Understand your shady neighborhood: An approach for detecting and investigating hacker communities
Decision Support Systems (IF 6.7). Pub Date: 2024-06-21. DOI: 10.1016/j.dss.2024.114271
Dalyapraz Manatova , Charles DeVries , Sagar Samtani

Cyber threat intelligence (CTI) researchers strive to uncover collaborations and emerging techniques within hacker networks. This study proposes an empirical approach to detect communities within hacker forums for CTI purposes. Eighteen algorithms are systematically evaluated, including state-of-the-art and benchmark methods for identifying overlapping and disjoint groups. Using discussions from five prominent English hacker forums, a comparative analysis examines the influence of the algorithms’ theoretical foundations on community detection. Since ground truths are unattainable for such networks, the study utilizes a multi-metric strategy, incorporating modularity, coverage, performance, and a newly introduced quality measure, Triplet Hub Potential, which quantifies the presence of influential hubs. The findings reveal that while modularity optimization algorithms such as Leiden and Louvain deliver consistent results, neighbor-based expanding techniques tend to provide superior performance. In particular, the Expansion algorithm stood out by uncovering granular hierarchical community structures. The ability to investigate these intimacies is helpful for CTI researchers. Ultimately, we suggest an approach to investigate hacker forums using community detection methods and encourage the future development of algorithms tailored to expose nuances within hacker networks.
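The abstract's multi-metric strategy (modularity, coverage and performance of a candidate partition) can be made concrete with a small scorer. The following is an added example, not code from the paper: the graph is a constructed "who replied to whom" network of eight hypothetical forum handles, and the two partitions compared show why coverage alone rewards the useless one-community split while modularity and performance penalise it.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample (not data from the paper): undirected reply graph for
# eight hypothetical handles. Two tight groups (a-d, e-h) joined by a
# single cross-group reply (d-e).
REPLY_EDGES = [
    ("a", "b"), ("a", "c"), ("b", "c"), ("c", "d"), ("a", "d"),
    ("e", "f"), ("f", "g"), ("e", "g"), ("g", "h"), ("f", "h"),
    ("d", "e"),
]


def partition_quality(edges, partition):
    """Return (modularity, coverage, performance) for a disjoint partition.

    edges: (u, v) pairs, undirected, no self-loops or duplicates.
    partition: list of sets of node labels covering every node.
    """
    edge_set = {frozenset(e) for e in edges}
    m = len(edge_set)
    label = {node: i for i, group in enumerate(partition) for node in group}
    nodes = list(label)
    n = len(nodes)

    degree = defaultdict(int)
    for u, v in edge_set:
        degree[u] += 1
        degree[v] += 1

    # Coverage: share of edges whose endpoints share a community.
    intra = sum(1 for u, v in edge_set if label[u] == label[v])
    coverage = intra / m

    # Newman-Girvan modularity: sum over communities of
    # internal_edges/m - (community_degree / 2m)^2.
    modularity = 0.0
    for group in partition:
        l_c = sum(1 for u, v in edge_set if u in group and v in group)
        d_c = sum(degree[x] for x in group)
        modularity += l_c / m - (d_c / (2 * m)) ** 2

    # Performance: intra-community edges plus inter-community non-edges,
    # over all n(n-1)/2 node pairs.
    inter_non_edges = sum(
        1 for u, v in combinations(nodes, 2)
        if label[u] != label[v] and frozenset((u, v)) not in edge_set
    )
    performance = (intra + inter_non_edges) / (n * (n - 1) / 2)
    return modularity, coverage, performance
```

Scoring `[{"a","b","c","d"}, {"e","f","g","h"}]` against the single-community partition shows coverage rising to 1.0 for the trivial split while modularity drops to 0 and performance falls, which is why the paper reads the metrics together rather than in isolation.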

Updated: 2024-06-21