One would be hard pressed to find an aspect of life where networks are not present. Interconnections are at the core of complex systems – such as society, or the world economy – allowing us to study and understand their dynamics. Some of the most transformative technologies are based on networks, be they hypertext documents making up the World Wide Web, interconnected networking devices forming the Internet, or the various neural network architectures used in deep learning. Social networks that are formed based on our interactions play a central role in our every day lives; they determine how ideas and knowledge spread and they affect behaviour. This is also true for cybercriminal networks present on underground forums, and social network analysis provides valuable insights to how these communities operate either on the dark web or the surface web.
For today’s post in the series `Three Paper Thursday’, I’ve selected three papers that highlight the valuable information we can learn from studying underground forums if we model them as networks. Network topology and large scale structure provide insights to information flow and interaction patterns. These properties along with discovering central nodes and the roles they play in a given community are useful not only for understanding the dynamics of these networks but for various purposes, such as devising disruption strategies.
[1] Zamani, Maryam & Rabbani, Fereshteh & Horicsányi, Attila & Zafeiris, Anna & Vicsek, Tamás. (2019). Differences in structure and dynamics of networks retrieved from dark and public web forums. Physica A: Statistical Mechanics and its Applications.
Underground communities differ from each other, which can also be seen through analysing properties of their social networks. In this work the authors compared various public (Reddit), semi-dark (8chan) and dark web (Dream Market and Pedo support community) forums and investigated their structural properties and dynamics as these networks evolve over time. They formed two types of interaction networks, where nodes correspond to users on the forums. In the first network edges were created between two users if they directly reply to each other’s posts. Where this information was not available, an edge was added between two nodes if they participate in the same thread. As a result of this work, the authors highlighted differences in interaction patterns and degree distributions between public forums and dark web forums.
[2] Mitch Macdonald & Richard Frank (2017) The network structure of malware development, deployment and distribution. Global Crime
The authors of this study identified community structures within the network constructed from threads posted by malware writers, hackers and market actors on the target forum. Using social network analysis techniques they analysed community structure to conclude whether the forum follows the structure of complex networks characterised by modular communities formed of weak ties. In particular, they performed community detection, and analysed network size, connectedness, cohesion and redundancy. They concluded that the networks exhibit a small world property suggesting high communication efficiency in hacker communities due to short path lengths, which also increases access to key players. These findings also point to key nodes playing the role of “bridges” within community networks. Finally, results of community structure show that nodes tend to form subgroups based on shared interests.
[3] M. Yip, N. Shadbolt and C. Webber, Structural analysis of online criminal social networks. 2012 IEEE International Conference on Intelligence and Security Informatics
The authors set out to investigate social interactions in the underground economy by analysing anonymised private messaging records extracted from the Carderplanet, Shadowcrew, Cardersmarket and Darkmarket carding forums. Similarly to the previous two papers, this work also constructed social networks that model interactions on these forums and examined network topology and structural properties. The aim of the authors was to provide information to devising effective disruption strategies. Results of analysing degree distributions show that members interact with others mostly in a non random manner, that is, they select interaction partners based on some specific preference, such as vendor reputation. The authors also conclude that the examined networks exhibit a similar attribute in that high degree nodes do not tend to be interconnected with each other, which is the opposite phenomenon one would observe in a collaboration network. This points to the fact that some underlying mechanisms opposing collaboration, such as competition between vendors, are present.