
Discovery of the Bursty Botnet by unusual tweeting behaviours



  1. Discovery of the Bursty Botnet by unusual tweeting behaviours. Juan Echeverria, Christoph Besel, Shi Zhou. Department of Computer Science, University College London (UCL)

  2. Twitter bots and botnet Threats: Fake news; spam; phishing; opinion manipulation; streaming API contamination; advertisement fraud...

  3. Twitter bot detection • Many methods based on ‘common features’ of bots • Only small numbers of bots detected • Lack of ground truth

  4. Outline of this talk • Recent discovery of Star Wars Botnet • 350,000 bots • Our discovery of the Bursty Botnet • 500,000 bots • Unusual tweeting behaviours • Direct link with a spamming attack • Reflection on Twitter bot detection

  5. First clue of the Star Wars botnet Distribution of the location tags of tweets by 1% Twitter users

  6. Uniform distribution in two rectangle zones? Even on sea and desert?

  7. Tweets of random quotations from Star Wars novels The suspicious tweets All tweets

  8. The Star Wars Botnet • Only tweeted random quotations from SW novels. • Only tweeted from the source of Windows phone • Windows phone accounts for only 0.02% of all tweets. • <10 followers, <32 friends, <11 tweets.... • >350,000 Bots are identified.

  9. Nice story... And?

  10. SW bots were created in burst! [Figure: two plots. First: percentage of ID space used against Twitter ID; legend: Random Users, StarWars Bots. Second: percentage against Twitter ID (0 ~ 2^32, in billions); legend: Twitter Users, ID Range containing Star-Wars Bots.]

  11. SW bots also tweeted in burst! • All their tweets were generated immediately after their creation. • Definition of ‘bursty users’: • Users that tweeted at least 3 times in their first hour • Then they never tweeted again

  12. Discovery of the Bursty Botnet [Figure: two plots over Twitter user ID space (x 10^9). First: percentage of user IDs; legend: All users, Bursty users; annotations: Bursty bots, Star Wars bots. Second: number of bursty users; annotations: Feb 2012, March 2012, June 2013, July 2013, Bursty bots, Star Wars bots.]

  13. The Bursty Botnet [Figure: distribution of minutes from creation to last tweet; legend: Bursty bots, Star Wars bots.] • Bursty Bots only tweeted in their first 2 minutes. • They were created in February and March 2012. • They only tweeted from the source of Mobile Web. • They mostly tweeted (i) a URL; and/or (ii) a mention.

  14. The Bursty Botnet • >500,000 Bursty Bots are identified. • Still alive in Twitter. • Most bursty users are Bursty Bots! [Figure: number of users (x 10^4) against Twitter user IDs (x 10^6); legend: Bursty users, Bursty bots, Difference.]

  15. The ‘disappeared’ Bursty Bots [Figure: number of users (x 10^4) against Twitter user IDs (x 10^6); legend: September 2015, September 2016, Disappeared Bursty bots.] • Another 300,000 Bursty Bots have been removed by Twitter between Sept. 2015 and Sept. 2016. • A vote from Twitter that these are indeed bad bots? • It seems Twitter does not know what we know?

  16. The Bursty Botnet properties • Most Bursty Bots have no friend or follower. • They mostly tweeted only a URL and/or a mention. • Spamming attack?

  17. The Bursty Botnet spamming attack • 99.9% (2.8m) URLs are unique • Complex URL shorteners and redirects. • Most URLs point to two spam campaigns. • A webpage blocked by tinyurl.com • A known phishing webpage • www.facebook-goodies.com

  18. A carefully designed spamming attack • 500,000 bots were created in burst, and they tweeted in burst -- to evade bot detection. • 2.8 million unique URLs using shorteners and redirects -- to fool spam detection. • 1.3 distinct Twitter users were mentioned -- to increase visibility and chance of being clicked. • Success: 61% of URLs were actually clicked! • A remarkable revenue?

  19. The Bursty Botnet • No doubt it is a botnet, and it was for spamming attacks. • Further study can even reveal the alleged botmaster. • Full analysis of the spamming attack will be published elsewhere. :) • with a lot of interesting details ...

  20. Reflection on Twitter bot detection • Existing methods fail to detect large botnets • The assumed “common features” are not necessarily common. • Understandable: lack of ground truth; evolving botnets

  21. A long-term battle • The two botnets were discovered by their unusual tweeting behaviours. • We cannot expect to repeat our luck. • Botmasters will learn lessons. • New botnets will avoid any known features, especially the common features. • Is a ‘general’ approach realistic? • To detect common or unusual features?

  22. Thank You! Dr. Shi Zhou, University College London (UCL)
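The 'bursty user' rule from slide 11 and the creation-to-last-tweet measure from slide 13, written out as an added example; this is not the authors' code. The account records are constructed, the ID bin width and density threshold are hypothetical, and "never tweeted again" is read here as "no tweet after the first hour".

```python
from collections import Counter
from datetime import datetime, timedelta

def is_bursty(created, tweets, min_tweets=3, window=timedelta(hours=1)):
    """Slide 11 rule, read here as: at least `min_tweets` tweets inside the
    first hour after creation and no tweet at any later time (assumption)."""
    early = [t for t in tweets if created <= t <= created + window]
    return len(early) >= min_tweets and len(early) == len(tweets)

def minutes_to_last_tweet(created, tweets):
    """Quantity plotted on slide 13: minutes from creation to last tweet."""
    return (max(tweets) - created).total_seconds() / 60

def bursty_per_id_bin(accounts, bin_width=1_000_000):
    """Count bursty users per user-ID bin, as in the ID-space plots."""
    counts = Counter()
    for a in accounts:
        if is_bursty(a["created"], a["tweets"]):
            counts[a["id"] // bin_width * bin_width] += 1
    return counts

def dense_bins(counts, min_count):
    """ID bins whose bursty-user count reaches a hypothetical threshold."""
    return sorted(b for b, n in counts.items() if n >= min_count)

# Constructed sample accounts (not data from the talk).
T0 = datetime(2012, 2, 20, 12, 0, 0)

def at(**kw):
    return T0 + timedelta(**kw)

ACCOUNTS = [
    # Three accounts with adjacent IDs, all silent after their first 2 minutes.
    {"id": 500_000_101, "created": T0, "tweets": [at(seconds=30), at(seconds=60), at(seconds=90)]},
    {"id": 500_000_102, "created": T0, "tweets": [at(seconds=20), at(seconds=50), at(seconds=110)]},
    {"id": 500_000_103, "created": T0, "tweets": [at(seconds=10), at(seconds=40), at(seconds=100)]},
    # Early tweets, but still active three days later: not bursty.
    {"id": 500_000_250, "created": T0, "tweets": [at(minutes=5), at(minutes=20), at(days=3)]},
    # Only two tweets in the first hour: not bursty.
    {"id": 731_000_007, "created": T0, "tweets": [at(minutes=10), at(minutes=40)]},
    # An isolated bursty user in a different part of the ID space.
    {"id": 912_000_001, "created": T0, "tweets": [at(minutes=2), at(minutes=15), at(minutes=55)]},
]

if __name__ == "__main__":
    counts = bursty_per_id_bin(ACCOUNTS)
    print(dict(counts), dense_bins(counts, min_count=3))
```

The per-bin count is what separates a botnet from ordinary bursty users: the isolated account satisfies the rule but does not form a dense run in ID space.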
