Mining actionable information from security forums: the case of malicious IP addresses

TL;DR

This paper presents a language-independent method to automatically identify malicious IP addresses from unstructured hacker forum posts by combining behavioral user features with textual analysis, achieving high accuracy and uncovering more threats than existing blacklists.

Contribution

The authors introduce a novel matrix decomposition approach that extracts behavioral features from forum users, enabling language-independent detection of malicious IPs without relying on advanced NLP techniques.

Findings

Over 88% precision in identifying malicious IPs across three forums

Detected up to three times more malicious IPs than VirusTotal blacklist

Collected approximately 600,000 posts from multiple forums for analysis

Abstract

The goal of this work is to systematically extract information from hacker forums, whose information would be in general described as unstructured: the text of a post is not necessarily following any writing rules. By contrast, many security initiatives and commercial entities are harnessing the readily public information, but they seem to focus on structured sources of information. Here, we focus on the problem of identifying malicious IP addresses, among the IP addresses which are reported in the forums. We develop a method to automate the identification of malicious IP addresses with the design goal of being independent of external sources. A key novelty is that we use a matrix decomposition method to extract latent features of the behavioral information of the users, which we combine with textual information from the related posts. A key design feature of our technique is that it can be readily applied to different language forums, since it does not require a sophisticated Natural Language Processing approach. In particular, our solution only needs a small number of keywords in the new language plus the users behavior captured by specific features. We also develop a tool to automate the data collection from security forums. Using our tool, we collect approximately 600K posts from 3 different forums. Our method exhibits high classification accuracy, while the precision of identifying malicious IP in post is greater than 88% in all three forums. We argue that our method can provide significantly more information: we find up to 3 times more potentially malicious IP address compared to the reference blacklist VirusTotal. As the cyber-wars are becoming more intense, having early accesses to useful information becomes more imperative to remove the hackers first-move advantage, and our work is a solid step towards this direction.