With the proliferation of the use of the Internet, cyber security has become a major concern for users and businesses alike. While communication technologies have undoubtedly positively changed the way we communicate, it also provides cybercriminals with methods and techniques to be used for illegitimate purposes such as the distribution of o ensive and threatening materials [ 25 ], spamming, phishing, cyberbullying, viruses, harassment and cyberstalking [ 18 ]. Cyberstalking is a complicated and pervasive problem, which a ects and targets a huge number of individuals [ 4 ], and unlike many other cybercrimes, cyberstalking does not occur on a single occasion [ 24 ], rather victims experience repeated, systematic and multiple attacks. Cyberstalking has been identi ed as a growing social problem [ 7 ], and a global issue [ 13 ], to an extent in which it is envisaged that almost twenty percent of people at one stages of their lives will become a victim of cyberstalking, where women will more likely become a victim than men [ 11 ]. In [ 12 ] Maple et al. have de ned cyberstalking as a \course of actions that involves more than one incident perpetrated through or utilising electronic means that cause distress, fear or alarm". There is evidence that cyberstalking will increase in both frequency and intensity [ 16 ].

While cybercriminals such as cyberstalkers utilise an array of technologies, tools and techniques like chat rooms, bulletin boards, newsgroups, instant messaging (IM ), short message service (SMS ), multimedia messaging service (MMS ), and trojans, email is one of the most commonly used methods of cyberstalking [ 21, 13, 20, 15 ]. A cyberstalker can send emails, SMS, IM, MMS, and chat to threaten, insult, harass, or disrupt e-mail communications by ooding a victim's e-mail inbox with unwanted mail [ 23, 22 ] anywhere at any time anonymously or pseudonymously, without fear of prosecution. This creates a new challenge for law enforcement and in digital forensic investigation. Anonymity in communication is one of the main issues exploited by cybercriminals [ 10 ]. Therefore, cyberstalkers could easily disguise themselves by spoo ng email, and creating di erent pseudonym accounts mostly from free web mail providers. Similarly web based gateways are utilised to spoof SMS [ 5 ], and di erent anonymous chat IDs are easily created.

These techniques, coupled with the availability of remailers, unauthorised networks, public library's computers, internet cafs, and free anonymous communications through websites, in addition to free and unregistered mobile SIM cards, inexpensive and unregistered mobile handsets, give an upper hand to cyberstalkers in their attack and complicate the investigation of cyberstalking cases [ 20 ]. Cyberstalking prevention with text messages ltering might not be as e ective as required, because it does not always hold cyberstalkers accountable for their misuse of emails, and other text-based messages communication. Therefore identifying the original sender of emails, SMS, MMS, and chat is an important factor in the prosecution of an attacker [ 25 ].

The discussion so far shows that it is imperative to deal with cyberstalking on the very earliest stage. We will therefore in the remainder of the paper discuss a framework to detect cyberstalking in text-based messages and to support the collection of evidence for law enforcement. Text categorization and analysis plays a crucial role in our framework.

The Need to Detect and Document Text-based Cyberstalking Text-based cyberstalking includes sending abusive, hate, threatening, harassing and obscene emails, SMS, chats, MMS, IM, including video and photo; sending email or MMS with the intention to spread viruses to a victim's device, either with attachments containing viruses or directing victims to a malicious website through a hyperlink; taking over victim's email account; sending high volumes of junk emails, SMS, MMS, Chat and IM. To minimise the e ect of textbased cyberstalking, we propose a system that monitors, detects, captures and documents evidence. Such a system requires that we provide means to analyse textual documents like messages and gather some information from this analysis, for instance to determine the true authorship of emails when we cannot trust any email header information. We therefore discuss how text categorization and processing can be utilized for several aspects of this task.

Our work is inspired by [ 2 ] where the authors propose a system that simply records data within a session, that is duration of victim's computer connection to and disconnection from Internet. However, their system has major limitations in handling text-based cyberstalking. We therefore propose a framework to detect and lter messages and to collect and analyse evidence.

A further aim of our system is to assist the victims in documenting evidence for the initial complain process, as well as to help law enforcement in early stages of their investigation. In order to persuade authorities to investigate or prosecute a cyberstalker, the responsibility is often on the victim to produce such evidence [ 21, 3 ], thus, it is imperative that the victims save and keep all copies of communication whether email or other communications and with all their headers available and readable to be given to law enforcement [ 8, 14 ]. Such documentation will clearly demonstrate the course of incident and provide valuable information for both the investigation and prosecution process [ 17 ].

Therefore an automated system will not only make the initial complaint process and investigation easier but will also speedup investigations with less e ort. Furthermore it will encourage victims to come forward and complain to prosecute a cyberstalker, because \cyberstalking and stalking's victim reporting is an important consideration for the criminal justice system, not only to guarantee that o enders are held accountable for their actions, but also to ensure that crime victims receive the support and services needed"[ 19 ]. 3

Our proposed framework is called Anti Cyberstalking Text-based System (ACTS). To the best of our knowledge it is the rst framework that specialises on the automatic detection and evidence documentation of text-based cyberstalking. A prototypical implementation of the framework is under development, and the data collection process is ongoing. ACTS will, e.g., run on a user's device to Messages Emails MMS SMS Chat IM

Message

ID unwanted messages

Legitamate messages Personalisation Module λ Detection β Module Attacker α Identification &WPrritoefpilerisnts Database

Code Dictionary Aggregator Messages and evidence col ection Module 0 ? 1

The proposed system utilises text mining, statistical analysis, text categorization and machine learning to combat cyberstalking. It consists of ve main modules: detection, attacker identi cation, personalisation, Aggregator and messages and evidence collection.

ACTS rst tries to detect cyberstalking based on a message ID list (the lists is optional for users and initially empty), which is automatically updated by the system. Messages whose IDs do not appear in the list are examined by the identi cation, personalisation, and detection modules; the results from three modules are passed to the aggregator for nal decision.

Similar to some text categorization based email detection systems which can identify unwanted email, the detection module is employed to detect potential cyberstalking text based on their content. The received message is preprocessed by appying tokenisation, stop-word removal, stemming and presentation. Text mining techniques are utilised to extract required patterns from the message; a corresponding supervised algorithm like neural network/support vector machines is employed to detect and categorise emails to compute a value based on three outputs, labelled as (00) not cyberstalking, (10) cyberstalking, and (01) grey email.

The attacker identi cation module is employed to identify whether received anonymous or pseudonymous messages are written by a cyberstalker or not, and to detect those messages from cyberstalkers where the message does not contain any known unwanted words. For this purpose, cyberstalker's writeprints including lexical, syntactic, structural and content-speci c features [ 26 ] will be utilised. Unfortunately, due to character limitation of short messages like Twitter tweets, for e.g. SMS is limited to 160 characters per message, writeprints might not always provide enough information to identify the author of the message. Nevertheless, because of their characters limitation, people tend to use unstandardised and informal language abbreviations and other symbols, which mostly depend on user's choice, subject of discussion and communities [ 9 ], where some of these abbreviations and symbols could provide valuable information in identify the sender. Thus to overcome this shortcoming and to enhance the identi cation process, we combines cyberstalker's writeprints with cyberstalker's pro le including linguistic and behavioural pro les, utilising the existing cyberstalker's writeprints and pro les history in database.

Above considerations are based on the premise that, by de nition, the victim must receive more than one attack to constitute cyberstalking. Thus there exist n messages where n 2 CE fm1; ::::mng and n > 2 which will be used to check any new arriving message. Intuitively CE will increase as the attack continues. A number of supervised algorithms have been used in authorship identi cation, where both authors and a set of their work are known prior to the identi cation process. Unfortunately, this is not the case in our approach. Identifying attackers is more challenging, rstly, because it will be implemented on user's device to detect messages, secondly, because we need to identify and detect the sender without prior knowledge. The system needs to decide whether a received message is written by a cyberstalker or not, thus supervised algorithms are not applicable. For this purpose, principal component analysis (PCA) could be employed to detect messages based on stylometrics and pro les; the new message's data is projected on PCA, and compared to the data matrix of all cyberstalking messages in CE . The result is represented by the value based on three outputs: not cyberstalking ( r2 ), cyberstalking ( r1 ) and grey (r1 < <r2 ). The value is passed to the aggregator component. r1 and r2 are pre-de ned threshold values in attacker identi cation (which have to be determined experimentally).

We also have to take into account that cyberstalking is often highly personalised; a bare word(s) or a phrase(s) of a message might have no inclination whatsoever towards bad feeling almost to anyone, but it might cause fear and distress to a cyberstalking victim. For instance, sending child birthday wishes may commonly be considered as positive, but not in case of somebody who lost their child or had undergone abortion. This complicates the process of developing a general tool to combat text-based cyberstalking. For this reason we de ne a personalisation module which is employed to enhance overall victim's control over incoming messages, where each victim can outline and de ne their own rule preferences. Therefore the personalisation module consists of rule based components and a code dictionary. The rule based component is optional, where rules are de ned based on words, date and phrases provided by the user. A typical rule could be if ((dateA<today<dateB) ^ (message contains "abc")) return true. A code dictionary is created from sentiment and a ect word(s) or phrases, which are commonly used in cyberstalking. Furthermore, the code dictionary could also be updated by the user. The received message would be preprocessed, for this purpose k-shingling [ 6 ] could be utilised. Where each k-length shingle is run against the dictionary, probabilistic disambiguation[ 1 ] is another possible method to be used; both the dictionary's returned result and rule-based result are represented by the value : either cyberstalking (1) or not cyberstalking (0) (when both returned results are negative).

The nal decision whether a received message is cyberstalking or not is made in the aggregator module, utilising the outcome from the previous modules. , and are the nal calculated result values for each individual received email by the attacker identi er and detection module, respectively. Messages are identi ed as either grey (?), cyberstalking (1) or not cyberstalking (0) based on ( ; ; ) as follows 80 if ( = 00 ^ ( > ( ; ; ) = <

1 if ( = 10 _ >:? if ( = 01 ^ (r1 < r2) ^ ( r1 _

= 0) ) ; = 1)); < r2) ^ = 0).

The nal module is the messages and evidence collection module, which collects evidence from a newly arriving cyberstalking message, for instance, in the case of email the c source IP address or, if it is not available, the next server relay in the path, and the domain name (both addresses are automatically submitted to WHOIS and other IP geolocation website). The information with timestamp and email headers is saved for instance in the evidence database on the victims' device. The module also regularly updates and adds stylometrics, pro les and related information of the cyberstalking message to the database. Furthermore it will utilise statistical methods like multivariate Gaussian distribution and PCA to analyse the writeprint and pro les of cyberstalking, and text mining to extract similar features, attacker behavioural, greeting, farewell, etc, speci cally between anonymous message and non anonymous message. The integrity and authenticity of a cyberstalking message, gathered evidence information whether saved on computer or through transmission are preserved using hash functions and asymmetric encryption keys. 4

Combating cyberstalking is a challenging task, where technical solutions are a cornerstone in its prevention and mitigation. We therefore presented the ACTS framework that lters, detect and documents text-based cyberstalking. In the context of our framework we in particular discussed the potential use of textual machine learning approaches and discussed the di erence to classical email categorization. The aim of our solution is not only to mitigate cyberstalking, but also to help victims in documenting evidence, which is required for law enforcement. Future work includes the implementation and evaluation of ACTS, in particular by measuring the e ectiveness of the proposed text categorization methods in this emerging problem area.