Extracting actionable information from Security Forums

Gharibshah, Joobin; Faloutsos, Michalis

doi:10.1145/3308560.3314197

Cited by 5 publications

(9 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There is a wealth of information that can be extracted from security forums, which motivates this research direction. Earlier work suggests that there is close to four times more malicious IP addresses in forums compared to established databases of such IP addresses [8]. At the same time, there are tens of thousands of IP addresses in the forums, as we will see later.…”

Section: Introductionmentioning

confidence: 63%

“…These features capture the behaviour of the author, including frequency of posting, average post length etc. These features were introduced by earlier work [8], with the rationale that profiling the author of a post can help us infer their intention and role and thus, improve the classification.…”

Section: The Ip Characterization Modulementioning

confidence: 99%

“…Extracting IP addresses from security forums. There two main efforts that focus on IP addresses and security forums [7,8] and neither provides the comprehensive solution that we propose here. The most relevant work [8] does not address the Identification problem, and sidesteps the problem of crossforum training by assuming training data for each forum.…”

Section: Related Workmentioning

confidence: 99%

“…There two main efforts that focus on IP addresses and security forums [7,8] and neither provides the comprehensive solution that we propose here. The most relevant work [8] does not address the Identification problem, and sidesteps the problem of crossforum training by assuming training data for each forum. The earlier work [7] focuses on the spatiotemporal properties of Canadian IP addresses in forums, but assumes that all identified addresses are suspicious and therefore they did not employ a classification method, which is the focus of our work.…”

Section: Related Workmentioning

confidence: 99%

See 3 more Smart Citations

RIPEx: Extracting Malicious IP Addresses from Security Forums Using Cross-Forum Learning

Gharibshah

Papalexakis

Faloutsos

2018

Advances in Knowledge Discovery and Data Mining

Self Cite

View full text Add to dashboard Cite

Is it possible to extract malicious IP addresses reported in security forums in an automatic way? This is the question at the heart of our work. We focus on security forums, where security professionals and hackers share knowledge and information, and often report misbehaving IP addresses. So far, there have only been a few efforts to extract information from such security forums. We propose RIPEx, a systematic approach to identify and label IP addresses in security forums by utilizing a cross-forum learning method. In more detail, the challenge is twofold: (a) identifying IP addresses from other numerical entities, such as software version numbers, and (b) classifying the IP address as benign or malicious. We propose an integrated solution that tackles both these problems. A novelty of our approach is that it does not require training data for each new forum. Our approach does knowledge transfer across forums: we use a classifier from our source forums to identify seed information for training a classifier on the target forum. We evaluate our method using data collected from five security forums with a total of 31K users and 542K posts. First, RIPEx can distinguish IP address from other numeric expressions with 95% precision and above 93% recall on average. Second, RIPEx identifies malicious IP addresses with an average precision of 88% and over 78% recall, using our cross-forum learning. Our work is a first step towards harnessing the wealth of useful information that can be found in security forums.

show abstract

Section: Introductionmentioning

confidence: 63%

Section: The Ip Characterization Modulementioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

RIPEx: Extracting Malicious IP Addresses from Security Forums Using Cross-Forum Learning

Gharibshah

Papalexakis

Faloutsos

2018

Advances in Knowledge Discovery and Data Mining

Self Cite

View full text Add to dashboard Cite

show abstract

“…Sundaresan et al extracted Skype handles from public posts and translated those to their actual IP address to characterize the location of users in underground forums [12]. Gharibshah et al presented a cross-correlation between the IP addresses that users post and the database from VirusTotal to understand and characterize malicious users [36]. Egele et al modeled message characteristics on Social Networks to detect compromised (hacked) accounts [37].…”

Section: Background and Related Workmentioning

confidence: 99%

A Methodology For Large-Scale Identification of Related Accounts in Underground Forums

Cabrero-Holgueras

Pastrana

2021

Computers & Security

View full text Add to dashboard Cite

An expert‐in‐the‐loop method for domain‐specific document categorization based on small training data

Han

Rezapour

Nakamura

et al. 2022

Asso for Info Science & Tech

View full text Add to dashboard Cite

Automated text categorization methods are of broad relevance for domain experts since they free researchers and practitioners from manual labeling, save their resources (e.g., time, labor), and enrich the data with information helpful to study substantive questions. Despite a variety of newly developed categorization methods that require substantial amounts of annotated data, little is known about how to build models when (a) labeling texts with categories requires substantial domain expertise and/or in-depth reading, (b) only a few annotated documents are available for model training, and (c) no relevant computational resources, such as pretrained models, are available. In a collaboration with environmental scientists who study the socio-ecological impact of funded biodiversity conservation projects, we develop a method that integrates deep domain expertise with computational models to automatically categorize project reports based on a small sample of 93 annotated documents. Our results suggest that domain expertise can improve automated categorization and that the magnitude of these improvements is influenced by the experts' understanding of categories and their confidence in their annotation, as well as data sparsity and additional category characteristics such as the portion of exclusive keywords that can identify a category.

show abstract

Extracting actionable information from Security Forums

Cited by 5 publications

References 15 publications

RIPEx: Extracting Malicious IP Addresses from Security Forums Using Cross-Forum Learning

RIPEx: Extracting Malicious IP Addresses from Security Forums Using Cross-Forum Learning

A Methodology For Large-Scale Identification of Related Accounts in Underground Forums

An expert‐in‐the‐loop method for domain‐specific document categorization based on small training data

Contact Info

Product

Resources

About