Result: Proposed Methodology for Cyber Criminal Profiling

Title:
Proposed Methodology for Cyber Criminal Profiling
Authors:
WARIKOO, Arun
Source:
Cybercrimes, Secure Emerging Web Environments, and Digital ForensicsInformation security journal (Print). 23(4-6):172-178
Publisher Information:
Philadelphia, PA: Taylor & Francis, 2014.
Publication Year:
2014
Physical Description:
print, 1/4 p
Original Material:
INIST-CNRS
Subject Terms:
Computer science, Informatique, Security, safety, Sécurité (multidisciplinaire, général), Sciences exactes et technologie, Exact sciences and technology, Sciences appliquees, Applied sciences, Informatique; automatique theorique; systemes, Computer science; control theory; systems, Logiciel, Software, Organisation des mémoires. Traitement des données, Memory organisation. Data processing, Gestion des mémoires et des fichiers (y compris la protection et la sécurité des fichiers), Memory and file management (including protection and security), Sciences biologiques et medicales, Biological and medical sciences, Sciences medicales, Medical sciences, Psychopathologie. Psychiatrie, Psychopathology. Psychiatry, Etude clinique de l'adulte et de l'adolescent, Adult and adolescent clinical studies, Troubles du comportement social. Comportement criminel. Délinquance, Social behavior disorders. Criminal behavior. Delinquency, Psychologie. Psychanalyse. Psychiatrie, Psychology. Psychoanalysis. Psychiatry, PSYCHOPATHOLOGIE. PSYCHIATRIE, Analyse comportementale, Behavioral analysis, Análisis conductual, Attaque informatique, Computer attack, Ataque informática, Criminalité, Criminality, Criminalidad, Criminologie, Criminology, Criminología, Cybercriminalité, Cybercriminality, Cibercriminalidad, Identification système, System identification, Identificación sistema, Méthodologie, Methodology, Metodología, Métrique, Metric, Métrico, Police scientifique, Forensic science, Ciencia forense, Sécurité informatique, Computer security, Seguridad informatica, cyber attacks, cyber criminal profiling, forensics, profiling framework
Document Type:
Conference Conference Paper
File Description:
text
Language:
English
ISSN:
1939-3555
Access URL:
http://pascal-francis.inist.fr/vibad/index.php?action=search&terms=29139416
Rights:
Copyright 2015 INIST-CNRS
CC BY 4.0
Sauf mention contraire ci-dessus, le contenu de cette notice bibliographique peut être utilisé dans le cadre d’une licence CC BY 4.0 Inist-CNRS / Unless otherwise stated above, the content of this bibliographic record may be used under a CC BY 4.0 licence by Inist-CNRS / A menos que se haya señalado antes, el contenido de este registro bibliográfico puede ser utilizado al amparo de una licencia CC BY 4.0 Inist-CNRS
Notes:
Computer science; theoretical automation; systems

Psychopathology. Psychiatry. Clinical psychology

FRANCIS
Accession Number:
edscal.29139416
Database:
PASCAL Archive

Further Information

Criminal profiling is an important tool employed by law enforcement agencies in their investigations. Criminal profiling is much more than an educated guess; it requires a scientific-based methodology. Cyber crimes are occurring at an alarming rate globally. Law enforcement agencies follow similar techniques to traditional crimes. As is the case in traditional criminal investigation, cyber criminal profiling is a key component in cyber crime investigations as well. This paper examines cyber criminal profiling techniques prevalent today, including inductive and deductive profiling, and the need for employing a hybrid technique that incorporates both inductive and deductive profiling. This paper proposes a cyber criminal profiling methodology based on the hybrid technique. Criminal behavior and characteristics are identified by analyzing the data against a predefined set of metrics.

AN0099753634;[6mr3]01aug.14;2019Mar05.12:18;v2.2.500

Proposed Methodology for Cyber Criminal Profiling. 

Criminal profiling is an important tool employed by law enforcement agencies in their investigations. Criminal profiling is much more than an educated guess; it requires a scientific-based methodology. Cyber crimes are occurring at an alarming rate globally. Law enforcement agencies follow similar techniques to traditional crimes. As is the case in traditional criminal investigation, cyber criminal profiling is a key component in cyber crime investigations as well. This paper examines cyber criminal profiling techniques prevalent today, including inductive and deductive profiling, and the need for employing a hybrid technique that incorporates both inductive and deductive profiling. This paper proposes a cyber criminal profiling methodology based on the hybrid technique. Criminal behavior and characteristics are identified by analyzing the data against a predefined set of metrics.

Keywords: cyber attacks; cyber criminal profiling; forensics; profiling framework

INTRODUCTION

The growing reliance on the cyber space among government institutions and businesses alike has led to a tremendous surge in cybercrimes. The Internet Crime Reports published yearly by the Internet Crime Complaint Center (IC3) is testimony to the menace of cybercrime. IC3 received 289,874 consumer complaints with an adjusted dollar loss of $525,441,1101, an 8.3% increase in reported losses since 2011 (Annual Report, [1]).

Before we dig deeper into cyber crime profiling, it is important to understand what cyber crime is. There is no official meaning of cyber crime written in any dictionary. Cyber crime is a subgroup of computer crime (Shinder & Tittel, [13]). Computer crime, as per the U.S. Department of Justice (DOJ), is defined as "any violation of criminal law that involves the knowledge of computer technology for its perpetration, investigation or prosecution" (Shinder et al., [13]). There are varying definitions on cyber crime as described by legislators and organizations. The United Nations (UN) defines cyber crime as "any illegal behavior committed by means of, or in relation to, a computer system or network, including such crimes as illegal possession of and offering or distributing information by means of a computer system or network" (Shinder et al.,

[13]). Symantec (n.d.) defines cyber crime as "any crime that is committed using a computer or network, or hardware device. The computer or device may be the agent of the crime, the facilitator of the crime, or the target of the crime."

There is a motive behind every crime, and cyber crimes are no different. Cyber crimes are performed for the various motives such as financial gain, intellectual property (IP) theft, espionage, terrorism, and for thrill. A UN study (Malby et al., [10]) on cyber crime states that "upwards of 80% of cybercrime acts are estimated to originate in some form of organized activity, with cybercrime black markets established on a cycle of malware creation, computer infection, botnet management, harvesting of personal and financial data, data sale, and 'cashing out' of financial information."

PROFILING

Criminal profiling is a key tool available to investigators used to narrow the range of suspects and evaluate the likelihood of a suspect committing a crime. Criminal profiling is a scientific technique to assess and analyze the scene of a crime and deduce behavioral characteristics of the individual committing the crime <bold>(</bold>Kirwan & Power, [8]). A profile consists of a set of characteristics likely to be shared by criminals who commit a particular type of crime (Shinder et al., [13]). Profiling methods are based on two assumptions (Kirwan et al., [8]) that are as follows:

consistency assumption, based on the premise that an offender will exhibit similar behavior throughout all their crimes; and

homology assumption, based on the premise that similar offense styles have to be associated with similar offender background characteristics.

Two types of criminal profiling methods are prevalent today. These are inductive profiling and deductive profiling.

Inductive profiling method (Figure 1) employs a database that contains extensive data on criminals committing a type of crime. The profiler analyzes the data, establishes correlations, and deduces the characteristics common to statistically large number of offenders committing a specific type of crime (Shinder et al., [13]).

Graph: FIGURE 1 Inductive profiling methodology.

Deductive profiling (Figure 2) involves analysis of forensic evidence and victim profiling to determine the motive and attacker characteristics (Tennakoon, [15]). The profiler analyzes the forensic evidence, employs the principles of victimology, and utilizes his/or her experience to deduce criminal characteristics (Shinder et al., [13]).

Graph: FIGURE 2 Deductive profiling methodology.

CYBER CRIMINAL PROFILING

Criminal profiling plays a key role in investigations. This paper uses the definition provided in "Examination of Cyber-criminal Behavior" (Jahankhani & Al-Nemrat, [7]), which is as follows: "An educated attempt to provide specific information as to the type of individual who committed a certain crime. A profile based on characteristics patterns or factors of uniqueness that distinguishes certain individuals from the general population."

As is the case with a crime, cyber criminal profiling must be used as a tool for cyber crime investigations. Cyber criminal profiling is effective as a law enforcement tool only when a standard methodology is used in developing profiles and is not based on an educated guess.

Cyber criminal profiling is garnering tremendous attention due to the rise in cyber crimes. Although it is similar to traditional criminal profiling, it presents numerous challenges to investigators. The perpetrators of the crime are remote and may be residing on different continents (Jahankhani et al., [7]). An interdisciplinary approach is required that applies not only psychology, criminology, and law but also a technological understanding on the subject of cyber crime (Tennakoon, [15]).

Profiling is still based on educated guesses wherein investigators try to identify patterns by comparing with recorded cyber crimes that may lead to results that are inaccurate. Without a proper use of a scientific methodology and empirical analysis, profilers may come to different conclusions and recommendations (Broucek & Turner, [4]). Therefore, a standard methodology is required for cyber criminal profiling to be a credible and effective tool for law enforcement agencies.

Forensic psychology offender profiling techniques are being used in cyber crime investigations as well. Inductive profiling involves a statistical analysis and is a method frequently used by the Federal Bureau of Investigation (Jahankhani et al., [7]). The inductive profiling method utilizes data mining techniques to develop models for pattern detection and involves the examination of data to identify patterns that match known fraud profiles (Wheelbarger, [18]).

Much academic work has been done on building a database of cyber criminal profiles. One of the projects known as the Hackers Profiling Project revolved around building a huge database on existing hacker profiles that included demographics, socioeconomic background, social relationships, and psychological traits (Kirwan et al., [8]). However, profiling was based on data obtained from self-reporting questionnaires rather than hacker activities and offenses (Kirwan et al., [8]). Donato ([5]) in his paper on criminal profiling proposes a methodology on how to use criminal profiling to improve digital forensics and cybercrime investigations. Donato's methodology focuses on finding the capability of the attacker in terms of skill level and deducing psychological characteristics on basis of the evidence (Kirwan et al., [8]). Donato's methodology does not look at empirical analysis to establish patterns, nor does it look at demographic characteristics of previous offenders (Kirwan et al., [8]).

In the cyber world, technology keeps on changing and hackers develop and employ new techniques known as zero day attacks. Their behavior is dynamic and may change over time with the acquisition of new skills (Jahankhani et al., [7]). The other issue is that the data are based on generalizations, and the sampling leaves out a dataset of skillful people who avoid detection over a period of time, thereby introducing inaccuracies in the results (Benny, [3]). Therefore, relying on inductive profiling only is not suitable for cyber criminal profiling. On the other hand, relying just on deductive profiling will leave investigators oblivious to the current trends such as popular attack methods, likely targets and victims (Tennakoon, [15]). Therefore, a hybrid methodology must be employed for cyber criminal profiling.

PROPOSED METHODOLOGY

The proposed methodology is based on a hybrid profiling model wherein the initial processes are deductive in nature and statistical analysis is performed to identify common patterns and characteristics. Digital forensics data can provide vital clues about the attacker such as sophistication of attack, motivation, tools used, and vulnerabilities exposed (Kwan, Ray, & Stephens, [9]). Cyber criminals, like traditional offenders, have their modus operandi that they tend to repeat at each crime (Shinder et al., [13]).

The proposed methodology employs six Profile Identification Metrics to determine the offender's modus operandi, psychology, and behavior characteristics:

<bold> Attack Signature. </bold> This refers to the tools that were used for the attack. Analysis of the digital forensic evidence will provide information on the nature of attack signature. For example, if forensic evidence points to a zero day attack, it implies that a customized code was created for the attack. On the other hand, attacks that expose known vulnerabilities employ ready to use tools or known codes.

<bold> Attack Method. </bold> This refers to the method used for the attack. Social engineering, malware, distributed denial of service (DDoS), spamming, and phishing are some of the common attack methods employed by the cybercriminals.

<bold> Motivation Level. </bold> Motivation level is a key metric in identifying cyber criminal behavior. Motivation Level can be determined by the complexity of the attack, and the complexity of an attack can be determined by employing the vulnerability tree methodology (Vidalis & Jones, [17]). An attack with high level of complexity were an attacker has to exploit multiple layers of vulnerabilities implicitly implies an attacker with a high motivation level. Such attackers are risk takers and persistent in their attack. An attacker with medium level motivation conducts attacks that are not continuous. An attack with high level of complexity indicates an attacker with low level motivation is risk averse and nonpersistent.

<bold> Capability Factor. </bold> Capability factor is another important metric useful in identifying characteristics and is defined in terms of the availability of hacking tools, the ability to use those tools and techniques, and the level of resources at the attacker's disposal. Script kiddies are attackers with basic skill level and use freely available tools. An attacker with intermediate skills uses freely available tools or purchases malware to conduct attacks and has a handle on the tools used. An advanced level attacker is an expert in developing customized codes for zero day exploits.

<bold> Attack Severity. </bold> Attack severity is defined in terms of the impact the threat has on the enterprise. The severity of an attack is classified into the following:

Low: no tangible to the enterprise;

Medium: there is moderate disruption to the enterprise;

Major: major breach that can have a major business impact; and

Critical: the enterprise goes out of business the moment the threat is realized.

<bold> Demographics. </bold> Geographic location is a critical metric in profile identification. Existing profiling methods do not look at geographic locations for profile building, which is a key indicator in identifying characteristics of cyber crimes (Tompsett, Marshall, & Semmens, [16]). It is well documented that the majority of cyber crimes of a particular type originate from a certain location. For example, cyber crimes related to espionage have been known to originate from China.

The proposed methodology is a four-step process as follows:

Process 1 or P1

The first stage (Figure 3) involves victim profiling. P1 involves identifying the various aspects of an individual or an organization that attracted criminals (Tennakoon, [15]).

Graph: FIGURE 3 Process 1/ P1 of the proposed methodology.

Process 2 or P2

The second stage (Figure 4) involves identifying the motive behind the attack. A motive is closely associated with a victim. For example, an attack on government implies that the motive is espionage. This stage also involves analyzing the digital forensic evidence to deduce possible characteristics.

Graph: FIGURE 4 Process 2/ P2 of the proposed methodology.

Process 3 or P3

This stage involves an empirical analysis on the data and an identification of trends by conducting a statistical analysis (Figure 5). Criminal behavior and characteristics are identified by analyzing the data against the above mentioned metrics.

TABLE 1 Cyber Criminal Profiles

<table><thead valign="bottom"><tr><td>Cybercriminal Profile</td><td>Motive</td><td>Structure</td><td>Motivation Level</td><td>Skill Level</td><td>Attack Severity</td><td>Attack Method</td></tr></thead><tbody><tr><td>Novice</td><td>Fun Thrill</td><td>Unorganized</td><td>Low</td><td>Basic</td><td>Low to Medium</td><td>Freely available tools</td></tr><tr><td>Hacktivists</td><td>Political Activism</td><td>Unorganized</td><td>High</td><td>Basic to Intermediate</td><td>Low to Medium</td><td>Phishing, Spamming, DoS</td></tr><tr><td>Cyber Criminals</td><td>Financial Gain</td><td>Unorganized with some level of collaboration</td><td>Medium</td><td>Intermediate</td><td>Medium to High</td><td>Spamming, Malware</td></tr><tr><td>Cyber Crime Syndicates</td><td>Financial Gain</td><td>Organized Well Funded</td><td>High</td><td>Intermediate to Advanced</td><td>High</td><td>Malware available in the underground market</td></tr><tr><td>Cyber Spies</td><td>Espionage IP Theft</td><td>State Sponsored Highly Organized Well Funded</td><td>High</td><td>Highly Advanced</td><td>Critical</td><td>Customized codes, zero day attacks</td></tr><tr><td>Cyber Terrorists</td><td>Disruption</td><td>Well Funded Work in small modules</td><td>Medium</td><td>Basic to Intermediate</td><td>Low to Medium</td><td>DoS</td></tr></tbody></table>

Graph: FIGURE 5 Process 3/ P3 of the proposed methodology.

Process 4 or P4

This is the final stage and involves building cyber criminal profiles from the characteristics that have been identified. For example, an extremely skillful attacker that employs zero day exploits to target defense institutions to extract sensitive information falls under the cyber spy bucket.

Cyber criminals are classified into six profiles (see Table 1).

Hacktivists

Hacktivists are politically motivated and target governments, news groups, and companies doing business with governments. Their motive for hacking is to get their political message across. Most hacktivist groups are not organized and rely on freely available tools with the intention of conveying their political message (Nachreiner, [11]). Their skill level can vary from basic to intermediate.

Cyber Criminals

Cyber criminals are driven by financial gains and target consumers and businesses. They are not organized and their skill level ranges from basic to intermediate.

Cyber Syndicates

They are highly organized, well-funded, and headed by crime organizations. They are responsible for stealing billions of dollars from consumers and businesses each year and also buy and sell the private information and intellectual property and trade attack toolkits, zero day exploit code, malware code (Nachreiner, [11]).

Cyber Spies

Cyber spies are state sponsored and very well-funded. Their motive is espionage and IP theft. They target government organizations and business dealing with governments to extract sensitive information. They are highly advanced and create customized codes incorporating previously undiscovered software vulnerabilities (Nachreiner, [11]). They often leverage the most advanced attack and evasion techniques into their attack, using kernel level rootkits, stenography, and encryption to avoid detection (Nachreiner).

Novice

This class of hackers has basic skill level and relies on freely available hacking tools. They do this for fun and entertainment.

Cyber Terrorists

This group is well funded, organized, and engage in hacktivism as well as criminal activity (Bednarz, [2]).

The cyber criminal profiling methodology, as illustrated in Figure 6, must be an interactive process for accuracy and effectiveness. Investigations are iterative in nature. Initial investigations reveal basic details. As the investigations moves from basic to advanced stages, more and more information on the victim is collected, which may help in identifying additional motives that were missed in the initial investigation. Additional evidence may also be collected providing more data for profile characterization.

Graph: FIGURE 6 Iterative Process.

CONCLUSION

Cyber criminal profiling must be based on a scientific process. A standard profiling methodology is required for accuracy, reliability, and effectiveness. The cyber criminal profiling methodology proposed in this paper is based on a hybrid profiling model that involves both inductive as well as deductive profiling. This methodology needs to be tested by simulating different scenarios in a lab setting.

Footnotes

1 Color versions of one or more of the figures in the article can be found online at www.tandfonline.com/uiss.

REFERENCES

Annual Report. (2012). Internet Crime Report. Internet Crime Complaint Center (IC3) , p. 4.

2 Bednarz , A. (2004). Profiling cybercriminals: A promising but immature science. Networkworld. Retrieved from http://www.networkworld.com/

3 Benny , D (2007). The uses of inductive and deductive reasoning in investigations and criminal profiling. BECCA Report , pp. 7 – 9.

4 Broucek , V. , and Turner , P. (2006). Winning the battles , losing the war? Rethinking methodology for forensic computing research. Journal in Computer Virology , 3 – 12.

5 Donato , L. (2009). An introduction to how criminal profiling could be used as a support for computer hacking investigations. Journal of Digital Forensic Practice , 2 , 183 – 195.

6 Drummond , D. (2010). A new approach to China. Google Blog. Retrieved from www. googleblog.blogspot.com

7 Jahankhani , H. , and Al-Nemrat , A. (2010). Examination of cyber-criminal behavior. International Journal of Information Science and Management , 41 – 48.

8 Kirwan , G. , and Power , A. (2011). The psychology of cyber crime , 1st edition. IGI Global.

9 Kwan , L. , Ray , P. , and Stephens , G. (2008). Towards a methodology for profiling cyber criminals. IEEE Computer Society. Proceedings of the 41st Hawaii International Conference on System Sciences , pp. 3 – 5.

Malby , S. , Mace , R. , Holterhof , A. , Brown , C. , Kascherus , S. , and Ignatuschtschenko , E. (2013). Comprehensive study on cybercrime. United Nations Office on Drugs and Crime , pp. 38 – 39

Nachreiner , C. (2013). Profiling modern hacktivists, criminals and cyber spies. Watchguard Security Center. Retrieved from www.watchguardsecuritycenter.com

Shinder , D. (2010). Profiling and categorizing cybercriminals. TechRepublic. Retrieved from www.techrepublic.com

Shinder , D. , and Tittel , E. (2002.) Scene of the cybercrime – computer forensics handbook , 1st edition. Syngress Publishing.

Symantec. (n.d.). What is cybercrime? Symantec. Retrieved from www.us.norton.com

Tennakoon , H (2011). The need for a comprehensive methodology for profiling cyber-criminals. New Security Learning. Retrieved www.newsecuritylearning.com

Tompsett , B. C. , Marshall , A. M. , and Semmens , N. C. (2005). Cybrprofiling: Offender profiling and geographic profiling of crime on the Internet. Computer Network Forensics Research Workshop , p. 1.

Vidalis , S. and Jones , A. (2003). Using vulnerability trees for decision making in threat assessment. School of Computing Technical Report CS-03-2, School of Computing , University of Glamorgan , pp. 5 – 8.

Wheelbarger , S (2009). CyberForensics. Criminal justice collaboratory. Colby Community College. Retrieved from www.colbycriminaljustice.wikidot.com/cyberforensics

By Arun Warikoo

Reported by Author

Arun Warikoo is a security solutions specialist. He has worked extensively in the private sectors to improve the security of their critical information systems. His research focuses on improving the governance around security and developing frameworks on cyber security.