Social Media Analytics: From Security Informatics to Business

Report
Cybersecurity Research Overview
Victor
1/6/2014
1
Outline

Introduction
 Types of Research
 Systems Research
 Malware Analysis
 Botnets
 Digital Forensics
 Hacker Forum Research
 IRC Channel Research
 Conclusion
2
Introduction

As computers become more ubiquitous throughout society, the
security of networks and information systems is a growing concern.



An increasing amount of critical infrastructure relies on computers and
information technologies
Advancing technologies have enabled hackers to commit cybercrime much
more easily now than in the past.
At the same time, accessibility to technologies and methods to
commit cybercrime has grown (Radianti & Gonzalez, 2009)


Availability of technologies and methods to commit cybercrime have become
more available (Moore & Clayton, 2009)
Legitimate services such as such as DNS servers and search engines have
uses to promote cybercriminal activity
3
Introduction

With growing importance of cybersecurity, researchers have taken
interest in both areas of cybersecurity research



Studies to improve system security and malware analysis techniques
New research on observing and analyzing hackers within their communities
Here we discuss the various forms of cybersecurity research


Both technical- and hacker community-focused studies
Including discussions of tools used to conduct your own analyses and
research
4
Types of Research

There are various forms of cybersecurity research ranging from
technical research to sociological studies:







Systems & Network Security
Malware Analysis
Botnet Research
Digital Forensics
Hacker Forums
Hacker IRC Networks
Traditional cybersecurity research has focused on technological challenges and
improvements to mitigate cyberattacks (Hopper et al, 2009; Holt & Kilger, 2012)



Systems and security research for purposes such as intrusion detection systems, autonomous
networks, etc. (Garcίa-Teodoro et al, 2009; Dsouza et al, 2013)
Improved malware analysis techniques to detect more advanced malware that may be
obfuscated or previously unknown (Cova et al, 2010; Ismail & Zainal, 2012)
Botnet tracking and identification (Lu & Ghorbani, 2009; Zhang et al, 2011)
5
Types of Research

Such focus on technological improvements to enhance security has been
largely dominated past cybersecurity research

However, in comparison to more technical works, there is little research
done to investigate hackers themselves and the human element behind
cybercrime


More research on black hat hackers, i.e. cybercriminals, would offer new knowledge
on securing cyberspace against those with malicious intent (Siponen et al, 2010)
Specifically, developing “methods to model adversaries” is one of the critical but
unfulfilled research needs recommended in the “Trustworthy Cyberspace” report by
the National Science and Technology Council. (National Science and Technology
Council, 2011)
6
Types of Research

As a result, many recent studies in cyber security have taken different paths to
study cyber adversaries



Hacker social media, such as forums and IRC channels, are important resources for
many cybercriminals




Content and topological analysis of hacker forums
Observation of hacker Internet Relay Chat (IRC) chat interactions
Since hacking knowledge is not typically found in formal education, the use of web-based
resources to advance skills and knowledge is common among both black and white hats
Hackers often utilize forums and IRC channels to disseminate hacking knowledge(Radianti et al,
2009; Motoyama et al, 2011)
Forums and IRC channels also serve as black markets, where cybercriminal assets are traded and
sold (Radianti et al, 2009; Holt & Lampke, 2010)
Each type of research is valuable in and necessary to improve the overall security
of cyber infrastructure
7
Systems Security

Improving security mechanisms incorporated into systems
and networks has been a traditional focus of security research



Automated and integrated management of cyber infrastructure, including
intrusion detection systems and autonomous networks (Chen et al, 2007; Aydin
et al, 2009)
Protocol-level security to mitigate known security vulnerabilities (Pervaiz et al,
2010)
Research often consists of collecting data and performing
experiments by simulating networks and systems


For example, collecting network traffic data under normal operations and
comparing it to network traffic data during simulated cyber attacks can help
anomaly detection methods (García-Teodoro et al, 2009)
Wireshark (http://www.wireshark.org/) is a tool commonly used for packet
capturing and analysis
8
Systems Security
Automated and Integrated Management (AIM) Methodology (Dong et al, 2003):
Close Ports
Change Policies
Isolate router
Monitoring
Automated
Semi
Automated
Actions
Feature
Selection
Cyberinfrastructure
Risk and
Impact
Analysis
Aggregate
and
Correlate
Anomaly
Behavior
Analysis
Systems Security
Distribution of Normal vs Abnormal System Calls for Anomaly Detection (Qu et al, 2005)
Fault Injection
Point
Time
Abnormal Transaction
Normal Transaction
SysCall
10
Systems Security

Systems security research is becoming increasingly important as
computers become more prevalent throughout society



Security concerns over SCADA systems, or systems that control the electric grid,
water distribution, and other industrial systems, is growing as these systems are
increasingly reliant on cyber infrastructure (Goel, 2011)
Cloud services and infrastructure have grown rapidly in recent years, necessitating
increased security practices (Ramgovind et al, 2010; Rong et al, 2013)
In particular, these areas present a new set of challenges for
security researchers



SCADA systems often run custom firmware or other software requiring specialized
knowledge or new skillsets for researchers
Cloud services and service-oriented architecture (SOA) are of great concern due to
their exposure on the Internet and necessity to remain online
Port scanners such as NMAP (http://nmap.org) are often used in security audits on
such systems
11
Systems Security

Growing interest in further developing:


Resilient systems that can automatically mitigate and circumvent cyber attacks
(Dsouza et al, 2013)
Moving Target Defense, or evolving defenses that can counter changing and
improving cyber attacks (Carvalho et al, 2012)

While improving system and network security can help cyber
infrastructure mitigate and recover from cyber attacks, research in other
areas of security would be fruitful

Understanding more about the malware deployed against cyber
infrastructure could aid in development of effective cyber defenses
12
Malware Analysis

To improve systems security, some researchers are interested in
developing better defenses against malware (Shabtai et al, 2011;
Sahs & Kahn, 2012)



Increasingly advanced malware variants appearing in the wild
Affecting servers, computers, mobile phones, etc.
Two forms of malware analysis (Willems et al, 2007; Ismail & Zainal,
2012)


Dynamic analysis - Executing malware and observing run-time behaviors,
system calls, registry edits, etc.
Static analysis – Studying malware source code or opcode (operation code)
without malware execution
13
Malware Analysis

By its nature, dynamic analysis will lead to malware infection of computers
used for analysis




Conversely, static analysis does not require malware execution




Requires controls and security measures to avoid malware spread on network
Can be time and resource intensive
May miss hidden execution behaviors if malware does not execute full source code
Source code or opcode can be analyzed without malware execution
Full malware source can be analyzed, revealing code that could be hidden and only
executed under special circumstances
However, code that is obfuscated can be difficult to analyze and understand
Both techniques are equally useful in different contexts, complementing
each other well
14
Malware Analysis

Data is often collected through the use of honeypots

Honeypots are computers or clients that are setup with the purpose of
attracting and logging cyber-attacks in real time



Often emulate or are exposed to live security vulnerabilities in order to capture malware
and monitor cyberattacks
Can be used to better understand threats “in the wild”
Two types of honeypots exist (Zhuge et al, 2008; Cova et al, 2010):


Low-interaction honey pots: Emulate known vulnerabilities to capture malware
payloads and hacker behavior. Honey pot machine is not actually compromised, and
thus only a limited amount of data is captured. Multiple low-interaction honeypots can be
hosted simultaneously on one machine.
High-interaction honey pots: Allow full operating system to be compromised in order to
gather more data on cyberattacker patterns. Can reveal previously unknown exploits as
honeypot does not rely on emulating already known vulnerabilities. However, real
infection increases security risks, and more computing resources are required for highinteraction honeypots.
15
Malware Analysis

Many honeypot tools are developed and made available by The Honeynet
Project - http://www.honeynet.org/




All projects are open sourced and available for free



International team of volunteer security researchers and practitioners
Investigate cyberattacks, discover new exploits
Develop to improve Internet security
Low-interaction and high-interaction honeypots
Tools for other security applications
Open source tools provided by the Honeynett Project, as well as other
sources, can be utilized to implement honeypot systems
16
Malware Analysis

To build a low-interaction honeypot with malware capturing capabilities,
deploy the following tools simultaneously on a Linux-based machine:
Tool Name
Description
URL
Argus
A layer 2+ (i.e. OSI model) auditing tool which helps in
collecting network flow information. Can help with network
traffic analysis.
http://nsmwiki.org/index.php?title
=Argus#Introduction
Dionaea
A honeypot which emulates various services with the aim of
trapping malware and shellcode, malicious code remotely
executed through security exploits. Captured payloads can
be further analyzed for research.
http://dionaea.carnivore.it/
Kippo
SSH honeypot meant to trap, view, and record malicious
activity. Can allow hackers to log into a simulated SSH
environment where attempts of more advanced operations
may be observed.
http://code.google.com/p/kippo/
p0f
Tool to passively fingerprint different attackers behind
TCP/IP communications. May help reveal advanced
persistent threats (APTs)
http://lcamtuf.coredump.cx/p0f3/
Snort
Network intrusion detection system, allows for detailed
network packet capture of cyberattacks
http://www.snort.org/
17
Malware Analysis

Unfortunately, high-interaction honeypot tools are scarce




Popular high-interaction honeypot packages: Capture-HPC




Much more complicated than low-interaction honeypots
Require significantly more resources to implement and maintain
Strict safeguards must be built around honeypot to ensure network security
Developed by the Honeynet project
Problem: last updated in 2008
Runs virtual machines as honeypot systems, but has trouble interfacing with latest virtualization
software (e.g. VMWare, VirtualBox) due to lack of recent updates
One can build their own high-interaction honeypot by deploying
vulnerable machines with system-level logging



System-level logging generally requires operating system kernel hooks
Difficult to implement for most individuals
Many researchers and practitioners opting for low-interaction honeypots with
malware capture capability
18
Malware Analysis

Preliminary study presented at IEEE Intelligence and Security Informatics,
2013 (Benjamin & Chen, 2013)
 Both low-interaction and high-interaction honeypots can be configured to
capture shellcode samples used by cyber attackers
When deploying several honeypots, potential to capture large volume of shellcode
samples
 Can become difficult to analyze samples as volume increases
We collected nearly 4,000 malicious source code and shellcode samples from a
exploit-sharing website
 Four distinct attack vector categories: local memory attacks, remote code execution
attacks, web application exploits, and denial of service
 Several shellcode samples similar to potential honeypot captures



Motivated to develop automated technique to classify samples by attack
vector category
19
Malware Analysis
Program loads library for
network communications
Shellcode
Low-level instructions to access vulnerable
application’s memory space
An example of a Perl exploit that attempts a remote buffer overflow attack on a popular enterprise Windows and Unix mailserver
software. Malicious code such as this can be difficult for researchers to interpret in their explorations. Automated static
analysis tools can help in such scenarios.
20
Malware Analysis

Research cites feature selection for malware analysis is difficult



We utilize a hybrid-GA approach by pairing a genetic algorithm with a classifier to
select features based on their helpfulness to accurately classify samples
Features based semantic contents of sample files
Samples are run through a series of classification experiments


Compared SVM and C4.5 decision tree algorithms for classification using a series of experiment
configurations; accuracy averaged 86%
Experiment could be extended to include true honeypot shellcode samples, more robust GA or
feature selection technique
21
Botnets

Malware captured by honeypots can sometimes reveal botnets

Outbound network traffic generated by malware may be connecting to a botnet
command and control (C&C) channel

These channels are used by cybercriminal “botmasters” to give
commands to collections of malware-infected computers that covertly
join the IRC channel and wait for instruction.
22
Botnets

C&C identification techniques have generally utilized
honeypots




Honeypots are systems that are configured to simulate computer
systems with software vulnerabilities
Can allow wild malware to intentionally exploit honeypot
vulnerabilities; malware behaviors can be captured and studied in a
sandboxed environment (Rajab et al, 2006; Lu et al, 2009).
All code execution, system changes, and network traffic are tracked
and logged within a honeypot (Mielke & Chen, 2008; Zhu et al, 2008).
By observing outbound network traffic generated by malware,
researchers may potentially reveal botnet C&C channels and other
hacker-related web addresses.
23
Botnets

There are two common techniques used to collect IRC chat data, but both
involve logging of real-time chat.



Several strategies can be taken to effectively use bots and ensure
comprehensive data collection (Fallmann et al, 2010):



Logging IRC chat in real-time manually or using automated bots. (Fallman et al, 2010)
Scraping IRC packet contents generated by a honeypot’s local network traffic (Lu et
al, 2009)
Swap strategy – Some IRC channels will automatically disconnect users who appear idle. Thus, it
can be useful to occasionally rotate bots into different IRC channels for logging, avoiding some
problems with idling
Use of multiple bots in the same channel can be used to help ensure comprehensive collection in
case some bots get disconnected
Packet scraping requires the use of network traffic analyzer software

Wireshark can be used for this purpose
24
Botnets

Different forms of analysis should be used depending on research goals
and data. For example, the goals and methods used for analysis would be
different in:


Botnet research with data from command & control channels
Research on IRC channels affiliated with hacker forums or acting as social hubs

The simplest method of analysis, much like hacker forums, is to manually
sift through data (Franklin et al, 2007; Fallmann et al. 2010; Motoyama et al.
2011)

Automated content and network analyses could be extended to IRC
datasets as well when studying hacker IRC channels


Can reveal emerging threats, popular tools and methods
May help with attack attribution
25
Botnets

For botnet C&C channels, there common themes for analysis

Characterizing botmaster activity



Paxton et al, 2011 investigate the different operational styles used by
botmasters by computing some usage statistics per botnet master
Mielke & Chen, 2008 use clustering to identify potential collaboration
between botmasters based on their participation across different known
C&C channels
Identifying botnets based on network traffic


Much research is spent analyzing honeypot captures and network logs to
develop new techniques to combat evolving botnets (Lu et al, 2009; Choi &
Lee, 2012)
Botnets are becoming increasingly more sophisticated in evading detection
26
Botnets

Published in IEEE Intelligence and Security Informatics, 2008 (Mielke & Chen, 2008)

A botnet monitoring group, the ShadowServer Foundation, provided the AI Lab with
logs from multiple botnet IRC command & control channels.

Text mining techniques were used to differentiate bot masters from connected zombie
computers

Bot master names were tracked across all channels

Several names appeared frequently across the data set

By clustering bot masters according to their channel
participation, potential collaboration between bot masters
can be identified

The roles of individuals within each group,
and the overall operational style of each group
can be identified by further analyzing C&C logs

Additionally, logs could be used to identify C&C activity patterns; this could help
automatically identify future C&C channels
27
Digital Forensics

As increasingly complex malware and cyber attacks are deployed
by individuals and groups, advancements in digital forensics
becomes necessary to investigate computer crime

Digital forensics entails identification of security failures within a
system, and also the prevention of future incidents (Hay et al,
2011, Sridhar et al, 2012)



Conducting “postmortem” analysis on cybercrime
Can reveal information concerning cyber attackers
Usually paired with other malware and botnet analysis techniques
28
Digital Forensics

Often requires examining file systems, RAM\volatile memory, and
network traffic for for traces of data pertaining to cyber attack


Recovered data often used in persecution of cybercriminals or to identify advanced
persistent threats
Research opportunity: there exist only a few standards and
benchmarks for existing digital forensics investigations (Yates &
Chi, 2011)




Increase of computing platforms has lead to lack of standard practices, no
established “science” for forensics on newer operating systems and cyber
infrastructure
Growing importance in cloud, mobile, and SCADA systems
Emerging challenges due to growing usage of complex encryption and data
obfuscation techniques
Much research focuses on new practices and standards
29
Digital Forensics

For hands-on experience, SANS Institute offers a version of Linux preloaded with digital forensics tools (http://computerforensics.sans.org/community/downloads)

Other tools:
Name
Platform
URL
Blacklight
Windows/Mac
https://www.blackbagtech.com/
EnCase
Windows
https://www.encase.com/
DumpZilla
Windows/Linux Mozilla Browsers
(e.g. Firefox)
http://www.dumpzilla.org/
The Sleuth Kit
Linux/Windows
http://www.sleuthkit.org/
30
Hacker Forum Research
Hackhound.org
Hacking tool
interface
Description of code
functionality
Hacker’s
Reputation
Score
Embedded
sample of code
Attached Hacking
Tool
Unpack.cn
Left: A cybercriminal on hackhound.org publishes the latest version of his hacking tool meant to help others steal
cached passwords on victims’ computers Right: A hacker of the Chinese community Unpack.cn posts sample code
demonstrating how to reverse engineer software written in the Microsoft .NET framework
31
Hacker Forum Research

Hacker forums can be useful to researchers for various reasons:





Asses emerging threats and their prevalence in hacker social media
Observing black market activity
Tracking the cybercriminal supply chain and how assets move throughout the global
hacker community
Allow researchers to study hackers across different geopolitical regions
Unfortunately, hacker forum data is hard to obtain as many hacker
communities employ anti-crawling features (Fallman et al, 2010; Goel,
2011)



No hacker forum datasets available to researchers
Anti-crawling measures, such as bandwidth monitoring or detection of bot-like behaviors,
prevent many researchers from using automated techniques to build a dataset
Thus, most current studies utilize manual data collection (Holt, 2010; Yip 2011).
32
Hacker Forum Research

To employ automated collection, anti-crawling measures must be
circumvented



Reduce bot-like behaviors during collection
Practice identify obfuscation
We may also want to mask our true identity

Reducing crawling rate is useful for circumventing anti-crawling
measures that monitor bandwidth usage or page views

To mask our identity, we can utilize proxy servers or peer-to-peer
networks to route traffic through



Lets us even regain access to forums than ban us via IP bans
Stand-alone web proxies can be used for traffic routing and identity obfuscation
Peer-to-peer networks, such as the Tor Network, offer similar services as standalone web proxies with added capabilities
33
Hacker Forum Research
Traditional proxy server configuration
34
Hacker Forum Research
35
Hacker Forum Research
36
Hacker Forum Research
37
Hacker Forum Research
Various screenshots of the
graphical Tor controller Vidalia.
Left: A map allows users to
view the locations of all
published Tor relay nodes
Middle: A real-time log of Tor
network events allows users to
monitor Tor activity. The Tor
client automatically handles
many Tor networking functions
Right: A basic interface that
allows Tor users to quickly
assume a new identity by
routing traffic through a new
circuit. Applications such as
web browsers and crawlers
can utilize the Tor network by
routing their network traffic to
the local Tor client.
38
Hacker Forum Research
Proxy Servers
Tor Network
The Tor network client (~9MB)
Requirements
None
Protocol
Typically HTTP or SOCKS
SOCKS only
Usage
Send local network traffic to proxy server for re-routing to
destination server
Tunnel local network traffic to local Tor client;
Tor client automatically handles peer-to-peer
networking and routing traffic to the destination
server
Assuming a new
identity?
A new proxy server must be used in replacement of current
the current proxy
Tor client can automatically select new relay
nodes when a new identity is needed
Finding new
servers?
Lists of public proxy servers exist across various websites
that can be identified through keyword searches (e.g.
“public proxies”)
The Tor client will automatically find new relays
for the user. Selection parameters can be used
to only use or exclude relays from specific
countries
What does hacker
community server
see?
Proxy server IP address
IP address of the last Tor relay used to route
your message to the destination server
39
Hacker Forum Research

After hacker forum contents are collected, they can be analyzed using
traditional social media techniques



Can make use of commonly used text mining tools
Content analysis would be useful for understanding the discuss and information
inside hacker social media
Topological analyses often aim to observe hacker forum structure and the
relationships between forum participants (Motoyama et al, 2011, Holt et al, 2012)
40
Hacker Forum Research
Description of
attached hacking
tutorial
Password to open
attached file
Password-protected file
containing tutorial
documents
Hacker forum
reputation system
Iranian hacker forum participant ‘elvator’ is sharing a tutorial on shellcode, which refers to cyberattack payloads that grant
hackers unauthorized access over compromised machines. This hacker has gained a total of 20,305 reputation points from his
peers over 1,641 messages posted, which is above average for Ashyane.org.
41
Hacker Forum Research
Hacker forum
reputation score
Screenshot of
vulnerability scanning
tool
Tool download link
Participant explicitly asks
others to give him
reputation points
A forum participant of the Russian hacker forum Xekapok.net shares a vulnerability scanning tool with others. This participant’s
message is relatively “media rich” compared to other forum posts due to the usage of images, font styling, and attachments.
Additionally, they possess high reputation and thus appear to be well-established in the Xekapok.net community.
42
Hacker Forum Research

Preliminary hacker reputation study presented at IEEE Intelligence and
Security Informatics, 2012 (Benjamin & Chen, 2012)
 Collected two hacker communities from the United States and China to
examine the mechanisms in which key actors arise within forums



Both communities featured reputation systems
How did hackers earn high levels of reputation among their peers?
Found that hackers who participated frequently and contributed the
most towards the cognitive advance of their community had the highest
reputation
43
Hacker Forum Research

Main challenges in hacker forum research are:




Identifying data sources
Collecting complete datasets
If not a security expert, some subject matter may be difficult to interpret
After collection of data, hacker forum research can utilize the
same text mining techniques as traditional social media research




Topic modeling
Forum participant analysis
Social network analysis
Etc.
44
IRC Channel Research

Internet Relay Chat (IRC) is a protocol for real-time, multi-user text chat

IRC channels are used by hackers to communicate in real-time through
text chat (Mielke & Chen, 2008, Motoyama et al, 2011)




IRC is comprised of three major components:




Sometimes affiliated directly with hacker forums
Other times are independent communities only accessible through IRC
Contents can be analyzed through traditional text mining techniques
IRC Networks (i.e. servers)
Chat channels existing within IRC networks
IRC Clients, or users
Understanding these three components is important for developing
data collection methods
45
IRC Channel Research

IRC Networks






Usually defined by an address such as irc.domain.com
An IRC network is generally comprised of one server, or a
network of servers directly connected to one another
Servers share information with one another such as user
information, existing channels, chat information, etc.
New servers can be added to an existing network to scale-up
network capacity
Different IRC networks are completely independent of one
another
Every IRC channel exists within an IRC network
46
IRC Channel Research

Public vs Private networks




Network accessibility has many implications for data collection
If hackers decide to host their channel on a public network, it is theoretically
possible to collect data from that channel by volunteering a server to support
the network; many public networks are entirely volunteer-run
One limitation to volunteering a server to a public IRC network is that public
IRC networks often require very significant bandwidth capacity (hundreds of
GBs of transfer per month)
Conversely, if a hacker-related IRC channel is hosted within a
private network, it is unlikely that we will be able to volunteer
a server to the network. Client-bots can be used to collect
data from such channels
47
IRC Channel Research

IRC Channels



IRC Channels are usually times separated by topic
Channel naming convention is #ChannelName
Each channel exists within a single IRC network




Two channels with the same name but different networks are two
different channels
Two channels within the same network cannot share the same name
A list of all users connected to a particular channel is provided to
each channel participant
User-chat is broadcasted to everyone within a channel
48
IRC Channel Research
An example of a hacker IRC channel. A list of users, their messages, and timestamps
for each message can be seen. The participants are discussing sqlmap, a tool for
automated SQL injection and database hijacking, as well as programming concepts.
The top header also includes links to other IRC channels affiliated with this one.
49
IRC Technical Information

IRC Users



Connect to IRC servers, can join multiple channels simultaneously
Can broadcast messages to all other users within channels
Can initiate private messages with other users that are hidden
from all other chat participants


Such private messages cannot be collected with the client-bot
method of collection
They can be collected when hosting a server, though many public
IRC networks have privacy rules that prohibit server operators from
such behavior
50
IRC Channel Research

Data must be captured in real-time as chat data is not archived



Can use automated bots to monitor and log IRC channels



Unlike forums, IRC is not a medium that supports natural archiving of data
If a message is not received by your client at the moment the message was
transmitted, that message is unrecoverable
Perl Object Environment Bot - http://poe.perl.org/?POE_Cookbook/IRC_Bots
Supybot - http://irc-wiki.org/Supybot
Bots can support features such as:
 Auto-rejoining channels if connection is lost
 Automated usage of proxy servers and peer-to-peer networks (e.g. Tor)
 Monitoring multiple channels simultaneously
51
Conclusion

Many branches of cybersecurity research exist



Hacker forum and IRC channels are relatively unexplored compared to other forums
of social media



What insights can be gained from studying such communities?
What similarities and differences exist in hacker communities from different geopolitical regions?
Honeypots also provide ample opportunities for research



Ranging from social media analytics to more technical works
Interdisciplinary problem
Provide data for attack pattern and malware classification studies
Honeypot captures can be cross-referenced with hacker social media: can any insights be gained
by combining data sources?
Cybersecurity is a challenge of growing importance
52
References












Abu Rajab, M., Zarfoss, J., Monrose, F., & Terzis, A. (2006). A multifaceted approach to understanding the botnet
phenomenon. Proceedings of the 6th ACM SIGCOMM on Internet measurement - IMC ’06, 41.
Akhoondi, M., Yu, C., & Madhyastha, H. V. (2012). LASTor: A Low-Latency AS-Aware Tor Client. 2012 IEEE Symposium on
Security and Privacy, 476–490.
Benjamin, V., & Chen, H. (2012). Securing Cyberspace : Identifying Key Actors in Hacker Communities. IEEE Intelligence
and
Security Informatics.
Binde, B. E., Mcree, R., & Connor, T. J. O. (2011). Assessing Outbound Traffic to Uncover Advanced Persistent Threat.
SANS
Technology Institute.
Cova, M., Kruegel, C., & Vigna, G. (2010). Detection and analysis of drive-by-download attacks and malicious JavaScript
code.
Proceedings of the 19th international conference on World wide web - WWW ’10, 281.
Crandall, J. R., Forrest, S., & Ladau, J. (2011). The Ecology of Malware. Proceedings of the 1st ACM workshop on Security
and
privacy in smartphones and mobile devices, 99–106.
Dholakia, Uptal M.; Bagozzi, Richard P.; Pearo, Lisa Klein. A Social Influence Model of Consumer
Participation in Networkand Small-group-based Virtual Communties. International Journal of
Research
in Marketing. 2004.
Dolfsma, Wilfred; Soete, Loe. Understanding the Dynamics of a Knowledge
Economy. Edward
Elgar
Publishing. 2006.
Emerson, R. M. (1976). Social Exchange Theory. nnual Review of Sociology, 2, 335–362.
Fallmann, H., Wondracek, G., & Platzer, C. (2010). Covertly Probing Underground Economy Marketplaces. Proceedings of
the
7th international conference on Detection of intrusions and malware, and vulnerability
assessment (DIMVA), 101– 110.
Franklin, J., Paxson, V., Perrig, A., & Savage, S. (2007). An Inquiry into the Nature and Causes of the Wealth of Internet
Miscreants. Proceedings of the 14th ACM conference on Computer and communications security, 375–388.
Fu, X., Ling, Z., Yu, W., & Luo, J. (2010). Cyber Crime Scene Investigations (C2SI) through Cloud Computing. 2010 IEEE
30th
International Conference on Distributed Computing Systems Workshops, 26–31.
53
References














Fuller, R. M., & Valacich, J. S. (2008). T HEORY AND R EVIEW M EDIA , T ASKS , AND C OMMUNICATION P ROCESSES :
MIS
Quarterly, 32(3), 575–600.
Geer, D. (2005). Malicious Bots Threaten Network Security. IEEE Computer Society, 38(1), 18–20.
Goel, S. (2011). Cyberwarfare Connecting the Dots in Cyber Intelligence. Communications of the ACM, 54(8), 132.
Hall, Angela T; Blass, Fred R; Ferris, Geral R; Massengale, Randy. Leader
Reputation and Accountability in
Organizations: Implications for Dysfunctional Leader Behavior. The Leadership Quarterly. Volume 15. Issue
4. August, 2004.
Holt, T. J. (2010). Exploring Strategies for Qualitative Criminological and Criminal Justice Inquiry Using OnLine Data.
Journal of
Criminal Justice Education, 21(4), 466–487.
Holt, T. J., & Kilger, M. (2012). Know Your Enemy : The Social Dynamics of Hacking. The Honeynet Project, 1–17.
Holt, T. J., & Lampke, E. (2010). Exploring stolen data markets online: products and market forces. Criminal Justice
Studies: A
Critical Journal of Crime, Law, and Society, 23(1), 33–50.
Holt, T. J., Strumsky, D., Smirnova, O., & Kilger, M. (2012). Examining the Social Networks of Malware Writers and
Hackers.
International Journal of Cyber Criminology, 6(1), 891–903.
Hopper, L., Hopper, R., & Womble, P. (2009). Identifying network attacks from a social perspective. 2009 IEEE Conference
on
Technologies for Homeland Security, 511–515.
Hutchins, Eric M, Michael Cloppert, R. A. (2011). Intelligence-Driven Computer Network Defense Informed by Analysis of
Adversary Campaigns and Intrusion Kill Chains. Lockheed Martin Corporation, (July 2005).
II, C. J. M., & Chen, H. (2008). Botnets, and the CyberCriminal Underground. IEEE International Conference on Intelligence
and
Security Informatics 2008, 206–211.
Imperva. (2012). Imperva Hacker Intelligence Intitiative. Monthly Trend Report #13. doi:10.1002/ana.23759
Lampe, Klaus Von; Johansen, Per Ole. Organized Crime and Trust: On the Conceptualization and Empirical Relevance
of Trust in the Context of Criminal Networks. Global Crime. Volume 6. Issue 2. 2004.
Jang, D., Kim, M., Jung, H., & Noh, B. (2009). Analysis of HTTP2P Botnet : Case Study Waledac. IEEE 9th Malaysia
International Conference on Communications, 15–17.
54
References












Kshetri, N. (2006). The Simple Economics of Cybercrimes. IEEE Security & Privacy, Jan-Feb, 33–39.
Leavitt, N. (2009). Anonymization Technology Takes a High Profile. IEEE Computer Society, (November), 15–18.
Ling, Z., Luo, J., Yu, W., & Fu, X. (2011). Equal-Sized Cells Mean Equal-Sized Packets in Tor? 2011 IEEE International
Conference on Communications (ICC), 1–6. Lu, W., & Ghorbani, A. a. (2008). Botnets Detection Based on
IRC-Community. IEEE GLOBECOM 2008 - 2008 IEEE Global
Telecommunications Conference, (1),
1–5.
Lu, W., Tavallaee, M., & Ghorbani, A.
a. (2009). Automatic discovery of botnet communities on largescale communication
networks. Proceedings of the
4th International Symposium on
Information, Computer, and Communications Security - ASIACCS ’09, 1.
McCusker, R. (2006) Transnational organised cyber crime: distinguishing threat from reality. Crime, Law and Social
Change.
46 (4-5), 257-273.
Motoyama, M., McCoy, D., Levchenko, K., Savage, S., & Voelker, G. M. (2011). An analysis of underground forums.
Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference - IMC ’11, 71.
Moore, T., & Clayton, R. (2009). Evil Searching : Compromise and Recompromise of Internet Hosts for Phishing.
Financial
Cryptography and Data Security, 256–272.
Muller, Paul. Reputation, Trust and the Dynamics of Leadership in Communities of Practice. Journal of Management
and
Governance. Volume 10. Number 4. November, 2006.
Radianti, J. (2010). A Study of a Social Behavior inside the Online Black Markets. 2010 Fourth International
Conference on
Emerging
Security Information, Systems and Technologies, 88–92.
Radianti, J., Rich, E., & Gonzalez, J. J. (2007). Using a Mixed Data Collection Strategy to Uncover Vulnerability Black
Markets.
Workshop for Information Security and Privacy.
Radianti, J., Rich, E., & Gonzalez, J. J. (2009). Vulnerability Black Markets : Empirical Evidence and Scenario
Simulation. 42nd
Hawaii International Conference on, 1–10.
Rieck, K., Trinius, P., Willems, C., & Holz, T. (2011). Automatic Analysis of Malware Behavior using Machine
Learning. Journal
of Computer Security, 1–30.
55
References









Spencer, J. F. (2008). Using XML to map relationships in hacker forums. Proceedings of the 46th Annual Southeast
Regional
Conference on XX - ACM-SE 46, 487.
Tschorsch, F., & Scheuermann, B. (2011). Tor is unfair — And what to do about it. 2011 IEEE 36th Conference on
Local
Computer
Networks, 432–440.
Turrini, Elliot. (2010) Cybercrimes: A Multidisciplinary Analysis. Springer Publishing.
Yadav, S., Reddy, A. K. K., & Reddy, A. L. N. (2010). Detecting Algorithmically Generated Malicious Domain Names
Categories and Subject Descriptors. Proceedings of the 10th ACM SIGCOMM conference on Internet
measurement.
Yip, M. (2011). An Investigation into Chinese Cybercrime and the Applicability of Social Network Analysis. ACM Web
Science
Conference.
Yip, M., Shadbolt, N., & Webber, C. (2013). Why Forums ? An Empirical Analysis into the Facilitating Factors of
Carding Forums. ACM
Web Science, May.
Zhang, L., Yu, S., Wu, D., & Watters, P. (2011). A Survey on Latest Botnet Attack and Defense. 2011IEEE 10th
International Conference on Trust, Security and Privacy in Computing and Communications, 53–60.
Zhu, Z., Lu, G., Chen, Y., Fu, Z. J., Roberts, P., & Han, K. (2008). Botnet Research Survey. 2008 32nd Annual IEEE
International Computer Software and Applications Conference, 967–972.
Zhuge, J., Holz, T., Song, C., Guo, J., & Han, X. (2008). Studying Malicious Websites and the Underground Economy
on the
Chinese
Web. Workshop on the Economics of Information Security, 225–244.
56

similar documents