Cream Skimming the Underground: Identifying Relevant Information Points from Online Forums

TL;DR

This paper introduces a machine learning system that automatically detects and classifies underground forum posts about vulnerabilities, achieving high accuracy and providing insights into hacking community behaviors.

Contribution

It presents a supervised random forest model for classifying forum posts related to CVEs, with high accuracy, and offers interpretability and community analysis insights.

Findings

Achieved over 0.99 accuracy, precision, and recall in classification.

Differentiated between weaponization and exploitation in forum discussions.

Provided insights into hacking community profits and behaviors.

Abstract

This paper proposes a machine learning-based approach for detecting the exploitation of vulnerabilities in the wild by monitoring underground hacking forums. The increasing volume of posts discussing exploitation in the wild calls for an automatic approach to process threads and posts that will eventually trigger alarms depending on their content. To illustrate the proposed system, we use the CrimeBB dataset, which contains data scraped from multiple underground forums, and develop a supervised machine learning model that can filter threads citing CVEs and label them as Proof-of-Concept, Weaponization, or Exploitation. Leveraging random forests, we indicate that accuracy, precision and recall above 0.99 are attainable for the classification task. Additionally, we provide insights into the difference in nature between weaponization and exploitation, e.g., interpreting the output of a decision tree, and analyze the profits and other aspects related to the hacking communities. Overall, our work sheds insight into the exploitation of vulnerabilities in the wild and can be used to provide additional ground truth to models such as EPSS and Expected Exploitability.