Follow the money: revealing risky nodes in a Ransomware-Bitcoin network

Adam Brian Turner; Stephen McCombie; Allon J. Uhlmann

Follow the money: revealing risky nodes in a Ransomware-Bitcoin network

Adam Brian Turner, Stephen McCombie, Allon J. Uhlmann

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding contribution › peer-review

455 Downloads (Pure)

Abstract

This paper demonstrates the use of network analysis to identify core nodes associated with ransomware attacks in cryptocurrency transaction networks. The method helps trace the cyber entities involved in cryptocurrency attacks and supports intelligence efforts to identify and disrupt cryptocurrency networks. A data corpus is built by the unsupervised machine learning graph algorithm ‘DeepWalk’ [1]. DeepWalk evaluates the position of nodes within networks. It compares the relative position of different nodes (similarity) and identifies those whose removal would most affect the network (riskiness). This method helps identify on the blockchain the key nodes that are involved in the execution of a ransomware attack. When applied to the ransomware “cash out” graph, the method derived “riskiness” scores for specific nodes. Analysing the derived “riskiness” at a community level (groups of nodes in the network) provides an enhanced granularity for identifying and targeting influential nodes. Such insight could potentially support both intelligence and forensics investigations.

Original language	English
Title of host publication	Proceedings of the 54th Hawaii International Conference on System Sciences \| 2021
Place of Publication	Honolulu
Publisher	University of Hawaii at Manoa
Pages	1560-1572
Number of pages	13
ISBN (Print)	9780998133140
Publication status	Published - 5 Jan 2021
Event	Hawaii International Conference on System Sciences (54th : 2021) - Honolulu, United States Duration: 5 Jan 2021 → 8 Jan 2021

Conference

Conference	Hawaii International Conference on System Sciences (54th : 2021)
Abbreviated title	HICSS-54
Country/Territory	United States
City	Honolulu
Period	5/01/21 → 8/01/21

Bibliographical note

Version archived for private and non-commercial use with the permission of the author/s and according to publisher conditions. For further rights please contact the publisher.

Keywords

Ransomware
Bitcoin
Intelligence

Access to Document

Publisher version (open access)Final published version, 1.03 MBLicence: CC BY-NC-ND

http://hdl.handle.net/10125/70801

Cite this

@inproceedings{c0c2adb7f0234e86a84d81251266913a,

title = "Follow the money: revealing risky nodes in a Ransomware-Bitcoin network",

abstract = "This paper demonstrates the use of network analysis to identify core nodes associated with ransomware attacks in cryptocurrency transaction networks. The method helps trace the cyber entities involved in cryptocurrency attacks and supports intelligence efforts to identify and disrupt cryptocurrency networks. A data corpus is built by the unsupervised machine learning graph algorithm {\textquoteleft}DeepWalk{\textquoteright} [1]. DeepWalk evaluates the position of nodes within networks. It compares the relative position of different nodes (similarity) and identifies those whose removal would most affect the network (riskiness). This method helps identify on the blockchain the key nodes that are involved in the execution of a ransomware attack. When applied to the ransomware “cash out” graph, the method derived “riskiness” scores for specific nodes. Analysing the derived “riskiness” at a community level (groups of nodes in the network) provides an enhanced granularity for identifying and targeting influential nodes. Such insight could potentially support both intelligence and forensics investigations.",

keywords = "Ransomware, Bitcoin, Intelligence",

author = "Turner, {Adam Brian} and Stephen McCombie and Uhlmann, {Allon J.}",

note = "Version archived for private and non-commercial use with the permission of the author/s and according to publisher conditions. For further rights please contact the publisher.; Hawaii International Conference on System Sciences (54th : 2021), HICSS-54 ; Conference date: 05-01-2021 Through 08-01-2021",

year = "2021",

month = jan,

day = "5",

language = "English",

isbn = "9780998133140",

pages = "1560--1572",

booktitle = "Proceedings of the 54th Hawaii International Conference on System Sciences | 2021",

publisher = "University of Hawaii at Manoa",

}

Turner, AB , McCombie, S & Uhlmann, AJ 2021, Follow the money: revealing risky nodes in a Ransomware-Bitcoin network. in Proceedings of the 54th Hawaii International Conference on System Sciences | 2021. University of Hawaii at Manoa, Honolulu, pp. 1560-1572, Hawaii International Conference on System Sciences (54th : 2021), Honolulu, Hawaii, United States, 5/01/21. <http://hdl.handle.net/10125/70801>

Follow the money: revealing risky nodes in a Ransomware-Bitcoin network. / Turner, Adam Brian ; McCombie, Stephen; Uhlmann, Allon J.
Proceedings of the 54th Hawaii International Conference on System Sciences | 2021. Honolulu: University of Hawaii at Manoa, 2021. p. 1560-1572.

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding contribution › peer-review

TY - GEN

T1 - Follow the money

T2 - Hawaii International Conference on System Sciences (54th : 2021)

AU - Turner, Adam Brian

AU - McCombie, Stephen

AU - Uhlmann, Allon J.

N1 - Version archived for private and non-commercial use with the permission of the author/s and according to publisher conditions. For further rights please contact the publisher.

PY - 2021/1/5

Y1 - 2021/1/5

N2 - This paper demonstrates the use of network analysis to identify core nodes associated with ransomware attacks in cryptocurrency transaction networks. The method helps trace the cyber entities involved in cryptocurrency attacks and supports intelligence efforts to identify and disrupt cryptocurrency networks. A data corpus is built by the unsupervised machine learning graph algorithm ‘DeepWalk’ [1]. DeepWalk evaluates the position of nodes within networks. It compares the relative position of different nodes (similarity) and identifies those whose removal would most affect the network (riskiness). This method helps identify on the blockchain the key nodes that are involved in the execution of a ransomware attack. When applied to the ransomware “cash out” graph, the method derived “riskiness” scores for specific nodes. Analysing the derived “riskiness” at a community level (groups of nodes in the network) provides an enhanced granularity for identifying and targeting influential nodes. Such insight could potentially support both intelligence and forensics investigations.

AB - This paper demonstrates the use of network analysis to identify core nodes associated with ransomware attacks in cryptocurrency transaction networks. The method helps trace the cyber entities involved in cryptocurrency attacks and supports intelligence efforts to identify and disrupt cryptocurrency networks. A data corpus is built by the unsupervised machine learning graph algorithm ‘DeepWalk’ [1]. DeepWalk evaluates the position of nodes within networks. It compares the relative position of different nodes (similarity) and identifies those whose removal would most affect the network (riskiness). This method helps identify on the blockchain the key nodes that are involved in the execution of a ransomware attack. When applied to the ransomware “cash out” graph, the method derived “riskiness” scores for specific nodes. Analysing the derived “riskiness” at a community level (groups of nodes in the network) provides an enhanced granularity for identifying and targeting influential nodes. Such insight could potentially support both intelligence and forensics investigations.

KW - Ransomware

KW - Bitcoin

KW - Intelligence

M3 - Conference proceeding contribution

SN - 9780998133140

SP - 1560

EP - 1572

BT - Proceedings of the 54th Hawaii International Conference on System Sciences | 2021

PB - University of Hawaii at Manoa

CY - Honolulu

Y2 - 5 January 2021 through 8 January 2021

ER -

Follow the money: revealing risky nodes in a Ransomware-Bitcoin network

Abstract

Conference

Bibliographical note

Keywords

Access to Document

Fingerprint

Cite this