Xiaohui Han,Lianhai Wang,Shujiang Xu,Dawei Zhao,Guangqi Liu

DOI: https://doi.org/10.1007/978-3-030-01950-1_34

2018-01-01

Abstract:Online gambling has become a substantial global industry during the past two decades. However, it is explicitly prohibited or restricted by most countries in the world due to social problems caused by it. This results in rapid expansion of the illegal online gambling (IOG) market where players profits are under little protection. To fight against IOG, this paper addresses the IOG participant-role recognition (PRR) problem by learning a supervised classifier with monetary transaction data. We propose two sets of features, i.e., transaction statistical features and network structural features, to effectively represent participants. Based on the feature representation, we adopt an ensemble learning strategy in the training phase of a PRR classifier to reduce the impact of unbalanced data. Results of experiments performed on real-world IOG case data demonstrate the feasibility and validity of the proposed approach. The proposed approach could help investigators in a law enforcement agency find the key members of an IOG organization quickly and destroy the ecosystem efficiently.

Rui Wen,Jianyu Wang,Chunming Wu,Jian Xiong

DOI: https://doi.org/10.1145/3366424.3391266

2020-01-01

Abstract:Given a large graph with millions of vertices and different types, how can we spot anomalies and find potential adversaries in time? Most graph-based fraud detection algorithms focus on finding dense blocks, discovering local subgraphs, designing belief propagation, and latent factor models. However, as fraudsters in online social networks gradually become adversarial, distributed, and invisible, it is easy for them to evade traditional detection methods. Even worse, existing detection systems are fragile to the new attacks. Once attackers update their tragedies, they will be inefficient. Our focus is to detect potential adversaries as soon as possible. We design and propose ASA (Adversary Situation Awareness), a system that (a) uncovers potential adversaries in time, (b) utilizes heterogeneous information in the graph, and (c)is effective in real-world data. We do experiments on a heterogeneous graph including 198,541 nodes with five types and 224,384 edges. The result shows that ASA can spot potential adversaries and successfully recovers 60 of potential abnormal users within a few minutes. Additionally, after two months we deployed it, ASA could achieve 90 recall, which means ASA can well discover a small number of adversaries with a latent period in time.

Wanda Li,Zhiwei Xu,Yi Sun,Qingyuan Gong,Yang Chen,Aaron Yi Ding,Xin Wang,Pan Hui

DOI: https://doi.org/10.1109/tkde.2021.3091503

IF: 9.235

2021-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Outstanding users (OUs) denote the influential, core or bridge users in the online community. How to accurately detect and rank them is an important problem for third-party online service providers and researchers. Conventional efforts, ranging from early graph-based algorithms to recent machine learning-based approaches, typically rely on an entire network's information or at least ego networks. However, for privacy-conscious users or newly-registered users, such information is not easily accessible. To address this issue, we present DeepPick, a novel framework that considers both the generalization and specialization in the detection task of OUs. For generalization, we introduce deep neural networks to capture nonlinear features. For specialization, we leverage the traditional well-defined metrics to preserve common features. Extensive experiments based on real-world datasets demonstrate that our approach achieves a high efficacy in terms of detection performance against the state-of-the-art.

Abdoul Nasser Hassane Amadou,Anas Motii,Saida Elouardi,EL Houcine Bergou

2024-11-08

Abstract:Underground forums serve as hubs for cybercriminal activities, offering a space for anonymity and evasion of conventional online oversight. In these hidden communities, malicious actors collaborate to exchange illicit knowledge, tools, and tactics, driving a range of cyber threats from hacking techniques to the sale of stolen data, malware, and zero-day exploits. Identifying the key instigators (i.e., key hackers), behind these operations is essential but remains a complex challenge. This paper presents a novel method called EUREKHA (Enhancing User Representation for Key Hacker Identification in Underground Forums), designed to identify these key hackers by modeling each user as a textual sequence. This sequence is processed through a large language model (LLM) for domain-specific adaptation, with LLMs acting as feature extractors. These extracted features are then fed into a Graph Neural Network (GNN) to model user structural relationships, significantly improving identification accuracy. Furthermore, we employ BERTopic (Bidirectional Encoder Representations from Transformers Topic Modeling) to extract personalized topics from user-generated content, enabling multiple textual representations per user and optimizing the selection of the most representative sequence. Our study demonstrates that fine-tuned LLMs outperform state-of-the-art methods in identifying key hackers. Additionally, when combined with GNNs, our model achieves significant improvements, resulting in approximately 6% and 10% increases in accuracy and F1-score, respectively, over existing methods. EUREKHA was tested on the Hack-Forums dataset, and we provide open-source access to our code.

Cryptography and Security,Computation and Language,Social and Information Networks

Wang Lidong,Zhang Yin,Hu Keyong

DOI: https://doi.org/10.1007/s10489-021-02716-5

IF: 5.3

2021-01-01

Applied Intelligence

Abstract:Recognizing identical users across different social networks remains challenging in recent years. Clearly, cross-platform user identification can play promising roles for many applications, such as user behavior prediction, public opinion analysis and e-commerce applications. Representation learning (RL) based methods have received more and more attention in recent years. However, most existing RL based methods only focus on the local structures (i.e., neighbors of vertices), and ignore label information and global structure patterns. Also, the current RL based methods tend to design the user identification and the embedding learning into two separate steps, which will neglect the complex correlations of different information sources. In this paper, we propose a novel approach, named as FEUI (Fusion Embedding for User Identification), by embedding the user-pair-oriented graph (UGP) through jointly integrating network structures, node attribute information and node labels to achieve robust embedding features and predict node labels simultaneously. The FEUI framework contains two modules, dual attribute embedding and joint embedding. These two modules leverage the strong representation ability of an extended auto-encoder and an one-input and two-outputs deep neural network to represent the complex correlations of different information sources. We evaluate our model on two social network datasets with collected user pairs. The experimental results show that the FEUI model can achieve better performance compared with the state-of-the-art approaches.

Wanda Li,Zhiwei Xu,Yi Sun,Qingyuan Gong,Yang Chen,Aaron Yi Ding,Xin Wang,Pan Hui

DOI: https://doi.org/10.1109/tkde.2021.3091503

IF: 9.235

2021-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Outstanding users (OUs) denote the influential, “core” or “bridge” users in online social networks. How to accurately detect and rank them is an important problem for third-party online service providers and researchers. Conventional efforts, ranging from early graph-based algorithms to recent machine learning-based approaches, typically rely on an entire social network's information. However, for privacy-conscious users or newly-registered users, such information is not easily accessible. To address this issue, we present DeepPick, a novel framework that considers both the generalization and specialization in the detection task of OUs. For generalization, we introduce deep neural networks to capture dynamic features of the users. For specialization, we leverage the traditional descriptive features to make use of public information about users. Extensive experiments based on real-world datasets demonstrate that our approach achieves a high efficacy of detection performance against the state-of-the-art.

Jing Fan,Shaowen Gao,Yong Liu,Xinqiang Ma,Jiandang Yang,Changjie Fan

DOI: https://doi.org/10.1109/tsmc.2021.3066545

2022-01-01

Abstract:Extracting the specific category of the players, such as the malignant Bot, from the huge log data of the massive multiplayer online role playing games, denoted as MMORPGs, is an important basic task in game security and personal recommendation. In this article, we propose a parallel semisupervised framework to categorize specific game players with a few label-known target samples, which are denoted as bait players. Our approach first presents a feature representation model based on the players' level granularity, which can acquire aligned feature representations in the lower dimensional space from the players' original action sequences. Then, we propose a semisupervised clustering method, extended from the bisecting k-means model, to extract the specified players with the help of those bait players. Due to massive amounts of game log data, the computation complexity is an extreme challenge to implement our feature representation and semisupervised extraction approaches. We also propose a hierarchical parallelism framework, which allows the data to be computed horizontally and vertically simultaneously and enables varied parallel combinations for the steps of our semisupervised categorization approach. The comparable experiments on real-world MMORPGs' log data, containing more than 465 Gbytes and million players, are carried out to demonstrate the effectiveness and efficiency of our proposed approach compared with the state-of-the-art methods.

Zhibo Sun,Carlos E. Rubio-Medrano,Ziming Zhao,Tiffany Bao,Adam Doupe,Gail-Joon Ahn

DOI: https://doi.org/10.1145/3292006.3300036

2019-01-01

Abstract:The studies on underground forums and marketplaces have significantly advanced our understandings of cybercrime workflows and underground economies. Researchers of underground economies have conducted comprehensive studies on public interactions. However, little research focuses on private interactions. The lack of the investigation on private interactions may cause misunderstandings on underground economies, as users in underground forums and marketplaces tend to share the minimal amount of information in public interactions and resort to private messages for follow-up conversations. In this paper, we propose methods to investigate the underground private interactions and we analyze a recently leaked dataset from Nulled.io. We present analyses on the contents and purposes of private messages. In addition, we design machine learning-based models that only use the publicly available information to detect if two underground users privately communicate with each other. Finally, we perform adversarial analysis to evaluate the robustness of the detector to different types of attacks.

Yan Liu,Xi Chen

2019-01-01

Abstract:Peer influence, which means that an individual can directly influence his friends to be similar with him, is very important in social network analysis. However, peer influence effects are often confounded with latent homophily caused by unobserved similar characteristics. Scholars have designed randomized experiments or established mathematical models to control the latent homophily to get a more accurate effect of peer influence. However, the randomized experiments cannot utilize the valuable second-hand data and the mathematical models are always complex and time-consuming. In this paper, we propose a novel approach based on machine learning to estimate the peer influence effect. First, we use machine learning or deep learning algorithms to get node embeddings which imply the structural information of the nodes in a social network. Then we use the embeddings to act as a proxy variable of unobserved homophily factors in OLS regression models. To verify the feasibility of our approach, we design a simulation experiment. Finally, we implement our method to an empirical study and find that peer influence exists in online game social networks and using node embeddings as a proxy variable in regression can help estimate a more accurate peer influence effect. key words: peer influence, network embedding, GraRep, node2vec, SDNE

Kuo Zhao,Huajian Zhang,Jiaxin Li,Qifu Pan,Li Lai,Yike Nie,Zhongfei Zhang

DOI: https://doi.org/10.3390/e26070579

2024-07-07

Abstract:The rapid evolution of computer technology and social networks has led to massive data generation through interpersonal communications, necessitating improved methods for information mining and relational analysis in areas such as criminal activity. This paper introduces a Social Network Forensic Analysis model that employs network representation learning to identify and analyze key figures within criminal networks, including leadership structures. The model incorporates traditional web forensics and community algorithms, utilizing concepts such as centrality and similarity measures and integrating the Deepwalk, Line, and Node2vec algorithms to map criminal networks into vector spaces. This maintains node features and structural information that are crucial for the relational analysis. The model refines node relationships through modified random walk sampling, using BFS and DFS, and employs a Continuous Bag-of-Words with Hierarchical Softmax for node vectorization, optimizing the value distribution via the Huffman tree. Hierarchical clustering and distance measures (cosine and Euclidean) were used to identify the key nodes and establish a hierarchy of influence. The findings demonstrate the effectiveness of the model in accurately vectorizing nodes, enhancing inter-node relationship precision, and optimizing clustering, thereby advancing the tools for combating complex criminal networks.

Rebekah Overdorf,Carmela Troncoso,Rachel Greenstadt,Damon McCoy

DOI: https://doi.org/10.48550/arXiv.1805.04494

2018-05-12

Abstract:Underground forums where users discuss, buy, and sell illicit services and goods facilitate a better understanding of the economy and organization of cybercriminals. Prior work has shown that in particular private interactions provide a wealth of information about the cybercriminal ecosystem. Yet, those messages are seldom available to analysts, except when there is a leak. To address this problem we propose a supervised machine learning based method able to predict which public \threads will generate private messages, after a partial leak of such messages has occurred. To the best of our knowledge, we are the first to develop a solution to overcome the barrier posed by limited to no information on private activity for underground forum analysis. Additionally, we propose an automate method for labeling posts, significantly reducing the cost of our approach in the presence of real unlabeled data. This method can be tuned to focus on the likelihood of users receiving private messages, or \threads triggering private interactions. We evaluate the performance of our methods using data from three real forum leaks. Our results show that public information can indeed be used to predict private activity, although prediction models do not transfer well between forums. We also find that neither the length of the leak period nor the time between the leak and the prediction have significant impact on our technique's performance, and that NLP features dominate the prediction power.

Cryptography and Security

Yiyue Qian,Yiming Zhang,Yanfang Ye,Chuxu Zhang

2021-01-01

Abstract:Driven by the considerable profits, the crime of drug trafficking (a.k.a. illicit drug trading) has co-evolved with modern technologies, e.g., social media such as Instagram has become a popular platform for marketing and selling illicit drugs. The activities of online drug trafficking are nimble and resilient, which call for novel techniques to effectively detect, disrupt, and dismantle illicit drug trades. In this paper, we propose a holistic framework named MetaHG to automatically detect illicit drug traffickers on social media (i.e., Instagram), by tackling the following two new challenges: (1) different from existing works which merely focus on analyzing post content, MetaHG is capable of jointly modeling multimodal content and relational structured information on social media for illicit drug trafficker detection; (2) in addition, through the proposed meta-learning technique, MetaHG addresses the issue of requiring sufficient data for model training. More specifically, in our proposed MetaHG, we first build a heterogeneous graph (HG) to comprehensively characterize the complex ecosystem of drug trafficking on social media. Then, we employ a relation-based graph convolutional neural network to learn node (i.e., user) representations over the built HG, in which we introduce graph structure refinement to compensate the sparse connection among entities in the HG for more robust node representation learning. Afterwards, we propose a meta-learning algorithm for model optimization. A self-supervised module and a knowledge distillation module are further designed to exploit unlabeled data for improving the model. Extensive experiments based on the real-world data collected from Instagram demonstrate that the proposed MetaHG outperforms state-of-the-art methods.

Shiyi Yang,Hui Guo,Nour Moustafa

DOI: https://doi.org/10.48550/arXiv.2105.09157

2021-09-01

Abstract:Machine learning (ML)-based intrusion detection systems (IDSs) play a critical role in discovering unknown threats in a large-scale cyberspace. They have been adopted as a mainstream hunting method in many organizations, such as financial institutes, manufacturing companies and government agencies. However, existing designs achieve a high threat detection performance at the cost of a large number of false alarms, leading to alert fatigue. To tackle this issue, in this paper, we propose a neural-network-based defense mechanism named DarkHunter. DarkHunter incorporates both supervised learning and unsupervised learning in the design. It uses a deep ensemble network (trained through supervised learning) to detect anomalous network activities and exploits an unsupervised learning-based scheme to trim off mis-detection results. For each detected threat, DarkHunter can trace to its source and present the threat in its original traffic format. Our evaluations, based on the UNSW-NB15 dataset, show that DarkHunter outperforms the existing ML-based IDSs and is able to achieve a high detection accuracy while keeping a low false positive rate.

Cryptography and Security

Zhao Kangzhi,Zhang Yong,Xing Chunxiao,Li Weifeng,Chen Hsinchun

DOI: https://doi.org/10.1109/ISI.2016.7745450

2016-01-01

Abstract:With the rapid growth of online population, China has become the world's largest online market. This also gives rise to the Chinese underground market, which has facilitated many of the cybercrimes in China. Consequently, there is a need for research scrutinizing Chinese underground markets. One major challenge facing cybersecurity researchers is to understand the unfamiliar cybercriminal jargons. To this end, we are motivated to analyze jargons in Chinese underground market. Particularly, we utilize the recent advancements in unsupervised machine learning methods, word embedding and Latent Dirichlet Allocation. We evaluate our work on a research testbed encompassing 29 exclusive underground market QQ groups with 23,000 members. Specifically, we test the ability of the proposed approach to learn semantically similar words of known cybersecurity-related jargons. Results suggest the state-of-the-art unsupervised learning approaches can help better understand cybercriminal language, providing promising insights for future research on Chinese underground markets.

Hanjo D. Boekhout,Arjan A.J. Blokland,Frank W. Takes

2024-05-10

Abstract:In this work we focus on identifying key players in dark net cryptomarkets that facilitate online trade of illegal goods. Law enforcement aims to disrupt criminal activity conducted through these markets by targeting key players vital to the market's existence and success. We particularly focus on detecting successful vendors responsible for the majority of illegal trade. Our methodology aims to uncover whether the task of key player identification should center around plainly measuring user and forum activity, or that it requires leveraging specific patterns of user communication. We focus on a large-scale dataset from the Evolution cryptomarket, which we model as an evolving communication network. Results indicate that user and forum activity, measured through topic engagement, is best able to identify successful vendors. Interestingly, considering users with higher betweenness centrality in the communication network further improves performance, also identifying successful vendors with moderate activity on the forum. But more importantly, analyzing the forum data over time, we find evidence that attaining a high betweenness score comes before vendor success. This suggests that the proposed network-driven approach of modelling user communication might prove useful as an early warning signal for key player identification.

Social and Information Networks

Haruna Isah,Daniel Neagu,Paul Trundle

DOI: https://doi.org/10.1145/2808797.2808842

2015-10-08

Abstract:Certain crimes are hardly committed by individuals but carefully organised by group of associates and affiliates loosely connected to each other with a single or small group of individuals coordinating the overall actions. A common starting point in understanding the structural organisation of criminal groups is to identify the criminals and their associates. Situations arise in many criminal datasets where there is no direct connection among the criminals. In this paper, we investigate ties and community structure in crime data in order to understand the operations of both traditional and cyber criminals, as well as to predict the existence of organised criminal networks. Our contributions are twofold: we propose a bipartite network model for inferring hidden ties between actors who initiated an illegal interaction and objects affected by the interaction, we then validate the method in two case studies on pharmaceutical crime and underground forum data using standard network algorithms for structural and community analysis. The vertex level metrics and community analysis results obtained indicate the significance of our work in understanding the operations and structure of organised criminal networks which were not immediately obvious in the data. Identifying these groups and mapping their relationship to one another is essential in making more effective disruption strategies in the future.

Social and Information Networks,Physics and Society

YaJun Du,Qiaoyu Zhou,JiaXing Luo,XianYong Li,JinRong Hu

DOI: https://doi.org/10.1016/j.ins.2021.04.081

IF: 8.1

2021-09-01

Information Sciences

Abstract:There are three types of social network users: ordinary users, opinion leaders, and structural hole (SH) spanners. Opinion leaders and SH spanners are key circulators of information. SH spanners are the key figures of cross-community information propagation. By contrast, opinion leaders are more important to intra-community information dissemination. Moreover, according to the two-step flow theory, users prefer to connect with opinion leaders rather than ordinary users when connecting with users in other communities. Therefore, the detection of key figures should consider both the community structure and the relationship between opinion leaders and SH spanners. In this paper, we propose three algorithms. The first is an improved harmonic modularity algorithm based on Q-modularity gain (Q-HAM), which can infer community partitions and rank SH nodes. The second proposal is a model of social rank and community structure-regulated network embedding (RaComNE), which is based on the two-step flow theory and relies on the SH spanner ranks and community assignments to guide network representation learning and social rank inference in a supervised manner. Finally, we propose a key figure detection algorithm (KFDA), which integrates both Q-HAM and RaComNE into a single framework by adding a fine-tuning step. In addition to its usual outputs, KFDA outputs community assignments and network embeddings, which are convenient for visualization. Extensive experimentation demonstrated that Q-HAM and RaComNE improved key figure detection relative to state-of-the-art methods. Additionally, the KFDA experiments showed that integrating the two-step theory into the framework significantly improves both SH spanners and opinion leaders detection.

computer science, information systems

Felipe Moreno-Vera,Mateus Nogueira,Cainã Figueiredo,Daniel Sadoc Menasché,Miguel Bicudo,Ashton Woiwood,Enrico Lovat,Anton Kocheturov,Leandro Pfleger de Aguiar

2023-08-04

Abstract:This paper proposes a machine learning-based approach for detecting the exploitation of vulnerabilities in the wild by monitoring underground hacking forums. The increasing volume of posts discussing exploitation in the wild calls for an automatic approach to process threads and posts that will eventually trigger alarms depending on their content. To illustrate the proposed system, we use the CrimeBB dataset, which contains data scraped from multiple underground forums, and develop a supervised machine learning model that can filter threads citing CVEs and label them as Proof-of-Concept, Weaponization, or Exploitation. Leveraging random forests, we indicate that accuracy, precision and recall above 0.99 are attainable for the classification task. Additionally, we provide insights into the difference in nature between weaponization and exploitation, e.g., interpreting the output of a decision tree, and analyze the profits and other aspects related to the hacking communities. Overall, our work sheds insight into the exploitation of vulnerabilities in the wild and can be used to provide additional ground truth to models such as EPSS and Expected Exploitability.

Cryptography and Security,Machine Learning

Yuxiang Shan,Qin Ren,Gang Yu,Tiantian Li,Bin Cao

DOI: https://doi.org/10.1108/ijwis-02-2023-0025

2023-07-05

International Journal of Web Information Systems

Abstract:Purpose Internet marketing underground industry users refer to people who use technology means to simulate a large number of real consumer behaviors to obtain marketing activities rewards illegally, which leads to increased cost of enterprises and reduced effect of marketing. Therefore, this paper aims to construct a user risk assessment model to identify potential underground industry users to protect the interests of real consumers and reduce the marketing costs of enterprises. Design/methodology/approach Method feature extraction is based on two aspects. The first aspect is based on traditional statistical characteristics, using density-based spatial clustering of applications with noise clustering method to obtain user-dense regions. According to the total number of users in the region, the corresponding risk level of the receiving address is assigned. So that high-quality address information can be extracted. The second aspect is based on the time period during which users participate in activities, using frequent item set mining to find multiple users with similar operations within the same time period. Extract the behavior flow chart according to the user participation, so that the model can mine the deep relationship between the participating behavior and the underground industry users. Findings Based on the real underground industry user data set, the features of the data set are extracted by the proposed method. The features are experimentally verified by different models such as random forest, fully-connected layer network, SVM and XGBOST, and the proposed method is comprehensively evaluated. Experimental results show that in the best case, our method can improve the F1-score of traditional models by 55.37%. Originality/value This paper investigates the relative importance of static information and dynamic behavior characteristics of users in predicting underground industry users, and whether the absence of features of these categories affects the prediction results. This investigation can go a long way in aiding further research on this subject and found the features which improved the accuracy of predicting underground industry users.

Ziming Zhao,Gail-Joon Ahn,Hongxin Hu,Deepinder Mahi

2012-01-01

Abstract:Existing research on net-centric attacks has focused on the detection of attack events on network side and the removal of rogue programs from client side. However, such approaches largely overlook the way on how attack tools and unwanted programs are developed and distributed. Recent studies in underground economy reveal that suspicious attackers heavily utilize online social networks to form special interest groups and distribute malicious code. Consequently, examining social dynamics, as a novel way to complement existing research efforts, is imperative to systematically identify attackers and tactically cope with net-centric threats. In this paper, we seek a way to understand and analyze social dynamics relevant to net-centric attacks and propose a suite of measures called SocialImpact for systematically discovering and mining adversarial evidence. We also demonstrate the feasibility and applicability of our approach by implementing a proof-of-concept prototype Cassandra with a case study on real-world data archived from the Internet.