Xiuwen Liu,Jianming Fu,Yanjiao Chen

DOI: https://doi.org/10.1016/j.ins.2020.03.048

IF: 8.1

2020-01-01

Information Sciences

Abstract:The rich source of online reports and discussions on social media can be leveraged to investigate the widespread cyber-attacks. In this paper, we study the problem of cybersecurity event mining based on continuous tweet streams. In contrast to traditional static methods that do not consider event evolution, we explore relevance among historical and online events for cyber-attack event discovery and evolution detection. We propose CyberEM, a novel event evolution model with a special focus on cybersecurity events. A pattern clustering algorithm and an NMF-based (non-negative matrix factorization) event aggregation algorithm are devised for cyber-attack indicator extraction and event evolution detection. We leverage both the patterns that belong to the cybersecurity domain and the patterns of the semantic contexts of cybersecurity to refine evolutionary relevance of events across multiple time intervals. Furthermore, we design a dynamic event inference algorithm to discover cybersecurity events and update event aggregation in an online manner. Through extensive evaluations with a large-scale real-world tweet dataset, we demonstrate the superiority of the proposed CyberEM model over existing methods in identifying cybersecurity events and their evolutionary relevance.

Raymond Y. K. Lau,Yunqing Xia,Yunming Ye

DOI: https://doi.org/10.1109/mci.2013.2291689

IF: 9.809

2014-01-01

IEEE Computational Intelligence Magazine

Abstract:There has been a rapid growth in the number of cybercrimes that cause tremendous financial loss to organizations. Recent studies reveal that cybercriminals tend to collaborate or even transact cyber-attack tools via the "dark markets" established in online social media. Accordingly, it presents unprecedented opportunities for researchers to tap into these underground cybercriminal communities to develop better insights about collaborative cybercrime activities so as to combat the ever increasing number of cybercrimes. The main contribution of this paper is the development of a novel weakly supervised cybercriminal network mining method to facilitate cybercrime forensics. In particular, the proposed method is underpinned by a probabilistic generative model enhanced by a novel context-sensitive Gibbs sampling algorithm. Evaluated based on two social media corpora, our experimental results reveal that the proposed method significantly outperforms the Latent Dirichlet Allocation (LDA) based method and the Support Vector Machine (SVM) based method by 5.23% and 16.62% in terms of Area Under the ROC Curve (AUC), respectively. It also achieves comparable performance as the state-of-the-art Partially Labeled Dirichlet Allocation (PLDA) method. To the best of our knowledge, this is the first successful research of applying a probabilistic generative model to mine cybercriminal networks from online social media.

Claudia Peersman,Matthew Edwards,Emma Williams,Awais Rashid

DOI: https://doi.org/10.48550/arXiv.2211.15784

2022-11-29

Abstract:Recent advances in text mining and natural language processing technology have enabled researchers to detect an authors identity or demographic characteristics, such as age and gender, in several text genres by automatically analysing the variation of linguistic characteristics. However, applying such techniques in the wild, i.e., in both cybercriminal and regular online social media, differs from more general applications in that its defining characteristics are both domain and process dependent. This gives rise to a number of challenges of which contemporary research has only scratched the surface. More specifically, a text mining approach applied on social media communications typically has no control over the dataset size, the number of available communications will vary across users. Hence, the system has to be robust towards limited data availability. Additionally, the quality of the data cannot be guaranteed. As a result, the approach needs to be tolerant to a certain degree of linguistic noise (for example, abbreviations, non-standard language use, spelling variations and errors). Finally, in the context of cybercriminal fora, it has to be robust towards deceptive or adversarial behaviour, i.e. offenders who attempt to hide their criminal intentions (obfuscation) or who assume a false digital persona (imitation), potentially using coded language. In this work we present a comprehensive survey that discusses the problems that have already been addressed in current literature and review potential solutions. Additionally, we highlight which areas need to be given more attention.

Cryptography and Security

Soumajyoti Sarkar,Mohammad Almukaynizi,Jana Shakarian,Paulo Shakarian

DOI: https://doi.org/10.1007/s13278-019-0603-9

2019-09-30

Social Network Analysis and Mining

Abstract:With the rise in security breaches over the past few years, there has been an increasing need to mine insights from social media platforms to raise alerts of possible attacks in an attempt to defend conflict during competition. In this study, we attempt to build a framework that utilizes unconventional signals from the darkweb forums by leveraging the reply network structure of user interactions with the goal of predicting enterprise-related external cyber attacks. We use both unsupervised and supervised learning models that address the challenges that come with the lack of enterprise attack metadata for ground-truth validation as well as insufficient data for training the models. We validate our models on a binary classification problem that attempts to predict cyber attacks on a daily basis for an organization. Using several controlled studies on features leveraging the network structure, we measure the extent to which the indicators from the darkweb forums can be successfully used to predict attacks. We use information from 53 forums in the darkweb over a span of 17 months for the task. Our framework to predict real-world organization cyber attacks of three different security events suggests that focusing on the reply path structure between groups of users based on random walk transitions and community structures has an advantage in terms of better performance solely relying on forum or user posting statistics prior to attacks.

Simran K,Prathiksha Balakrishna,Vinayakumar R,Soman KP

DOI: https://doi.org/10.48550/arXiv.2004.00503

2020-03-31

Computation and Language

Abstract:In recent days, the amount of Cyber Security text data shared via social media resources mainly Twitter has increased. An accurate analysis of this data can help to develop cyber threat situational awareness framework for a cyber threat. This work proposes a deep learning based approach for tweet data analysis. To convert the tweets into numerical representations, various text representations are employed. These features are feed into deep learning architecture for optimal feature extraction as well as classification. Various hyperparameter tuning approaches are used for identifying optimal text representation method as well as optimal network parameters and network structures for deep learning models. For comparative analysis, the classical text representation method with classical machine learning algorithm is employed. From the detailed analysis of experiments, we found that the deep learning architecture with advanced text representation methods performed better than the classical text representation and classical machine learning algorithms. The primary reason for this is that the advanced text representation methods have the capability to learn sequential properties which exist among the textual data and deep learning architectures learns the optimal features along with decreasing the feature size.

Alaric Hartsock,Luiz Manella Pereira,Glenn Fink

2024-11-12

Abstract:Threat hunting analyzes large, noisy, high-dimensional data to find sparse adversarial behavior. We believe adversarial activities, however they are disguised, are extremely difficult to completely obscure in high dimensional space. In this paper, we employ these latent features of cyber data to find anomalies via a prototype tool called Cyber Log Embeddings Model (CLEM). CLEM was trained on Zeek network traffic logs from both a real-world production network and an from Internet of Things (IoT) cybersecurity testbed. The model is deliberately overtrained on a sliding window of data to characterize each window closely. We use the Adjusted Rand Index (ARI) to comparing the k-means clustering of CLEM output to expert labeling of the embeddings. Our approach demonstrates that there is promise in using natural language modeling to understand cyber data.

Artificial Intelligence,Cryptography and Security,Machine Learning

Avanti Bhandarkar,Ronald Wilson,Anushka Swarup,Mengdi Zhu,Damon Woodard

2024-07-25

Abstract:In the era of generative AI, the widespread adoption of Neural Text Generators (NTGs) presents new cybersecurity challenges, particularly within the realms of Digital Forensics and Incident Response (DFIR). These challenges primarily involve the detection and attribution of sources behind advanced attacks like spearphishing and disinformation campaigns. As NTGs evolve, the task of distinguishing between human and NTG-authored texts becomes critically complex. This paper rigorously evaluates the DFIR pipeline tailored for text-based security systems, specifically focusing on the challenges of detecting and attributing authorship of NTG-authored texts. By introducing a novel human-NTG co-authorship text attack, termed CS-ACT, our study uncovers significant vulnerabilities in traditional DFIR methodologies, highlighting discrepancies between ideal scenarios and real-world conditions. Utilizing 14 diverse datasets and 43 unique NTGs, up to the latest GPT-4, our research identifies substantial vulnerabilities in the forensic profiling phase, particularly in attributing authorship to NTGs. Our comprehensive evaluation points to factors such as model sophistication and the lack of distinctive style within NTGs as significant contributors for these vulnerabilities. Our findings underscore the necessity for more sophisticated and adaptable strategies, such as incorporating adversarial learning, stylizing NTGs, and implementing hierarchical attribution through the mapping of NTG lineages to enhance source attribution. This sets the stage for future research and the development of more resilient text-based security systems.

Cryptography and Security,Computation and Language

Xiaofeng Wang,Matthew S. Gerber,Donald E. Brown

DOI: https://doi.org/10.1007/978-3-642-29047-3_28

2012-01-01

Abstract:Prior work on criminal incident prediction has relied primarily on the historical crime record and various geospatial and demographic information sources. Although promising, these models do not take into account the rich and rapidly expanding social media context that surrounds incidents of interest. This paper presents a preliminary investigation of Twitter-based criminal incident prediction. Our approach is based on the automatic semantic analysis and understanding of natural language Twitter posts, combined with dimensionality reduction via latent Dirichlet allocation and prediction via linear modeling. We tested our model on the task of predicting future hit-and-run crimes. Evaluation results indicate that the model comfortably outperforms a baseline model that predicts hit-and-run incidents uniformly across all days.

D. Paul Joseph,P. Viswanathan

DOI: https://doi.org/10.1109/access.2023.3234434

IF: 3.9

2023-01-13

IEEE Access

Abstract:Most traditional digital forensic techniques identify irrelevant files in a corpus using keyword search, frequent hashes, frequent paths, and frequent size methods. These methods are based on Message Digest and Secure Hash Algorithm-1, which result in a hash collision. The threshold criteria of files based on frequent sizes will lead to imprecise threshold values that result in an increased evaluation of irrelevant files. The blacklisted keywords used in forensic search are based on literal and non-lexical, thus resulting in increased false-positive search results and failure to disambiguate unstructured text. Due to this, many extraneous files are also being considered for further investigations, exacerbating the time lag. Moreover, the non-availability of standardized forensic labeled data results in time complexity during the file classification process. This research proposes a three-tier Keyword Metadata Pattern framework to overcome these significant concerns. Initially, Secure Hash algorithm-256 hash for the entire corpus is constructed along with custom regex and stop-words module to overcome hash collision, imprecise threshold values, and eliminate recurrent files. Then blacklisted keywords are constructed by identifying vectorized words that have proximity to overcome traditional keyword search's drawbacks and to overcome false positive results. Dynamic forensic relevant patterns based on massive password datasets are designed to search for unique, relevant patterns to identify the significant files and overcome the time lag. Based on tier-2 results, files are preliminarily classified automatically in O(log n) complexity, and the system is trained with a machine learning model. Finally, when experimentally evaluated, the overall proposed system was found to be very effective, outperforming the existing two-tier model in terms of finding relevant files - y automated labeling and classification in O(nlog n) complexity. Our proposed model could eliminate 223K irrelevant files and reduce the corpus by 4.1% in tier-1, identify 16.06% of sensitive files in tier-2, and classify files with 91% precision, 95% sensitivity, 91% accuracy, and 0.11% Hamming loss compared to the two-tier system.

computer science, information systems,telecommunications,engineering, electrical & electronic

Weifeng Li,Hsinchun Chen,Jay F. Nunamaker

DOI: https://doi.org/10.1080/07421222.2016.1267528

IF: 7.582

2016-10-01

Journal of Management Information Systems

Abstract:The past few years have witnessed millions of credit/debit cards flowing through the underground economy and ultimately causing significant financial loss. Examining key underground economy sellers has both practical and academic significance for cybercrime forensics and criminology research. Drawing on social media analytics, we have developed the AZSecure text mining system for identifying and profiling key sellers. The system identifies sellers using sentiment analysis of customer reviews and profiles sellers using topic modeling of advertisements. We evaluated the AZSecure system on eight international underground economy forums. The system significantly outperformed all benchmark machine-learning methods on identifying advertisement threads, classifying customer review sentiments, and profiling seller characteristics, with an average F-measure of about 80 percent to 90 percent. In our case study, we identified the famous carder, Rescator, who was affiliated with the Target breach, and captured important seller characteristics in terms of product type, payment options, and contact channels. Our research leverages social media analytics to probe into the underground economy in order to help law enforcement target key sellers and prevent future fraud. It also contributes to our understanding of the use of information technology in detecting deception in online systems.

information science & library science,management,computer science, information systems

Humaira Arshad,Saima Abdullah,Moatsum Alawida,Abdulatif Alabdulatif,Oludare Isaac Abiodun,Omer Riaz

DOI: https://doi.org/10.3390/s22031115

2022-02-01

Abstract:Currently, law enforcement and legal consultants are heavily utilizing social media platforms to easily access data associated with the preparators of illegitimate events. However, accessing this publicly available information for legal use is technically challenging and legally intricate due to heterogeneous and unstructured data and privacy laws, thus generating massive workloads of cognitively demanding cases for investigators. Therefore, it is critical to develop solutions and tools that can assist investigators in their work and decision making. Automating digital forensics is not exclusively a technical problem; the technical issues are always coupled with privacy and legal matters. Here, we introduce a multi-layer automation approach that addresses the automation issues from collection to evidence analysis in online social network forensics. Finally, we propose a set of analysis operators based on domain correlations. These operators can be embedded in software tools to help the investigators draw realistic conclusions. These operators are implemented using Twitter ontology and tested through a case study. This study describes a proof-of-concept approach for forensic automation on online social networks.

Chanwoo Bae,Guanhong Tao,Zhuo Zhang,Xiangyu Zhang

2024-04-18

Abstract:Cyber attacks cause over \$1 trillion loss every year. An important task for cyber security analysts is attack forensics. It entails understanding malware behaviors and attack origins. However, existing automated or manual malware analysis can only disclose a subset of behaviors due to inherent difficulties (e.g., malware cloaking and obfuscation). As such, analysts often resort to text search techniques to identify existing malware reports based on the symptoms they observe, exploiting the fact that malware samples share a lot of similarity, especially those from the same origin. In this paper, we propose a novel malware behavior search technique that is based on graph isomorphism at the attention layers of Transformer models. We also compose a large dataset collected from various agencies to facilitate such research. Our technique outperforms state-of-the-art methods, such as those based on sentence embeddings and keywords by 6-14%. In the case study of 10 real-world malwares, our technique can correctly attribute 8 of them to their ground truth origins while using Google only works for 3 cases.

Information Retrieval

Weifeng Li,Hsinchun Chen,,

DOI: https://doi.org/10.25300/misq/2022/15642

IF: 7.3

2022-12-01

MIS Quarterly

Abstract:The prevalence and rapid growth of cybercrime are largely attributed to hacker communities on the dark web, where cybercriminals extensively exchange hacking resources, share hacking knowledge, and organize cyberattacks. Such streams of hacker-generated content constitute an invaluable data source for developing threat intelligence that can inform organizations of cybersecurity risks and facilitate proactive cyber defense. Drawing upon the design science paradigm, we propose a novel nonparametric emerging topic detection (NPETD) framework for detecting emerging topics in streams of hacker-generated content. Our framework extends the state-of-the-art nonparametric topic model to inductively model topics without having to specify the number of topics a priori. Moreover, our framework features an efficient algorithm to jointly infer topics and detect topic emergence. We conducted experiments to rigorously evaluate the effectiveness and efficiency of our framework in comparison with the state-of-the-art baseline methods. Our framework outperformed the baseline methods in detecting the listings of emerging threats in darknet marketplaces on recall, F-measure, topic coherence, and processor time. The practical utility of our framework is further demonstrated in a major hacker forum, where we identified several notable emerging topics with important implications for victim companies and law enforcement. The proposed framework contributes to cybersecurity, topic detection and tracking, and design science.

information science & library science,management,computer science, information systems

Ruth Ikwu,Panos Louisvieris

DOI: https://doi.org/10.48550/arXiv.1907.02383

2019-07-04

Information Retrieval

Abstract:As the use of social platforms continues to evolve, in areas such as cyber-security and defence, it has become imperative to develop adaptive methods for tracking, identifying and investigating cyber-related activities on these platforms. This paper introduces a new approach for detecting cyber-related discussions in online social platforms using a candidate set of terms that are representative of the cyber domain. The objective of this paper is to create a cyber lexicon with cyber-related terms that is applicable to the automatic detection of cyber activities across various online platforms. The method presented in this paper applies natural language processing techniques to representative data from multiple social platform types such as Reddit, Stack overflow, twitter and cyberwar news to extract candidate terms for a generic cyber lexicon. In selecting the candidate terms, we introduce the APMIS Aggregated Pointwise Mutual Information Score in comparison with the Term Frequency-Term Degree Ratio (FDR Score) and Term Frequency-Inverse Document Frequency Score (TF-IDF Score). These scoring mechanisms are robust to account for term frequency, term relevance and mutual dependence between terms. Finally, we evaluate the performance of the cyber lexicon by measuring its precision of in classifying discussions as 'Cyber-Related' or 'Non-Cyber-Related'.

Yangyang Mei,Weihong Han,Shudong Li,Kaihan Lin,Zhihong Tian,Shumei Li

DOI: https://doi.org/10.1109/tits.2024.3360260

IF: 8.5

2024-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:The Internet now plays a pivotal role in the social and economic landspace, providing individuals and businesses with access to essential daily services and tasks. However, it has also become a breeding ground for conflicts. Advanced Persistent Threats (APTs) pose a formidable chanllenge when directed at organizations and governments, exposing the entire network to substantial security risks. Employing network fornesics for attributing cyber-attacks and acquiring timely, credible forensic results is a fundamental challenge in maintaining cyber security. This paper introduces a Deep Learning-based network forensics framework for digitally identifying and tracking network attacks, providing a comprehensive overview of the network forensics process. Specifically, we extract network traffic and employ encryption to ensure the integrity and security of data. Subsequently, we apply feature filtering techniques to retain essential traceability information, and Deep Learning model parameters are automatically optimized using hyperparameter optimization techniques. Lastly, we develop a Multi-Layer Perceptual Deep Neural Network (MLP DNN) model with perceptual capabilities for detecting anomalous events within the network. We evaluated the framework’s effectiveness using the UNSW-NB15 dataset. The experiments demonstrate that the proposed framework is applicable to APT attack forensics scenarios. In comparison to other AI methods, our framework excels in discovering and tracking network attack events with high performance.

engineering, electrical & electronic,transportation science & technology, civil

Edward Crowder,Jay Lansiquot

DOI: https://doi.org/10.48550/arXiv.2105.13957

2021-05-19

Abstract:Exploring the darknet can be a daunting task; this paper explores the application of data mining the darknet within a Canadian cybercrime perspective. Measuring activity through marketplace analysis and vendor attribution has proven difficult in the past. Observing different aspects of the darknet and implementing methods of monitoring and collecting data in the hopes of connecting contributions to the darknet marketplaces to and from Canada. The significant findings include a small Canadian presence, measured the product categories, and attribution of one cross-marketplace vendor through data visualization. The results were made possible through a multi-stage processing pipeline, including data crawling, scraping, and parsing. The primary future works include enhancing the pipeline to include other media, such as web forums, chatrooms, and emails. Applying machine learning models like natural language processing or sentiment analysis could prove beneficial during investigations.

Cryptography and Security

Yang Xin,Lingshuang Kong,Zhi Liu,Yuling Chen,Yanmiao Li,Hongliang Zhu,Mingcheng Gao,Haixia Hou,Chunhua Wang

DOI: https://doi.org/10.1109/access.2018.2836950

IF: 3.9

2018-01-01

IEEE Access

Abstract:With the development of the Internet, cyber-attacks are changing rapidly and the cyber security situation is not optimistic. This survey report describes key literature surveys on machine learning (ML) and deep learning (DL) methods for network analysis of intrusion detection and provides a brief tutorial description of each ML/DL method. Papers representing each method were indexed, read, and summarized based on their temporal or thermal correlations. Because data are so important in ML/DL methods, we describe some of the commonly used network datasets used in ML/DL, discuss the challenges of using ML/DL for cybersecurity and provide suggestions for research directions.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ashok Deb,Kristina Lerman,Emilio Ferrara

DOI: https://doi.org/10.3390/info9110280

2018-04-15

Abstract:Recent high-profile cyber attacks exemplify why organizations need better cyber defenses. Cyber threats are hard to accurately predict because attackers usually try to mask their traces. However, they often discuss exploits and techniques on hacking forums. The community behavior of the hackers may provide insights into groups' collective malicious activity. We propose a novel approach to predict cyber events using sentiment analysis. We test our approach using cyber attack data from 2 major business organizations. We consider 3 types of events: malicious software installation, malicious destination visits, and malicious emails that surpassed the target organizations' defenses. We construct predictive signals by applying sentiment analysis on hacker forum posts to better understand hacker behavior. We analyze over 400K posts generated between January 2016 and January 2018 on over 100 hacking forums both on surface and Dark Web. We find that some forums have significantly more predictive power than others. Sentiment-based models that leverage specific forums can outperform state-of-the-art deep learning and time-series models on forecasting cyber attacks weeks ahead of the events.

Computation and Language

Aaron Zimba,Mumbi Chishimba,Christabel Ngongola-Reinke,Tozgani Fainess Mbale

DOI: https://doi.org/10.48550/arXiv.2102.10634

2021-02-22

Abstract:Cryptocurrencies have emerged as a new form of digital money that has not escaped the eyes of cyber-attackers. Traditionally, they have been maliciously used as a medium of exchange for proceeds of crime in the cyber dark-market by cyber-criminals. However, cyber-criminals have devised an exploitative technique of directly acquiring cryptocurrencies from benign users' CPUs without their knowledge through a process called crypto mining. The presence of crypto mining activities in a network is often an indicator of compromise of illegal usage of network resources for crypto mining purposes. Crypto mining has had a financial toll on victims such as corporate networks and individual home users. This paper addresses the detection of crypto mining attacks in a generic network environment using dynamic network characteristics. It tackles an in-depth overview of crypto mining operational details and proposes a semi-supervised machine learning approach to detection using various crypto mining features derived from complex network characteristics. The results demonstrate that the integration of semi-supervised learning with complex network theory modeling is effective at detecting crypto mining activities in a network environment. Such an approach is helpful during security mitigation by network security administrators and law enforcement agencies.

Cryptography and Security