S1310, an OSINT-based general web interworking analysis step S1320, a criminal ID centric analysis step S1330, And a crosstalk analysis step S1340. The dark web crime expert profiling step S1300 may include an OSINT-based general web interoperability analysis step S1320, a criminal ID-based analysis step S1330, and a criminal activity centering step S1330 using the user interface provided in the user interface providing step S1310. The OSINT-based general Web interoperability analysis step S1320, the criminal ID-based analysis step S1330, and the criminal activity-based crossover analysis step S1340 may provide the processing result in the crosstab analysis step S1340 independently of each other .

The user interface providing step (S1310) provides the extracted crime characteristic information as a meaningful analysis result to the criminal investigator. The user interface providing step S1310 may provide at least one of an OSINT-based general web interworking analysis result, a criminal ID-based analysis result, and a criminal activity-based crosstalk analysis result through a user interface.

FIG. 10 shows a detailed process of the OSINT-based general web linkage analysis step. As shown in FIG. 10, in the OSINT-based general web interworking analysis step S1320, when the OSINT-based general web interworking analysis module generates new data in the dark web, it extracts the crime characteristic information by scanning the dark web, (S1321) for re-searching the extracted characteristic information, and a storing step (S1322) for receiving an input as to whether to store the search result in the profile information DB and storing the search result. And a linkage analysis result providing step (S1323) in which an OSINT-based general web linkage analysis result is provided through a user interface by the OSINT-based general web linkage analysis module. The re-searching process (S1321) provides a search through each combination or combination of the characteristic information, and provides a search by receiving additional information based on experiences and know-how of the criminal investigator. The extracted characteristic information includes at least one of a collection URL, a collection domain, a creator ID, a crime type, a writing article, a preparation date, a keyword and a memo.

The criminal ID centric analysis step S1330 is a step in which the criminal ID centric analysis module analyzes criminal activity based on the analysis information stored through the DWCPA module and the analysis information stored through the OSINT based general web link analysis module, The result of analyzing the information is provided so that the crime method of the criminal corresponding to the ID can be deduced by the criminal ID centric analysis module.

The criminal activity-based crossover analysis step (S1340) is a step in which the criminal activity-based crosstalk analysis module analyzes criminal activity-based crosstalk analysis results based on the analysis information stored through the DWCPA and the analysis information stored through the OSINT- And the criminal activity centered crosstalk analysis result is provided by the criminal activity centered crosstalk module through the user interface. The criminal activity centered crosstalk is a crosstalk analysis of the criminal activity information associated with the same feature, and the criminal activity centered crosstalk module is capable of tracking through crosstalk analysis for criminals with the same or similar features. Provide criminal investigators with information that can be used to obtain and obtain information on crime characteristics. The crossover analysis includes analysis of domain (domain) and identification (ID) analysis, domain analysis and ID analysis with same crime type, domain analysis according to crime related usage pattern (similarity) ID analysis. ≪ / RTI >

Meanwhile, the method for analyzing dark web crime information according to an embodiment of the present invention may be implemented in a form of a program command that can be executed through a variety of means for processing information electronically and recorded in a storage medium. The storage medium may include program instructions, data files, data structures, and the like, alone or in combination.

Program instructions to be recorded on the storage medium may be those specially designed and constructed for the present invention or may be available to those skilled in the art of software. Examples of storage media include magnetic media such as hard disks, floppy disks and magnetic tape, optical media such as CD-ROMs and DVDs, magneto-optical media such as floptical disks, magneto-optical media and hardware devices specifically configured to store and execute program instructions such as ROM, RAM, flash memory, and the like. Examples of program instructions include machine language code such as those produced by a compiler, as well as devices for processing information electronically using an interpreter or the like, for example, a high-level language code that can be executed by a computer.

It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the invention as defined in the appended claims. It will be understood that the invention may be varied and varied without departing from the scope of the invention.

Claims (13)

In a dark web crime information analysis system,
A DWCPA unit for extracting and storing crime characteristic information by classifying and analyzing information of a dark web page scanned in combination with a dark web crime dictionary information constructed in advance by using the information scanned from the dark web as source data;
A DWCPP unit for reconstructing preliminary information through extraction of additional association data by re-searching the general web based on the extracted crime characteristic information, and using the extracted information as data for crime tracking occurring in the dark web by performing crime profiling; And
And a shared storage in which information scanned by the dark web is stored,
The DWCPP unit
And a user interface for providing the extracted crime characteristic information as a meaningful analyzed result to the criminal investigator,
The DWCPP unit provides at least one of an OSINT-based general web interworking analysis result, a criminal ID-based analysis result, and a criminal activity-based crossover analysis result through the user interface,
Wherein the scanned information stored in the shared repository is dark web collection information collected through a dark web crime site search system.
The method according to claim 1,
The DWCPA unit,
A collection destination loading unit loading page contents collected from a dark web stored in a shared repository, structuring the loaded collected page contents and temporarily storing the contents in the internal memory;
A control unit for loading environment setting information for a collection target loading unit, which is a collection analyzer, and controlling execution of a collection target loading unit;
A profile syntax analyzing unit for extracting at least one of a crime target term, bit coin address pattern information, and wallet identifier ID pattern information; And
And a profiling information DB for storing terms used in the dark web, storing profile information analysis data, and storing environment setting information,
The profile parsing unit
A parsing and lexical parsing module for parsing and morpheme analysis for syntax and lexical analysis of loaded page contents (collection information);
A harmful information validity checking module that performs validity checking to determine whether parsing information is available as criminal profile information;
A category classification module for classifying categories of information after validation;
A criminal characteristic information recognition module for judging and recognizing value as criminal characteristic information in morphological analysis information;
A profile information configuration module for finally configuring the criminal profile information; And
And a profile information storage module for storing the configured profile information in the DB. delete The method according to claim 1,
OSINT-based general web interworking analysis module provides OSINT-based general web interworking analysis result through user interface,
The OSINT-based general web interworking analysis module extracts crime characteristic information by scanning the dark web when new data is generated in the dark web, re-searches the characteristic information extracted through the general web,
Providing search through each or each combination according to the characteristic information,
Provide search by receiving additional information input by experience and know-how of criminal investigator,
Receives an input as to whether or not to store the search result in the profile information DB, stores the search result,
Wherein the extracted characteristic information includes at least one of a collection URL, a collection domain, an author ID, a crime type, a written article, a creation date, a keyword, and a memo. The method according to claim 1,
The criminal ID-based analysis module provides the criminal ID-based analysis result through the user interface,
The criminal ID centric analysis module provides a result of analyzing the criminal activity information based on the criminal ID to the criminal investigator based on the analysis information stored through the DWCPA module and the analysis information stored through the OSINT based general web link analysis module, Of the criminal's criminal code. The method according to claim 1,
The criminal activity centered crosstalk module provides criminal activity centered crosstalk results through the user interface,
The criminal activity-based crosstalk analysis module provides the criminal activity-based crosstalk analysis result to the criminal investigator based on the analysis information stored through the DWCPA module and the analysis information stored through the OSINT-based general web interoperability analysis module,
The analysis is a crosstab analysis of the criminal activity information associated with the same feature,
The criminal activity centered crosstalk module provides the criminal investigator with information capable of analogy and acquisition of crime characteristic information that can be traced through crossover analysis of criminals having the same or similar features,
The crossover analysis includes analysis of domain (domain) and identification (ID) analysis, domain analysis and ID analysis with same crime type, domain analysis according to crime related usage pattern (similarity) ID analysis of the dark web. In the dark web crime information analysis method,
DWCPA combines the dark web scanned information with the dark web crime dictionary information preliminarily constructed with the scanned dark web information as the source data and classifies and analyzes the information of the dark web pages into multiple forms to extract and store the crime characteristic information. Crime profile analysis phase; And
The DWCPP part re-constructs the preliminary information by extracting the additional association data by re-searching the general web based on the extracted crime characteristic information and performs the profiling of the crime by the dark web, Crime profiling profiling phase; And
A dark web collection step in which the shared repository stores information that has scanned the dark web,
The Dark Web Crime Expert profiling step
And a user interface providing step of providing the extracted crime characteristic information as a meaningful analysis result to the criminal investigator,
The user interface providing step
It provides one or more of OSINT-based general web linkage analysis result, criminal ID partial response analysis result and criminal activity activity crossover analysis result through user interface,
Wherein the scanned information stored by the dark web gathering step is dark web gathering information collected through a dark web crime site search system. 8. The method of claim 7,
The Dark Web Crime Profile Analysis step
A collection target loading step of loading page contents collected from a dark web stored in a shared storage, structuring the loaded collected page contents and temporarily storing the contents in the internal memory;
A control step of loading environment setting information for a collection target loading unit, which is a collection analyzer, and controlling execution of a collection target loading unit;
A profile syntax analysis step of extracting at least one of a crime target term, bit coin address pattern information, and wallet identifier ID pattern information; And
And a profiling information DB storing step of storing terms used in the dark web, storing profile information analysis data, and storing environment setting information,
The profile parsing step
A parsing and vocabulary parsing analysis process for parsing and morpheme analysis for the syntax and vocabulary analysis of the loaded collected page contents (collection information);
A harmful information validation process of performing validation to determine whether parsing information is available as criminal profile information;
A category classification process for classifying the category of information after validation;
A criminal characteristic information recognition process for judging and recognizing value as criminal characteristic information in morphological analysis information;
A profile information constituting step of finally constituting the information with crime profile information; And
And a profile information storing step of storing the configured profile information in the DB. delete 8. The method of claim 7,
The Dark Web Crime Expert profiling step further includes an OSINT based general Web interaction analysis step,
The OSINT-based general web interaction analysis step
The OSINT-based general web linkage analysis module retrieves crime characteristics information by scanning the dark web when new data is generated in the dark web, and re-searches the characteristic information extracted through the general web;
A storing step of receiving an input as to whether to store the search result in the profile information DB and storing the search result; And
And a linkage analysis result providing process in which an OSINT-based general web linkage analysis result is provided through a user interface by an OSINT-based general web linkage analysis module,
The re-searching process provides searching through each characteristic or combination of the characteristic information, provides search by receiving additional information based on experiences and know-how of the criminal investigator,
Wherein the extracted characteristic information includes at least one of a collection URL, a collection domain, a creator ID, a crime type, a written article, a creation date, a keyword, and a memo. 8. The method of claim 7,
The Dark Web Crime Expert profiling step further includes a criminal ID centric analysis step,
The criminal ID-based analysis module analyzes the criminal activity information centered on the criminal ID based on the analysis information stored through the DWCPA module and the analysis information stored through the OSINT-based general web linkage analysis module Wherein the criminal ID-based analysis module provides the criminal ID-based analysis result through the user interface so as to deduce the criminal's criminal procedure corresponding to the ID by providing a result. 8. The method of claim 7,
The Dark Web Crime Expert profiling step further comprises a criminal activity based crosstalk phase,
The criminal activity-based crosstalk analysis module provides the criminal activity-based crosstalk analysis result to the criminal investigator based on the analysis information stored through the DWCPA module and the analysis information stored through the OSINT-based general web interoperability analysis module The criminal activity centered crosstalk module is provided by the criminal activity centered crosstalk module through the user interface,
The criminal activity centered crosstalk is a crosstalk analysis of the criminal activity information associated with the same feature,
The criminal activity centered crosstalk module provides the criminal investigator with information capable of analogy and acquisition of crime characteristic information that can be traced through crossover analysis of criminals having the same or similar features,
The crossover analysis includes analysis of domain (domain) and identification (ID) analysis, domain analysis and ID analysis with same crime type, domain analysis according to crime related usage pattern (similarity) And analyzing the identity of the dark web. A computer-readable recording medium having recorded thereon a program for executing the method of any one of claims 7, 8 and 10 to 12.

Images