--- title: "Ransomware-Bitcoin-Addresses" author: "Kaylee Robert Tejeda" date: "9/19/2021" output: pdf_document --- ```{r setup, include=FALSE} knitr::opts_chunk$set(echo = TRUE) ``` ####################################### # # # ####################################### # Bitcoin Heist Ransomware Address Dataset: # https://archive.ics.uci.edu/ml/datasets/BitcoinHeistRansomwareAddressDataset # https://archive.ics.uci.edu/ml/machine-learning-databases/00526/data.zip # ## BitcoinHeistRansomwareAddressDataset Data Set Abstract: BitcoinHeist datasets contains address features on the heterogeneous Bitcoin network to identify ransomware payments. Data Set Characteristics: Multivariate, Time-Series Number of Instances: 2916697 Area: Computer Attribute Characteristics: Integer, Real Number of Attributes: 10 Date Donated 2020-06-17 Associated Tasks: Classification, Clustering Missing Values? N/A Number of Web Hits: 35019 Source: Cuneyt Gurcan Akcora (cuneyt.akcora '@' umanitoba.ca) University of Manitoba, Canada Yulia Gel (ygl '@' utdallas.edu) University of Texas at Dallas, USA Murat kantarcioglu (muratk '@' utdallas.edu) University of Texas at Dallas, USA Data Set Information: We have downloaded and parsed the entire Bitcoin transaction graph from 2009 January to 2018 December. Using a time interval of 24 hours, we extracted daily transactions on the network and formed the Bitcoin graph. We filtered out the network edges that transfer less than B0.3, since ransom amounts are rarely below this threshold. Ransomware addresses are taken from three widely adopted studies: Montreal, Princeton and Padua. Please see the BitcoinHeist article for references. Attribute Information: Features address: String. Bitcoin address. year: Integer. Year. day: Integer. Day of the year. 1 is the first day, 365 is the last day. length: Integer. weight: Float. count: Integer. looped: Integer. neighbors: Integer. income: Integer. Satoshi amount (1 bitcoin = 100 million satoshis). label: Category String. Name of the ransomware family (e.g., Cryptxxx, cryptolocker etc) or white (i.e., not known to be ransomware). Our graph features are designed to quantify specific transaction patterns. Loop is intended to count how many transaction i) split their coins; ii) move these coins in the network by using different paths and finally, and iii) merge them in a single address. Coins at this final address can then be sold and converted to fiat currency. Weight quantifies the merge behavior (i.e., the transaction has more input addresses than output addresses), where coins in multiple addresses are each passed through a succession of merging transactions and accumulated in a final address. Similar to weight, the count feature is designed to quantify the merging pattern. However, the count feature represents information on the number of transactions, whereas the weight feature represents information on the amount (what percent of these transactions’ output?) of transactions. Length is designed to quantify mixing rounds on Bitcoin, where transactions receive and distribute similar amounts of coins in multiple rounds with newly created addresses to hide the coin origin. White Bitcoin addresses are capped at 1K per day (Bitcoin has 800K addresses daily). Note that although we are certain about ransomware labels, we do not know if all white addresses are in fact not related to ransomware. When compared to non-ransomware addresses, ransomware addresses exhibit more profound right skewness in distributions of feature values. Relevant Paper: 1 - Rivera-Castro, R., Pilyugina, P., & Burnaev, E. (2019, November). Topological Data Analysis for Portfolio Management of Cryptocurrencies. In 2019 International Conference on Data Mining Workshops (ICDMW) (pp. 238-243). IEEE. https://arxiv.org/abs/1906.07852 https://arxiv.org/pdf/1906.07852 Citation Request: @article{akcora2019bitcoinheist, title={BitcoinHeist: Topological Data Analysis for Ransomware Detection on the Bitcoin Blockchain}, author={Akcora, Cuneyt Gurcan and Li, Yitao and Gel, Yulia R and Kantarcioglu, Murat}, journal={arXiv preprint [Web Link]}, year={2019} } ```{r data-prep} # Install necessary packages if(!require(tidyverse)) install.packages("tidyverse", repos = "http://cran.us.r-project.org") if(!require(caret)) install.packages("caret", repos = "http://cran.us.r-project.org") # Load Libraries library(tidyverse) library(caret) # Download data url <- "https://archive.ics.uci.edu/ml/machine-learning-databases/00526/data.zip" dest_file <- "data/data.zip" if(!dir.exists("data"))dir.create("data") if(!file.exists(dest_file))download.file(url, destfile = dest_file) # Unzip data archive into CSV file if(!file.exists("data/BitcoinHeistData.csv"))unzip(dest_file, "BitcoinHeistData.csv", exdir="data") # Import data from CSV ransomware <- read_csv("data/BitcoinHeistData.csv") # Fill in the rest once the code is stabilized ``` ### Introduction ## Motivation There is much interest in tracing transactions on the Bitcoin blockchain. One reason is to identify possible ransomware wallet addresses before they are used. See references for further motivation. ## Data Set & Variables Refer to topological descriptions of variables using DAG and reference paper. ### Analysis ## Process & Techniques # Data Cleaning # Data Exploration & Visualization Self-organizing maps. kohonen package # Insights # Modeling Do the different clustering algorithms count as different approaches? If so, maybe I can use SOM as the overall method and compare the three different clustering algorithms. Or else, find a different algorithm. Maybe one rectangular SOM and one hexagonal? Or some combination of those? Look at some of the example work to see how many of them used two separate methods. ### Results Nothing to compare to unless categorical output is used, then can compare to original paper results. Otherwise, can compare binary results to other binary results from different hierarchical methods. ## Performance ### Conclusion ## Summary ## Potential Impact ## Limitations ## Future Work