Interdisciplinary approach to criminal network analysis: Opportunities and challenges

The Crime as a Service (CaaS) model allows cybercriminals to specialise in certain illicit fields, instead of being jacks-of-all-trades with in-depth computer knowledge. This model facilitates serious cyber-enabled and -dependent crimes, e.g. by exchanging information on abusive tactics and engagement in selling illegal materials, products and services. A minority of proficient cybercriminals drives the CaaS model. This minority group develops advanced hacker tools and supports the underground forums’ majority population without the same technical skills. Law enforcement tries to disrupt the CaaS model, but their focus has so far been on taking down famous underground forums. Their approach has been shown to have limited impact on CaaS activities in practice. Investigators must instead target specific actors to have an enduring crippling effect. Consequently, there is a strong need for objective and reliable identification of the most prominent cybercriminals. Knowing which actor to put investigative efforts into means that investigators must scrutinise large quantities of unstructured data from underground forums. However, it is unfeasible to use contemporary investigative methods to examine unstructured data, and employing expert knowledge in manually analysing large amounts of data is absurd. Yet, a substantial improvement can be achieved by leveraging computational methods. This thesis aims (i) to provide a scientific basis for identifying and profiling cybercriminals in investigations and (ii) to derive advanced computational methods for the machine processing of unstructured data from underground forums. Our empirical studies work towards inferring actors’ proficiency by using an interdisciplinary approach. This approach combines methods from natural language processing and social network analysis. Our approach equips investigators with methods to profile several thousands of underground forum actors and differentiate between novices and proficient actors. Thus, investigators can efficiently and effectively analyse criminal networks to identify actors to further focus investigative resources. Our initial systematic studies on network centrality measures found them promising for ranking actors in a way that scientifically captures their relative importance. Still, there are two shortcomings in particular: (i) they appear to favour actors with higher communication frequency than important actors in the CaaS model and (ii) the results lack interpretabil