(IJCSIS) International Journal of Computer Science and Information Security, Vol. 14, No. 7, July 2016

Defending Against Attacks from the Dark Web Using Neural Networks and Automated Malware Analysis

Eng. Mihai-Gabriel IONITA*
Computer Sciences and Information Technology Doctoral School, Military Technical Academy, Bucharest, Romania
mihai_ionita01@hotmail.com

Prof. Victor-Valeriu PATRICIU
Computer Sciences and Information Technology Doctoral School, Military Technical Academy, Bucharest, Romania
vip@mta.ro

Abstract: In an Internet-connected world, cyber security assurance is critical for protecting an organization's critical infrastructures. For this task, we propose a connected infrastructure that offers various types of malware analysis capabilities. Its architecture is based on customized open-source projects. The proposed implementation has been integrated into an already built platform that aims to protect an organization's geographically distributed network. It is based on software-defined network components and uses artificial neural networks for protecting these critical infrastructures. The malware analysis component consists of three sub-components that perform static and behavioural analysis of suspected pieces of code, documents or traffic. In addition, when attacks involving zombie computers come from the Dark Web, the platform tries to uncover their true source, so that it can inform the unsuspecting users or refer them to justice. As detecting Tor traffic is not a trivial task, the platform includes a dedicated module for scanning inbound and outbound connections and assessing their risk. An intelligent firewall separates the protected infrastructure from malicious Internet traffic by telling malevolent Tor traffic apart from benign traffic flows. The platform also offers added protection against 0-day vulnerabilities and APT attacks through its behavioural analysis techniques.
Keywords: cyber security, artificial neural networks, automated malware analysis, Tor, dark-web

I. INTRODUCTION

When discussing the Dark Web we refer to the services and the content exchanged over darknets such as Tor, through overlay networks or local friend-to-friend networks. As cyber criminals move their operations to the Dark Web for added anonymity and protection, the face of cyber security will change completely. Privacy-seeking users, who fear government surveillance, also turn to the Dark Web, and in some cases end up infected with malware or targeted by government investigations precisely because of their anonymity-seeking actions.

In today's cyber security context, everything is changing. The 2013 Distributed Denial of Service (DDoS) attack on Spamhaus [1] generated an unearthly 300 Gbps of traffic; the later DDoS attack against BBC [2] servers reached a staggering 602 Gbps, which makes the former attack seem like child's play. Other problems arise from malware campaigns used to take down public utilities or factories, the so-called kinetic cyber-attacks, which cause financial harm or even physical injury to human beings. One such example is the malware campaign [3] in which the Black Energy framework was used to target the Ukrainian power plant Prykarpattyaoblenergo. A similar incident took place when the now famous Stuxnet malware was used to sabotage Iran's nuclear program. These kinds of targeted malware campaigns are impossible to detect with traditional antimalware applications. Classical antimalware applications, such as antivirus products, rely on comparing analysed code against malicious code definitions, which are only provided after an analyst has identified a piece of code as malicious or infections have been reported. The same holds for web security applications, which likewise block only known malicious websites or domains.
To make matters worse, attackers have started using the Dark Web and Tor nodes for Denial of Service attacks and for spreading malware. This slows down any effort by forensic investigators and law enforcement teams to identify the aggressors.

A. Concerns regarding the future of SCADA systems in utility monitoring and control which could lead to kinetic cyber-attacks

Unfortunately, a recent study [4], produced by the security company Tripwire, states that over 80% of the respondents have seen an increase in successful cyber-attacks over the past year. Alarmingly, the study highlights that for the majority (53%) of the surveyed companies in this business sector, the number of attacks has even doubled over the past year. On a more positive note, at least 69% of the questioned employees acknowledged that their company does not detect all cyber-attacks, and for over 72% of the involved companies a single executive has security responsibility for both IT and operational technologies (OT). Unpleasant as this information is, it is important that high-level executives from these companies understand their