Thesis
Enhancing the investigation of malware-related crimes using semantic technologies
- Abstract:
The expansion of technology connectivity and the pervasiveness of data in our society pose both challenges and opportunities for the government and the private sector. Big companies like Google and Facebook are at the forefront of successfully tackling the challenge of extracting meaning from this data deluge: building rich profiles of people and networks enables them to monetise and make profits by selling such profiles for targeted marketing purposes. For most organisations, though, the challenge of generating actionable intelligence from the available data sources is still daunting.
In the government sector, one of the sectors that could benefit significantly from data-driven intelligence is that of Law Enforcement. However, the deficit of specialized personnel and tools which extract meaningful information from data (as Chapter~\ref{sec:intro} shows) is directly linked to weak investigation capabilities, ultimately hampering the catching of serious organised organisations.
As the literature review shows, the available forensic tools are just starting to change the focus from improving processing performance to facilitating investigation and exploration. One example is the increasing adoption of domain taxonomies to describe data.
This thesis addresses the capability gaps by demonstrating that analysts working in law enforcement would benefit from a data exploration tool leveraging specific semantic features. In addition to semantic search and integration of data (features already provided by many semantic data exploration tools), allowing the investigators to materialise classes, object properties and datatype properties could help them shape their knowledge during the course of an investigation. Moreover, the ability to express knowledge in terms of semantic queries and rules could enhance information exchange between analysts.
A prototype was developed to assess the feasibility of the idea and validate it with actual investigators. Their feedback after testing the prototype indicated that such computer-provided features could indeed support the reasoning of the human analyst, making cybercrime investigation more efficient.
- Type of award:
- DPhil
- Level of award:
- Doctoral
- Awarding institution:
- University of Oxford
- Language:
- English
- UUID:
- uuid:5abeb135-ff33-42b4-8847-0aefe8e82c8f
- Deposit date:
- 2019-11-11
Terms of use
- Copyright holder:
- Carvalho, R
- Copyright date:
- 2018