an analysis of cybercrime activity within an underground
play

An Analysis of Cybercrime Activity within an Underground Gaming - PowerPoint PPT Presentation

Aug 06, 2023 •538 likes •851 views

An Analysis of Cybercrime Activity within an Underground Gaming Forum Jack Hughes Cambridge Cybercrime Conference joh32@cam.ac.uk 11th July 2019 Background Research into the role of gaming as an entry point into cybercrime is growing

  1. An Analysis of Cybercrime Activity within an Underground Gaming Forum Jack Hughes Cambridge Cybercrime Conference joh32@cam.ac.uk 11th July 2019

  2. Background • Research into the role of gaming as an entry point into cybercrime is growing • Example: DDoS attacks-as-a-service can be used by gamers with little technical knowledge to gain an advantage over opponents • Exposure to, and use of, these services is believed to be a pathway into more serious cybercrime 2

  3. Figure from: National Crime Agency. (2015). Identify, Intervene, Inspire: Helping young people to pursue careers in cyber security, not cyber crime, 6. 3

  4. Related Work • Previous work by Pastrana et al. 1 : • Analysed Hack Forums , for predicting future key actors • Produced open-source research tools for analysis • Hack Forums is a general-purpose underground hacking forum • MPGH is specifically for multiplayer games • Both forums are available on the open web • Also available in the CrimeBB dataset, available for research use from the Cambridge Cybercrime Centre 1 Pastrana S., Hutchings A., Caines A., Buttery P. (2018) Characterizing Eve: Analysing Cybercrime Actors in a Large Underground Forum. In: Bailey M., Holz T., Stamatogiannakis M., Ioannidis S. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2018. Lecture Notes in Computer Science, vol 11050. Springer, Cham 4

  5. Ethics • This work has received approval from the Department of Computer Science & Technology’s ethics committee • Only carrying out analysis of collective behaviour, rather than identifying individuals 5

  6. Studying MPGH • Aim is not to carry out “predictive policing”, but towards identifying possible intervention points • This work combines prediction techniques to identify characteristics of key actors 6

  7. Key Actors Individuals who have released tools and tutorials on the forum, or have advertised cybercrime related services such as DDoS-for-hire. 7

  8. MPGH Dataset • Snapshot of forum activity • 764k threads, 9.36m posts, 132k members with >5 posts 8

  9. Method used by K-means Clustering Pastrana et al. Key Actor Social Selection Network Analysis Logistic Regression Feature Topic Key Actor Collection Analysis Predictions & Selection Input data Prediction Validation Output Techniques predictions 9

  10. Adapted method K-means Clustering for MPGH Key Actor Social Selection Network Analysis Logistic Regression Feature Topic Key Actor Collection Analysis Predictions Group- & based Selection Trajectory Modelling Decision Trees Additional NLP-derived variables 2 2 Caines, A., Pastrana, S., Hutchings, A., & Buttery, P. J. (2018). Neural Automatically identifying the function and intent of posts in Networks underground forums. Crime Science , 7 (1), 19. 10 https://doi.org/10.1186/s40163-018-0094-4

  11. Key Actor Selection • Manually selected 87 key actors, including: • Those who have released tools and tutorials on cracking, gaming and hacking forums • Those who have advertised DDoS-for-hire (booter/stresser) services • Those who are strongly connected to other key actors, and are involved in similar activities to key actors • No information relating to any arrests or offending are available for this forum • Therefore a manual selection process was used 11

  12. Feature Collection • Initial features include: • Social network analysis (eigenvector centrality, …) • Activity counts (thread count on marketplace, …) • Activity metrics (days spent on forum, …) • Interaction metrics (number of citations, …) • Impact metrics (h-index, i-10 index, …) • Additional features from NLP tools include (averaged over user’s posts): • Sentiment (quantitative measure of emotion) • Post types (information request, social, tutorial, …) • Post intents (positive, negative, aggressive, …) • Addressee types 12

  13. Feature Selection • Only members with more than 5 posts (‘active members’) are considered for analysis (~17% of all) • Features are iteratively removed until correlations are less than 80% • Some techniques and analysis rely on low multicollinearity of features • Features are scaled • Some techniques rely on normalised distances of features • Dataset is split into train-test-validation sets 13

  14. Key Actor Insights 14

  15. Changing Interests Over Time Start Middle End Lifetime of Key Actor on the Forum 15

  16. Logistic Regression 16

  17. Potential Key Actor Predictions 17

  18. K-means Clustering (All Members) • Placing members into (k=)5 groups • Proportion of key actors per group: 12 key 3 key 9 key 14 key 46 key actors of actors of actors of actors of actors of 47,437 3966 10545 21,406 588 members members members members members 0.03% 0.08% 0.09% 0.07% 7.82% Members used for prediction 18

  19. Social Network Analysis Red: General key actor Blue: Distributing tools and tutorials Yellow: Key actors found after interaction with other key actors Green: Other forum members 19

  20. Social Network Analysis Red: General key actor Blue: Distributing tools and tutorials Yellow: Key actors found after interaction with other key actors Green: Other forum members Pink: Predicted key actors 20

  21. Group-based trajectory modelling This sustainer trajectory contains 28% of all key actors , and is used for prediction 21

  22. post_hack <= 1.5 Random Forest gini = 0.5 samples = 33533 value = [16803, 16730] True False indegree_centrality <= 0.002 h <= 2.5 gini = 0.188 gini = 0.179 samples = 16928 samples = 16605 value = [15150, 1778] value = [1653, 14952] thread_hack <= 0.5 post_coding <= 0.5 gini = 0.035 gini = 0.36 gini = 0.074 gini = 0.115 samples = 1196 samples = 900 samples = 15732 samples = 15705 value = [21, 1175] value = [688, 212] value = [15129, 603] value = [965, 14740] post_games_hackforums_sandbox <= 33.5 thread_hack <= 0.5 gini = 0.496 gini = 0.063 gini = 0.027 gini = 0.333 samples = 724 samples = 13153 samples = 15008 samples = 2552 value = [329, 395] value = [426, 12727] value = [14800, 208] value = [539, 2013] thread_market <= 1.5 gini = 0.0 gini = 0.499 gini = 0.498 gini = 0.254 samples = 14606 samples = 402 samples = 413 samples = 2139 value = [14606, 0] value = [194, 208] value = [219, 194] value = [320, 1819] gini = 0.162 gini = 0.424 samples = 1540 samples = 599 value = [137, 1403] value = [183, 416] 22

  23. Inspecting Random Forest and Neural Network Models SHAP diagram explaining the prediction of one member 23

  24. Topic Analysis • Computationally expensive to compute for all members, but is used to verify prediction results Terms related directly to cybercrime, or to the creation of tools used for cybercrime 24

  25. Key Actor Predictions 49 members are predicted as key actors 25

  26. Summary: Key Actor Behaviour • Different techniques begin to explain the behaviour of key actors, showing they: • Have a higher h-index • Have been active on the forum for longer • Mostly well-connected with other key actors, and have high eigenvector centrality • Sustain low-frequency post activity on the marketplace, and high-frequency post activity in the gaming category 26

  27. Summary: Techniques • Techniques should be combined to produce better predictions and insights of potential key actors • Individual features used for prediction, including reputation , are not good indicators of key actors 27

  28. Wider Context • Finding common characteristics of key actor activities are useful in understanding behaviours • These can later be used to identify points of intervention, to deter and prevent individuals from progressing further into cybercrime • This could include law enforcement activity having a presence on the forum • Could include disrupting low-level sustaining activity on the marketplace 28

  29. Jack Hughes joh32@cam.ac.uk Data used is available from the Cambridge Cybercrime Centre: https://www.cambridgecybercrime.uk/process.html References 1 Pastrana S., Hutchings A., Caines A., Buttery P. (2018) Characterizing Eve: Analysing Cybercrime Actors in a Large Underground Forum. In: Bailey M., Holz T., Stamatogiannakis M., Ioannidis S. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2018. Lecture Notes in Computer Science, vol 11050. Springer, Cham 2 Caines, A., Pastrana, S., Hutchings, A., & Buttery, P. J. (2018). Automatically identifying the function and intent of posts in underground forums. Crime Science , 7 (1), 19. https://doi.org/10.1186/s40163-018-0094-4 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Underground Economy and Ecosystem of SMS Based Cybercrime Denis Maslennikov, Senior Malware

The Underground Economy and Ecosystem of SMS Based Cybercrime Denis Maslennikov, Senior Malware

The Underground Economy and Ecosystem of SMS Based Cybercrime Denis Maslennikov, Senior Malware Analyst, Kaspersky Lab 15.06.2011, 23 rd Annual FIRST Conference, Vienna, Austria Agenda SMS based threats Ransomware SMS Trojans The

1.39k views • 76 slides
Vitali Kremez Impact Agenda The Wind of Time Shakes the Underground | High- Tech Cybercrime

Vitali Kremez Impact Agenda The Wind of Time Shakes the Underground | High- Tech Cybercrime

How North Korean Hackers are Working with Eastern European Cybercriminals @VK_Intel Vitali Kremez Impact Agenda The Wind of Time Shakes the Underground | High- Tech Cybercrime &amp; APT | Most Sophisticated &amp; Resourceful Crimeware

509 views • 27 slides
Advertise publicly, trade privately? Analysing the Cybercrime-as-a-Service (CaaS) Offerings in

Advertise publicly, trade privately? Analysing the Cybercrime-as-a-Service (CaaS) Offerings in

Advertise publicly, trade privately? Analysing the Cybercrime-as-a-Service (CaaS) Offerings in Underground Forums Dr. Ugur Akyazi PostDoc Researcher Cyber Security Group - TPM Technical University of Delft 1 2 3 as-a-service model 4

314 views • 29 slides
Economics of Cybercrime The Influence of Perceived Cybercrime Risk on Online Service Adoption of

Economics of Cybercrime The Influence of Perceived Cybercrime Risk on Online Service Adoption of

W ESTFLISCHE W ILHELMS -U NIVERSITT M NSTER Economics of Cybercrime The Influence of Perceived Cybercrime Risk on Online Service Adoption of European Internet Users living knowledge WWU Mnster Markus Riek, June 23, 2014 Rainer

571 views • 40 slides
Measuring security and cybercrime Daniel R. Thomas Cambridge Cybercrime Centre, Department of

Measuring security and cybercrime Daniel R. Thomas Cambridge Cybercrime Centre, Department of

Measuring security and cybercrime Daniel R. Thomas Cambridge Cybercrime Centre, Department of Computer Science and Technology, University of Cambridge, UK SecHuman 2018 GPG: 5017 A1EC 0B29 08E3 CF64 7CCD 5514 35D5 D749 33D9

672 views • 40 slides
Measuring security and cybercrime Daniel R. Thomas Cambridge Cybercrime Centre, Department of

Measuring security and cybercrime Daniel R. Thomas Cambridge Cybercrime Centre, Department of

Measuring security and cybercrime Daniel R. Thomas Cambridge Cybercrime Centre, Department of Computer Science and Technology, University of Cambridge, UK SecHuman 2018 GPG: 5017 A1EC 0B29 08E3 CF64 7CCD 5514 35D5 D749 33D9

479 views • 37 slides
Survival analysis techniques for studying cybercrime Tyler Moore Computer Science &amp;

Survival analysis techniques for studying cybercrime Tyler Moore Computer Science &amp;

Notes Survival analysis techniques for studying cybercrime Tyler Moore Computer Science &amp; Engineering Department, SMU, Dallas, TX November 1, 2012 Case-control studies for analyzing data Survival analysis Notes Outline Case-control

401 views • 6 slides
STOPPING CYBERCRIME A presentation by the Financial Cybercrime Task Force of Kentucky KY Dept.

STOPPING CYBERCRIME A presentation by the Financial Cybercrime Task Force of Kentucky KY Dept.

STOPPING CYBERCRIME A presentation by the Financial Cybercrime Task Force of Kentucky KY Dept. of Financial Institutions DISCLAIMER The views expressed in this presentation are solely the presenters and are not binding upon any state

773 views • 20 slides
The Rule of Law in Cyberspace What it means for business GERONIMO L. SY Assistant Secretary /

The Rule of Law in Cyberspace What it means for business GERONIMO L. SY Assistant Secretary /

The Rule of Law in Cyberspace What it means for business GERONIMO L. SY Assistant Secretary / Head, Office of Cybercrime Department of Justice Outline Legal Framework on Cybercrime Updates on Cybercrime Priorities How we can work

79 views • 6 slides
From behind the keyboard to behind bars: Cybercrime arrests and prosecu6ons in the UK Dr Alice

From behind the keyboard to behind bars: Cybercrime arrests and prosecu6ons in the UK Dr Alice

From behind the keyboard to behind bars: Cybercrime arrests and prosecu6ons in the UK Dr Alice Hutchings Computer Laboratory, University of Cambridge Presenta&gt;on for the Inaugural Cybercrime Conference, 14 July 2016 Cambridge Computer

535 views • 32 slides
The not so Dark Side of the Darknet Dr. Victoria Wang (BSc; PhD) Senior Lecturer on Security and

The not so Dark Side of the Darknet Dr. Victoria Wang (BSc; PhD) Senior Lecturer on Security and

Cambridge Cybercrime Centre: Fourth Annual Cybercrime Conference The not so Dark Side of the Darknet Dr. Victoria Wang (BSc; PhD) Senior Lecturer on Security and Cybercrime Institute for Criminal Justice Studies (ICJS) University of Portsmouth

780 views • 24 slides
How Can We Collect Meaningful, Reliable Cybercrime Statistics? Thomas Holt (Michigan State)

How Can We Collect Meaningful, Reliable Cybercrime Statistics? Thomas Holt (Michigan State)

How Can We Collect Meaningful, Reliable Cybercrime Statistics? Thomas Holt (Michigan State) Tyler Moore (Tulsa) Background and Motivation Cybercrime scholars have called for better reporting mechanisms since 90s There remains no

177 views • 4 slides
The four-story, underground Capitol Extension in Austin, Texas for Capitol Building.

The four-story, underground Capitol Extension in Austin, Texas for Capitol Building.

July 26 th , 2017 To: Landmarks Preservation Board From: Ron Taylor/Structural Engineer Re. Answers to the questions: Going underground is not practical or feasible The construction challenges of going underground are not unusual. Many museums

533 views • 6 slides
Offline and Local: The Hidden Face of Cybercrime Jonathan Lusthaus &amp; Federico Varese

Offline and Local: The Hidden Face of Cybercrime Jonathan Lusthaus &amp; Federico Varese

Offline and Local: The Hidden Face of Cybercrime Jonathan Lusthaus &amp; Federico Varese Jonathan Lusthaus Commonwealth Bank Fellow Director of the Human Cybercriminal Project University of Oxford Background Cybercrime is a largely

698 views • 16 slides
Introductory Training of Trainers Course on Cybercrime and Electronic Evidence for Judges,

Introductory Training of Trainers Course on Cybercrime and Electronic Evidence for Judges,

Introductory Training of Trainers Course on Cybercrime and Electronic Evidence for Judges, Magistrates and Prosecutors of the ASEAN Region Cambodian Cybercrime Legislations Case Study Hacking Facebook Account Case: A Facebook account was

207 views • 9 slides
A voice for cybercrime victims Kristin Judge CEO/President CYBERCRIMESUPPORT.ORG Guiding

A voice for cybercrime victims Kristin Judge CEO/President CYBERCRIMESUPPORT.ORG Guiding

A voice for cybercrime victims Kristin Judge CEO/President CYBERCRIMESUPPORT.ORG Guiding Principles (1) bringing a voice to and serving the victims of cybercrime; (2) ensuring victims are connected to local, state and federal law

802 views • 34 slides
EU Exit Business Readiness Forum: Information for businesses on a no deal exit from the EU

EU Exit Business Readiness Forum: Information for businesses on a no deal exit from the EU

EU Exit Business Readiness Forum: Information for businesses on a no deal exit from the EU Thursday 11th April 2019 These slides reflect government policy as of 11th April 2019 Objectives for these forums Share the key information businesses

459 views • 21 slides
#Free Speech and #Public Records Considerations for Social Media Frayda Bluestein 1 Session

#Free Speech and #Public Records Considerations for Social Media Frayda Bluestein 1 Session

1/29/20 #Free Speech and #Public Records Considerations for Social Media Frayda Bluestein 1 Session Overview Part I: Elected Officials Use of Social Media Is your social media platform public or private? What are the legal

298 views • 7 slides
Bellevue School District BELLEVUE SCHOOL DISTRICT Fall Planning 2020 School Star art Fami

Bellevue School District BELLEVUE SCHOOL DISTRICT Fall Planning 2020 School Star art Fami

Bellevue School District BELLEVUE SCHOOL DISTRICT Fall Planning 2020 School Star art Fami amily Forum August 26, 2020 RISING TO THE CHALLENGE TOGETHER TOPICS OF DISCUSSION RISING TO THE CHALLENGE TOGETHER Your school day Activities

641 views • 28 slides
CoSADIE Data Centre Forum Summary and conclusions A forum for the

CoSADIE Data Centre Forum Summary and conclusions A forum for the

CoSADIE Data Centre Forum Summary and conclusions A forum for the data centre community Tell the story of what they do and of their relationship with

739 views • 18 slides
OCP: Wedge switch (open-source design) Switch chip! 3

OCP: Wedge switch (open-source design) Switch chip! 3

Programming the Forwarding Plane Nick McKeown Stanford University Programming the Forwarding Plane Why is there a blackbox in my whitebox? Nick McKeown Stanford University OCP: Wedge

953 views • 51 slides
Welcome Forum on the Wellbeing and Education of Urban Populations Teik C. Lim, Ph.D. Provost and

Welcome Forum on the Wellbeing and Education of Urban Populations Teik C. Lim, Ph.D. Provost and

THE UNIVERSITY OF TEXAS AT ARLINGTON Forum: The Wellbeing and Education of Urban Populations Welcome Forum on the Wellbeing and Education of Urban Populations Teik C. Lim, Ph.D. Provost and Vice President for Academic Affairs HIGHLIGHTS

696 views • 37 slides
Cyber Security, Threat Hunting and Defense Challenge in Taiwan Academic Network NCHC/TWCSIRT

Cyber Security, Threat Hunting and Defense Challenge in Taiwan Academic Network NCHC/TWCSIRT

Cyber Security, Threat Hunting and Defense Challenge in Taiwan Academic Network NCHC/TWCSIRT Research Fellow Yi-Lang Tsai 1 Google Me. Yi-Lang Tsai ( ) Research Fellow , NCHC (National Center for High-performance

781 views • 49 slides
Overview Attacks Handling Security Incidents Security Incidents Handling Security

Overview Attacks Handling Security Incidents Security Incidents Handling Security

Overview Attacks Handling Security Incidents Security Incidents Handling Security Incidents Incident management Methods and Tools Maintaining Incident Preparedness Chapter 7 Standard Incident Handling Procedures Learn

358 views • 7 slides

More recommend