Juan Echeverria, Christoph Besel, Shi Zhou
Department of Computer Science, University College London (UCL)
Discovery of the Bursty Botnet by unusual tweeting behaviours
Twitter bots and botnet
Threats: Fake news; spam; phishing; opinion manipulation; streaming API contamination; advertisement fraud...
Twitter bot detection
• Many methods based on ‘common features’ of bots
• Only small numbers of bots detected
• Lack of ground truth
Outline of this talk
• Recent discovery of Star Wars Botnet
  • 350,000 bots
• Our discovery of the Bursty Botnet
  • 500,000 bots
  • Unusual tweeting behaviours
  • Direct link with a spamming attack
• Reflection on Twitter bot detection
Distribution of the location tags of tweets by 1% Twitter users
First clue of the Star Wars botnet
Uniform distribution in two rectangle zones? Even on sea and desert?
Tweets of random quotations from Star Wars novels
All tweets
The suspicious tweets
The Star Wars Botnet
• Only tweeted random quotations from SW novels.
• Only tweeted from the source of Windows phone
  • Windows phone accounts for only 0.02% of all tweets.
• <10 followers, <32 friends, <11 tweets....
• >350,000 Bots are identified.
Nice story... And?
[Figure: percentage of Twitter users across the Twitter ID space (0 ~ 2^32, in billions), with the ID range containing Star-Wars bots marked.]
[Figure: percentage of ID space used versus Twitter ID (1500 to 1600), for random users and StarWars bots.]
SW bots were created in burst!
SW bots also tweeted in burst!
• All their tweets were generated immediately after their creation.
• Definition of ‘bursty users’:
  • Users that tweeted at least 3 times in their first hour
  • Then they never tweeted again
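The 'bursty user' definition above, applied to per-account tweet timestamps and then counted per user-ID bin, as the talk's ID-space plots do. This is an added example, not code from the talk; the input layout, the bin width and the `min_share`/`min_count` thresholds are assumptions, and the accounts are constructed sample data.

```python
from collections import Counter
from datetime import datetime, timedelta

FIRST_HOUR = timedelta(hours=1)
MIN_TWEETS = 3  # "at least 3 times in their first hour"

def is_bursty(created_at, tweet_times):
    """>= 3 tweets, all inside the first hour after creation, none later."""
    if len(tweet_times) < MIN_TWEETS:
        return False
    cutoff = created_at + FIRST_HOUR
    return all(created_at <= t <= cutoff for t in tweet_times)

def bin_stats(accounts, bin_width):
    """Per user-ID bin start: (accounts seen, bursty accounts)."""
    total, bursty = Counter(), Counter()
    for uid, (created_at, tweets) in accounts.items():
        start = uid // bin_width * bin_width
        total[start] += 1
        if is_bursty(created_at, tweets):
            bursty[start] += 1
    return {b: (total[b], bursty[b]) for b in total}

def flag_bins(accounts, bin_width, min_share=0.5, min_count=3):
    """ID bins dominated by bursty users (thresholds assumed, not from the talk)."""
    return sorted(b for b, (n, k) in bin_stats(accounts, bin_width).items()
                  if k >= min_count and k / n >= min_share)

def acct(created, offsets_min):
    """Build a constructed (created_at, tweet_times) record from minute offsets."""
    return created, [created + timedelta(minutes=m) for m in offsets_min]

T0 = datetime(2012, 2, 1, 12, 0)
SAMPLE = {  # constructed accounts: user ID -> (created_at, tweet_times)
    500_000_101: acct(T0, [0.5, 1, 1.5]),            # bursty
    500_000_102: acct(T0, [0.2, 0.9, 1.8, 1.9]),     # bursty
    500_000_103: acct(T0, [1, 2, 3]),                # bursty
    500_000_104: acct(T0, [5, 20, 50, 43200]),       # tweeted again a month later
    900_000_001: acct(T0, [10, 3000]),               # ordinary user
    900_000_002: acct(T0, []),                       # never tweeted
    900_000_003: acct(T0, [1, 2]),                   # only two tweets
}

if __name__ == "__main__":
    print(bin_stats(SAMPLE, 1_000_000))
    print(flag_bins(SAMPLE, 1_000_000))
```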
[Figure: percentage of user IDs across the Twitter user ID space (x10^9), for all users and bursty users, with the Star Wars bots and Bursty bots marked.]
[Figure: number of bursty users across the Twitter user ID space (x10^9), with the Bursty bots and Star Wars bots marked; date annotations: Feb 2012, March 2012, June 2013, July 2013.]
Discovery of the Bursty Botnet
The Bursty Botnet
• Bursty Bots only tweeted in their first 2 minutes.
• They were created in February and March 2012.
• They only tweeted from the source of Mobile Web.
• They mostly tweeted (i) a URL; and/or (ii) a mention.
[Figure: distribution of minutes from creation to last tweet, for Bursty bots and Star Wars bots.]
The Bursty Botnet
• >500,000 Bursty Bots are identified.
• Still alive in Twitter.
• Most bursty users are Bursty Bots!
[Figure: number of users versus Twitter user IDs (x10^6), showing Bursty users, Bursty bots and their difference.]
[Figure: number of users versus Twitter user IDs (x10^6), September 2015 versus September 2016, with the disappeared Bursty bots marked.]
The ‘disappeared’ Bursty Bots
• Another 300,000 Bursty Bots have been removed by Twitter between Sept. 2015 and Sept. 2016.
• A vote from Twitter that these are indeed bad bots?
• It seems Twitter does not know what we know?
• Most Bursty Bots have no friend or follower.
• They mostly tweeted only a URL and/or a mention.
• Spamming attack?
The Bursty Botnet properties
The Bursty Botnet spamming attack
• 99.9% (2.8m) URLs are unique
• Complex URL shorteners and redirects.
• Most URLs point to two spam campaigns.
  • A webpage blocked by tinyurl.com
  • A known phishing webpage
    • www.facebook-goodies.com
A carefully designed spamming attack
• 500,000 bots were created in burst, and they tweeted in burst -- to evade bot detection.
• 2.8 million unique URLs using shorteners and redirects -- to fool spam detection.
• 1.3 distinct Twitter users were mentioned -- to increase visibility and chance of being clicked.
• Success: 61% of URLs were actually clicked!
• A remarkable revenue?
The Bursty Botnet
• No doubt it is a botnet, and it was for spamming attacks.
• Further study can even reveal the alleged botmaster.
• Full analysis of the spamming attack will be published elsewhere. :)
  • with a lot of interesting details...
Reflection on Twitter bots detection
• Existing methods fail to detect large botnets
• The assumed “common features” are not necessarily common.
• Understandable: lack of ground truth; evolving botnets
A long-term battle
• The two botnets were discovered by their unusual tweeting behaviours.
• We cannot expect to repeat our luck.
• Botmasters will learn lessons.
  • New botnets will avoid any known features, especially the common features.
• Is a ‘general’ approach realistic?
  • To detect common or unusual features?
Thank You!
Dr. Shi Zhou, University College London (UCL)