Xiuwen Liu,Jianming Fu,Yanjiao Chen

DOI: https://doi.org/10.1016/j.ins.2020.03.048

IF: 8.1

2020-01-01

Information Sciences

Abstract:The rich source of online reports and discussions on social media can be leveraged to investigate the widespread cyber-attacks. In this paper, we study the problem of cybersecurity event mining based on continuous tweet streams. In contrast to traditional static methods that do not consider event evolution, we explore relevance among historical and online events for cyber-attack event discovery and evolution detection. We propose CyberEM, a novel event evolution model with a special focus on cybersecurity events. A pattern clustering algorithm and an NMF-based (non-negative matrix factorization) event aggregation algorithm are devised for cyber-attack indicator extraction and event evolution detection. We leverage both the patterns that belong to the cybersecurity domain and the patterns of the semantic contexts of cybersecurity to refine evolutionary relevance of events across multiple time intervals. Furthermore, we design a dynamic event inference algorithm to discover cybersecurity events and update event aggregation in an online manner. Through extensive evaluations with a large-scale real-world tweet dataset, we demonstrate the superiority of the proposed CyberEM model over existing methods in identifying cybersecurity events and their evolutionary relevance.

Weifeng Li,Hsinchun Chen,,

DOI: https://doi.org/10.25300/misq/2022/15642

IF: 7.3

2022-12-01

MIS Quarterly

Abstract:The prevalence and rapid growth of cybercrime are largely attributed to hacker communities on the dark web, where cybercriminals extensively exchange hacking resources, share hacking knowledge, and organize cyberattacks. Such streams of hacker-generated content constitute an invaluable data source for developing threat intelligence that can inform organizations of cybersecurity risks and facilitate proactive cyber defense. Drawing upon the design science paradigm, we propose a novel nonparametric emerging topic detection (NPETD) framework for detecting emerging topics in streams of hacker-generated content. Our framework extends the state-of-the-art nonparametric topic model to inductively model topics without having to specify the number of topics a priori. Moreover, our framework features an efficient algorithm to jointly infer topics and detect topic emergence. We conducted experiments to rigorously evaluate the effectiveness and efficiency of our framework in comparison with the state-of-the-art baseline methods. Our framework outperformed the baseline methods in detecting the listings of emerging threats in darknet marketplaces on recall, F-measure, topic coherence, and processor time. The practical utility of our framework is further demonstrated in a major hacker forum, where we identified several notable emerging topics with important implications for victim companies and law enforcement. The proposed framework contributes to cybersecurity, topic detection and tracking, and design science.

information science & library science,management,computer science, information systems

Yilin Zhao,Le Cheng

DOI: https://doi.org/10.1515/ijld-2024-2001

2024-01-01

International Journal of Legal Discourse

Abstract:As digital technology prevails in crimes, academic insights have expanded to diverse issues related to cybercrimes both in China and abroad. Various jurisdictions have made efforts to get cybercrime under control, in particular, fighting against the misuse of emerging technologies in cybercrimes. In the context of cross-border cybercrime, putting one region's criminal growth down could not live without cross-border or cross-sector cooperation. With such understanding, this paper aims to conduct a comparative study of cross-border cybercrime publications to see the research trends from the divergence and convergence of academic studies inside and outside China. Specifically, using CiteSpace (6.2.R6), this study presents an extensive bibliometric analysis of cross-border cybercrime research published during the past three decades in Web of Science Core Collections and China National Knowledge Infrastructure (CNKI). The findings indicate the typical features of publications in different phases. Among others, the keywords analysis including cluster mapping and strongest burst reveals the research trend, which indicates that cross-border cybercrime is featured as possessing a complete industrial chain of online black market, with increasing application of high-tech tools and more connection with illicit financial flow. This study also examines barriers and touches upon the implications in the efficient fight against cross-border cybercrime, as well as the existing approaches like public-private partnership, mutual legal assistance and police cooperation, and global pathways to reducing conflicts among jurisdictions.

Xin-Li Yang,David Lo,Xin Xia,Zhi-Yuan Wan,Jian-Ling Sun

DOI: https://doi.org/10.1007/s11390-016-1672-0

2016-01-01

Abstract:Security has always been a popular and critical topic. With the rapid development of information technology, it is always attracting people’s attention. However, since security has a long history, it covers a wide range of topics which change a lot, from classic cryptography to recently popular mobile security. There is a need to investigate security-related topics and trends, which can be a guide for security researchers, security educators and security practitioners. To address the above-mentioned need, in this paper, we conduct a large-scale study on security-related questions on Stack Overflow. Stack Overflow is a popular on-line question and answer site for software developers to communicate, collaborate, and share information with one another. There are many different topics among the numerous questions posted on Stack Overflow and security-related questions occupy a large proportion and have an important and significant position. We first use two heuristics to extract from the dataset the questions that are related to security based on the tags of the posts. And then we use an advanced topic model, Latent Dirichlet Allocation (LDA) tuned using Genetic Algorithm (GA), to cluster different security-related questions based on their texts. After obtaining the different topics of security-related questions, we use their metadata to make various analyses. We summarize all the topics into five main categories, and investigate the popularity and difficulty of different topics as well. Based on the results of our study, we conclude several implications for researchers, educators and practitioners.

Jack Hughes,Sergio Pastrana,Alice Hutchings,Sadia Afroz,Sagar Samtani,Weifeng Li,Ericsson Santana Marin

DOI: https://doi.org/10.1145/3639362

IF: 16.6

2024-02-24

ACM Computing Surveys

Abstract:In the last decade, cybercrime has risen considerably. One key factor is the proliferation of online cybercrime communities, where actors trade products and services, and also learn from each other. Accordingly, understanding the operation and behavior of these communities is of great interest, and they have been explored across multiple disciplines with different, often quite novel, approaches. This survey explores the challenges inherent to the field and the methodological approaches researchers used to understand this space. We note that, in many cases, cybercrime research is more of an art than a science. We highlight the good practices and propose a list of recommendations for future cybercrime community scholars, including taking steps to verify and validate results, establishing privacy and ethical research practices, and mitigating the challenge of ground truth data.

computer science, theory & methods

Felipe Moreno-Vera

DOI: https://doi.org/10.1109/ICTC58733.2023.10393244

2024-05-07

Abstract:The increasing sophistication of cyber threats necessitates proactive measures to identify vulnerabilities and potential exploits. Underground hacking forums serve as breeding grounds for the exchange of hacking techniques and discussions related to exploitation. In this research, we propose an innovative approach using topic modeling to analyze and uncover key themes in vulnerabilities discussed within these forums. The objective of our study is to develop a machine learning-based model that can automatically detect and classify vulnerability-related discussions in underground hacking forums. By monitoring and analyzing the content of these forums, we aim to identify emerging vulnerabilities, exploit techniques, and potential threat actors. To achieve this, we collect a large-scale dataset consisting of posts and threads from multiple underground forums. We preprocess and clean the data to ensure accuracy and reliability. Leveraging topic modeling techniques, specifically Latent Dirichlet Allocation (LDA), we uncover latent topics and their associated keywords within the dataset. This enables us to identify recurring themes and prevalent discussions related to vulnerabilities, exploits, and potential targets.

Cryptography and Security,Artificial Intelligence,Computers and Society,Machine Learning

Qing Hu,Zhengchuan Xu,Ali Alper Yayla

2013-01-01

Abstract:Computer hacking committed by young adults has become an epidemic that threatens the social and economic prosperity brought by information technology around the world. In this study, we extend previous studies on computer hackers with a cross cultural approach by comparing sources of influence on computer hacking in two countries: China and the United States. This comparative study yielded some significant insights about the contributing factors to the computer hacking phenomenon in these two countries. While some factors are consistent, others are distinctly different, across the two samples. We find that moral beliefs about computer hacking are the most consistent antidote against computer hacking intentions among the Chinese and the American college students. On the other hand, we find that playing computer games (team sports) significantly increases (decreases) the intention to computer hacking in the Chinese college students, but has no significant effect on the American college students. In addition, we find that hypotheses based on routine activity and selfcontrol theories are modestly supported by the two samples; however, each sample supports distinct dimensions of the two theories. Hofstede’s national cultural framework provides salient explanations to these differences in the two samples.

Yunteng Huang

2001-01-01

Abstract:With the development of computer technology,computer network become more complex,more and more peoples are involved in computer crimes. Hacker's attack on computer network is a new computer crime. I analyse here hacker's motives,their behaviors and technical methods in committing crimes. I bring forward here relevant countermeasures against hackers to secure the computer network.

Ziming Zhao,Gail-Joon Ahn,Hongxin Hu,Deepinder Mahi

2012-01-01

Abstract:Existing research on net-centric attacks has focused on the detection of attack events on network side and the removal of rogue programs from client side. However, such approaches largely overlook the way on how attack tools and unwanted programs are developed and distributed. Recent studies in underground economy reveal that suspicious attackers heavily utilize online social networks to form special interest groups and distribute malicious code. Consequently, examining social dynamics, as a novel way to complement existing research efforts, is imperative to systematically identify attackers and tactically cope with net-centric threats. In this paper, we seek a way to understand and analyze social dynamics relevant to net-centric attacks and propose a suite of measures called SocialImpact for systematically discovering and mining adversarial evidence. We also demonstrate the feasibility and applicability of our approach by implementing a proof-of-concept prototype Cassandra with a case study on real-world data archived from the Internet.

Zhao Kangzhi,Zhang Yong,Xing Chunxiao,Li Weifeng,Chen Hsinchun

DOI: https://doi.org/10.1109/ISI.2016.7745450

2016-01-01

Abstract:With the rapid growth of online population, China has become the world's largest online market. This also gives rise to the Chinese underground market, which has facilitated many of the cybercrimes in China. Consequently, there is a need for research scrutinizing Chinese underground markets. One major challenge facing cybersecurity researchers is to understand the unfamiliar cybercriminal jargons. To this end, we are motivated to analyze jargons in Chinese underground market. Particularly, we utilize the recent advancements in unsupervised machine learning methods, word embedding and Latent Dirichlet Allocation. We evaluate our work on a research testbed encompassing 29 exclusive underground market QQ groups with 23,000 members. Specifically, we test the ability of the proposed approach to learn semantically similar words of known cybersecurity-related jargons. Results suggest the state-of-the-art unsupervised learning approaches can help better understand cybercriminal language, providing promising insights for future research on Chinese underground markets.

Yi Zhou,Kai Chen,Li Song,Xiaokang Yang,Jianhua He

DOI: https://doi.org/10.1109/asonam.2012.133

2012-01-01

Abstract:In this poster we report our study on the microblog spammers with samples attracted by 50 honeyspots from two popular Chinese microblogging networks: Sina Weibo (weibo.com), and Ten cent Weibo (t.QQ.com) in seven months. We studied their features such as social information, activity, account age and spamming strategy. Several distinguishing characteristics of spammers on these two social network communities are observed, which can be helpful to the further study on automatic detection of microblog spammers. To our best knowledge our work is the first of its kind on the analysis of features of Chinese micloblog spammers.

WANG Bo,GUO Jie,QIU Weidong,HUANG Zheng

DOI: https://doi.org/10.11959/j.issn.2096-109x.2024041

2024-01-01

Abstract:With the widespread adoption of the Internet and an increase in the number of Internet users,the security of the network environment has been seriously threatened by Internet public hazards organizations,such as the In-ternet water army and the internet public hazards community.Given the characteristics of these organizations,which include being distant from domestic supervision and possessing strong concealment and camouflage abili-ties,a social network characteristic analysis method was proposed for Internet public hazards organizations.Ini-tially,at the user characteristic level,the influence distribution of group members was calculated through centrality measurement to identify the core users with the greatest influence,and an analysis of the anonymity characteristics of these core members was conducted.Subsequently,at the complex network characteristic level,the cluster status and resource distribution within the community were studied through the analysis of small-world effects and scale-free characteristics.Finally,at the temporal characteristic level,after preprocessing the post content of core mem-bers,BERTopic was utilized for dynamic topic modeling to ascertain the relationship between community themes and time.A large number of experimental performance analyses have verified the effectiveness of the proposed method.The research results can be utilized to analyze the characteristics of public hazard communities,track criminal activity trajectories,and provide theoretical references for the investigation and crackdown of public haz-ard organizations,as well as for the design of automated detection systems.

Maochao Xu,Kristin M. Schweitzer,Raymond M. Bateman,Shouhuai Xu

DOI: https://doi.org/10.1109/tifs.2018.2834227

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Analyzing cyber incident data sets is an important method for deepening our understanding of the evolution of the threat situation. This is a relatively new research topic, and many studies remain to be done. In this paper, we report a statistical analysis of a breach incident data set corresponding to 12 years (2005-2017) of cyber hacking activities that include malware attacks. We show that, in contrast to the findings reported in the literature, both hacking breach incident inter-arrival times and breach sizes should be modeled by stochastic processes, rather than by distributions because they exhibit autocorrelations. Then, we propose particular stochastic process models to, respectively, fit the inter-arrival times and the breach sizes. We also show that these models can predict the inter-arrival times and the breach sizes. In order to get deeper insights into the evolution of hacking breach incidents, we conduct both qualitative and quantitative trend analyses on the data set. We draw a set of cybersecurity insights, including that the threat of cyber hacks is indeed getting worse in terms of their frequency, but not in terms of the magnitude of their damage.

Abdoul Nasser Hassane Amadou,Anas Motii,Saida Elouardi,EL Houcine Bergou

2024-11-08

Abstract:Underground forums serve as hubs for cybercriminal activities, offering a space for anonymity and evasion of conventional online oversight. In these hidden communities, malicious actors collaborate to exchange illicit knowledge, tools, and tactics, driving a range of cyber threats from hacking techniques to the sale of stolen data, malware, and zero-day exploits. Identifying the key instigators (i.e., key hackers), behind these operations is essential but remains a complex challenge. This paper presents a novel method called EUREKHA (Enhancing User Representation for Key Hacker Identification in Underground Forums), designed to identify these key hackers by modeling each user as a textual sequence. This sequence is processed through a large language model (LLM) for domain-specific adaptation, with LLMs acting as feature extractors. These extracted features are then fed into a Graph Neural Network (GNN) to model user structural relationships, significantly improving identification accuracy. Furthermore, we employ BERTopic (Bidirectional Encoder Representations from Transformers Topic Modeling) to extract personalized topics from user-generated content, enabling multiple textual representations per user and optimizing the selection of the most representative sequence. Our study demonstrates that fine-tuned LLMs outperform state-of-the-art methods in identifying key hackers. Additionally, when combined with GNNs, our model achieves significant improvements, resulting in approximately 6% and 10% increases in accuracy and F1-score, respectively, over existing methods. EUREKHA was tested on the Hack-Forums dataset, and we provide open-source access to our code.

Cryptography and Security,Computation and Language,Social and Information Networks

Long Cheng,Lei Zhang,Jinchuan Wang

DOI: https://doi.org/10.1145/2380718.2380727

2012-01-01

Abstract:Human Flesh Search (HFS) is a phenomenon of collaborative researching with a purpose of exposing personal information details of a target who has committed some misbehaviors. With the steady growth of Internet population and the communication convenience brought by forums, SNS and micro-blogs, HFS is becoming more and more powerful and able to fulfill tasks which are "mission impossible" by other conventional means. Most existing research work on HFS focuses on legal or privacy issues, while we aim at building a mathematical model to understand the evolution of the search process and hence to evaluate and quantify the capability of this massive collaboration intelligence. By borrowing ideas from epidemics, we build a mathematical model which views the process of HFS as an analogy to the process of infectious disease spread. Experimental results show that our model matches real HFS cases very well. The contribution of this paper is as follows. First, it is the first attempt to develop mathematical models to quantitatively describe the capability of HFS. Second, it is the first time to examine the relationship between target information entropy and its impact on netizen response, which cast new light on the success/failure prediction of future HFS campaigns.

Chun-Ming Lai,Xiaoyun Wang,Yunfeng Hong,Yu-Cheng Lin,S. Felix Wu,Patrick McDaniel,Hasan Cam

DOI: https://doi.org/10.23919/CNSM.2017.8256040

2018-02-13

Abstract:Online social network (OSN) discussion groups are exerting significant effects on political dialogue. In the absence of access control mechanisms, any user can contribute to any OSN thread. Individuals can exploit this characteristic to execute targeted attacks, which increases the potential for subsequent malicious behaviors such as phishing and malware distribution. These kinds of actions will also disrupt bridges among the media, politicians, and their constituencies. For the concern of Security Management, blending malicious cyberattacks with online social interactions has introduced a brand new challenge. In this paper we describe our proposal for a novel approach to studying and understanding the strategies that attackers use to spread malicious URLs across Facebook discussion groups. We define and analyze problems tied to predicting the potential for attacks focused on threads created by news media organizations. We use a mix of macro static features and the micro dynamic evolution of posts and threads to identify likely targets with greater than 90% accuracy. One of our secondary goals is to make such predictions within a short (10 minute) time frame. It is our hope that the data and analyses presented in this paper will support a better understanding of attacker strategies and footprints, thereby developing new system management methodologies in handing cyber attacks on social networks.

Social and Information Networks

Jianwei Zhuge,Thorsten Holz,Chengyu Song,Jinpeng Guo,Xinhui Han,Wei Zou

DOI: https://doi.org/10.1007/978-0-387-09762-6_11

2008-01-01

Abstract:The World Wide Web gains more and more popularity within China with more than 1.31 million websites on the Chinese Web in June 2007. Driven by the economic profits, cyber criminals are on the rise and use the Web to exploit innocent users. In fact, a real underground black market with thousands of parti cipants has developed, which brings together malicious users who trade exploits, malware, virtual assets, stolen credentials, and more. In this chapter, we provide a detailed overview of this underground black market and present a model to describe the market. We substantiate our model with the help of measurement results within the Chinese Web. First, we show that the amount of virtual assets traded on this underground market is huge. Second, our research proves that a significant amount of websites within China’s part of the Web contain some kind of malicious content: our measurements reveal that about 1.49% of the examined sites contain malicious content that tries to attack the visitor’s browser.

Felipe Moreno-Vera,Mateus Nogueira,Cainã Figueiredo,Daniel Sadoc Menasché,Miguel Bicudo,Ashton Woiwood,Enrico Lovat,Anton Kocheturov,Leandro Pfleger de Aguiar

2023-08-04

Abstract:This paper proposes a machine learning-based approach for detecting the exploitation of vulnerabilities in the wild by monitoring underground hacking forums. The increasing volume of posts discussing exploitation in the wild calls for an automatic approach to process threads and posts that will eventually trigger alarms depending on their content. To illustrate the proposed system, we use the CrimeBB dataset, which contains data scraped from multiple underground forums, and develop a supervised machine learning model that can filter threads citing CVEs and label them as Proof-of-Concept, Weaponization, or Exploitation. Leveraging random forests, we indicate that accuracy, precision and recall above 0.99 are attainable for the classification task. Additionally, we provide insights into the difference in nature between weaponization and exploitation, e.g., interpreting the output of a decision tree, and analyze the profits and other aspects related to the hacking communities. Overall, our work sheds insight into the exploitation of vulnerabilities in the wild and can be used to provide additional ground truth to models such as EPSS and Expected Exploitability.

Cryptography and Security,Machine Learning

Chenyang Wang,Yi Shen,Yuwei Li,Min Zhang,Miao Hu,Jinghua Zheng

DOI: https://doi.org/10.1016/j.engappai.2023.106775

IF: 8

2023-01-01

Engineering Applications of Artificial Intelligence

Abstract:With the development of online transactions, the Chinese cyber black market is proliferating and facilitates many cybercrimes. It is difficult to understand the cyber black market due to the confusing jargon (called black keywords in this paper) used by criminals to conceal underground transactions. To discover black keywords automatically, some natural language processing based methods have been proposed by comparing the similarity of word vectors generated by word embedding models. Therefore, the quality of word vectors generated has a significant impact on black keyword discovery and it is necessary to evaluate different word embedding models in discovering black keywords. To this end, we design a Chinese black keyword discovery framework and conduct a systematic empirical study on six existing word embedding models including both static and dynamic types in discovering Chinese black keywords. In specific, we classify Chinese black keywords in four types: domain specific words (DSWs), new meaning words (NMWs), similar pronunciation words (SPWs), and similar glyph words (SGWs). We experimentally find that different word embedding models vary greatly in performance when discovering black keywords, e.g., dynamic models perform well in discovering DSWs and NMWs, static ones perform poorly in discovering NMWs. We improve the static word embedding model based NMW discovery algorithm by additionally comparing the differences in cross-corpus word nearest -neighbors before and after domain incremental training. For effectively discovering variant words like SPWs and SGWs, we additionally introduce Chinese pronunciation and glyph features. The experimental results demonstrate the effectiveness of the proposed Chinese black keyword discovery framework, with detection accuracies of over 90% for DSWs, 80% for NWMs, 90% for SPWs, and 61% for SGWs.

Liu Fanzhen,Li Zhao,Wang Baokun,Wu Jia,Yang Jian,Huang Jiaming,Zhang Yiqing,Wang Weiqiang,Xue Shan,Nepal Surya,Sheng Quan Z.

DOI: https://doi.org/10.1007/s00778-021-00723-z

2022-01-01

Abstract:In e-commerce scenarios, frauds events such as telecom fraud, insurance fraud, and fraudulent transactions, bring a huge amount of loss to merchants or users. Identification of fraudsters helps regulators take measures for targeted control. Given a set of fraudsters and suspicious users observed from victims’ reports, how can we effectively distinguish risky users closely related to them from the others for further investigation by human experts? Fraudsters take camouflage actions to hide from being discovered; complex features on users are hard to deal with; patterns of fraudsters are sometimes difficult to explain by human knowledge; and real-world applications involve millions of users. All this makes the question hard to answer. To this end, we design eRiskCom, an e-commerce risky community detection platform to detect risky groups containing identified fraudsters and other closely related users. With the hypothesis that users who interact frequently with fraudsters are more likely to come from the same “risky community,” we construct a connected graph expanded from the identified fraudsters and suspicious users. Next, graph partition is employed to get knowledge of assignment of identified users to potential risky communities, followed by pruning to discover the core members of each community. Finally, top- K users with a high risk score in the neighborhood of core members of each potential community form a final risky community. The extensive experiments are conducted to analyze the effect of our platform components on the alignment with requirements of practical scenarios, and experimental results further demonstrate that eRiskCom is effective and easy to deploy for real-world applications.