Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Identification of Malicious Posts on the Dark Web Using Supervised Machine Learning

Sebastião Alves de Jesus Filho, Gustavo Di Giovanni Bernardo, Paulo Henrique Ribeiro Gabriel, Bruno Bogaz Zarpelão, Rodrigo Sanches Miani

TL;DR

This study targets malicious posts on Brazilian Portuguese Dark Web forums to enhance Cyber Threat Intelligence. It builds two labeled datasets via a multi-stage process combining IoCs, contextual keywords, and manual analysis, and evaluates multiple text representations and classifiers, identifying LightGBM with TF-IDF Unigram as the best performer with 94% accuracy on the relevant class. The authors validate outputs on unlabeled data using LDA topic modeling, and demonstrate practical potential for real-time CTI pipelines, with 7,498 new posts yielding 15% relevance. The work advances multilingual CTI by providing publicly available datasets and a robust labeling approach, while outlining future expansion to additional sources and representation methods.

Abstract

Given the constant growth and increasing sophistication of cyberattacks, cybersecurity can no longer rely solely on traditional defense techniques and tools. Proactive detection of cyber threats has become essential to help security teams identify potential risks and implement effective mitigation measures. Cyber Threat Intelligence (CTI) plays a key role by providing security analysts with evidence-based knowledge about cyber threats. CTI information can be extracted using various techniques and data sources; however, machine learning has proven promising. As for data sources, social networks and online discussion forums are commonly explored. In this study, we apply text mining techniques and machine learning to data collected from Dark Web forums in Brazilian Portuguese to identify malicious posts. Our contributions include the creation of three original datasets, a novel multi-stage labeling process combining indicators of compromise (IoCs), contextual keywords, and manual analysis, and a comprehensive evaluation of text representations and classifiers. To our knowledge, this is the first study to focus specifically on Brazilian Portuguese content in this domain. The best-performing model, using LightGBM and TF-IDF, was able to detect relevant posts with high accuracy. We also applied topic modeling to validate the model's outputs on unlabeled data, confirming its robustness in real-world scenarios.

Identification of Malicious Posts on the Dark Web Using Supervised Machine Learning

TL;DR

This study targets malicious posts on Brazilian Portuguese Dark Web forums to enhance Cyber Threat Intelligence. It builds two labeled datasets via a multi-stage process combining IoCs, contextual keywords, and manual analysis, and evaluates multiple text representations and classifiers, identifying LightGBM with TF-IDF Unigram as the best performer with 94% accuracy on the relevant class. The authors validate outputs on unlabeled data using LDA topic modeling, and demonstrate practical potential for real-time CTI pipelines, with 7,498 new posts yielding 15% relevance. The work advances multilingual CTI by providing publicly available datasets and a robust labeling approach, while outlining future expansion to additional sources and representation methods.

Abstract

Given the constant growth and increasing sophistication of cyberattacks, cybersecurity can no longer rely solely on traditional defense techniques and tools. Proactive detection of cyber threats has become essential to help security teams identify potential risks and implement effective mitigation measures. Cyber Threat Intelligence (CTI) plays a key role by providing security analysts with evidence-based knowledge about cyber threats. CTI information can be extracted using various techniques and data sources; however, machine learning has proven promising. As for data sources, social networks and online discussion forums are commonly explored. In this study, we apply text mining techniques and machine learning to data collected from Dark Web forums in Brazilian Portuguese to identify malicious posts. Our contributions include the creation of three original datasets, a novel multi-stage labeling process combining indicators of compromise (IoCs), contextual keywords, and manual analysis, and a comprehensive evaluation of text representations and classifiers. To our knowledge, this is the first study to focus specifically on Brazilian Portuguese content in this domain. The best-performing model, using LightGBM and TF-IDF, was able to detect relevant posts with high accuracy. We also applied topic modeling to validate the model's outputs on unlabeled data, confirming its robustness in real-world scenarios.

Paper Structure

This paper contains 33 sections, 7 figures, 19 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Cyber Threat Intelligence
  4. Deep Web and Dark Web
  5. Dark Web Forum
  6. Text Classification
  7. Related Work
  8. Materials and Methods
  9. Construction of Labeled Datasets
  10. Stage I - Post Collection
  11. Stage II - Initial Pre-processing
  12. Stage III - IoC Extraction
  13. Stage IV - Preprocessing for Text Mining
  14. Stage V - Topic Modeling
  15. Stage VI - Labeling
  16. ...and 18 more sections

Figures (7)

  • Figure 1: Stages of the post classification model development phase
  • Figure 2: Post classification process flow
  • Figure 3: Steps of the testing phase for the model Identification of relevant posts in new data collected from the Dark Web
  • Figure 4: Performance metrics of the best classifiers evaluated on the DATASET I
  • Figure 5: Performance metrics of the best classifiers evaluated on DATASET II
  • ...and 2 more figures