Up to 80 percent of certain anonymous underground forum users can be identified using linguistics, researchers say.
The techniques compare user posts to track them across forums and could even unveil authors of thesis papers or blogs who had taken to underground networks.
"If our dataset contains 100 users we can at least identify 80 of them," researcher Sadia Afroz told an audience at the 29C3 Chaos Communication Congress in Germany.
"Function words are very specific to the writer. Even if you are writing a thesis, you'll probably use the same function words in chat messages.
"Even if your text is not clean, your writing style can give you away."
The analysis techniques could also reveal botnet owners, malware tool authors and provide insight into the size and scope of underground markets, making the research appealing to law enforcement.
To achieve their results, the researchers used techniques including stylometric analysis, the authorship attribution framework JStylo, and Latent Dirichlet allocation, which can distinguish a conversation on stolen credit cards from one on exploit-writing, and similarly help identify interesting people.
The analysis was applied across millions of posts from tens of thousands of users of a series of multilingual underground websites including thebadhackerz.com, blackhatpalace.com, www.carders.cc, free-hack.com, hackel1te.info, hack-sector.forumh.net, rootwarez.org, L33tcrew.org and antichat.ru.
It found up to 300 distinct discussion topics in the forums, with some of the most popular being carding, encryption services, password cracking and blackhat search engine optimisation tools.
While successful, the work faces a series of challenges. Analysis could only be performed using a minimum of 5000 words (this research used the "gold standard" of 6500 words), which culled the list of potential targets from tens of thousands to mere hundreds.
It also needs to separate discussion on product information like credit cards, exploits and drugs from conversational text in order to facilitate machine learning to automate the process, according to researcher Aylin Caliskan Islam.
And posts must be translated to English, a process which boosted author identification from 66 to around 80 per cent but was imperfect using freely available tools like Google and Bing.
However, both of these tasks were performed successfully, and further development, including the use of "exclusive" language translation tools, would only serve to boost the identification accuracy.
Leetspeak, an alternative alphabet popular in some forum circles, cannot be translated.
The project is ongoing and future work promises to increase the capacity to unmask users. This, Islam said, would include temporal information, which would exploit users who logged into forums from the same IP addresses and wrote posts at around the same time.
"They might finish work, come home and log in," Islam said.
It could also tie user identities to the topics they write about and produce a map of their interactions, identify multiple accounts held by a single author, and combine forum messages with internet relay chat (IRC) data sets.
"We want to automate the whole process."
Afroz said that while the work appeals to law enforcement and government agencies, it is not designed to catch users out.
"We aren't trying to identify users, we are trying to show them that this is possible," she said.
To this end, the researchers released tools last year, updated last December, which help users to anonymise their writing.
One tool, Anonymouth, takes a 500 word sample of a user's writing to identify unique features such as function words which could make them identifiable.
The other, JStylo, is the machine learning engine which powers Anonymouth.
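Why function words link a thesis to a chat message, shown as an added illustration that is not code from the article and not the JStylo or Anonymouth implementation: each text is reduced to its function-word rates, profiles are compared with cosine similarity, and the most over-used words are listed as the habits a writer would vary. The word list and the three sample texts are constructed for this example; real tools use far larger feature sets.

```python
import math
import re
from collections import Counter

# Illustrative function-word list (assumption; real tools use far more features).
FUNCTION_WORDS = ("the", "of", "and", "to", "a", "in", "that", "it", "is", "but",
                  "however", "so", "just", "really", "which", "on", "for", "with")

# Constructed samples: one author in two registers, plus an unrelated author.
THESIS = ("However, the method is just a sketch, but it is really the idea that "
          "matters. However, the result is just a start, but it is really the "
          "trend that counts.")
CHAT = ("however the server is just a test box but it is really the config "
        "that matters so it is just the logs that count")
OTHER = ("Analysis of the data in the study, which was done on a set of logs "
         "and on a set of posts, with tools for parsing of text in the forum.")

def profile(text):
    """Rate of each function word per word of text; topic words are ignored."""
    words = re.findall(r"[a-z']+", text.lower())
    counts = Counter(w for w in words if w in FUNCTION_WORDS)
    return [counts[w] / max(len(words), 1) for w in FUNCTION_WORDS]

def cosine(a, b):
    """Cosine similarity of two profiles (1.0 = same proportions)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def telltale_words(sample, reference, top=3):
    """Function words the sample over-uses most relative to the reference:
    the habits a writer would vary to be harder to link."""
    diff = [s - r for s, r in zip(profile(sample), profile(reference))]
    ranked = sorted(zip(FUNCTION_WORDS, diff), key=lambda p: p[1], reverse=True)
    return [w for w, d in ranked[:top] if d > 0]

if __name__ == "__main__":
    print("same author :", round(cosine(profile(THESIS), profile(CHAT)), 3))
    print("other author:", round(cosine(profile(THESIS), profile(OTHER)), 3))
    print("telltale    :", telltale_words(THESIS, OTHER))
```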
The Drexel and George Mason universities research team is composed of Sadia Afroz, Aylin Caliskan Islam, Ariel Stolerman, Rachel Greenstadt, and Damon McCoy.
Copyright © SC Magazine, Australia