Interdisciplinary Centre for Finding, Understanding and Countering Crime in the Cloud

Lead Research Organisation: University of Cambridge
Department Name: Computer Science and Technology

Abstract

The Cambridge Interdisciplinary Centre for Crime in the Cloud (CICCC) will combine the diverse range of skills available in the Institute of Criminology, the Faculty of Law and the Computer Laboratory at the University of Cambridge. Our approach will be multidisciplinary, including researchers with expertise in computer science, criminology, cybersecurity, economics, psychology, forensics and law.
Our approach will be data driven. We have negotiated access to some very substantial datasets including large feeds of data such as spam email messages and technical information about the operation of cloud services from several major cloud providers and public bodies. Together, they will constitute the largest data resource available anywhere outside of classified systems on abuse online; we will have more, and more diverse, data than almost all service firms or law enforcement agencies, creating a unique opportunity for research to develop new tools for cloud crime detection and forensics.
We will mine and correlate these datasets to extract information about criminal activity. Our analysis will enhance our understanding of crime in the cloud, enable us to devise identifiers of such criminality, allow us to build systems to detect crime when it occurs, and ensure we collect evidence of wrongdoing to a high standard. We will work closely with law enforcement to ensure appropriate interventions can be undertaken.
Our overall objective is to create a sustainable and internationally competitive centre for academic research into cybercrime. The primary aim of the centre is to improve the security of users of cloud services, and to improve outcomes for those who would be affected by their misuse. We will develop a strong legal framework to operate in, and maintain high ethical standards in everything we do. We will incorporate this into APIs for abuse data sharing that support appropriate authentication, nonrepudiation and privacy mechanisms, and feed these back to the industry.
We aim to provide the police with an enhanced ability to search large amounts of data related to cybercrime in the cloud, improved forensics, better chain-of-custody mechanisms for evidence, additional training, and meaningful statistics on cybercrime. We have strong relationships with industry, and we will provide them with important data and insights on how, when and why criminality in the cloud occurs, thus enabling cloud providers to improve security for the users of cloud services by cracking down swiftly on abuse. We will also work closely with other academics, providing sanitised datasets to researchers generally, and enable trustworthy researchers access to our full dataset on the same basis as ourselves. This will solve the main problem faced by most academics who want to do research on cybercrime, namely the difficulty of getting access to real data on actual abuse.

Planned Impact

Our project will have impact through four channels: law enforcement, industry, academia, and the public and policymakers generally.
We aim to develop better ways for academics and law enforcement to work together. We already have established relationships with UK and US law enforcement, having worked with SOCA in the past on tracking phishing, and with the Met on forensic tools to recover video from deleted files on mobile phones. We have an active collaboration with the US National Cyber-Forensics Training Alliance (which includes the FBI, Secret Service and various police forces).
One of the co-investigators directs the Cambridge Police Executive Programme, which has trained many chief constables and senior officers from forces worldwide. It attracts over 300 alumni and other participants to the annual Cambridge conference on Evidence-Based Policing and we will use this venue for impact. We will also disseminate our results through ACPO, whose cyber lead also heads up our regional cybercrime squad. From year three of the project, one of our research associates will focus on user engagement and will help the NCA, the Met and other police forces take on board not just our data but also the forensic tools and methodologies that we develop.
Industrial impact will be at least as important, and the service firms' big problems include how to share abuse data. At present some data is shared between key people on a basis of personal trust, but this will not scale indefinitely. Our centre will start to fill that gap by providing a curated feed for sharing, rather than raw data, and by starting to develop the electronic infrastructure required. We will build on data-sharing APIs already under development by industry to provide, first, electronic signature mechanisms to assure the evidential value of data, and second, sanitised data based on a careful treatment of privacy issues, from the UK/EU, US and international viewpoints. We anticipate that this will be of sufficient value to the industry that by the end of year two we can start to attract serious industry financing and make the centre sustainable (independently of RCUK funding) by the end of year five. We will continue to work with industry security teams and the ad-hoc 'trust groups' as we have done for many years. We will continue to contribute data, code and intelligence to industry partners.
Cybercrime is moving rapidly up the political and news agenda with growing public concern that falling real-world crime is offset by rising crime online. This raises significant policy issues around the Home Office narrative of falling crime. It has also led to many media opportunities for the investigators, not just on UK TV and print media, but worldwide. Our public outreach and education activities will continue. If the grant is awarded to Cambridge we will have more results to talk about, and our media activities and expertise will enable us to maximise their impact.
Our earlier work on the costs of cybercrime demonstrated that most of these costs are indirect and stem from business foregone because of consumer reluctance to shop, bank or engage with government online, and because of defensive and clean-up costs, not all of which are appropriate. Better public appreciation of the real risks and costs is a public good, and it is also valuable to educate businesses generally about this topic. For example, our study showed that some 4% of offered transactions at UK e-commerce websites were declined because of alerts from fraud engines. Access by retailers to better fraud detection systems and methodologies can make a real contribution to the economy, not just by cutting crime, but by increasing sales.
Finally, we are active members of CSaP (Cambridge Science and Policy) which brings many senior civil servants to Cambridge on short visits. This will give us a channel to disseminate results to policy teams across Whitehall and in Brussels including to ministers.
 
Description The data we have collected via the Cambridge Cybercrime Centre are now (Mar 2022) licensed by 198 researchers under 68 license agreements with universities in 17 countries worldwide. We are collaborating with ever more researchers as well as simply providing them with data.

We have published a series of papers exploring the modus operandi of one online scam after another; see the publications list for details. We analysed an FBI intervention whereby half a dozen DDoS services were taken down, out of an underground market of about 50, and found it was effective at suppressing market activity for about three months before things returned to 'normal'. We also analysed an NCA initiative to use Google ads to inform UK citizens thinking of using DDoS-for-hire services that the use of such services was illegal, and found that while the use of such services grew in the USA during the period of the campaign, it did not grow in the UK. Since the start of the pandemic we have greatly expanded our collection activities to other underground forums so as to collect data on the effect of the pandemic in general, and lockdown in particular, on cybercrime.

We are seen as the go-to place for cybercrime research, and have been invited to brief the Home Secretary (among others) on the nature of cybercrime, and what to do about it.
Exploitation Route We negotiated access to some very substantial datasets relating to cybercrime and we are using our neutral academic status to obtain more data and build one of the largest and most diverse data sets available to researchers. To the donated data we are adding large amounts of data collected by our own sensors, including measurements of DDoS, samples of Mirai and other malware, and tens of millions of messages (in both English and Russian) scraped from hacker forums. We have now licensed this to over a hundred researchers elsewhere. The problem we set out to tackle is that cybercrime research never used to be repeatable -- individuals would get access to specific datasets, do some analysis, and move on, but others could not get access to the same data to try out their own ideas. By creating a curated resource to which others can get licensed access, we are making it possible for academics in the UK and elsewhere to do the same kind of research that large organisations such as Google, Facebook and the FBI can do. We have established the Cambridge Cybercrime Centre as the key worldwide resource for academics wishing to study cybercrime.
Sectors Communities and Social Services/Policy, Creative Economy, Digital/Communication/Information Technologies (including Software), Education, Financial Services, and Management Consultancy, Government, Democracy and Justice, Security and Diplomacy

URL https://www.cambridgecybercrime.uk/
 
Description Our most significant contributions outside academia have been, first, intensive data collection on versions of the Mirai botnet; second, working with law enforcement in the USA and the UK to help them identify and take down DDoS-for-hire websites, while measuring the effects of the intervention; and third, collecting vast amounts of data to enable other researchers to understand the effect of the pandemic on cybercrime. As for the first, we have a number of nodes collecting data and are also developing honeypots. The Mirai botnet exploits IoT devices with known default passwords, and came to attention in October 2016 when wifi-enabled CCTV cameras in Vietnam, Brazil and elsewhere were recruited into a botnet that took down Dyn DNS, interrupting the availability of Twitter and other big services on the US eastern seaboard for several hours. Since then several variants have appeared each day, and we've worked to track them. We developed techniques of differential decompilation so we can see rapidly how a new version differs from the already understood variants, so we can see what it's trying to do and which of our existing countermeasures might work against it. This information is shared on a daily basis with law-enforcement agencies such as the NCA and the FBI, with industry partners and with other interested academics. As for the second, a number of DDoS services were raided in December 2019, and we carefully measured the time it took for the DDoS market to return to normal. We also helped the NCA measure the effects of an advertising campaign: they bought Google ads to tell UK gamers contemplating the use of DDoS-for-hire websites that this was illegal. The intervention stopped the growth of this crime type compared with the USA. As for the third, we expanded collection to both dark web and Discord forums, and from cybercrime to violent online political extremism too.
In terms of impact, the data collected by the Cambridge Cybercrime Centre is now used by over 150 researchers at over 50 institutions worldwide, and the largest interest is in our CrimeBB database, which most of our licensees use. This contains about 100 million messages, mostly in English and Russian, scraped from dozens of underground forums, providing a curated dataset of criminal communications going back over a decade. This enables researchers not only to track the evolution of particular crime types but to see who was involved, what they said they were doing, who was paying whom for what and a whole lot of other information that was not previously available. The users are predominantly criminologists, lawyers, sociologists and security economists, but there are some computer scientists too.
First Year Of Impact 2015
Sector Communities and Social Services/Policy, Digital/Communication/Information Technologies (including Software), Education, Government, Democracy and Justice, Security and Diplomacy
Impact Types Societal, Policy & public services

 
Description Taking down websites to prevent crime
Geographic Reach National 
Policy Influence Type Contribution to a national consultation/review
Impact We did a study for the Home Office on what worked, and what didn't, when it comes to taking down websites to prevent crime. We found that the police are extremely inefficient, as they do a fraction of a percent of the takedown work that commercial contractors do; the contractors learn how to work the system (by talking in appropriate ways to registrars, hosting companies and others) and have staff specialised in dealing with different problems (e.g. speaking Chinese to China Telecom). We recommended a randomised controlled trial where some forces outsource their takedown work to commercial firms. The Home Office was glad to get the report and are mulling over what to do with it. Meanwhile they let us publish the work.
URL https://www.lightbluetouchpaper.org/
 
Description Industrial sponsorship
Amount $75,000 (USD)
Organisation Threatstop Inc 
Sector Private
Country United States
Start 04/2016 
 
Title CrimeBB 
Description CrimeBB is a database of postings to underground cybercrime forums. It is the most widely used of all the resources collected and curated by our team. Starting in 2016, we scraped the contents of hackforums, where people bought and sold malware and other crime tools and services. We can't list it under "databases" as it's not "published" and doesn't have a DOI. For ethical and data-protection reasons it's available only under license. 
Type Of Material Improvements to research infrastructure 
Year Produced 2016 
Provided To Others? Yes  
Impact We set out at the Cambridge Cybercrime Centre to turn cybercrime research into a science. Previously, researchers collected their own data and couldn't share it, so their findings could not easily be replicated or built on. We set out to change that by collecting and curating data at scale. Of all our collections, CrimeBB has turned out to be by far the most popular. We have other collections too; for example, ExtremeBB is a more recent project, which collects postings to extremist forums. As of February 2022, our data are licensed by 198 researchers at 65 research groups in 17 countries. 
URL https://www.cambridgecybercrime.uk/process.html
 
Description Collaboration with Threatstop 
Organisation Threatstop Inc
Country United States 
Sector Private 
PI Contribution We're analysing a lot of DDoS data collected by Threatstop.
Collaborator Contribution Threatstop gave us US$75k for work on distributed denial of service attacks. We used the money to hire Daniel Thomas for one year.
Impact We're going to help them help their customers deal with DDoS attacks better, and in the process understand them better ourselves.
Start Year 2015
 
Description Collaboration with Yahoo 
Organisation Yahoo!
Country United States 
Sector Private 
PI Contribution On the identification and counting of phishing attacks.
Collaborator Contribution Supplying us under NDA a copy of their spam feed, and giving Richard Clayton access to their systems as an intern to run analytics.
Impact Improved detection of spam and phishing by 20%.
Start Year 2010
 
Description Cybercrime conference 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact We invited people doing cybercrime research to Cambridge, including other academics who license our research data, the firms that provide it, and people interested in policy around cybercrime.
Year(s) Of Engagement Activity 2016,2017,2018
URL https://www.cambridgecybercrime.uk/conference2018.html