The emergence and commoditization of cyber-criminal activities calls for new empirical methods, measures, and technologies to quantify and understand offender operations across all forms of cyber-crime: from malware engineering and attack delivery, to running underground operations trading illegal goods such as drugs and illegal pornography, to spreading disinformation and planning (cyber-)terrorism operations. Without appropriate scientific measures of cyber-offender and attacker operations, capabilities, and resources, it remains impossible to derive sound policies, strategies and technologies that appropriately address realistic and evidence-based attacker and offender models. WACCO 2024 calls for all contributions aiming at providing methods, measures, metrics, and technologies or tools to quantitatively or qualitatively evaluate cyber-offenders and attackers from technical and non-technical angles. The workshop invites contributions from, but not limited to, the fields of computer science and computer security, criminology, psychology, law, and economics addressing this issue.
WACCO 2024 welcomes (full and short) paper submissions, for publication in the EuroSP IEEE proceedings and presentation at WACCO 2024, and Research talks, for presentation at WACCO 2024 (no proceedings). All submissions will go through the same review process, and receive feedback from the PC.
Call for Papers
Topics of interest include, but are not limited to:
- Empirical studies on attacker operations and communities
- Novel methods to perform attacker measurements at scale across several communities
- Cooperation and trust as a source of attackers’ effectiveness
- Attackers’ skill set
- Attackers’ operational security
- Measuring the spread of false information campaigns on social media
- Quantitative and qualitative methods to measure, track, and counter cybercrime
- Cybercrime measurement and networks
- Cybercrime policy
- Economics of cybercrime
- Profiling of cybercriminals
- Security metric design and evaluation
- Security patch measurement
- Statistical exploration and prediction of security incidents
- Open Source INTelligence (OSINT) and digital footprints
The workshop is co-located with the 9th IEEE European Symposium on Security and Privacy (EuroS&P 2024).
Important Dates
All deadlines are Anywhere on Earth (AoE = UTC-12h).
Milestone | Date
Paper submission due |
Acceptance notice to authors | April 30, 2024
Publication-ready papers submitted |
Workshop | July 8, 2024
Accepted Papers
Full Papers:
- The (Relative) Impact of Email Cues on the Perceived Threat of Phishing Attacks: A User Perspective on Phishing Deceptiveness (Pavlo Burda, Maria Eleni Kokkini, Luca Allodi and Nicola Zannone)
- Attacking Operational Technology Without Specialized Knowledge: The Unspecialized OT Threat Actor Profile (Stash Kempinski, Savio Sciancalepore, Emmanuele Zambon and Luca Allodi)
- (Research Talk) The Ephemeral Threat: Attacking Algorithmic Trading Systems powered by Deep Learning (Advije Rizvani, Giovanni Apruzzese and Laskov Pavel)
- Measuring the Unmeasurable: Estimating True Population of Hidden Online Communities (Jonah Gibbon, Tina Marjanov, Alice Hutchings and John Aston)
- Towards Better Understanding of Cybercrime: The Role of Fine-Tuned LLMs in Translation (Veronica Valeros, Anna Širokova, Carlos Catania and Sebastián García)
- Actionable Cyber Threat Intelligence using Knowledge Graphs and Large Language Models (Romy Fieblinger, Md Tanvirul Alam and Nidhi Rastogi)
- A Methodology to Measure the "Cost" of CPS Attacks: Not all CPS Networks are Created Equal (Martin Rosso, Emmanuele Zambon, Luca Allodi and Jerry Den Hartog)
- Threat analysis and adversarial model for Smart Grids (Javier Sande Ríos, Jesús Canal Sánchez, Carmen Manzano Hernández and Sergio Pastrana)
Short Papers:
- Understanding crypter-as-a-service in a popular underground marketplace (Alejandro de la Cruz and Sergio Pastrana)
Program
Registration
08:00 - 09:00 (Timezone: CEST (UTC+02:00))
Welcome
09:00 - 09:15 (Timezone: CEST (UTC+02:00))
Keynote
09:15 - 10:15 (Timezone: CEST (UTC+02:00))
Crypto-assets: a target, platform and vehicle of choice for cybercrime
09:15 - 10:15
Svetlana Abramova
Bio
Dr. Svetlana Abramova is a scientist at the Austrian Institute of Technology affiliated with the Financial Technologies research group of the Complexity Science Hub since May 2024. She obtained her Ph.D. at the Department of Computer Science of the University of Innsbruck, where she continued her academic career as a postdoctoral researcher and assistant professor before joining the AIT.
Abstract
Over the past years, crypto-assets have become pivotal elements in the evolving landscape of profit-driven cybercrime. They serve as a direct target of attacks, enable innovative crimes through emerging financial platforms and services, or are used as a preferred medium for illicit transactions and money laundering. This keynote will unveil an increasingly complex role crypto-assets play in cybercrime operations, highlight current challenges in combating financial crime and uncovering real-world perpetrators, and explore the effect of successful law enforcement actions on financial ecosystems. In the first part of this presentation, I will present the findings of interviews with Dutch hackers about their online and offline pathways into cybercrime, co-offending and desistance. Preliminary results show that the first (baby) steps in pathways into cybercrime include gaming, Google and YouTube. In the second part of this presentation, I will discuss two interventions we are currently using to deter starting cybercriminals.
Coffee Break
10:15 - 10:45 (Timezone: CEST (UTC+02:00))
Session 1: Cybercrime
10:45 - 12:30 (Timezone: CEST (UTC+02:00))
Measuring the Unmeasurable: Estimating True Population of Hidden Online Communities
10:45 - 11:10
Jonah Gibbon, Tina Marjanov, Alice Hutchings and John Aston
The true size of hidden populations is an important aspect when staging interventions or devising policies, yet is inherently difficult to obtain due to its nature. In this paper we present a novel approach for hidden population estimation by leveraging activity measured on underground forums. The proposed method consists of two main components. First, we determine the overlap of populations across forums by evaluating users’ behavioural patterns. Subsequently, we employ a Bayesian model tailored for extrapolating data from multiple systems in order to estimate the actual population size. We estimate the true number of people participating in online discussion to be 2-8.3 times higher than observed on major cybercriminal forums, and 1.5-3.5 times higher than observed on extremist forums. Our research contributes to a deeper understanding of hidden populations and offers insights into the potential magnitude of participation in online forums beyond what is readily apparent.
The (Relative) Impact of Email Cues on the Perceived Threat of Phishing Attacks: A User Perspective on Phishing Deceptiveness
11:10 - 11:35
Pavlo Burda, Maria Eleni Kokkini, Luca Allodi and Nicola Zannone
User perception of phishing threats is fundamental for the uptake and effectiveness of many phishing countermeasures, including phishing reporting and awareness. Extant research focused on phishing victimization, but a clear understanding of the drivers influencing users’ perception of phishing threats is still missing. This work investigates the relationship between phishing cues and perceived email deceptiveness through an online questionnaire with 74 participants. By assessing email conditions varying on cues, participants judged the perceived deceptiveness of emails individually and relative to each other. Results reveal that impersonation-related cues increase the perceived email deceptiveness and that emails with persuasion-related cues rank as the most deceitful irrespective of other cues. We discuss our findings w.r.t. the literature and their implications on practice and research.
Understanding crypter-as-a-service in a popular underground marketplace
11:35 - 12:00
Alejandro de la Cruz and Sergio Pastrana
Crypters are pieces of software whose main goal is to transform a target binary so it can avoid detection by Anti Virus (AVs from now on) applications. They work similarly to packers, by taking a malware binary M and applying a series of modifications, obfuscations and encryptions to output a binary M′ that evades one or more AVs. The goal is to remain fully undetected, or FUD in the hacking jargon, while maintaining its (often malicious) functionality. In line with the growth of commoditization in cybercrime, the crypter-as-a-service model has gained popularity, in response to the increased sophistication of detection mechanisms. In this business model, customers receive an initial crypter which is soon updated once it becomes detected by anti-viruses. This paper provides the first study on an online underground market dedicated to crypter-as-a-service. We compare the most relevant products on sale, analyzing the existing social network on the platform and comparing the different features that they provide. We also conduct an experiment as a case study, to validate the usage of one of the most popular crypters sold in the market, and compare the results before and after crypting binaries (both benign and malware), to show its effectiveness when evading antivirus engines.
Panel discussion
12:00 - 12:30
Lunch Break
12:30 - 13:30 (Timezone: CEST (UTC+02:00))
Session 2: AI/LLMs
13:30 - 15:15 (Timezone: CEST (UTC+02:00))
Towards Better Understanding of Cybercrime: The Role of Fine-Tuned LLMs in Translation
13:30 - 13:55
Veronica Valeros, Anna Širokova, Carlos Catania and Sebastián García
Understanding cybercrime communications is paramount for cybersecurity defence. This often involves translating communications into English for processing, interpreting, and generating timely intelligence. The problem is that translation is hard. Human translation is slow, expensive, and scarce. Machine translation is inaccurate and biased. We propose using fine-tuned Large Language Models (LLM) to generate translations that can accurately capture the nuances of cybercrime language. We apply our technique to public chats from the NoName057(16) Russian-speaking hacktivist group. Our results show that our fine-tuned LLM model is better, faster, more accurate, and able to capture nuances of the language. Our method shows it is possible to achieve high-fidelity translations and significantly reduce costs by a factor ranging from 430 to 23,000 compared to a human translator.
(Research Talk) The Ephemeral Threat: Attacking Algorithmic Trading Systems powered by Deep Learning
13:55 - 14:20
Advije Rizvani, Giovanni Apruzzese and Laskov Pavel
We scrutinize the security of an application domain of Deep Learning (DL) overlooked by prior security research: time-series forecasting of financial predictions. Despite abundant efforts revealing the brittleness of DL models to adversarial perturbations, such efforts hardly envisioned practical adversarial threat models and assessed their effects on a DL-powered algorithmic trading system (ATS). In this work, we shed light on the vulnerability of ATS to adversarial perturbations launched by a constrained, but realistic, attacker. First, through an extensive literature review, we expose the limited attention given to DL security in the financial domain—which is naturally attractive for adversaries. Then, we formalize the concept of ephemeral perturbations (EP), which can be used to stage a novel type of attack tailored for DL-based ATS. Finally, we carry out an end-to-end evaluation of our proposed EP against a profitable ATS. Our results reveal that the introduction of small changes to the input stock-prices not only (i) induces the DL model to behave incorrectly—which is well-known; but also (ii) leads the whole ATS to make suboptimal buy/sell decisions—which translate into a net loss for the targeted organization. We will release our implementation.
Actionable Cyber Threat Intelligence using Knowledge Graphs and Large Language Models
14:20 - 14:45
Romy Fieblinger, Md Tanvirul Alam and Nidhi Rastogi
Cyber threats are constantly evolving. Extracting actionable insights from unstructured Cyber Threat Intelligence (CTI) data is essential to guide cybersecurity decisions. Increasingly, organizations like Microsoft, Trend Micro, and CrowdStrike are using generative AI to facilitate CTI extraction. This paper addresses the challenge of automating the extraction of actionable CTI using advancements in Large Language Models (LLMs) and Knowledge Graphs (KGs). We explore the application of state-of-the-art open-source LLMs, including the LLama-2 series, Mistral-7b-Instruct, and Zephyr for extracting meaningful triples from CTI texts. Our methodology evaluates various techniques such as prompt engineering, the guidance framework, and fine-tuning to optimize information extraction and structuring. The extracted data is then utilized to construct a Knowledge Graph, offering a structured and queryable representation of threat intelligence. Experimental results demonstrate the effectiveness of our approach in extracting relevant information, with guidance and fine-tuning showing superior performance over prompt engineering. However, while our methods prove effective in small-scale tests, applying LLMs to large-scale data for Knowledge Graph construction and Link Prediction presents ongoing challenges.
Panel discussion
14:45 - 15:15
Coffee Break
15:15 - 15:45 (Timezone: CEST (UTC+02:00))
Session 3: CPS/OT
15:45 - 17:30 (Timezone: CEST (UTC+02:00))
A Methodology to Measure the "Cost" of CPS Attacks: Not all CPS Networks are Created Equal
15:45 - 16:10
Martin Rosso, Emmanuele Zambon, Luca Allodi and Jerry Den Hartog
Cyber-Physical Systems (CPS) are (connected) computer systems used to monitor and control physical processes using digital control programs. Cyberattacks against CPS can cause physical impact with potentially devastating consequences. While some past attacks required expert CPS knowledge (e.g., Stuxnet), other attacks could be done by anyone, solely with pure IT knowledge. Understanding what causes these differences is essential in effectively defending systems, but there is currently no way of qualifying let alone quantifying them. In this paper, we first define a notion of attack “cost” focusing on the required CPS-specific attacker knowledge. We then identify several context factors that may influence this cost and, finally, provide a methodology to analyze the relation between attack cost and CPS-context factors using past cyberattacks. To validate the methodology in a reproducible way, we apply it to publicly reported CPS incidents with physical impact. Though this constitutes only a small set of attacks, our methodology is able to find correlations between context factors and the attack cost, as well as significant differences in context factors between CPS domains.
Threat analysis and adversarial model for Smart Grids
16:10 - 16:35
Javier Sande Ríos, Jesús Canal Sánchez, Carmen Manzano Hernández and Sergio Pastrana
The power grid is a critical infrastructure that allows for the efficient and robust generation, transmission, delivery and consumption of electricity. In recent years, the physical components have been equipped with computing and network devices, which optimizes the operation and maintenance of the grid. The cyber domain of this smart power grid opens a new plethora of threats, which adds to classical threats on the physical domain. Accordingly, different stakeholders including regulation bodies, industry and academia, are making increasing efforts to provide security mechanisms to mitigate and reduce cyber-risks. Despite these efforts, there have been various cyberattacks that have affected the smart grid, leading in some cases to catastrophic consequences, showcasing that the industry might not be prepared for attacks from high profile adversaries. At the same time, recent work shows a lack of agreement among grid practitioners and academic experts on the feasibility and consequences of academic-proposed threats. This is in part due to inadequate simulation models which do not evaluate threats based on attackers’ full capabilities and goals. To address this gap, in this work we first analyze the main attack surfaces of the smart grid, and then conduct a threat analysis from the adversarial model perspective, including different levels of knowledge, goals, motivations and capabilities. To validate the model, we provide real-world examples of the potential capabilities by studying known vulnerabilities in critical components, and then analyzing existing cyber-attacks that have affected the smart grid, either directly or indirectly.
Attacking Operational Technology Without Specialized Knowledge: The Unspecialized OT Threat Actor Profile
16:35 - 17:00
Stash Kempinski, Savio Sciancalepore, Emmanuele Zambon and Luca Allodi
Due to the unique characteristics of Operational Technology (OT), i.e., technology centered around cyberphysical activities, performing OT-related cyber-attacks is traditionally thought to require both specialized and generic IT-related knowledge. However, in recent years, the need for specialized knowledge decreased, and OT-related cyberattacks became increasingly easier to perform. In this paper, we profile a new threat actor, referred to as the unspecialized OT attacker, who performs targeted, OT-related cyberattacks with at most basic generic knowledge. We show the relevance of this threat actor by identifying past OT-related cyber-attacks that match this threat actor profile’s capabilities; we do so by mapping the types of tools used during these cyber-attacks and the knowledge required to use them. To further substantiate our analysis, we investigate readily-available tools that can assist threat actors in performing OT-related cyber-attacks. The combination of our findings highlights the present-day lowered entry level requirements to attack OT environments while limiting the scope of current assumptions.
Panel discussion
17:00 - 17:30
End
17:30 (Timezone: CEST (UTC+02:00))
Review Model
Open reports
WACCO promotes an open and transparent review process. Reviews of accepted papers will be published together with the papers and archived in a public GitHub repository associated with WACCO. A link to that repository must be included in all accepted submissions. The reasons why WACCO implements an open report model are the following:
- It documents why the paper was considered positively to contribute to the larger scientific domain it pertains to;
- It provides a critique useful to better delineate research limitations and scope, which can be of particular benefit to young researchers and students alike;
- It provides a structural incentive for reviewers to write constructive and clear reviews;
- It provides a structural incentive for authors to implement reviewer recommendations for the camera-ready version of their paper;
- It provides a critical viewpoint for future work and research follow-ups;
- It provides additional transparency to the quality of the adopted review process and its outcomes.
Submission
WACCO encourages submission of full papers and position papers from academia, industry, and government for appearance in the EuroSP IEEE proceedings. They should present interesting results for both theory and experimentation in the area of attacker and cyber-crime operations. We also particularly welcome independent reproduction of previous studies or experiments, as well as negative results. We expect full papers to be 10 pages in length (IEEE format). Longer papers that document extensive experimentation are in scope; the additional experimental material can be described in an annex to the main body of the paper. Position papers of around 4 pages in length should present new open and interesting questions that the community should address, or open questions that past research papers have not yet addressed. We expect position papers to be presented in panels or poster-platform sessions.
Additionally, WACCO 2024 welcomes submissions of Research Talks. Research Talk submissions will go through the same review process as full/short papers and will be evaluated on the same criteria of quality, but will not appear in the IEEE proceedings. We especially encourage the submission of multidisciplinary work looking for feedback from qualified experts in the domain. Research Talk submissions can be in any format, and of length commensurate to the contribution. Indicatively, Research Talks submissions are expected to be in the range of 7000-8000 words. To keep review loads acceptable, submissions of more than 10000 words may be desk rejected. Research Talk submissions should clearly state “Research Talk” in the title of the submission.
Anonymous submissions
Papers should be fully anonymized before review: author names or affiliations may not appear or be revealed in the text. Previous work of the authors should be referred to in the third person. In the unusual case that an anonymous reference is not possible, the authors should blind the reference (e.g. “[x] Blinded citation to preserve submission anonymity”). Papers that are not properly anonymized may be desk rejected.
Submission of work that has been previously presented at conferences without proceedings, even if that work is associated with the names of the authors, or is published on online repositories such as ArXiv.org or SSRN, is allowed as long as the submission is fully anonymized. PC members that may recognize the work and its authors are asked to declare conflict on that paper and will not be assigned to it.
Publications
All papers will be published by IEEE CS and posted on the IEEE digital libraries. All authors of accepted papers are expected to present their paper at the workshop.
Submission site
Please submit your paper through EasyChair.
Organization Committees
Program Co-chairs
Name | Affiliation | Email
Luca Allodi | Eindhoven University of Technology | l.allodi@tue.nl
Alice Hutchings | University of Cambridge | alice.hutchings@cl.cam.ac.uk
Sergio Pastrana | University Carlos III of Madrid | spastran@inf.uc3m.es
Publicity and Publication Co-chairs
To be announced.
Program Committee
- Maria Bada, Queen Mary University of London
- Benoît Dupont, University of Montreal
- Rutger Leukfeldt, NSCR
- Rebekah Overdorf, Université de Lausanne
- Sasha Romanosky, RAND
- Tyler Moore, The University of Tulsa
- Dmitry Zhdanov, Illinois State University
- Will Scott, University of Michigan
- Carlos Gañán, Delft University of Technology
- Tom Van Goethem, KU Leuven
- Jorge Blasco Alís, Universidad Politécnica de Madrid
- Juan Tapiador, Universidad Carlos III de Madrid
- Daniel R. Thomas, University of Strathclyde
- Veronica Valeros, Czech Technical University in Prague
- Jeroen van der Ham, University of Twente
- Yi Ting Chua, University of Tulsa
- Matthew Edwards, University of Bristol
- Rolf van Wegberg, TU Delft
- Masarah Paquet-Clouston, Université de Montréal
- Mohammad Hammas Saeed, Boston University
- Maria Grazia Porcedda, Trinity College Dublin
- Zinaida Benenson, Friedrich-Alexander-Universität
- Asier Moneva, NSCR
Registration
The workshop is co-located with the 9th IEEE European Symposium on Security and Privacy (EuroS&P 2024). To register please visit the registration page of the main event.