Proactive identification of exploits in the wild through vulnerability mentions online

Almukaynizi, Mohammed; Nunes, Eric; Dharaiya, Krishna; Senguttuvan, Manoj; Shakarian, Jana; Shakarian, Paulo

doi:10.1109/cyconus.2017.8167501

Cited by 56 publications

(37 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Hacking community on D2web.. While the hacking community in D2web sites has been widely investigated in the existing literature for applications such as analyzing the economics of D2web forums/markets [13], [14] and identifying future cyberthreats to mitigate risks [2], [15], none of these studies identify threats related to specific corporations or identify when in the future the predicted events may occur. DARKMENTION specifically predicts enterprise-targeted attacks and the periods in which those threats are predicted.…”

Section: Resultsmentioning

confidence: 99%

See 1 more Smart Citation

DARKMENTION: A Deployed System to Predict Enterprise-Targeted External Cyberattacks

Almukaynizi

Marin

Nunes

et al. 2018

2018 IEEE International Conference on Intelligence and Security Informatics (ISI)

Self Cite

View full text Add to dashboard Cite

Recent incidents of data breaches call for organizations to proactively identify cyber attacks on their systems. Darkweb/Deepweb (D2web) forums and marketplaces provide environments where hackers anonymously discuss existing vulnerabilities and commercialize malicious software to exploit those vulnerabilities. These platforms offer security practitioners a threat intelligence environment that allows to mine for patterns related to organization-targeted cyber attacks. In this paper, we describe a system (called DARKMENTION) that learns association rules correlating indicators of attacks from D2web to realworld cyber incidents. Using the learned rules, DARKMENTION generates and submits warnings to a Security Operations Center (SOC) prior to attacks. Our goal was to design a system that automatically generates enterprise-targeted warnings that are timely, actionable, accurate, and transparent. We show that DARKMENTION meets our goal. In particular, we show that it outperforms baseline systems that attempt to generate warnings of cyber attacks related to two enterprises with an average increase in F1 score of about 45% and 57%. Additionally, DARKMENTION was deployed as part of a larger system that is built under a contract with the IARPA Cyber-attack Automated Unconventional Sensor Environment (CAUSE) program. It is actively producing warnings that precede attacks by an average of 3 days.• timely: indicates the exact time-point in which a predicted attack will occur,• actionable: provides metadata/warning details, i.e., the target enterprise, type of attack, volume, and the software vulnerabilities/threat actor identified from the D2web discussions,• accurate: predicted unseen real-world attacks with an average increase in F1 of over 45% for one enterprise and 57% for the other, and• transparent: allows analysts to easily trace the warnings back to the rules that were triggered, discussions that fired the rules, etc.

show abstract

Section: Resultsmentioning

confidence: 99%

“…A 2017 Verizon investigation report stated that 75% of breaches were perpetrated by outsiders exploiting known vulnerabilities [1]. Monitoring the vulnerabilities that are of interest to malicious threat actors from the discussions on Darkweb/Deepweb (D2web) hacking sites is a key aspect of predicting cyber-attacks [2].…”

Section: Introductionmentioning

confidence: 99%

DARKMENTION: A Deployed System to Predict Enterprise-Targeted External Cyberattacks

Almukaynizi

Marin

Nunes

et al. 2018

2018 IEEE International Conference on Intelligence and Security Informatics (ISI)

Self Cite

View full text Add to dashboard Cite

show abstract

“…As mentioned earlier, this streaming nature of feature generation ensures we engineer the features relevant to the timeframe of attack prediction. For choosing the experts with an in-degree threshold, we select a threshold of 10 (we tried the values in the list [5,10,15,20]) to filter out users having in-degree less than 10 in G Hτ from exp τ . We obtain this threshold by manually investigating a few experts in terms of their content of posts and we find that beyond a threshold of 10, a lot of users get included whose posts are not relevant to any malicious information or signals.…”

Section: Parameter Settingsmentioning

confidence: 99%

Mining user interaction patterns in the darkweb to predict enterprise cyber incidents

Sarkar

Almukaynizi

Shakarian³

et al. 2019

Soc. Netw. Anal. Min.

Self Cite

View full text Add to dashboard Cite

With rise in security breaches over the past few years, there has been an increasing need to mine insights from social media platforms to raise alerts of possible attacks in an attempt to defend conflict during competition. In this study, we attempt to build a framework that utilizes unconventional signals from the darkweb forums by leveraging the reply network structure of user interactions with the goal of predicting enterprise related external cyber attacks. We use both unsupervised and supervised learning models that address the challenges that come with the lack of enterprise attack metadata for ground truth validation as well as insufficient data for training the models. We validate our models on a binary classification problem that attempts to predict cyber attacks on a daily basis for an organization. Using several controlled studies on features leveraging the network structure, we measure the extent to which the indicators from the darkweb forums can be successfully used to predict attacks. We use information from 53 forums in the darkweb over a span of 17 months for the task. Our framework to predict real world organization cyber attacks of 3 different security events, suggest that focusing on the reply path structure between groups of users based on random walk transitions and community structures has an advantage in terms of better performance solely relying on forum or user posting statistics prior to attacks.

show abstract

“…This method referred to as DarkEmbed learns the embeddings of Dark Web posts and then uses a trained exploit classifier to predicted which vulnerabilities in Dark Web posts might be exploited. • Dark-Mentions: Is an extension of [21] which predicts if a disclosed vulnerability will be exploited based on a variety of data sources in addition to the Dark Web using methods still being developed. These predictions are used to construct a rule based forecasting method based on keyword mentions in Dark Web forums and marketplaces.…”

Section: J External Signalsmentioning

confidence: 99%

Predicting Cyber-Events by Leveraging Hacker Sentiment

2018

View full text Add to dashboard Cite

Recent high-profile cyber attacks exemplify why organizations need better cyber defenses. Cyber threats are hard to accurately predict because attackers usually try to mask their traces. However, they often discuss exploits and techniques on hacking forums. The community behavior of the hackers may provide insights into groups' collective malicious activity. We propose a novel approach to predict cyber events using sentiment analysis. We test our approach using cyber attack data from 2 major business organizations. We consider 3 types of events: malicious software installation, malicious destination visits, and malicious emails that surpassed the target organizations' defenses. We construct predictive signals by applying sentiment analysis on hacker forum posts to better understand hacker behavior. We analyze over 400K posts generated between January 2016 and January 2018 on over 100 hacking forums both on surface and Dark Web. We find that some forums have significantly more predictive power than others. Sentiment-based models that leverage specific forums can outperform state-of-the-art deep learning and time-series models on forecasting cyber attacks weeks ahead of the events.

show abstract

Proactive identification of exploits in the wild through vulnerability mentions online

Cited by 56 publications

References 12 publications

DARKMENTION: A Deployed System to Predict Enterprise-Targeted External Cyberattacks

DARKMENTION: A Deployed System to Predict Enterprise-Targeted External Cyberattacks

Mining user interaction patterns in the darkweb to predict enterprise cyber incidents

Predicting Cyber-Events by Leveraging Hacker Sentiment

Contact Info

Product

Resources

About