KADetector: Automatic Identification of Key Actors in Online Hack Forums Based on Structured Heterogeneous Information Network

Underground forums have been widely used by cybercriminals to exchange knowledge and trade in illicit products or services, which have played a central role in the cybercriminal ecosystem. In order to facilitate the deployment of effective countermeasures, in this paper, we propose and develop an intelligent system named KADetector to automate the analysis of Hack Forums for the identification of its key actors who play the vital role in the value chain. In KADetector, to identify whether the given users are key actors, we not only analyze their posted threads, but also utilize various kinds of relations among users, threads, replies, comments, sections and topics. To model the rich semantic relationships, we first introduce a structured heterogeneous information network (HIN) for representation and then use a meta-path based approach to incorporate higher-level semantics to build up relatedness over users in Hack Forums. To reduce the high computation and space cost, given different meta-paths built from the HIN, we propose a new HIN embedding model named ActorHin2Vec to learn the low-dimensional representations for the nodes in HIN. After that, a classifier is built for key actor identification. To the best of our knowledge, this is the first work to use structured HIN for underground participant analysis. Comprehensive experiments on the data collections from Hack Forums are conducted to validate the effectiveness of our developed system KADetector in key actor identification by comparisons with alternative methods.