Soumajyoti Sarkar,Mohammad Almukaynizi,Jana Shakarian,Paulo Shakarian

DOI: https://doi.org/10.1007/s13278-019-0603-9

2019-09-30

Social Network Analysis and Mining

Abstract:With the rise in security breaches over the past few years, there has been an increasing need to mine insights from social media platforms to raise alerts of possible attacks in an attempt to defend conflict during competition. In this study, we attempt to build a framework that utilizes unconventional signals from the darkweb forums by leveraging the reply network structure of user interactions with the goal of predicting enterprise-related external cyber attacks. We use both unsupervised and supervised learning models that address the challenges that come with the lack of enterprise attack metadata for ground-truth validation as well as insufficient data for training the models. We validate our models on a binary classification problem that attempts to predict cyber attacks on a daily basis for an organization. Using several controlled studies on features leveraging the network structure, we measure the extent to which the indicators from the darkweb forums can be successfully used to predict attacks. We use information from 53 forums in the darkweb over a span of 17 months for the task. Our framework to predict real-world organization cyber attacks of three different security events suggests that focusing on the reply path structure between groups of users based on random walk transitions and community structures has an advantage in terms of better performance solely relying on forum or user posting statistics prior to attacks.

Xiuwen Liu,Jianming Fu,Yanjiao Chen

DOI: https://doi.org/10.1016/j.ins.2020.03.048

IF: 8.1

2020-01-01

Information Sciences

Abstract:The rich source of online reports and discussions on social media can be leveraged to investigate the widespread cyber-attacks. In this paper, we study the problem of cybersecurity event mining based on continuous tweet streams. In contrast to traditional static methods that do not consider event evolution, we explore relevance among historical and online events for cyber-attack event discovery and evolution detection. We propose CyberEM, a novel event evolution model with a special focus on cybersecurity events. A pattern clustering algorithm and an NMF-based (non-negative matrix factorization) event aggregation algorithm are devised for cyber-attack indicator extraction and event evolution detection. We leverage both the patterns that belong to the cybersecurity domain and the patterns of the semantic contexts of cybersecurity to refine evolutionary relevance of events across multiple time intervals. Furthermore, we design a dynamic event inference algorithm to discover cybersecurity events and update event aggregation in an online manner. Through extensive evaluations with a large-scale real-world tweet dataset, we demonstrate the superiority of the proposed CyberEM model over existing methods in identifying cybersecurity events and their evolutionary relevance.

Ashok Deb,Kristina Lerman,Emilio Ferrara

DOI: https://doi.org/10.3390/info9110280

2018-04-15

Abstract:Recent high-profile cyber attacks exemplify why organizations need better cyber defenses. Cyber threats are hard to accurately predict because attackers usually try to mask their traces. However, they often discuss exploits and techniques on hacking forums. The community behavior of the hackers may provide insights into groups' collective malicious activity. We propose a novel approach to predict cyber events using sentiment analysis. We test our approach using cyber attack data from 2 major business organizations. We consider 3 types of events: malicious software installation, malicious destination visits, and malicious emails that surpassed the target organizations' defenses. We construct predictive signals by applying sentiment analysis on hacker forum posts to better understand hacker behavior. We analyze over 400K posts generated between January 2016 and January 2018 on over 100 hacking forums both on surface and Dark Web. We find that some forums have significantly more predictive power than others. Sentiment-based models that leverage specific forums can outperform state-of-the-art deep learning and time-series models on forecasting cyber attacks weeks ahead of the events.

Computation and Language

Benjamin M. Ampel

DOI: https://doi.org/10.48550/arXiv.2012.14425

2020-12-26

Abstract:Cyberattacks conducted by malicious hackers cause irreparable damage to organizations, governments, and individuals every year. Hackers use exploits found on hacker forums to carry out complex cyberattacks, making exploration of these forums vital. We propose a hacker forum entity recognition framework (HackER) to identify exploits and the entities that the exploits target. HackER then uses a bidirectional long short-term memory model (BiLSTM) to create a predictive model for what companies will be targeted by exploits. The results of the algorithm will be evaluated using a manually labeled gold-standard test dataset, using accuracy, precision, recall, and F1-score as metrics. We choose to compare our model against state of the art classical machine learning and deep learning benchmark models. Results show that our proposed HackER BiLSTM model outperforms all classical machine learning and deep learning models in F1-score (79.71%). These results are statistically significant at 0.05 or lower for all benchmarks except LSTM. The results of preliminary work suggest our model can help key cybersecurity stakeholders (e.g., analysts, researchers, educators) identify what type of business an exploit is targeting.

Cryptography and Security,Machine Learning

Felipe Moreno-Vera,Mateus Nogueira,Cainã Figueiredo,Daniel Sadoc Menasché,Miguel Bicudo,Ashton Woiwood,Enrico Lovat,Anton Kocheturov,Leandro Pfleger de Aguiar

2023-08-04

Abstract:This paper proposes a machine learning-based approach for detecting the exploitation of vulnerabilities in the wild by monitoring underground hacking forums. The increasing volume of posts discussing exploitation in the wild calls for an automatic approach to process threads and posts that will eventually trigger alarms depending on their content. To illustrate the proposed system, we use the CrimeBB dataset, which contains data scraped from multiple underground forums, and develop a supervised machine learning model that can filter threads citing CVEs and label them as Proof-of-Concept, Weaponization, or Exploitation. Leveraging random forests, we indicate that accuracy, precision and recall above 0.99 are attainable for the classification task. Additionally, we provide insights into the difference in nature between weaponization and exploitation, e.g., interpreting the output of a decision tree, and analyze the profits and other aspects related to the hacking communities. Overall, our work sheds insight into the exploitation of vulnerabilities in the wild and can be used to provide additional ground truth to models such as EPSS and Expected Exploitability.

Cryptography and Security,Machine Learning

Victor Adewopo,Bilal Gonen,Nelly Elsayed,Murat Ozer,Zaghloul Saad Elsayed

DOI: https://doi.org/10.48550/arXiv.2202.01448

2022-02-03

Cryptography and Security

Abstract:In our current society, the inter-connectivity of devices provides easy access for netizens to utilize cyberspace technology for illegal activities. The deep web platform is a consummative ecosystem shielded by boundaries of trust, information sharing, trade-off, and review systems. Domain knowledge is shared among experts in hacker's forums which contain indicators of compromise that can be explored for cyberthreat intelligence. Developing tools that can be deployed for threat detection is integral in securing digital communication in cyberspace. In this paper, we addressed the use of TOR relay nodes for anonymizing communications in deep web forums. We propose a novel approach for detecting cyberthreats using a deep learning algorithm Long Short-Term Memory (LSTM). The developed model outperformed the experimental results of other researchers in this problem domain with an accuracy of 94\% and precision of 90\%. Our model can be easily deployed by organizations in securing digital communications and detection of vulnerability exposure before cyberattack.

Amy Sliva,Kai Shu,Huan Liu

DOI: https://doi.org/10.1007/978-3-319-94709-9_62

2018-06-27

Abstract:As networked and computer technologies continue to pervade all aspects of our lives, the threat from cyber attacks has also increased. However, detecting attacks, much less predicting them in advance, is a non-trivial task due to the anonymity of cyber attackers and the ambiguity of network data collected within an organization; often, by the time an attack pattern is recognized, the damage has already been done. Evidence suggests that the public discourse in external sources, such as news and social media, is often correlated with the occurrence of larger phenomena, such as election results or violent attacks. In this paper, we propose an approach that uses sentiment polarity as a sensor to analyze the social behavior of groups on social media as an indicator of cyber at-tack behavior. We developed an unsupervised sentiment prediction method that uses emotional signals to enhance the sentiment signal from sparse textual indicators. To explore the efficacy of sentiment polarity as an indicator of cyber-attacks, we performed experiments using real-world data from Twitter that corresponds to attacks by a well-known hacktivist group.

Chun-Ming Lai,Xiaoyun Wang,Yunfeng Hong,Yu-Cheng Lin,S. Felix Wu,Patrick McDaniel,Hasan Cam

DOI: https://doi.org/10.23919/CNSM.2017.8256040

2018-02-13

Abstract:Online social network (OSN) discussion groups are exerting significant effects on political dialogue. In the absence of access control mechanisms, any user can contribute to any OSN thread. Individuals can exploit this characteristic to execute targeted attacks, which increases the potential for subsequent malicious behaviors such as phishing and malware distribution. These kinds of actions will also disrupt bridges among the media, politicians, and their constituencies. For the concern of Security Management, blending malicious cyberattacks with online social interactions has introduced a brand new challenge. In this paper we describe our proposal for a novel approach to studying and understanding the strategies that attackers use to spread malicious URLs across Facebook discussion groups. We define and analyze problems tied to predicting the potential for attacks focused on threads created by news media organizations. We use a mix of macro static features and the micro dynamic evolution of posts and threads to identify likely targets with greater than 90% accuracy. One of our secondary goals is to make such predictions within a short (10 minute) time frame. It is our hope that the data and analyses presented in this paper will support a better understanding of attacker strategies and footprints, thereby developing new system management methodologies in handing cyber attacks on social networks.

Social and Information Networks

Zaid Almahmoud,Paul D Yoo,Omar Alhussein,Ilyas Farhat,Ernesto Damiani

DOI: https://doi.org/10.1038/s41598-023-35198-1

2023-05-17

Abstract:Traditionally, cyber-attack detection relies on reactive, assistive techniques, where pattern-matching algorithms help human experts to scan system logs and network traffic for known virus or malware signatures. Recent research has introduced effective Machine Learning (ML) models for cyber-attack detection, promising to automate the task of detecting, tracking and blocking malware and intruders. Much less effort has been devoted to cyber-attack prediction, especially beyond the short-term time scale of hours and days. Approaches that can forecast attacks likely to happen in the longer term are desirable, as this gives defenders more time to develop and share defensive actions and tools. Today, long-term predictions of attack waves are mostly based on the subjective perceptiveness of experienced human experts, which can be impaired by the scarcity of cyber-security expertise. This paper introduces a novel ML-based approach that leverages unstructured big data and logs to forecast the trend of cyber-attacks at a large scale, years in advance. To this end, we put forward a framework that utilises a monthly dataset of major cyber incidents in 36 countries over the past 11 years, with new features extracted from three major categories of big data sources, namely the scientific research literature, news, blogs, and tweets. Our framework not only identifies future attack trends in an automated fashion, but also generates a threat cycle that drills down into five key phases that constitute the life cycle of all 42 known cyber threats.

Rupinder Paul Khandpur,Taoran Ji,Steve Jan,Gang Wang,Chang-Tien Lu,Naren Ramakrishnan

DOI: https://doi.org/10.1145/3132847.3132866

2017-02-25

Abstract:Social media is often viewed as a sensor into various societal events such as disease outbreaks, protests, and elections. We describe the use of social media as a crowdsourced sensor to gain insight into ongoing cyber-attacks. Our approach detects a broad range of cyber-attacks (e.g., distributed denial of service (DDOS) attacks, data breaches, and account hijacking) in an unsupervised manner using just a limited fixed set of seed event triggers. A new query expansion strategy based on convolutional kernels and dependency parses helps model reporting structure and aids in identifying key event characteristics. Through a large-scale analysis over Twitter, we demonstrate that our approach consistently identifies and encodes events, outperforming existing methods.

Cryptography and Security,Human-Computer Interaction,Information Retrieval,Social and Information Networks

Emrah Budur,Seungmin Lee,Vein S. Kong

DOI: https://doi.org/10.48550/arXiv.1507.05739

2015-07-21

Social and Information Networks

Abstract:Analysis of criminal networks is inherently difficult because of the nature of the topic. Criminal networks are covert and most of the information is not publicly available. This leads to small datasets available for analysis. The available criminal network datasets consists of entities, i.e. individual or organizations, which are linked to each other. The links between entities indicates that there is a connection between these entities such as involvement in the same criminal event, having commercial ties, and/or memberships in the same criminal organization. Because of incognito criminal activities, there could be many hidden links from entities to entities, which makes the publicly available criminal networks incomplete. Revealing hidden links introduces new information, e.g. affiliation of a suspected individual with a criminal organization, which may not be known with public information. What will we be able to find if we can run analysis on a larger dataset and use link prediction to reveal the implicit connections? We plan to answer this question by using a dataset that is an order of magnitude more than what is used in most criminal networks analysis. And by using machine learning techniques, we will convert a link prediction problem to a binary classification problem. We plan to reveal hidden links and potentially hidden key attributes of the criminal network. With a more complete picture of the network, we can potentially use this data to thwart criminal organizations and/or take a Pareto approach in targeting key nodes. We conclude our analysis with an effective destruction strategy to weaken criminal networks and prove the effectiveness of revealing hidden links when attacking to criminal networks.

Lyudmyla Kirichenko,Tamara Radivilova,Anders Carlsson

DOI: https://doi.org/10.48550/arXiv.1805.06680

2018-05-17

Abstract:This article considers a short survey of basic methods of social networks analysis, which are used for detecting cyber threats. The main types of social network threats are presented. Basic methods of graph theory and data mining, that deals with social networks analysis are described. Typical security tasks of social network analysis, such as community detection in network, detection of leaders in communities, detection experts in networks, clustering text information and others are considered.

Social and Information Networks,Cryptography and Security,Computers and Society

Ziming Zhao,Gail-Joon Ahn,Hongxin Hu,Deepinder Mahi

2012-01-01

Abstract:Existing research on net-centric attacks has focused on the detection of attack events on network side and the removal of rogue programs from client side. However, such approaches largely overlook the way on how attack tools and unwanted programs are developed and distributed. Recent studies in underground economy reveal that suspicious attackers heavily utilize online social networks to form special interest groups and distribute malicious code. Consequently, examining social dynamics, as a novel way to complement existing research efforts, is imperative to systematically identify attackers and tactically cope with net-centric threats. In this paper, we seek a way to understand and analyze social dynamics relevant to net-centric attacks and propose a suite of measures called SocialImpact for systematically discovering and mining adversarial evidence. We also demonstrate the feasibility and applicability of our approach by implementing a proof-of-concept prototype Cassandra with a case study on real-world data archived from the Internet.

Hanjo D. Boekhout,Arjan A.J. Blokland,Frank W. Takes

2024-05-10

Abstract:In this work we focus on identifying key players in dark net cryptomarkets that facilitate online trade of illegal goods. Law enforcement aims to disrupt criminal activity conducted through these markets by targeting key players vital to the market's existence and success. We particularly focus on detecting successful vendors responsible for the majority of illegal trade. Our methodology aims to uncover whether the task of key player identification should center around plainly measuring user and forum activity, or that it requires leveraging specific patterns of user communication. We focus on a large-scale dataset from the Evolution cryptomarket, which we model as an evolving communication network. Results indicate that user and forum activity, measured through topic engagement, is best able to identify successful vendors. Interestingly, considering users with higher betweenness centrality in the communication network further improves performance, also identifying successful vendors with moderate activity on the forum. But more importantly, analyzing the forum data over time, we find evidence that attaining a high betweenness score comes before vendor success. This suggests that the proposed network-driven approach of modelling user communication might prove useful as an early warning signal for key player identification.

Social and Information Networks

Elijah Pelofske,Lorie M. Liebrock,Vincent Urias

2024-10-08

Abstract:Open source intelligence is a powerful tool for cybersecurity analysts to gather information both for analysis of discovered vulnerabilities and for detecting novel cybersecurity threats and exploits. However the scale of information that is relevant for information security on the internet is always increasing, and is intractable for analysts to parse comprehensively. Therefore methods of condensing the available open source intelligence, and automatically developing connections between disparate sources of information, is incredibly valuable. In this research, we present a system which constructs a Neo4j graph database formed by shared connections between open source intelligence text including blogs, cybersecurity bulletins, news sites, antivirus scans, social media posts (e.g., Reddit and Twitter), and threat reports. These connections are comprised of possible indicators of compromise (e.g., IP addresses, domains, hashes, email addresses, phone numbers), information on known exploits and techniques (e.g., CVEs and MITRE ATT&CK Technique ID's), and potential sources of information on cybersecurity exploits such as twitter usernames. The construction of the database of potential IoCs is detailed, including the addition of machine learning and metadata which can be used for filtering of the data for a specific domain (for example a specific natural language) when needed. Examples of utilizing the graph database for querying connections between known malicious IoCs and open source intelligence documents, including threat reports, are shown. We show three specific examples of interesting connections found in the graph database; the connections to a known exploited CVE, a known malicious IP address, and a malware hash signature.

Cryptography and Security

Raymond Y. K. Lau,Yunqing Xia,Yunming Ye

DOI: https://doi.org/10.1109/mci.2013.2291689

IF: 9.809

2014-01-01

IEEE Computational Intelligence Magazine

Abstract:There has been a rapid growth in the number of cybercrimes that cause tremendous financial loss to organizations. Recent studies reveal that cybercriminals tend to collaborate or even transact cyber-attack tools via the "dark markets" established in online social media. Accordingly, it presents unprecedented opportunities for researchers to tap into these underground cybercriminal communities to develop better insights about collaborative cybercrime activities so as to combat the ever increasing number of cybercrimes. The main contribution of this paper is the development of a novel weakly supervised cybercriminal network mining method to facilitate cybercrime forensics. In particular, the proposed method is underpinned by a probabilistic generative model enhanced by a novel context-sensitive Gibbs sampling algorithm. Evaluated based on two social media corpora, our experimental results reveal that the proposed method significantly outperforms the Latent Dirichlet Allocation (LDA) based method and the Support Vector Machine (SVM) based method by 5.23% and 16.62% in terms of Area Under the ROC Curve (AUC), respectively. It also achieves comparable performance as the state-of-the-art Partially Labeled Dirichlet Allocation (PLDA) method. To the best of our knowledge, this is the first successful research of applying a probabilistic generative model to mine cybercriminal networks from online social media.

Felipe Moreno-Vera

DOI: https://doi.org/10.1109/ICTC58733.2023.10393244

2024-05-07

Abstract:The increasing sophistication of cyber threats necessitates proactive measures to identify vulnerabilities and potential exploits. Underground hacking forums serve as breeding grounds for the exchange of hacking techniques and discussions related to exploitation. In this research, we propose an innovative approach using topic modeling to analyze and uncover key themes in vulnerabilities discussed within these forums. The objective of our study is to develop a machine learning-based model that can automatically detect and classify vulnerability-related discussions in underground hacking forums. By monitoring and analyzing the content of these forums, we aim to identify emerging vulnerabilities, exploit techniques, and potential threat actors. To achieve this, we collect a large-scale dataset consisting of posts and threads from multiple underground forums. We preprocess and clean the data to ensure accuracy and reliability. Leveraging topic modeling techniques, specifically Latent Dirichlet Allocation (LDA), we uncover latent topics and their associated keywords within the dataset. This enables us to identify recurring themes and prevalent discussions related to vulnerabilities, exploits, and potential targets.

Cryptography and Security,Artificial Intelligence,Computers and Society,Machine Learning

Raymond Y. K. Lau,Yunqing Xia

DOI: https://doi.org/10.7763/ijfcc.2013.v2.187

2013-01-01

International Journal of Future Computer and Communication

Abstract:Recent research reveals that the number of cyber-attacks has been doubled in the past three years. This is a devastating growth of the number of cyber-attacks, and it reveals a serious business problem around the world. Existing intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and anti-malware systems mainly rely on low-level network traffic features or program code signatures to detect cyber-attacks. However, since hackers can constantly change their attack tactics by, it is extremely difficult for existing security solutions to detect cyber-attacks. There are increasing more evidences showing that cybercriminals tend to exchange cybercrime knowledge and transact via online social media. Accordingly, it presents unprecedented opportunities for security intelligence experts to tap into online social media to extract the vital security intelligence for cyber-attack forensics. The main contributions of this paper are the design, development, and evaluation of a Latent Dirichlet Allocation (LDA)-based latent text mining model for cyber-attack forensics. Our preliminary evaluation of the proposed latent text mining model based on a real-world data set crawled from Twitter and Blog sites shows that it significantly outperforms the probabilistic latent semantic indexing (pLSI) method in terms of extracting more relevant and richer concepts describing real-world cyber-attack incidents.

Rasika Bhalerao,Maxwell Aliapoulios,Ilia Shumailov,Sadia Afroz,Damon McCoy

DOI: https://doi.org/10.48550/arXiv.1812.00381

2018-12-05

Abstract:Cybercrime forums enable modern criminal entrepreneurs to collaborate with other criminals into increasingly efficient and sophisticated criminal endeavors. Understanding the connections between different products and services can often illuminate effective interventions. However, generating this understanding of supply chains currently requires time-consuming manual effort. In this paper, we propose a language-agnostic method to automatically extract supply chains from cybercrime forum posts and replies. Our supply chain detection algorithm can identify 36% and 58% relevant chains within major English and Russian forums, respectively, showing improvements over the baselines of 13% and 36%, respectively. Our analysis of the automatically generated supply chains demonstrates underlying connections between products and services within these forums. For example, the extracted supply chain illuminated the connection between hack-for-hire services and the selling of rare and valuable `OG' accounts, which has only recently been reported. The understanding of connections between products and services exposes potentially effective intervention points.

Cryptography and Security,Computation and Language,Machine Learning

Hassan Halawa,Matei Ripeanu,Konstantin Beznosov,Baris Coskun,Meizhu Liu

DOI: https://doi.org/10.48550/arXiv.1801.08629

2018-01-26

Abstract:In the face of large-scale automated social engineering attacks to large online services, fast detection and remediation of compromised accounts are crucial to limit the spread of new attacks and to mitigate the overall damage to users, companies, and the public at large. We advocate a fully automated approach based on machine learning: we develop an early warning system that harnesses account activity traces to predict which accounts are likely to be compromised in the future and generate suspicious activity. We hypothesize that this early warning is key for a more timely detection of compromised accounts and consequently faster remediation. We demonstrate the feasibility and applicability of the system through an experiment at a large-scale online service provider using four months of real-world production data encompassing hundreds of millions of users. We show that - even using only login data to derive features with low computational cost, and a basic model selection approach - our classifier can be tuned to achieve good classification precision when used for forecasting. Our system correctly identifies up to one month in advance the accounts later flagged as suspicious with precision, recall, and false positive rates that indicate the mechanism is likely to prove valuable in operational settings to support additional layers of defense.

Cryptography and Security