Victor A. Benjamin

Securing cyberspace: Identifying key actors in hacker communities

As the computer becomes more ubiquitous throughout society, the security of networks and information technologies is a growing concern. Recent research has found hackers making use of social media platforms to form communities where sharing of knowledge and tools that enable cybercriminal activity is common. However, past studies often report only generalized community behaviors and do not scrutinize individual members; in particular, current research has yet to explore the mechanisms in which some hackers become key actors within their communities. Here we explore two major hacker communities from the United States and China in order to identify potential cues for determining key actors. The relationships between various hacker posting behaviors and reputation are observed through the use of ordinary least squares regression. Results suggest that the hackers who contribute to the cognitive advance of their community are generally considered the most reputable and trustworthy among their peers. Conversely, the tenure of hackers and their discussion quality were not significantly correlated with reputation. Results are consistent across both forums, indicating the presence of a common hacker culture that spans multiple geopolitical regions.

Exploring threats and vulnerabilities in hacker web: Forums, IRC and carding shops

Cybersecurity is a problem of growing relevance that impacts all facets of society. As a result, many researchers have become interested in studying cybercriminals and online hacker communities in order to develop more effective cyber defenses. In particular, analysis of hacker community contents may reveal existing and emerging threats that pose great risk to individuals, businesses, and government. Thus, we are interested in developing an automated methodology for identifying tangible and verifiable evidence of potential threats within hacker forums, IRC channels, and carding shops. To identify threats, we couple machine learning methodology with information retrieval techniques. Our approach allows us to distill potential threats from the entirety of collected hacker contents. We present several examples of identified threats found through our analysis techniques. Results suggest that hacker communities can be analyzed to aid in cyber threat detection, thus providing promising direction for future work.

Descriptive Analytics: Examining Expert Hackers in Web Forums

In recent years, understanding the people behind cybercrime from a hacker-centric perspective has drawn increased attention. Preliminary exploration in online hacker social dynamics has found that hackers extensively exchange information with others in online communities, including vulnerabilities, stolen data, etc. However, there is a lack of research that explores automated identification and characterization of expert hackers within online communities. In this research, we identify expert hackers and characterize their specialties by devising a scalable and generalizable framework leveraging two categories of features to analyze hacker forum content. The framework encompasses text analytics for key hacker identification and analysis. In the Text Analytics module, we employ an interaction coherence analysis (ICA) framework, to extract interactions among the users in hacker communities as topological feature. In Expert Identification & Analysis, we characterize each hacker with content features extracted with lexicon matching and structural features from the ICA component. Results reveal an interaction network and content-based clustering of key actors within the studied hacker community. Our project contributes to both social media analytics and cybersecurity research as we provide a complete analytical framework to analyze the key hackers from both an interaction network perspective and discussion content perspective. This framework can benefit cyber security researchers and practitioners by offering an inclusive angle for analyzing hacker social dynamics.

Machine learning for attack vector identification in malicious source code

As computers and information technologies become ubiquitous throughout society, the security of our networks and information technologies is a growing concern. As a result, many researchers have become interested in the security domain. Among them, there is growing interest in observing hacker communities for early detection of developing security threats and trends. Research in this area has often reported hackers openly sharing cybercriminal assets and knowledge with one another. In particular, the sharing of raw malware source code files has been documented in past work. Unfortunately, malware code documentation appears often times to be missing, incomplete, or written in a language foreign to researchers. Thus, analysis of such source files embedded within hacker communities has been limited. Here we utilize a subset of popular machine learning methodologies for the automated analysis of malware source code files. Specifically, we explore genetic algorithms to resolve questions related to feature selection within the context of malware analysis. Next, we utilize two common classification algorithms to test selected features for identification of malware attack vectors. Results suggest promising direction in utilizing such techniques to help with the automated analysis of malware source code.

Evaluating text visualization: An experiment in authorship analysis

Analyzing authorship of online texts is an important analysis task in security-related areas such as cybercrime investigation and counter-terrorism, and in any field of endeavor in which authorship may be uncertain or obfuscated. This paper presents an automated approach for authorship analysis using machine learning methods, a robust stylometric feature set, and a series of visualizations designed to facilitate analysis at the feature, author, and message levels. A testbed consisting of 506,554 forum messages, in English and Arabic, from 14,901 authors was first constructed. A prototype portal system was then developed to support feasibility analysis of the approach. A preliminary evaluation to assess the efficacy of the text visualizations was conducted. The evaluation showed that task performance with the visualization functions was more accurate and more efficient than task performance without the visualizations.

Examining Hacker Participation Length in Cybercriminal Internet-Relay-Chat Communities

Abstract To further cybersecurity, there is interest in studying online cybercriminal communities to learn more about emerging cyber threats. Literature documents the existence of many online Internet Relay Chat (IRC) cybercriminal communities where cybercriminals congregate and share hacking tools, malware, and more. However, many cybercriminal community participants appear unskilled and have fleeting interests, making it difficult to detect potential long-term or key participants. This is a challenge for researchers and practitioners to quickly identify cybercriminals that may provide credible threat intelligence. Thus, we propose a computational approach to analyze cybercriminals IRC communities in order to identify potential long-term and key participants. We use the extended Cox model to scrutinize cybercriminal IRC participation for better understanding of behaviors exhibited by cybercriminals of importance. Results indicate that key cybercriminals may be quickly identifiable by assessing the scale of their interaction and networks with other participants.

Evaluating text visualization for authorship analysis

Methods and tools to conduct authorship analysis of web contents is of growing interest to researchers and practitioners in various security-focused disciplines, including cybersecurity, counter-terrorism, and other fields in which authorship of text may at times be uncertain or obfuscated. Here we demonstrate an automated approach for authorship analysis of web contents. Analysis is conducted through the use of machine learning methodologies, an expansive stylometric feature set, and a series of visualizations intended to help facilitate authorship analysis at the author, message, and feature levels. To operationalize this, we utilize a testbed containing 506,554 forum messages in English and Arabic, source from 14,901 authors that participated in an online web forum. A prototype portal system providing authorship comparisons and visualizations was then designed and constructed in order to support feasibility analysis and real world value of the automated authorship analysis approach. A preliminary user evaluation was performed to assess the efficacy of visualizations, with evaluation results demonstrating task performance accuracy and efficiency was improved through use of the portal.

Bridging the virtual and real: The relationship between web content, linkage, and geographical proximity of social movements

As the Internet becomes ubiquitous, it has advanced to more closely represent aspects of the real world. Due to this trend, researchers in various disciplines have become interested in studying relationships between real‐world phenomena and their virtual representations. One such area of emerging research seeks to study relationships between real‐world and virtual activism of social movement organization (SMOs). In particular, SMOs holding extreme social perspectives are often studied due to their tendency to have robust virtual presences to circumvent real‐world social barriers preventing information dissemination. However, many previous studies have been limited in scope because they utilize manual data‐collection and analysis methods. They also often have failed to consider the real‐world aspects of groups that partake in virtual activism. We utilize automated data‐collection and analysis methods to identify significant relationships between aspects of SMO virtual communities and their respective real‐world locations and ideological perspectives. Our results also demonstrate that the interconnectedness of SMO virtual communities is affected specifically by aspects of the real world. These observations provide insight into the behaviors of SMOs within virtual environments, suggesting that the virtual communities of SMOs are strongly affected by aspects of the real world.

Developing understanding of hacker language through the use of lexical semantics

The need for more research scrutinizing online hacker communities is a common suggestion in recent years. However, researchers and practitioners face many challenges when attempting to do so. In particular, they may encounter hacking-specific terms, concepts, tools, and other items that are unfamiliar and may be challenging to understand. For these reasons, we are motivated to develop an automated method for developing understanding of hacker language. We utilize the latest advancements in recurrent neural network language models (RNNLMs) to develop an unsupervised machine learning technique for learning hacker language. The selected RNNLM produces state-of-the-art word embeddings that are useful for understanding the relations between different hacker terms and concepts. We evaluate our work by testing the RNNLMs ability to learn relevant relations between known hacker terms. Results suggest that the latest work in RNNLMs can aid in modeling hacker language, providing promising direction for future research.

Identifying language groups within multilingual cybercriminal forums

Online cybercriminal communities exist in various geopolitical regions, including America, China, Russia, and more. Some multilingual forums exist where cybercriminals of differing geopolitical origin interact and exchange hacking knowledge and cybercriminal assets. Researchers can study such forums to better understand the global cybercriminal supply chain and cybercrime trends. However, little work has focused on identifying members of different language groups and geopolitical origin within such forums. One challenge is the necessity of a technique that scales across multiple languages. We are motivated to explore computational techniques that support automated and scalable categorization of cybercriminal forum participants into varying language groups. In particular, we make use of Paragraph Vectors, a state-of-the-art neural network language model to generate fixed-length vector representations (i.e., document embeddings) of messages posted by forum participants. Results indicate Paragraph Vectors outperforms traditional n-gram frequency approaches for generating document embeddings that are useful for clustering cybercriminals into language groups.