Farkhund Iqbal

A unified data mining solution for authorship analysis in anonymous textual communications

The cyber world provides an anonymous environment for criminals to conduct malicious activities such as spamming, sending ransom e-mails, and spreading botnet malware. Often, these activities involve textual communication between a criminal and a victim, or between criminals themselves. The forensic analysis of online textual documents for addressing the anonymity problem called authorship analysis is the focus of most cybercrime investigations. Authorship analysis is the statistical study of linguistic and computational characteristics of the written documents of individuals. This paper is the first work that presents a unified data mining solution to address authorship analysis problems based on the concept of frequent pattern-based writeprint. Extensive experiments on real-life data suggest that our proposed solution can precisely capture the writing styles of individuals. Furthermore, the writeprint is effective to identify the author of an anonymous text from a group of suspects and to infer sociolinguistic characteristics of the author.

Towards an integrated e-mail forensic analysis framework

Due to its simple and inherently vulnerable nature, e-mail communication is abused for numerous illegitimate purposes. E-mail spamming, phishing, drug trafficking, cyber bullying, racial vilification, child pornography, and sexual harassment are some common e-mail mediated cyber crimes. Presently, there is no adequate proactive mechanism for securing e-mail systems. In this context, forensic analysis plays a major role by examining suspected e-mail accounts to gather evidence to prosecute criminals in a court of law. To accomplish this task, a forensic investigator needs efficient automated tools and techniques to perform a multi-staged analysis of e-mail ensembles with a high degree of accuracy, and in a timely fashion. In this article, we present our e-mail forensic analysis software tool, developed by integrating existing state-of-the-art statistical and machine-learning techniques complemented with social networking techniques. In this framework we incorporate our two proposed authorship attribution approaches; one is presented for the first time in this article.

e-mail authorship verification for forensic investigation

The Internet provides a convenient platform for cyber criminals to anonymously conduct their illegitimate activities, such as phishing and spamming. As a result, in recent years, authorship analysis of anonymous e-mails has received some attention in the cyber forensic and data mining communities. In this paper, we study the problem of authorship verification: given a set of e-mails written by a suspect along with an e-mail dataset collected from the sample population, we want to determine whether or not an anonymous e-mail is written by the suspect. To address the problem of authorship verification of textual documents and employ detection measures that are more suited in the context of forensic investigation, we borrow the NISTs speaker recognition evaluation (SRE) framework. Our experimental results on real world e-mail dataset suggest that the employed framework addresses the e-mail authorship verification problem with a matching success as in case of speaker verification. The proposed framework produces an average equal error rate of 15--20% and minDCF equal to 0.0671 (with 10-fold cross validation technique) in correctly verifying the author of a malicious e-mail.

Investigating the dark cyberspace: Profiling, threat-based analysis and correlation

An effective approach to gather cyber threat intelligence is to collect and analyze traffic destined to unused Internet addresses known as darknets. In this paper, we elaborate on such capability by profiling darknet data. Such information could generate indicators of cyber threat activity as well as providing in-depth understanding of the nature of its traffic. Particularly, we analyze darknet packets distribution, its used transport, network and application layer protocols and pinpoint its resolved domain names. Furthermore, we identify its IP classes and destination ports as well as geo-locate its source countries. We further investigate darknet-triggered threats. The aim is to explore darknet embedded threats and categorize their severities. Finally, we contribute by exploring the inter-correlation of such threats, by applying association rule mining techniques, to build threat association rules. Specifically, we generate clusters of threats that co-occur targeting a specific victim. Such work proves that specific darknet threats are correlated. Moreover, it provides insights about threat patterns and allows the interpretation of threat scenarios.

Mining Criminal Networks from Chat Log

Cyber criminals exploit opportunities for anonymity and masquerade in web-based communication to conduct illegal activities such as phishing, spamming, cyber predation, cyber threatening, blackmail, and drug trafficking. One way to fight cyber crime is to collect digital evidence from online documents and to prosecute cyber criminals in the court of law. In this paper, we propose a unified framework using data mining and natural language processing techniques to analyze online messages for the purpose of crime investigation. Our framework takes the chat log from a confiscated computer as input, extracts the social networks from the log, summarizes chat conversations into topics, identifies the information relevant to crime investigation, and visualizes the knowledge for an investigator. To ensure that the implemented framework meets the needs of law enforcement officers in real-life investigation, we closely collaborate with the cyber crime unit of a law enforcement agency in Canada. Both the feedback from the law enforcement officers and experimental results suggest that the proposed chat log mining framework is effective for crime investigation.

Fuzzy Logic-Based Guaranteed Lifetime Protocol for Real-Time Wireless Sensor Networks.

Few techniques for guaranteeing a network lifetime have been proposed despite its great impact on network management. Moreover, since the existing schemes are mostly dependent on the combination of disparate parameters, they do not provide additional services, such as real-time communications and balanced energy consumption among sensor nodes; thus, the adaptability problems remain unresolved among nodes in wireless sensor networks (WSNs). To solve these problems, we propose a novel fuzzy logic model to provide real-time communication in a guaranteed WSN lifetime. The proposed fuzzy logic controller accepts the input descriptors energy, time and velocity to determine each node’s role for the next duration and the next hop relay node for real-time packets. Through the simulation results, we verified that both the guaranteed network’s lifetime and real-time delivery are efficiently ensured by the new fuzzy logic model. In more detail, the above-mentioned two performance metrics are improved up to 8%, as compared to our previous work, and 14% compared to existing schemes, respectively.

Graph-theoretic characterization of cyber-threat infrastructures

In this paper, we investigate cyber-threats and the underlying infrastructures. More precisely, we detect and analyze cyber-threat infrastructures for the purpose of unveiling key players (owners, domains, IPs, organizations, malware families, etc.) and the relationships between these players. To this end, we propose metrics to measure the badness of different infrastructure elements using graph theoretic concepts such as centrality concepts and Google PageRank. In addition, we quantify the sharing of infrastructure elements among different malware samples and families to unveil potential groups that are behind specific attacks. Moreover, we study the evolution of cyber-threat infrastructures over time to infer patterns of cyber-criminal activities. The proposed study provides the capability to derive insights and intelligence about cyber-threat infrastructures. Using one year dataset, we generate notable results regarding emerging threats and campaigns, important players behind threats, linkages between cyber-threat infrastructure elements, patterns of cyber-crimes, etc.

E-mail authorship attribution using customized associative classification

E-mail communication is often abused for conducting social engineering attacks including spamming, phishing, identity theft and for distributing malware. This is largely attributed to the problem of anonymity inherent in the standard electronic mail protocol. In the literature, authorship attribution is studied as a text categorization problem where the writing styles of individuals are modeled based on their previously written sample documents. The developed model is employed to identify the most plausible writer of the text. Unfortunately, most existing studies focus solely on improving predictive accuracy and not on the inherent value of the evidence collected. In this study, we propose a customized associative classification technique, a popular data mining method, to address the authorship attribution problem. Our approach models the unique writing style features of a person, measures the associativity of these features and produces an intuitive classifier. The results obtained by conducting experiments on a real dataset reveal that the presented method is very effective.

Speaker verification from partially encrypted compressed speech for forensic investigation

Speaker verification has recently been introduced to the forensic field as a new and complimentary approach to other forensic methods. With the advancement in speech communication technologies including voice over IP and wireless multimedia applications, speech is seldom sent between two parties in plain, it is at least partially encrypted before transmission. We present automatic speaker verification techniques based on hidden Markov and Gaussian mixture models from partially encrypted speech from the perceptually less relevant speech features which are unencrypted. An equal error rate (EER) of 23% and minimum detection cost value of 8% has been achieved on a database of 84 speakers using adapted Gaussian mixture modeling. Comparison between different modeling techniques and effect of Gaussian mixture densities are also carried out and results are tabulated. The results suggest that partial or selective encryption techniques may provide content protection but will not protect the speakers identity.

A Glance of Child’s Play Privacy in Smart Toys

A smart toy is defined as a device consisting of a physical toy component that connects to one or more toy computing services to facilitate gameplay in the Cloud through networking and sensory technologies to enhance the functionality of a traditional toy. A smart toy in this context can be effectively considered an Internet of Things (IoT) with Artificial Intelligence (AI) which can provide Augmented Reality (AR) experiences to users. Referring to the direction of the United States Federal Trade Commission Children’s Online Privacy Protection Act (COPPA) and the European Union Data Protection Directive (EUDPD), this study adopts the definition of a child to be an individual under the age of 13 years old. In this study, the first assumption is that children do not understand the concept of privacy. The second assumption is that children will disclose as much information to smart toys as they can trust. Breaches of privacy can result in physical safety of child user, e.g., child predators. While the parents/legal guardians of a child strive to ensure their child’s physical and online safety and privacy, there is no common approach for these parents/guardians to study the information flow between their child and the smart toys they interact with. This paper discusses related privacy requirements for smart toys in a toy computing environment with a case study on a commercial smart toy called Hello Barbie from Mattel.