BEACON: A Unified Behavioral-Tactical Framework for Explainable Cybercrime Analysis with Large Language Models
Arush Sachdeva, Rajendraprasad Saravanan, Gargi Sarkar, Kavita Vemuri, Sandeep Kumar Shukla
TL;DR
BEACON presents a dual-dimension framework that fuses psychological manipulation theory with a 14-stage cybercrime lifecycle to enable explainable, automated analysis of victim narratives. By fine-tuning a 7B LLM with QLoRA for joint multi-label classification across tactical and behavioral dimensions and explanation generation, BEACON achieves substantial gains in both prediction accuracy and reasoning quality over a zero-shot baseline. The authors introduce a dual-supervised dataset and a rigorous evaluation on real-world narratives with synthetic augmentation, demonstrating improved forensic interpretability and case triage capabilities. The approach advances practical cybercrime investigation by linking adversarial strategy to victim cognition, while highlighting limitations related to data bias, class imbalance, and the need for human oversight in deployment.
Abstract
Cybercrime increasingly exploits human cognitive biases in addition to technical vulnerabilities, yet most existing analytical frameworks focus primarily on operational aspects and overlook psychological manipulation. This paper proposes BEACON, a unified dual-dimension framework that integrates behavioral psychology with the tactical lifecycle of cybercrime to enable structured, interpretable, and scalable analysis of cybercrime. We formalize six psychologically grounded manipulation categories derived from Prospect Theory and Cialdini's principles of persuasion, alongside a fourteen-stage cybercrime tactical lifecycle spanning reconnaissance to final impact. A single large language model is fine-tuned using parameter-efficient learning to perform joint multi-label classification across both psychological and tactical dimensions while simultaneously generating human-interpretable explanations. Experiments conducted on a curated dataset of real-world and synthetically augmented cybercrime narratives demonstrate a 20 percent improvement in overall classification accuracy over the base model, along with substantial gains in reasoning quality measured using ROUGE and BERTScore. The proposed system enables automated decomposition of unstructured victim narratives into structured behavioral and operational intelligence, supporting improved cybercrime investigation, case linkage, and proactive scam detection.