RIPEx: Extracting malicious IP addresses from security forums using cross-forum learning

TL;DR

RIPEx is a cross-forum learning system that automatically extracts and classifies malicious IP addresses from security forums, achieving high precision and recall without needing training data for each new forum.

Contribution

It introduces a novel cross-forum knowledge transfer approach for extracting and labeling malicious IP addresses in security forums, eliminating the need for per-forum training data.

Findings

Achieves over 95% precision and 93% recall in IP address identification.

Identifies malicious IPs with 88% precision and 78% recall.

Works effectively across multiple security forums without additional training.

Abstract

Is it possible to extract malicious IP addresses reported in security forums in an automatic way? This is the question at the heart of our work. We focus on security forums, where security professionals and hackers share knowledge and information, and often report misbehaving IP addresses. So far, there have only been a few efforts to extract information from such security forums. We propose RIPEx, a systematic approach to identify and label IP addresses in security forums by utilizing a cross-forum learning method. In more detail, the challenge is twofold: (a) identifying IP addresses from other numerical entities, such as software version numbers, and (b) classifying the IP address as benign or malicious. We propose an integrated solution that tackles both these problems. A novelty of our approach is that it does not require training data for each new forum. Our approach does knowledge transfer across forums: we use a classifier from our source forums to identify seed information for training a classifier on the target forum. We evaluate our method using data collected from five security forums with a total of 31K users and 542K posts. First, RIPEx can distinguish IP address from other numeric expressions with 95% precision and above 93% recall on average. Second, RIPEx identifies malicious IP addresses with an average precision of 88% and over 78% recall, using our cross-forum learning. Our work is a first step towards harnessing the wealth of useful information that can be found in security forums.