Felipe Moreno-Vera

DOI: https://doi.org/10.1109/ICTC58733.2023.10393244

2024-05-07

Abstract:The increasing sophistication of cyber threats necessitates proactive measures to identify vulnerabilities and potential exploits. Underground hacking forums serve as breeding grounds for the exchange of hacking techniques and discussions related to exploitation. In this research, we propose an innovative approach using topic modeling to analyze and uncover key themes in vulnerabilities discussed within these forums. The objective of our study is to develop a machine learning-based model that can automatically detect and classify vulnerability-related discussions in underground hacking forums. By monitoring and analyzing the content of these forums, we aim to identify emerging vulnerabilities, exploit techniques, and potential threat actors. To achieve this, we collect a large-scale dataset consisting of posts and threads from multiple underground forums. We preprocess and clean the data to ensure accuracy and reliability. Leveraging topic modeling techniques, specifically Latent Dirichlet Allocation (LDA), we uncover latent topics and their associated keywords within the dataset. This enables us to identify recurring themes and prevalent discussions related to vulnerabilities, exploits, and potential targets.

Cryptography and Security,Artificial Intelligence,Computers and Society,Machine Learning

Rebekah Overdorf,Carmela Troncoso,Rachel Greenstadt,Damon McCoy

DOI: https://doi.org/10.48550/arXiv.1805.04494

2018-05-12

Abstract:Underground forums where users discuss, buy, and sell illicit services and goods facilitate a better understanding of the economy and organization of cybercriminals. Prior work has shown that in particular private interactions provide a wealth of information about the cybercriminal ecosystem. Yet, those messages are seldom available to analysts, except when there is a leak. To address this problem we propose a supervised machine learning based method able to predict which public \threads will generate private messages, after a partial leak of such messages has occurred. To the best of our knowledge, we are the first to develop a solution to overcome the barrier posed by limited to no information on private activity for underground forum analysis. Additionally, we propose an automate method for labeling posts, significantly reducing the cost of our approach in the presence of real unlabeled data. This method can be tuned to focus on the likelihood of users receiving private messages, or \threads triggering private interactions. We evaluate the performance of our methods using data from three real forum leaks. Our results show that public information can indeed be used to predict private activity, although prediction models do not transfer well between forums. We also find that neither the length of the leak period nor the time between the leak and the prediction have significant impact on our technique's performance, and that NLP features dominate the prediction power.

Cryptography and Security

Haishuai Wang,Peng Zhang,Ling Chen,Chengqi Zhang

DOI: https://doi.org/10.1007/978-3-319-19548-3_27

2015-01-01

Abstract:In this paper, we present our recent progress of designing a real-time system, SocialAnalysis, to discover and summarize emergent social events from social media data streams. In social networks era, people always frequently post messages or comments about their activities and opinions. Hence, there exist temporal correlations between the physical world and virtual social networks, which can help us to monitor and track social events, detecting and positioning anomalous events before their outbreakings, so as to provide early warning.The key technologies in the system include: (1) Data denoising methods based on multi-features, which screens out the query-related event data from massive background data. (2) Abnormal events detection methods based on statistical learning, which can detect anomalies by analyzing and mining a series of observations and statistics on the time axis. (3) Geographical position recognition, which is used to recognize regions where abnormal events may happen.

Felipe Moreno-Vera,Mateus Nogueira,Cainã Figueiredo,Daniel Sadoc Menasché,Miguel Bicudo,Ashton Woiwood,Enrico Lovat,Anton Kocheturov,Leandro Pfleger de Aguiar

2023-08-04

Abstract:This paper proposes a machine learning-based approach for detecting the exploitation of vulnerabilities in the wild by monitoring underground hacking forums. The increasing volume of posts discussing exploitation in the wild calls for an automatic approach to process threads and posts that will eventually trigger alarms depending on their content. To illustrate the proposed system, we use the CrimeBB dataset, which contains data scraped from multiple underground forums, and develop a supervised machine learning model that can filter threads citing CVEs and label them as Proof-of-Concept, Weaponization, or Exploitation. Leveraging random forests, we indicate that accuracy, precision and recall above 0.99 are attainable for the classification task. Additionally, we provide insights into the difference in nature between weaponization and exploitation, e.g., interpreting the output of a decision tree, and analyze the profits and other aspects related to the hacking communities. Overall, our work sheds insight into the exploitation of vulnerabilities in the wild and can be used to provide additional ground truth to models such as EPSS and Expected Exploitability.

Cryptography and Security,Machine Learning

Zhao Kangzhi,Zhang Yong,Xing Chunxiao,Li Weifeng,Chen Hsinchun

DOI: https://doi.org/10.1109/ISI.2016.7745450

2016-01-01

Abstract:With the rapid growth of online population, China has become the world's largest online market. This also gives rise to the Chinese underground market, which has facilitated many of the cybercrimes in China. Consequently, there is a need for research scrutinizing Chinese underground markets. One major challenge facing cybersecurity researchers is to understand the unfamiliar cybercriminal jargons. To this end, we are motivated to analyze jargons in Chinese underground market. Particularly, we utilize the recent advancements in unsupervised machine learning methods, word embedding and Latent Dirichlet Allocation. We evaluate our work on a research testbed encompassing 29 exclusive underground market QQ groups with 23,000 members. Specifically, we test the ability of the proposed approach to learn semantically similar words of known cybersecurity-related jargons. Results suggest the state-of-the-art unsupervised learning approaches can help better understand cybercriminal language, providing promising insights for future research on Chinese underground markets.

Zhibo Sun,Carlos E. Rubio-Medrano,Ziming Zhao,Tiffany Bao,Adam Doupe,Gail-Joon Ahn

DOI: https://doi.org/10.1145/3292006.3300036

2019-01-01

Abstract:The studies on underground forums and marketplaces have significantly advanced our understandings of cybercrime workflows and underground economies. Researchers of underground economies have conducted comprehensive studies on public interactions. However, little research focuses on private interactions. The lack of the investigation on private interactions may cause misunderstandings on underground economies, as users in underground forums and marketplaces tend to share the minimal amount of information in public interactions and resort to private messages for follow-up conversations. In this paper, we propose methods to investigate the underground private interactions and we analyze a recently leaked dataset from Nulled.io. We present analyses on the contents and purposes of private messages. In addition, we design machine learning-based models that only use the publicly available information to detect if two underground users privately communicate with each other. Finally, we perform adversarial analysis to evaluate the robustness of the detector to different types of attacks.

Raymond Y. K. Lau,Yunqing Xia

DOI: https://doi.org/10.7763/ijfcc.2013.v2.187

2013-01-01

International Journal of Future Computer and Communication

Abstract:Recent research reveals that the number of cyber-attacks has been doubled in the past three years. This is a devastating growth of the number of cyber-attacks, and it reveals a serious business problem around the world. Existing intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and anti-malware systems mainly rely on low-level network traffic features or program code signatures to detect cyber-attacks. However, since hackers can constantly change their attack tactics by, it is extremely difficult for existing security solutions to detect cyber-attacks. There are increasing more evidences showing that cybercriminals tend to exchange cybercrime knowledge and transact via online social media. Accordingly, it presents unprecedented opportunities for security intelligence experts to tap into online social media to extract the vital security intelligence for cyber-attack forensics. The main contributions of this paper are the design, development, and evaluation of a Latent Dirichlet Allocation (LDA)-based latent text mining model for cyber-attack forensics. Our preliminary evaluation of the proposed latent text mining model based on a real-world data set crawled from Twitter and Blog sites shows that it significantly outperforms the probabilistic latent semantic indexing (pLSI) method in terms of extracting more relevant and richer concepts describing real-world cyber-attack incidents.

Weiguo Fan,Jian Jiao

2013-01-01

Abstract:The Internet has revolutionized the way users share and acquire knowledge. As important and popular Web-based applications, online discussion forums provide interactive platforms for users to exchange information and report problems. With the rapid growth of social networks and an ever increasing number of Internet users, online forums have accumulated a huge amount of valuable user-generated data and have accordingly become a major information source for business intelligence. This study focuses specifically on product defects, which are one of the central concerns of manufacturing companies and service providers, and proposes a machine learning method to automatically detect product defects in the context of online forums. To complement the detection of product defects, we also present a product feature extraction method to summarize defect threads and a thread ranking method to search for troubleshooting solutions. To this end, we collected different data sets to test these methods experimentally. The results of the tests show that our methods are very promising. In fact, in most cases, they outperformed current state-of-the-art methods.

Soumajyoti Sarkar,Mohammad Almukaynizi,Jana Shakarian,Paulo Shakarian

DOI: https://doi.org/10.48550/arXiv.1811.06537

2018-11-16

Abstract:With rise in security breaches over the past few years, there has been an increasing need to mine insights from social media platforms to raise alerts of possible attacks in an attempt to defend conflict during competition. We use information from the darkweb forums by leveraging the reply network structure of user interactions with the goal of predicting enterprise cyber attacks. We use a suite of social network features on top of supervised learning models and validate them on a binary classification problem that attempts to predict whether there would be an attack on any given day for an organization. We conclude from our experiments using information from 53 forums in the darkweb over a span of 12 months to predict real world organization cyber attacks of 2 different security events that analyzing the path structure between groups of users is better than just studying network centralities like Pagerank or relying on the user posting statistics in the forums.

Social and Information Networks

Soumajyoti Sarkar,Mohammad Almukaynizi,Jana Shakarian,Paulo Shakarian

DOI: https://doi.org/10.1007/s13278-019-0603-9

2019-09-30

Social Network Analysis and Mining

Abstract:With the rise in security breaches over the past few years, there has been an increasing need to mine insights from social media platforms to raise alerts of possible attacks in an attempt to defend conflict during competition. In this study, we attempt to build a framework that utilizes unconventional signals from the darkweb forums by leveraging the reply network structure of user interactions with the goal of predicting enterprise-related external cyber attacks. We use both unsupervised and supervised learning models that address the challenges that come with the lack of enterprise attack metadata for ground-truth validation as well as insufficient data for training the models. We validate our models on a binary classification problem that attempts to predict cyber attacks on a daily basis for an organization. Using several controlled studies on features leveraging the network structure, we measure the extent to which the indicators from the darkweb forums can be successfully used to predict attacks. We use information from 53 forums in the darkweb over a span of 17 months for the task. Our framework to predict real-world organization cyber attacks of three different security events suggests that focusing on the reply path structure between groups of users based on random walk transitions and community structures has an advantage in terms of better performance solely relying on forum or user posting statistics prior to attacks.

Jingtian Jiang,Nenghai Yu

DOI: https://doi.org/10.1109/ICCSNT.2011.6182453

2011-01-01

Abstract:Web forums are important services where users can request and exchange information with others.Recently, there are more and more research works on mining knowledge from web forums due to the richness of information. In contrast, there is little work about discovering web forums. However, automatic web forum discovery is crucial for large-scale applications, e.g. a forum search engine. In this paper, we study how to discover web forums from browse log automatically. Although web forums have different layouts or styles, they always have similar implicit navigation paths leading users from their entry pages to thread pages. The implicit navigation paths make the user browsing behavior in web forums different from that in general sites. Thus we propose an efficient approach to discover web forums from browse log via detecting the specific user browsing behavior. We first build a browse map by clustering the browsed URLs, and then detect the browse behavior from the browse map. Next we adopt a few features to determine whether a site is a web forum or not. Experiment results on a large data set show that our approach is very effective and efficient.

Yichi Yang,Guang-chao Xu,Yifei Xu,ShuiGuang Deng

2017-01-01

Abstract:With the rapid development of infrastructure including power grids, managers in power industry these days are faced with an increasingly severe problem of theft of electricity. Theft of electricity has negative effects on many socioeconomic aspects, including impacting stable growth of economic for power enterprises and social development. The traditional anti-theft means require officers checking the integrity of kilowatt-hour meter and the correctness of wiring house by house, which requires enormous manpower and material resources. With the advancement of information collecting technology, power enterprises now possess relatively complete database of power consumption. As a result, performing data mining on existing database and identifying abnormal users has become a hot topic in the field of information technology. The purpose of this paper is to identify abnormal users with machine learning algorithms, providing power enterprises with means to detect theft of electricity at lower cost. The contributions of this paper are listed as follows: 1) Propose various features, providing means to describe users’ behaviors. First, monistic features (mean, difference, coefficient of variation, range, standard deviation), binary features (cosine similarity, Pearson product-moment correlation coefficient) and multivariate features are calculated based on user power consumption (monthly, seasonally, yearly, per holiday, per workday). Then principal component analysis is used to perform dimensionality reduction on the dataset. The dataset is finally scaled and oversampled to form the feature dataset. 2) Study various classification algorithms, optimize hyperparameters, providing models to detect theft of electricity. In this paper, the mechanism behind support vector machine, back-propagation neural network, random forest and XGBoost is studied and the hyperparameters are optimized. 3) Compare and evaluate different classifiers, and provide suggestions for real-world application. In this paper, different classifiers are evaluated with different metrics and the best classifier is recommended based on real-world dataset and different application scenarios.

Victor Adewopo,Bilal Gonen,Nelly Elsayed,Murat Ozer,Zaghloul Saad Elsayed

DOI: https://doi.org/10.48550/arXiv.2202.01448

2022-02-03

Cryptography and Security

Abstract:In our current society, the inter-connectivity of devices provides easy access for netizens to utilize cyberspace technology for illegal activities. The deep web platform is a consummative ecosystem shielded by boundaries of trust, information sharing, trade-off, and review systems. Domain knowledge is shared among experts in hacker's forums which contain indicators of compromise that can be explored for cyberthreat intelligence. Developing tools that can be deployed for threat detection is integral in securing digital communication in cyberspace. In this paper, we addressed the use of TOR relay nodes for anonymizing communications in deep web forums. We propose a novel approach for detecting cyberthreats using a deep learning algorithm Long Short-Term Memory (LSTM). The developed model outperformed the experimental results of other researchers in this problem domain with an accuracy of 94\% and precision of 90\%. Our model can be easily deployed by organizations in securing digital communications and detection of vulnerability exposure before cyberattack.

Lei Shi,Bai Sun,Liang Kong,Yan Zhang

DOI: https://doi.org/10.1109/cit.2009.53

2009-01-01

Abstract:As Web forum has become an enormous collection of highly valuable opinions and commentaries, more and more researchers express strong interests on it. However, most of them pay attention to the forum reviews rather than the posts themselves. In this paper we focus on recognizing the diversified opinions of different threads on the same topic from Chinese Web forums. First, we congregate the Web forum threads on the same topic into a cluster. In order to further distinguish different opinions for a topic, we propose a sentiment classification algorithm based on a probability word-list, which is constructed by us using a propagation method on the word graph with a seed set. Experimental results on a real data set show that our algorithm performs well with both high precision and efficiency, much better than traditional methods such as SVM and naive Bayes.

Weifeng Li,Hsinchun Chen,Jay F. Nunamaker

DOI: https://doi.org/10.1080/07421222.2016.1267528

IF: 7.582

2016-10-01

Journal of Management Information Systems

Abstract:The past few years have witnessed millions of credit/debit cards flowing through the underground economy and ultimately causing significant financial loss. Examining key underground economy sellers has both practical and academic significance for cybercrime forensics and criminology research. Drawing on social media analytics, we have developed the AZSecure text mining system for identifying and profiling key sellers. The system identifies sellers using sentiment analysis of customer reviews and profiles sellers using topic modeling of advertisements. We evaluated the AZSecure system on eight international underground economy forums. The system significantly outperformed all benchmark machine-learning methods on identifying advertisement threads, classifying customer review sentiments, and profiling seller characteristics, with an average F-measure of about 80 percent to 90 percent. In our case study, we identified the famous carder, Rescator, who was affiliated with the Target breach, and captured important seller characteristics in terms of product type, payment options, and contact channels. Our research leverages social media analytics to probe into the underground economy in order to help law enforcement target key sellers and prevent future fraud. It also contributes to our understanding of the use of information technology in detecting deception in online systems.

information science & library science,management,computer science, information systems

Ying-Chiang Cho,Jen-Yi Pan

DOI: https://doi.org/10.1155/2013/704865

2013-12-17

Abstract:Over the years, human dependence on the Internet has increased dramatically. A large amount of information is placed on the Internet and retrieved from it daily, which makes web security in terms of online information a major concern. In recent years, the most problematic issues in web security have been e-mail address leakage and SQL injection attacks. There are many possible causes of information leakage, such as inadequate precautions during the programming process, which lead to the leakage of e-mail addresses entered online or insufficient protection of database information, a loophole that enables malicious users to steal online content. In this paper, we implement a crawler mining system that is equipped with SQL injection vulnerability detection, by means of an algorithm developed for the web crawler. In addition, we analyze portal sites of the governments of various countries or regions in order to investigate the information leaking status of each site. Subsequently, we analyze the database structure and content of each site, using the data collected. Thus, we make use of practical verification in order to focus on information security and privacy through black-box testing.

Qi Zhang,Yang Shi,Xuanjing Huang,Lide Wu

DOI: https://doi.org/10.1145/1571941.1572132

2009-01-01

Abstract:This paper presents a novel work on the task of extracting data from Web forums. Millions of users contribute rich information to Web forum everyday, which has become an important resource for many Web applications, such as product opinion retrieval, social network analysis, and so on. The novelty of the proposed algorithm is that it can not only extract the pure text but also distinguish between the origin post and replies. Experimental results on a large number real Web forums indicate that the proposed algorithm can correctly extract data from websites with various styles in most cases.

Abdoul Nasser Hassane Amadou,Anas Motii,Saida Elouardi,EL Houcine Bergou

2024-11-08

Abstract:Underground forums serve as hubs for cybercriminal activities, offering a space for anonymity and evasion of conventional online oversight. In these hidden communities, malicious actors collaborate to exchange illicit knowledge, tools, and tactics, driving a range of cyber threats from hacking techniques to the sale of stolen data, malware, and zero-day exploits. Identifying the key instigators (i.e., key hackers), behind these operations is essential but remains a complex challenge. This paper presents a novel method called EUREKHA (Enhancing User Representation for Key Hacker Identification in Underground Forums), designed to identify these key hackers by modeling each user as a textual sequence. This sequence is processed through a large language model (LLM) for domain-specific adaptation, with LLMs acting as feature extractors. These extracted features are then fed into a Graph Neural Network (GNN) to model user structural relationships, significantly improving identification accuracy. Furthermore, we employ BERTopic (Bidirectional Encoder Representations from Transformers Topic Modeling) to extract personalized topics from user-generated content, enabling multiple textual representations per user and optimizing the selection of the most representative sequence. Our study demonstrates that fine-tuned LLMs outperform state-of-the-art methods in identifying key hackers. Additionally, when combined with GNNs, our model achieves significant improvements, resulting in approximately 6% and 10% increases in accuracy and F1-score, respectively, over existing methods. EUREKHA was tested on the Hack-Forums dataset, and we provide open-source access to our code.

Cryptography and Security,Computation and Language,Social and Information Networks

Fang Zhen,Zhao Xinyi,Wei Qiang,Chen Guoqing,Zhang Yong,Xing Chunxiao,Li Weifeng,Chen Hsinchun

DOI: https://doi.org/10.1109/ISI.2016.7745436

2016-01-01

Abstract:Chinese hacker communities are of interest to cybersecurity researchers and investigators. When examining Chinese hacker communities, researchers and investigators face many challenges, including understanding the Chinese language, detecting variations in topic evolution, and identifying key hackers with their specialty areas. Therefore, we are motivated to develop a framework for analyzing key hackers and emerging threats in Chinese hacker communities. Specifically, we develop a set of topic models for extracting popular topics, tracking topic evolution, and identifying key hackers with their specialty topics. We applied our framework to 19 major Chinese hacker communities. As a result, we identified five major popular topics, including trading, fraud prevention & identification, calling for cooperation, casual chat, and monetizing. Moreover, we found several trends related to new communication channels, new stolen cards of interest, and new operating mechanism. Further, we also found the key hackers in each extracted area. Our work contributes to the cybersecurity literature by providing an advanced and scalable framework for analyzing Chinese hacker communities.

Manabu Torii,Lanlan Yin,Thang Nguyen,Chand T. Mazumdar,Hongfang Liu,David M. Hartley,Noele P. Nelson

DOI: https://doi.org/10.1016/j.ijmedinf.2010.10.015

IF: 4.73

2011-01-01

International Journal of Medical Informatics

Abstract:PURPOSE: Early detection of infectious disease outbreaks is crucial to protecting the public health of a society. Online news articles provide timely information on disease outbreaks worldwide. In this study, we investigated automated detection of articles relevant to disease outbreaks using machine learning classifiers. In a real-life setting, it is expensive to prepare a training data set for classifiers, which usually consists of manually labeled relevant and irrelevant articles. To mitigate this challenge, we examined the use of randomly sampled unlabeled articles as well as labeled relevant articles.METHODS: Naïve Bayes and Support Vector Machine (SVM) classifiers were trained on 149 relevant and 149 or more randomly sampled unlabeled articles. Diverse classifiers were trained by varying the number of sampled unlabeled articles and also the number of word features. The trained classifiers were applied to 15 thousand articles published over 15 days. Top-ranked articles from each classifier were pooled and the resulting set of 1337 articles was reviewed by an expert analyst to evaluate the classifiers.RESULTS: Daily averages of areas under ROC curves (AUCs) over the 15-day evaluation period were 0.841 and 0.836, respectively, for the naïve Bayes and SVM classifier. We referenced a database of disease outbreak reports to confirm that this evaluation data set resulted from the pooling method indeed covered incidents recorded in the database during the evaluation period.CONCLUSIONS: The proposed text classification framework utilizing randomly sampled unlabeled articles can facilitate a cost-effective approach to training machine learning classifiers in a real-life Internet-based biosurveillance project. We plan to examine this framework further using larger data sets and using articles in non-English languages.

health care sciences & services,computer science, information systems,medical informatics