Predicting Cyber Events by Leveraging Hacker Sentiment

Recent high-profile cyber attacks exemplify why organizations need better cyber defenses. Cyber threats are hard to accurately predict because attackers usually try to mask their traces. However, they often discuss exploits and techniques on hacking forums. The community behavior of the hackers may provide insights into groups' collective malicious activity. We propose a novel approach to predict cyber events using sentiment analysis. We test our approach using cyber attack data from 2 major business organizations. We consider 3 types of events: malicious software installation, malicious destination visits, and malicious emails that surpassed the target organizations' defenses. We construct predictive signals by applying sentiment analysis on hacker forum posts to better understand hacker behavior. We analyze over 400K posts generated between January 2016 and January 2018 on over 100 hacking forums both on surface and Dark Web. We find that some forums have significantly more predictive power than others. Sentiment-based models that leverage specific forums can outperform state-of-the-art deep learning and time-series models on forecasting cyber attacks weeks ahead of the events.


I. INTRODUCTION
Recent high-profile cyber attacks-the massive denial of service attack using Mirai botnet, infections of computers word-wide with WannaCry and Petya ransomware, the Equifax data breach-highlight the need for organizations to develop cyber crime defenses. Cyber threats are hard to identify and predict because the hackers that conduct these attacks often obfuscate their activity and intentions. However, they may still use publicly accessible forums discuss vulnerabilities and share tradecraft about how to exploit them. The behavior of the hacker community, as expressed in such venues, may provide insights into group's malicious intent. It has been shown that computational models based on various behavior learning theories can help in cyber security situational awareness [1]. While cyber situation awareness [2], [3] is critical for defending networks, it is focused on detecting cyber events. In this paper, we describe a computational method that analyzes discussions on hacker forums to predict cyber attacks.
Opinion mining or sentiment analysis can be linked all the way back to Freud's 1901 paper on how slips of the tongue can reveal a person's hidden intentions [4]. While sentiment analysis was originally developed in the field of linguistics and psychology, it has recently been applied to a number of other fields with the first seminal work in the computational sciences being Pang 2002 [5]. Historically, the context it has been applied to are social networks, comments (such as on news sites) and reviews (either for products or movies). In this work, we apply sentiment analysis to posts on Dark Web forums with the purpose of forecasting cyber attacks. The Dark Web consists of websites that are not indexed nor searchable by standard search engine and can only be accessed using a special browser service.
We further explore the link between community behavior and malicious activity. The connection between security and human behavior has been studied in designing new technology [6], here we look to reverse engineer by mapping the malicious events to hacker behavior. Social media has been shown to be a source of useful data on human behavior and used to predict real world events [7], [8], [9]. Here, we inspect the ability of hacker forums to predict cyber events. We consider each individual forum, applying sentiment analysis to each post in the forum. After computing a daily average per forum and a 7 day running average sentiment signal per forum, we test these signals against ground truth data. We determine some forums have significantly more predictive power and these isolated forums can beat the evaluation models in 36% of the months under study using precision and recall of predictions within a 39-hour window of the event.

A. Hacker Forum Texts
We look at hacking forums from both the Surface Web and the Dark Web from 1 January 2016 to 31 January 2018. The Dark Web refers to sites accessible through The Onion Router private network platform [10]. The Surface Web refers to the World Wide Web accessible through standard browsers. In this paper, we focus only on English posts from 113 forums which were identified based on cyber security keywords consisting of 432,060 posts. The text from these forums were accessed using the methods proposed in [11], [12].

B. Ground truth data
We use ground truth data of cyber attacks from 2 major organizations in the Defense Industrial Base (DIB) industry. Henceforth, we will refer to them as Organization A and Organization B for anonymity. The ground truth comprises 3 event types: • endpoint-malware: a malicious software installation such as ransomware, spyware and adware is discovered on a company endpoint device.
arXiv:1804.05276v1 [cs.CL] 14 Apr 2018 • malicious-destination a visit by a user to a URL or IP address that is malicious in nature or a compromised website. • malicious-email receipt of an email that contains a malicious email attachment and/or a link to a known malicious destination.

III. SENTIMENT ANALYSIS
The first effective use of sentiment analysis in a predictive sense was by Pang et. al. [5] in assessing movie reviews. Since then, sentiment analysis has expanded to other fields. Sentiment analysis can be done with or without supervision (label training data). Supervised methods can be adapted to create trained models for specific purposes and contexts. The drawback is that labeled data may be highly costly and often researchers end up using AMT -Amazon Mechanical Turk. The alternative is to use lexical-based methods that do not rely on labeled data; however, it is hard to create a unique lexical-based dictionary to be used for all different contexts. Deep learning methods allow for additional functions like taking into account order of words in a sentence like the Stanford Recursive Deep Model. Methods can either be 2 way (positive or negative) or 3 way (positive, neutral, negative). Furthermore, dictionary based sentiment algorithms are either polarity-based where sentiment is based only of the frequency of positive or negative words whereas valencebased methods factor the intensity of the words into polarity. There are a number of issues with sentiment analysis which include: word pairs, word tuples, emoticons, slang, sarcasm, irony, questions, URLs, code, domain specific use of words (shoot an email, dead link), and inversions (small is good for portable electronics) which are difficult for computerized text analysis to handle.
Studies have found that a methods prediction performance varies considerably from one dataset to another. VADER works well for some tweets, but not for others, depending on the context. SentiStrength has good Macro F1 values, but has low coverage because it tends to classify a high number of instances as neutral.
The choice of a sentiment analysis is highly dependent on the data and application, therefore you need to take into account prediction performance and coverage. There is no single method that always achieves a consistent rank position for different datasets. Therefore, in this paper we test multiple methods for sentiment analysis. Most languages themselves are biased positive and if a lexicon is built on data, the positive bias that data can lead to a bias in the lexicon. This is why most methods are better at classifying positive than neutral or negative methods meaning that they are biased, neutral are the hardest to detect [13].

A. Vader
VADER: Valence Aware Dictionary for sEntiment Reasoning [14] is a rule-based sentiment model that has both a dictionary and associated intensity measures. It's dictionary has been tuned for microblog-like contexts and they incor-porate 5 generalizable rules that goes beyond pure dictionary lookups: 1) Increase intensity due to exclamation point 2) Increase intensity due to all caps in the presence of other non-all cap words 3) Increase intensity with degree modifiers i.e. extremely 4) Negate sentiment with contrastive conjunction i.e. but 5) Examine the preceding tri-gram to identify cases where negation flips the polarity of the text.
Therefore, VADER not only captures positive or negative, but also how positive and how negative beyond simple words counts. It is made further robust by the additional rules. It's "gold standard" lexicon was developed manually and with Amazon Mechanical Turk. Vader scores range from 0.0 to 1.0.

B. LIWC
Linguistic Inquiry and Word Count (LIWC) [15] was a pioneer in the computerized text analysis field with the first major iteration in 2007, we used the updated version LIWC 2015. It has two components: the processing component and the dictionaries. The heart of LIWC are the dictionaries that contain the lookup words in psychometric categories which is able to resolve content words from style words. LIWC counts the inputted words in psychologically meaningful categories which produces close to 100 dimensions for any given text being analyzed. For the purposes of this research, we are only focused on Tone which bests maps to sentiment as we have defined it. The Tone scores range from 0 to 100. LIWC also ignores context, irony, sarcasm, and idioms.

C. SentiStrength
SentiStrength [16] is another lexicon-based sentiment classifier which leverages dictionaries and non-lexical linguistics information to detect sentiment. SentiStrength focuses on the strength of the sentiment and uses weights for the words in its dictionaries. Additionally, positive sentiment strength and negative sentiment strength is scored separately. Each is scored from 1 to 5, with 5 being the greatest strength. For our purposes, we seek overall sentiment so we subtract the negative sentiment from the positive sentiment so that strongly positive (5,1) becomes 4, neutral (1,1) becomes 0 and strongly negative (1,5) becomes -4. Therefore, Sen-tiStrength scorese range from -4 to 4. SentiStrength is designed to do better with social media; however, it can't exploit indirect indicators of sentiment. It is also weaker for positive sentiment in news-related discussions.

IV. METHODOLOGY
In this section we document the methodology used and process workflow from the data processing to signal generation through warning generation and signal testing. Three cases studies are used to illustrate the process via example and Figure X provides a visual reference.

A. Processing the Data
Working with researchers at Arizona State University, we were able to develop a database of posts from forums on both the Dark Web and Surface Web which discuss computer security and network vulnerability topics. To protect the future utility of these sources, each forum has been coded with a number (forumid) from 1 to 350. The data consist of the forumid, date the post was made, and the text of the post. The data in this study was from 1 January 2016 to 31 January 2018. The data was collected by ASU and we used an API to pull and store the data in a local server and access it via Apache Lucene's Elastic Search engine.

B. Evaluating Sentiment Analysis
After a review of the sentiment analysis methods in Sen-tiBench [13], we decided to use Vader [14], SentiStrenght [16] and LIWC15 [15]. For social networks, VADER and LIWC15 were found to be the best method for 3-class classification and SentiStrength was the winner for 2-class classification. [13] These three methods were used because they Vader has a Python module, SentiStrenght has a Java implementation and LIWC15 is a stand-alone program.

C. Computing Daily Averages
A sentiment score for each forum post was computed using the three sentiment methods outlined above. Since there can be multiple posts on a forum for a day, we characterization the overall sentiment of the day with a daily average. There can be a wide range of sentiment scores for any given day, especially if there are a lot of posts from on a popular forum. In order to understand the trend of sentiment over time, we compute running averages.

D. Computing Running Averages
A running daily average was computed in order to assess the trend of sentiment over time. The more days in the running average, the smoother the curve and the harder to detect a change. Whereas no using a running average or making it only 1 or 2 days would have many jump discontinuities and swings. We looked at adjusting the running average from 1 to 30 days and settled on 7 days primarily because that was our original prediction window. Figure 1 shows the average F1 score various signals computed with running averages of 3, 7, 10 and 14 days.

E. Standardizing the Score
To make the 3 sentiment scores more comparable, their scores were standardized. As previously mentioned, VADER generates sentiment scores on a scale of 0 to 1, SentiStrength goes from -4 to 4, and LIWC goes from 0 to 100 for Tone. While standardizing the scores do not affect the correlation any forum would have with the ground truth from our target organizations, it will be necessary when we potentially combine signals from various forums and sentiment methods to find more powerful predictors.

F. Compute Correlations to Find Potential Signals
As previously mention, we have ground truth events from 2 defense industrial base organizations of 3 different cyber event types. The event types are endpoint-malware, malicious-destination and malicious-email. Correlations were computed between all forum-sentiments against all event types from both organizations. Additionally, since we are looking for predictive signals, we computed correlations with a negative lag from 0 to 30 days with a lag of -30 meaning offset the sentiment signal 30 days before the organization's event occurrence. A number of signals stood out as being more correlated than others against certain event types as seen in Figure I. This shows the LIWC sentiment on Forum 84 against Organization B's endpoint-malware events. The fact that multiple, consecutive lags have low p-values gives some indication that this might be a useful signal.

G. Forecasting Models
We also apply widely-used ARIMA model for forecasting events. ARIMA stands for autoregressive integrated moving average. The key idea is that the number of current events (y t ) depends on the past counts and forecast errors. Formally, ARIMA(p,d,q) defines an autoregressive model with p autoregressive lags, d difference operations, and q moving average lags (see [17]). Given the observed series of events Y = (y 1 , y 2 , . . . , y T ), ARIMA(p,d,q) applies d (≥ 0) difference operations to transform Y to a stationary series Y . Then the predicted value y t at time point t can be expressed in terms of past observed values and forecasting errors which is as follows: Here µ y is a constant, α i is the autoregressive (AR) coefficient at lag i, β j is the moving average (MA) coefficient at lag j, e t−j = y t−j −ŷ t−j is the forecast error at lag j, and e t is assumed to be the white noise (e t ∼ N (0, σ 2 )). The AR model is essentially an ARIMA model without moving average terms. We use maximum likelihood estimation for learning the parameters; more specifically, parameters are optimized with LBFGS method [18]. These models assume that (p, d, q) are known and the series is weakly stationary. To select the values for (p, d, q) we employ grid search over the values of (p, d, q) and select the one with minimum AIC score.

H. Testing Signals with ARIMAX
Again, Table I shows the signals that are better correlated with Organization B's ground truth events. The next step is to test these signals to see if they have any predictive power. To do this, the ARIMA model is used with the ground truth events to develop a baseline model from which to compare potential signals for the potential to have predictive power. Additionally, 4 other methods were used for comparison: Dark-Mentions, Deep-Exploit [19], ARIMAX with abuse.ch and a daywise-hourly-baserate model. Using ground truth events from both Organization A and Organization B, sentiment signals from the various forums, computed with the different methodologies were tested. Testing was done across the 3 event types for both Organizations with Precision, Recall and F1 computed to evaluate the signal. The timeseries of the sentiment for a given forum and sentiment method was used as the input to the timeseries forecasting model to predict future events. The model was trained on data from April 1, 2016 to May 31, 2017, in order to start generating warnings for the month of June 2017. After predictions were made for the month of June, they were scored against the actual ground truth and then the model was ran again to predict warnings for August 2017. This was done for all the way through January 2018.

I. Scoring
To determine how well the signals under study performed, a matching algorithm was used to compare the date occurrence of the predicted events with the actual events that occurred. Using the matching algorithm, we could consistently score which predicted events should be mapped to actual events and which predicted events did not occur as well as which actual events were not predicted. There is a window around the actual events which varies based on the event type. Endpoint-maleware has to be within 0.875 days, malicious-destination within 1.625 days and malicious-email within 1.375 days.

J. External Signals
Currently, there are other external signals that the data provider Organizations are currently evaluating for predictive potential. Again, external signals are timeseries information derived from open sources that are not based on information system network data. The other external signals under evaluation are: • ARIMAX: is the same model outlined in §4.7; however, time series counts of malicious activity are acquired from https://abuse.ch and used in conjunction with historical data. • Baseline: is the exact same model in §4.7 with no external signal and using only historical ground truth data to predict the future rate of attack. • Daywise-Baserate: is the same as the ARIMAX model mentioned above; however, the model takes day of the week into consideration assuming that the event rate for each day of the week is not the same. • Deep-Exploit: is an ARIMA model that is based on the vulnerability analysis determined by [20]. This method referred to as DarkEmbed learns the embeddings of Dark Web posts and then uses a trained exploit classifier to predicted which vulnerabilities in Dark Web posts might be exploited. • Dark-Mentions: Is an extension of [21] which predicts if a disclosed vulnerability will be exploited based on a variety of data sources in addition to the Dark Web using methods still being developed. These predictions are used to construct a rule based forecasting method based on keyword mentions in Dark Web forums and marketplaces.

V. RESULTS
After generating ARIMAX models with each potential signal, they were scored as mentioned above for each month from July 2017 to January 2018. The following tables show the results for the months under study. By month, you can see the number of actual ground truth events (Evt), the number of warnings generated by each signal (Warn), and the precision (P), recall (R) and F1 score for each. The table is sorted by largest F1 score for each month with only the top five signals listed. Signals generated by sentiment analysis that were part of the top five for each month are highlighted in light blue. Table II shows Organization A's endpoint-malware where sentiment signals dominated July, September and November and did reasonable well in the remaining months. Every month a sentiment signal beat at least on evaluation model. Malicious-Destination (Table III) had periodic performance July, September, November and January but the case is not as strong as Endpoint-Malware. Lastly, Table IV shows Malicious-Email results which illustrate that sentiment signals did well in July to September with waning results for the later months. Upon further inspection this is believed to be due to some key forums going offline toward the end of the year.  Table V shows that sentiment signals do best for July and October for Malicious-Destination. While baseline and daywise-baserate dominate the other months, sentiment signals perform better than the other evaluation models. Similar to Organization A, the Malicious-Destination for Organization B (Table VI) does the best early in July in August and moderately well in September to November until degrading to below all evaluation models in December and January. This may be due the few number of events and perhaps sentiment signals do not perform the best under low frequency conditions. The performance for Malicious-Email (Table VII) is oddly cyclical; however, sentiment signals dominated December and beat at least one evaluation model for every month.

VI. RELATED WORK
Given the serious nature of cyber attacks, naturally there are a number of other research efforts to predict such attacks. As it relates to our efforts, the three main areas of research are sentiment analysis in cyber security, predictive methods for cyber attacks and leveraging dark web data in cyber security.

A. Sentiment Analysis in Cyber Security
The closest work which has applied sentiment analysis of hacker forums to cyber security is [22]. While much research has investigated the specifics of cyber attacks, [22] investigates the actual cyber actors via their communication activities. Their focus was the cyber-physical systems related to critical infrastructure and they developed an automated analysis tool to identify potential threats against such infrastructure. Despite recognizing that there are over 140 hacker forums on the public web, the authors chose only one forum to scrape the complete forum once. They leveraged the Open Discussion Forum Crawler to do the scrapping and then used OpenNLP to tag parts of speech, filtering on nouns. Those nouns were cross referenced with three list of malicious keywords to identify posts whose sentiment would be determined with SentiStrength. Contextual analysis of keyword pairings with sentiment scores allowed them to confirm current statistics about critical infrastructure cyber attacks. The main differences illustrated in our work is that we use looked at over 100 forums, not just one from both the Dark Web and Surface Web. In collecting posts for over a two year period, we found the sentiment of all posts applying Vader and LIWC for sentiment in addition to just SentiStrength. Furthermore, we were able to model our data against ground truth events from companies making our approach predictive in nature. BiSAL [23] did sentiment analysis in English and Arabic on Dark Web forums with slight modification to cyber security terms. Other work such as [24] use sentiment in measuring radicalization. Remaining research in sentiment analysis, not specific to cyber security was presented earlier.

B. Predicting Cyber Attack
The issue of predicting cyber attacks is not new and their has been a considerable research effort in this field. The efforts split along two categories, using network traffic or non-network traffic. Forecasting methods such as [25], [26], [27] analyze network traffic. Where [25] is specific to predicting attacks using IPV4 packet traffic, and [26] looks at various network sensors at different layers to prevent unwanted Internet traffic, whereas [27] combines DNS traffic with security metadata such as number of policy violations and the number of clients in the network. Many researchers such as [28] based cyber prediction on open source information. They use the National Vulnerability Database. They highlight the difficulty in using public sources for building effective models. Other work has focused on detecting cyber bullying using graph detection models [29] with success, but is limited in malicious activity and not a predictive model.
The closest to our research is Gandotra et al [30] who outlined a number cyber prediction efforts using statistical modeling and algorithmic modeling. They highlight several significant challenges that we tried to address. The first challenge is that open source ground truth is incomplete and should be compiled from multiple sources and analysis doesn't scale to real world scenarios. We were able to get ground truth data from 2 companies that operate in the defense industrial base, this ground truth is across three different attack vectors and is over a two year time period. The additional challenges in [30] focus on the volume, speed and heterogeneity of network data which we avoid since we are attempting to prevent cyber events specifically with nonnetwork data. They also present two modeling approaches of statistical modeling and algorithmic modeling. We used statistical models not unlike what they present as classical time series models with auto-regressive, integrated moving average with historical data and external signals.

C. Dark Web Research
There has been a lot of research recently concerning the Dark Web or websites not indexed by major search engines. Typically the Dark Web refers to the TOR [10] network which is only accessible via specialized browsers. It has been shown by [12] that from an overall cyber security threat perspective, the Dark Web provides a valuable source of information for malicious activity. They developed a system that scrapes hacker forum and marketplace sites on the Dark Web to develop threat warnings for cyber defenders. We leverage the same data source but perform sentiment analysis to not only predict future threats, but to predict actual attacks. They also leverage the Deep Net which is the portion of the Surface Web not indexed by standard search engines.
While not using sentiment analysis, [31] offers insight to the trust establishment between participants in Dark Web forums. There may be behavioral patterns of malicious actors that provide insight to future activity. Dark Web conversations were shown to provide earlier insights than Surface Web conversations by [19] indicating potential predictive power for cyber events. [19] highlight two cases with a major DDoS attack and the Mirai attack. There may also be early insights on the Surface Web in many of the social media sites as illustrated in [32]. Our work focused only on forums where it was likely that computer security items would be discussed, but does contain a mix of Dark Web and Surface Web. There has been work using natural language processing on Dark Web text for predictive method such as [20]. Other predictive approaches such as Cyber Attacker Model Profile (CAMP) [33], focus on the macro level of a country and financial cyber crimes, where we look at a wider range of malicious activity against specific target organizations.

VII. CONCLUSIONS
Malicious activity can be very devastating to national security, economies, businesses and personal lives. As such, cyber security professionals working with major organizations and nation states could use all the help they can get in preventing malicious activity. We present a methodology to predict malicious cyber events by exploiting malicious actor's behavior via sentiment analysis of posts on hacker forums. These forums on both Surface Web and Dark Web have some predictive power to be used as signals external to the network for forecasting attacks using time series models. Using ground truth data from two major organizations in the Defense Industrial Base across three different cyber event types, we show that sentiment signals can be more predictive than a baseline time series model. Additionally, they will often beat other state of the art external signals, in the 7 months under study across the 3 event types from the 2 organizations, sentiment signals performed the best 15 out of 42 times or 36%. The signal parameters need to be tuned over significant historical data and the source forum could be shut off or taken down at any time; however, an automated implementation of this system would still be value added.