Predict Enterprise Cyber Incidents by Social Network Analysis on Dark Web Forums

There has been a rise in security breaches over the past few years, prompting an increasing need to mine insights from external discussion and social media platforms to raise alerts of possible attacks that might cater to specific industries.  The dark web is one source of information on the internet where users can share information on software vulnerabilities and ways to exploit them.  However, it is difficult to track the intentions of these users, making it necessary to use data mining and learning to identify the discussions among the noise that could raise alerts on attacks on enterprises.

Most of the current research in this area has focused on vulnerability discussions on trading, exploitation in the underground forums, and related social media platforms (e.g., Twitter).  This research has focused primarily on two aspects, the first of which is analyzing the dynamics of the underground forums and the markets that drive it.  The second aspect is the prioritization of vulnerabilities using these social media platforms or binary file appearance logs of machines and using them to predict the risk state of machines or systems through exploitation of these vulnerabilities.  However, the existing research is lacking in the area where vulnerability exploitation is not a precursor towards attack prevention.

Researchers at Arizona State University have developed a novel framework that utilizes information from dark web forums by leveraging the reply network structure of user interactions in the forums with the goal of predicting enterprise related cyber-attacks.  This framework uses both supervised and unsupervised learning models that address the challenges that come with the lack of attack metadata and insufficient data for training the models.  This framework is validated on a binary classification problem that attempts to predict whether there would be an attack on any given day for an organization.  The high correlation between the weeks that exhibit large attacks, and the prediction results shows that network structure analytics can help generate alerts for cyber-attacks.

Initial tests have shown that focusing on the path structure between groups of users based on random walk transitions and community structures is better than solely relying on forum or user posting statistics prior to attack.

Related publication: Predicting enterprise cyber incidents using social network analysis on the darkweb hacker forums

Potential Applications:

  • Cyber-attack prediction and prevention
  • Organization-wide data analysis to predict likelihood of cyber-attacks

Benefits & Advantages:

  • Ability to accurately predict cyber threats using data from the dark web
  • High precision
  • Comparable recall (number of false positives are reduced)
  • Removes precursor of vulnerability exploitation for attack prevention