Papers by Victor Benjamin
Detecting Cyber-Adversarial Videos in Traditional Social media
Cyber-threat intelligence (CTI) has matured and grown into its own industry within recent years. ... more Cyber-threat intelligence (CTI) has matured and grown into its own industry within recent years. Many CTI efforts involve scrutinizing text-based conversations in DarkNet forums and markets. However, hackers commonly share knowledge and other information through video formats that have been largely ignored. Further, cybercriminals are increasingly making use of mainstream social media to transmit hacking knowledge and assets, but this has gone unexplored in literature. In this research-in-progress, a video classifier to detect cybercriminal content in mainstream social media is designed and implemented. A collection of hacking and non-hacking videos was retrieved from a popular social media website to serve as a testbed. Feature sets included video metadata as well as features engineered from the videos themselves, including object detection and aesthetic qualities. This study demonstrates a methodological proof-of-concept that can enable future research that further investigates cyber-adversarial video contents, which have remained largely unexplored to this day. This study also contributes to literature regarding cyber-adversarial contents in mainstream social media.
Exploring Differences Among Darknet and Surface Internet Hacking Communities
Cyber-threat intelligence (CTI) has matured into its own industry within recent years. CTI effort... more Cyber-threat intelligence (CTI) has matured into its own industry within recent years. CTI efforts frequently involve scrutinizing data within Darknet communities to understand emerging threats. Many hackers within the Darknet share knowledge and other information through a variety of formats, including video. At the same time, many hackers are also making use of the “surface” Internet and traditional video-sharing platforms to disseminate hacking knowledge. Gleaning intelligence from the Darknet can be a very laborious and costly task, raising the question of how meaningful and valuable are the hacker patterns that can be observed on the surface Internet. Extant research contains no studies that compare and contrast hacking videos uploaded to the Darknet versus those uploaded to traditional Internet communities. In this research-in-progress, a testbed of hacking videos is constructed by sourcing videos from a popular video-sharing website, as well as several Darknet forums. The testbed is scrutinized to understand differences in how the populations of users watching such videos respond to them, and whether there are any unique engagement patterns that emerge within the Darknet and surface Internet populations. The results of this work serve to justify further investigations into the hacker knowledge gap between the Darknet and the traditional Internet.
Cybercrime Through an Interdisciplinary Lens
Augmenting Social Bot Detection with Crowd-Generated Labels
Information Systems Research, Jun 1, 2023
Social media platforms are facing increasing numbers of cyber-adversaries seeking to manipulate o... more Social media platforms are facing increasing numbers of cyber-adversaries seeking to manipulate online discourse by using social bots to help automate and scale their attacks. Likewise, some social media users have developed capabilities to identify social bot activity at varying degrees of confidence. We exploit this user intelligence to augment traditional bot detection systems. Furthermore, not all crowd-generated labels are of equal value or credibility. Some individuals are quite adept at identifying social bot activity, whereas others may become merely suspicious but remain uncertain. We design a system inspired by speech act theory to evaluate which crowd-generated labels are most credible for augmenting bot detection system efficacy.
Exploring Differences Among Darknet and Surface Internet Hacking Communities
2021 IEEE International Conference on Intelligence and Security Informatics (ISI), 2021
Cyber-threat intelligence (CTI) has matured into its own industry within recent years. CTI effort... more Cyber-threat intelligence (CTI) has matured into its own industry within recent years. CTI efforts frequently involve scrutinizing data within Darknet communities to understand emerging threats. Many hackers within the Darknet share knowledge and other information through a variety of formats, including video. At the same time, many hackers are also making use of the “surface” Internet and traditional video-sharing platforms to disseminate hacking knowledge. Gleaning intelligence from the Darknet can be a very laborious and costly task, raising the question of how meaningful and valuable are the hacker patterns that can be observed on the surface Internet. Extant research contains no studies that compare and contrast hacking videos uploaded to the Darknet versus those uploaded to traditional Internet communities. In this research-in-progress, a testbed of hacking videos is constructed by sourcing videos from a popular video-sharing website, as well as several Darknet forums. The testbed is scrutinized to understand differences in how the populations of users watching such videos respond to them, and whether there are any unique engagement patterns that emerge within the Darknet and surface Internet populations. The results of this work serve to justify further investigations into the hacker knowledge gap between the Darknet and the traditional Internet.
Conducting large-scale analyses of underground hacker communities
Digital Threats: Research and Practice, 2021
To increase situational awareness, major cybersecurity platforms offer Cyber Threat Intelligence ... more To increase situational awareness, major cybersecurity platforms offer Cyber Threat Intelligence (CTI) about emerging cyber threats, key threat actors, and their modus operandi. However, this intelligence is often reactive, as it analyzes event log files after attacks have already occurred, lacking more active scrutiny of potential threats brewing in cyberspace before an attack has occurred. One intelligence source receiving significant attention is the Dark Web, where significant quantities of malicious hacking tools and other cyber assets are hosted. We present the AZSecure Hacker Assets Portal (HAP). The Dark Web-based HAP collects, analyzes, and reports on the major Dark Web data sources to offer unique perspective of hackers, their cybercriminal assets, and their intentions and motivations, ultimately contributing CTI insights to improve situational awareness. HAP currently supports 200+ users internationally from academic institutions such as UT San Antonio and National Taiwan...
Cybersecurity as an Industry: A Cyber Threat Intelligence Perspective
The Palgrave Handbook of International Cybercrime and Cyberdeviance, 2020
PeerJ Computer Science, 2021
The evolution of electronic media is a mixed blessing. Due to the easy access, low cost, and fast... more The evolution of electronic media is a mixed blessing. Due to the easy access, low cost, and faster reach of the information, people search out and devour news from online social networks. In contrast, the increasing acceptance of social media reporting leads to the spread of fake news. This is a minacious problem that causes disputes and endangers the societal stability and harmony. Fake news spread has gained attention from researchers due to its vicious nature. proliferation of misinformation in all media, from the internet to cable news, paid advertising and local news outlets, has made it essential for people to identify the misinformation and sort through the facts. Researchers are trying to analyze the credibility of information and curtail false information on such platforms. Credibility is the believability of the piece of information at hand. Analyzing the credibility of fake news is challenging due to the intent of its creation and the polychromatic nature of the news. In...
Impact of Mobile Channel Adoption in Goal-directed Platforms
SSRN Electronic Journal, 2019
With the ubiquity of mobile devices and an increasing trend in extending real-world activities in... more With the ubiquity of mobile devices and an increasing trend in extending real-world activities into the virtual, goal-directed platforms have experienced rising popularity as they provide individuals with enhanced capabilities for goal pursuit. Prior literature has demonstrated the important role of the diversity in goal pursuit approaches to individuals’ goal pursuit activities. However, a few studies have investigated the technology-mediated goal pursuits especially how mobile channel, as an additional means of web-based goal pursuit means, will affect users’ goal pursuit. In this research, we start with the theoretical perspective of affordance and goal pursuit theory, and then perform a series of empirical analyses to examine the impacts of multi-channel adoption on goal pursuit activity and persistence. Our results indicate that mobile adoption improves overall goal pursuit effort by 140.1%. A positive impact on goal pursuit persistence is also observed. Users spend 0.656 days learning content after they adopted mobile channel. Most notably, users with varying levels of goal specificity and goal pursuit competency benefit differently from the adoption of the mobile channel. Particularly, users with high-level goal specificity are observed to spent 0.234 more days and 56.5% more effort in their goal pursuit compared to uses with a less specific goal. Robustness checks and replication of data analyses further validate our findings under various scenarios.
MIS Quarterly, 2019
Society's growing dependence on computers and information technologies has been matched by an esc... more Society's growing dependence on computers and information technologies has been matched by an escalation of the frequency and sophistication of cyber attacks committed by criminals operating from the Darknet. As a result, security researchers have taken an interest in scrutinizing the Darknet and other underground web communities to develop a better understanding of cybercriminals and emerging threats. However, many scholars lack the capability or expertise to operationalize Darknet research and are thus unable to contribute to this increasingly impactful body of literature. This article introduces a framework for guiding such research, called Darknet Identification, Collection, Evaluation, with Ethics (DICE-E). The DICE-E framework provides a focused reference point and detailed guidelines for scholars wishing to become active in the Darknet research stream. Four steps to conducting Darknet forum research are outlined: (1) identification of Darknet data sources, (2) data collection strategies, (3) evaluation of Darknet data, and (4) ethical concerns related to Darknet research. To illustrate how DICE-E can be utilized, an example empirical study is reported. This exemplar illustrates how DICE-E can guide scholars through key decision points when attempting to incorporate the Darknet within their research.
Journal of Management Information Systems, 2016
He specializes in large social network analysis and statistical modeling of social network proble... more He specializes in large social network analysis and statistical modeling of social network problems. His work also focuses on social media, technology diffusion, and business analytics.
Identifying language groups within multilingual cybercriminal forums
2016 IEEE Conference on Intelligence and Security Informatics (ISI), 2016
Online cybercriminal communities exist in various geopolitical regions, including America, China,... more Online cybercriminal communities exist in various geopolitical regions, including America, China, Russia, and more. Some multilingual forums exist where cybercriminals of differing geopolitical origin interact and exchange hacking knowledge and cybercriminal assets. Researchers can study such forums to better understand the global cybercriminal supply chain and cybercrime trends. However, little work has focused on identifying members of different language groups and geopolitical origin within such forums. One challenge is the necessity of a technique that scales across multiple languages. We are motivated to explore computational techniques that support automated and scalable categorization of cybercriminal forum participants into varying language groups. In particular, we make use of Paragraph Vectors, a state-of-the-art neural network language model to generate fixed-length vector representations (i.e., document embeddings) of messages posted by forum participants. Results indicate Paragraph Vectors outperforms traditional n-gram frequency approaches for generating document embeddings that are useful for clustering cybercriminals into language groups.
Journal of the Association for Information Science and Technology, 2014
As the Internet becomes ubiquitous, it has advanced to more closely represent aspects of the real... more As the Internet becomes ubiquitous, it has advanced to more closely represent aspects of the real world. Due to this trend, researchers in various disciplines have become interested in studying relationships between real‐world phenomena and their virtual representations. One such area of emerging research seeks to study relationships between real‐world and virtual activism of social movement organization (SMOs). In particular, SMOs holding extreme social perspectives are often studied due to their tendency to have robust virtual presences to circumvent real‐world social barriers preventing information dissemination. However, many previous studies have been limited in scope because they utilize manual data‐collection and analysis methods. They also often have failed to consider the real‐world aspects of groups that partake in virtual activism. We utilize automated data‐collection and analysis methods to identify significant relationships between aspects of SMO virtual communities and...
2015 IEEE International Conference on Intelligence and Security Informatics (ISI), 2015
The need for more research scrutinizing online hacker communities is a common suggestion in recen... more The need for more research scrutinizing online hacker communities is a common suggestion in recent years. However, researchers and practitioners face many challenges when attempting to do so. In particular, they may encounter hacking-specific terms, concepts, tools, and other items that are unfamiliar and may be challenging to understand. For these reasons, we are motivated to develop an automated method for developing understanding of hacker language. We utilize the latest advancements in recurrent neural network language models (RNNLMs) to develop an unsupervised machine learning technique for learning hacker language. The selected RNNLM produces state-of-the-art word embeddings that are useful for understanding the relations between different hacker terms and concepts. We evaluate our work by testing the RNNLMs ability to learn relevant relations between known hacker terms. Results suggest that the latest work in RNNLMs can aid in modeling hacker language, providing promising direction for future research.
2015 IEEE International Conference on Intelligence and Security Informatics (ISI), 2015
Cybersecurity is a problem of growing relevance that impacts all facets of society. As a result, ... more Cybersecurity is a problem of growing relevance that impacts all facets of society. As a result, many researchers have become interested in studying cybercriminals and online hacker communities in order to develop more effective cyber defenses. In particular, analysis of hacker community contents may reveal existing and emerging threats that pose great risk to individuals, businesses, and government. Thus, we are interested in developing an automated methodology for identifying tangible and verifiable evidence of potential threats within hacker forums, IRC channels, and carding shops. To identify threats, we couple machine learning methodology with information retrieval techniques. Our approach allows us to distill potential threats from the entirety of collected hacker contents. We present several examples of identified threats found through our analysis techniques. Results suggest that hacker communities can be analyzed to aid in cyber threat detection, thus providing promising direction for future work.
2015 IEEE International Conference on Intelligence and Security Informatics (ISI), 2015
Emotion plays an important role in shaping public policy and business decisions. The growth of so... more Emotion plays an important role in shaping public policy and business decisions. The growth of social media has allowed people to express their emotion publicly in an unprecedented manner. Textual content and user linkages fostered by social media networks can be used to examine emotion types, intensity, and contagion. However, research into how emotion evolves and entrains in social media that influence security issues is scarce. In this research, we developed an approach to analyzing emotion expressed in political social media. We compared two methods of emotion analysis to identify influential users and to trace their contagion effects on public emotion, and report preliminary findings of analyzing the emotion of 105,304 users who posted 189,012 tweets on the U.S. immigration and border security issues in November 2014. The results provide strong implication for understanding social actions and for collecting social intelligence for security informatics. This research should contribute to helping decision makers and security personnel to use public emotion effectively to develop appropriate strategies.
2014 IEEE Joint Intelligence and Security Informatics Conference, 2014
As computing and communication technologies become ubiquitous throughout society, researchers and... more As computing and communication technologies become ubiquitous throughout society, researchers and practitioners have become motivated to advance current cybersecurity capabilities. In particular, research on the human element behind cybercrime would offer new knowledge on securing cyberspace against those with malicious intent. Past work documents the existence of many hacker communities with participants sharing various cybercriminal assets and knowledge. However, participants vary in expertise, with some possessing only passing curiosity while others are capable cybercriminals. Here we develop a time-to-event based approach for assessing the relationship between various participation behaviors and participation length among hacker Internet Relay Chat (IRC) community participants. Using both the Kaplan-Meier model and Cox's model, we are able to develop predictions on individuals' participation trajectory based on a series of message content and social network features. Results indicate that participation volume, discussion of pertinent topics, and social interconnectedness are all important at varying levels for identifying participants within hacker communities that have potential to become adept cybercriminals.
2013 IEEE International Conference on Intelligence and Security Informatics, 2013
Analyzing authorship of online texts is an important analysis task in security-related areas such... more Analyzing authorship of online texts is an important analysis task in security-related areas such as cybercrime investigation and counter-terrorism, and in any field of endeavor in which authorship may be uncertain or obfuscated. This paper presents an automated approach for authorship analysis using machine learning methods, a robust stylometric feature set, and a series of visualizations designed to facilitate analysis at the feature, author, and message levels. A testbed consisting of 506,554 forum messages, in English and Arabic, from 14,901 authors was first constructed. A prototype portal system was then developed to support feasibility analysis of the approach. A preliminary evaluation to assess the efficacy of the text visualizations was conducted. The evaluation showed that task performance with the visualization functions was more accurate and more efficient than task performance without the visualizations.
Security Informatics, 2014
Methods and tools to conduct authorship analysis of web contents is of growing interest to resear... more Methods and tools to conduct authorship analysis of web contents is of growing interest to researchers and practitioners in various security-focused disciplines, including cybersecurity, counter-terrorism, and other fields in which authorship of text may at times be uncertain or obfuscated. Here we demonstrate an automated approach for authorship analysis of web contents. Analysis is conducted through the use of machine learning methodologies, an expansive stylometric feature set, and a series of visualizations intended to help facilitate authorship analysis at the author, message, and feature levels. To operationalize this, we utilize a testbed containing 506,554 forum messages in English and Arabic, source from 14,901 authors that participated in an online web forum. A prototype portal system providing authorship comparisons and visualizations was then designed and constructed in order to support feasibility analysis and real world value of the automated authorship analysis approach. A preliminary user evaluation was performed to assess the efficacy of visualizations, with evaluation results demonstrating task performance accuracy and efficiency was improved through use of the portal.
Uploads
Papers by Victor Benjamin