Mining user interaction patterns in the darkweb to predict enterprise cyber incidents
Soumajyoti Sarkar, Mohammad Almukaynizi, Jana Shakarian, Paulo Shakarian

TL;DR
This paper presents a framework that analyzes darkweb forum interactions, especially reply network structures, to predict enterprise cyber attacks, demonstrating that network-based features improve prediction accuracy over simple activity metrics.
Contribution
It introduces a novel approach using reply network structures from darkweb forums and combines unsupervised and supervised models for attack prediction.
Findings
Network-based features outperform posting statistics in prediction accuracy.
Reply path structures and community detection improve attack prediction.
Models successfully predict attacks across multiple security event types.
Abstract
With the rise in security breaches over the past few years, there has been an increasing need to mine insights from social media platforms to raise alerts of possible attacks in an attempt to defend conflict during competition. In this study, we attempt to build a framework that utilizes unconventional signals from the darkweb forums by leveraging the reply network structure of user interactions with the goal of predicting enterprise-related external cyber attacks. We use both unsupervised and supervised learning models that address the challenges that come with the lack of enterprise attack metadata for ground truth validation as well as insufficient data for training the models. We validate our models on a binary classification problem that attempts to predict cyber attacks on a daily basis for an organization. Using several controlled studies on features leveraging the network structure,…
