TL;DR
TenFor is an unsupervised tensor-based tool that identifies important security forum events without prior knowledge, using clustering, profiling, and key user/thread detection, outperforming previous methods.
Contribution
We introduce TenFor, a novel tensor-based, unsupervised approach for extracting meaningful security events from forums, with a practical platform implementation.
Findings
83% of clusters capture meaningful events
More meaningful clusters than previous approaches
Effective unsupervised detection of forum activities
Abstract
How can we get a security forum to "tell" us its activities and events of interest? We take a unique angle: we want to identify these activities without any a priori knowledge, which is a key difference compared to most of the previous problem formulations. Despite some recent efforts, mining security forums to extract useful information has received relatively little attention, while most of them are usually searching for specific information. We propose TenFor, an unsupervised tensor-based approach, to systematically identify important events in a three-dimensional space: (a) user, (b) thread, and (c) time. Our method consists of three high-level steps: (a) a tensor-based clustering across the three dimensions, (b) an extensive cluster profiling that uses both content and behavioral features, and (c) a deeper investigation, where we identify key users and threads within the events of…
