When it comes to hackers, a University of Arizona (UA) research team adheres to the often quoted tenet of Sun Tzu: “It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles…”.
The UA research team headed by Professor Hsinchun Chen, Regents’ Professor of MIS and Director of the university’s Artificial Intelligence Laboratory, with support from the National Science Foundation’s (NSF) Secure and Trustworthy Cyberspace program, is studying what motivates hackers and cyberattackers to predict how they might act.
Know thy opponents
Image courtesy of UA
This project is not Chen’s first foray into defeating bad guys via information analysis. Back in 1997, he developed COPLINK, software that facilitates the sharing, analysis, and visualization of law enforcement data. It is currently used by thousands of law enforcement agencies across the US. In 2011, IBM purchased Knowledge Computing Corporation, the company Chen founded to commercialize COPLINK, for $500 million.
In 2007, Chen and his associates at UA’s Artificial Intelligence Laboratory worked on a project called Dark Web Terrorism Research. The team developed software tools that automatically collect and analyze terrorist content from the internet. ZDNet contributor Phil Windley writes, “The Dark Web research uses spidering to gather data from the Web and then applies techniques like social network analysis and authorship analysis (Writeprint) to identify groups and even link articles written by the same anonymous author.”
Not resting on their laurels
In an October 2015 NSF post, Robert J. Margetta writes, “Chen and his collaborators have generated findings that shed light on how hacker communities interact and share information — and even created actionable intelligence for criminal investigations by federal agencies.”
To Chen, it’s not enough. “The most important part isn’t looking back and saying what have they done?” Chen tells Margetta. “It’s looking forward and saying ‘What are the emerging threats?’ We’re trying to understand the intent of the people planning attacks. Instead of looking at the bullets, we’re looking at the shooters.”
Chen tells Margetta tapping into hacker behavior has proved more of a challenge than previous projects, including when they gathered information about terrorists, “This community is even more tightly knit.”
The important 5%
Chen and his associates at UA’s Artificial Intelligence Laboratory have the skill and computing power to analyze the millions of tidbits they collect from hacker forums, IRC chat rooms, and messaging texts. In this NSF award abstract, Chen and his associates describe what they intend to do with all the data:
“The proposed integrated computational framework, the resulting algorithms, and software will allow social science researchers and security practitioners to examine how cyber attack groups form, develop, and spread their ideas; identify important and influential cyber criminals in the online world; and develop the means to recognize online hacker identities through their communication and interaction styles.”
As to the team’s computational framework, Margetta mentions, “Through automated text mining that can search for everything from relevant terms and topics to ‘sentiment analysis,’ Chen and his collaborators are able to distill that chatter down to a much smaller body of communications (5 percent of the data collected) that deal with top-tier, likely threats.”
There is honor among thieves
One finding of interest already gleaned by the researchers is that hackers develop social structures. Chen tells Margetta, “Honor among thieves applies to hackers, and as a community they punish any transgressions. Communities begin to distrust hackers that lose money, steal from partners-in-crime, or make mistakes that harm their associates.”
Not unlike businesses above ground, Chen and his team have determined that hackers:
- work in groups and collaborate on projects;
- seek counsel (business and technical) from trusted associates;
- methodize sharing data and selling stolen goods; and
- analyze each others’ work and post reviews.
A different approach to cybersecurity research
Chen admits there are other data analysis projects underway, but not like the one at UA. “It takes a very different approach from previous cybersecurity research,” explains Chen. “You want to understand the intent, the modus operandi of operators. Instead of just finding out about one operation at a time, you’re looking at an entire source of information about ongoing activities.”
To get to that point, Chen and the UA researchers continue to create tools that will allow faster, more accurate analysis of gleaned data, and ultimately better predictions about future threats. “I’m not interested in the hackers themselves,” Chen informs Margetta. “I’m interested in developing the best science that will help advance cyber security big data research.”
Margetta also seems to understand how hackers think, writing, “It’s a process with no end point and one that will require researchers to adapt to new hacker communications methods, shifting intentions in the malicious hacker community, and an ever-expanding pool of data.”
Hackers always have and always will change things up.