Discovery of the Bursty Botnet by unusual tweeting behaviours Juan Echeverria, Christoph Besel, Shi Zhou Department of Computer Science University College London (UCL)
Twitter bots and botnet Threats: Fake news; spam; phishing; opinion manipulation; streaming API contamination; advertisement fraud...
Twitter bot detection • Many methods based on ‘common features’ of bots • Only small numbers of bots detected • Lack of ground truth
Outline of this talk • Recent discovery of Star Wars Botnet • 350,000 bots • Our discovery of the Bursty Botnet • 500,000 bots • Unusual tweeting behaviours • Direct link with a spamming attack • Reflection on Twitter bot detection
First clue of the Star Wars botnet Distribution of the location tags of tweets by 1% Twitter users
Uniform distribution in two rectangle zones? Even on sea and desert?
Tweets of random quotations from Star Wars novels [Figure panels: The suspicious tweets; All tweets]
The Star Wars Botnet • Only tweeted random quotations from SW novels. • Only tweeted from the source of Windows phone • Windows phone accounts for only 0.02% of all tweets. • <10 followers, <32 friends, <11 tweets.... • >350,000 Bots are identified.
Nice story... And?
SW bots were created in burst! [Figure: Percentage of ID space used vs. Twitter ID, for Random Users and StarWars Bots. Second panel: Percentage of Twitter Users vs. Twitter ID (0 ~ 2^32, in billions), marking the ID range containing Star-Wars Bots]
SW bots also tweeted in burst! • All their tweets were generated immediately after their creation. • Definition of ‘bursty users’: • Users that tweeted at least 3 times in their first hour • Then they never tweeted again
Discovery of the Bursty Botnet [Figure: Percentage of user IDs vs. Twitter user ID space (x 10^9), for All users and Bursty users, with Bursty bots and Star Wars bots marked. Second panel: Number of bursty users vs. Twitter user ID space (x 10^9), with Bursty bots and Star Wars bots marked; date annotations: Feb 2012, March 2012, June 2013, July 2013]
The Bursty Botnet [Figure: Distribution vs. Minutes from creation to last tweet, for Bursty bots and Star Wars bots] • Bursty Bots only tweeted in their first 2 minutes. • They were created in February and March 2012. • They only tweeted from the source of Mobile Web. • They mostly tweeted (i) a URL; and/or (ii) a mention.
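The 'bursty user' definition from the earlier slide and the Bursty Bot traits listed on this one, written as a filter over account timelines. This is an added example, not the authors' code; the account record layout, the field names and the sample accounts are constructed assumptions.

```python
from datetime import datetime, timedelta

FIRST_HOUR = timedelta(hours=1)

def is_bursty_user(created_at, tweet_times):
    """Slide definition: at least 3 tweets in the first hour, none afterwards."""
    if len(tweet_times) < 3:
        return False
    # "Never tweeted again" means every tweet falls inside the first hour.
    return all(created_at <= t <= created_at + FIRST_HOUR for t in tweet_times)

def minutes_to_last_tweet(created_at, tweet_times):
    """The x-axis quantity of the slide's plot: minutes from creation to last tweet."""
    return (max(tweet_times) - created_at).total_seconds() / 60

def matches_bursty_bot_profile(acct):
    """Bursty user that also shows the traits the slide lists for Bursty Bots."""
    created, tweets = acct["created_at"], acct["tweet_times"]
    return (is_bursty_user(created, tweets)
            and minutes_to_last_tweet(created, tweets) <= 2
            and (created.year, created.month) in {(2012, 2), (2012, 3)}
            and acct["sources"] == {"Mobile Web"})

def classify_all(accounts):
    labels = {}
    for acct in accounts:
        if matches_bursty_bot_profile(acct):
            labels[acct["id"]] = "bursty-bot-profile"
        elif is_bursty_user(acct["created_at"], acct["tweet_times"]):
            labels[acct["id"]] = "bursty-user"
        else:
            labels[acct["id"]] = "not-bursty"
    return labels

def _acct(acct_id, created, offsets_s, sources):
    # Helper for constructed sample data: tweet times as second offsets from creation.
    return {"id": acct_id, "created_at": created, "sources": set(sources),
            "tweet_times": [created + timedelta(seconds=s) for s in offsets_s]}

# Constructed sample accounts (not real data).
SAMPLE_ACCOUNTS = [
    _acct("a1", datetime(2012, 2, 20, 10, 0), [20, 45, 90], ["Mobile Web"]),
    _acct("a2", datetime(2013, 6, 1, 9, 0), [300, 1200, 3000], ["Web"]),
    _acct("a3", datetime(2012, 3, 1, 8, 0), [60, 120, 180, 30 * 86400], ["Mobile Web"]),
    _acct("a4", datetime(2012, 3, 5, 8, 0), [30, 60], ["Mobile Web"]),
]

if __name__ == "__main__":
    for acct_id, label in classify_all(SAMPLE_ACCOUNTS).items():
        print(acct_id, label)
```

The filter is only as good as the timeline it is given: a truncated crawl that misses later tweets would label an active account as bursty.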
The Bursty Botnet • >500,000 Bursty Bots are identified. • Still alive in Twitter. • Most bursty users are Bursty Bots! [Figure: Number of users (x 10^4) vs. Twitter user IDs (x 10^6), for Bursty users, Bursty bots and their Difference]
The ‘disappeared’ Bursty Bots [Figure: Number of users (x 10^4) vs. Twitter user IDs (x 10^6), for September 2015, September 2016 and Disappeared Bursty bots] • Another 300,000 Bursty Bots have been removed by Twitter between Sept. 2015 and Sept. 2016. • A vote from Twitter that these are indeed bad bots? • It seems Twitter does not know what we know?
The Bursty Botnet properties • Most Bursty Bots have no friend or follower. • They mostly tweeted only a URL and/or a mention. • Spamming attack?
The Bursty Botnet spamming attack • 99.9% (2.8m) URLs are unique • Complex URL shorteners and redirects. • Most URLs point to two spam campaigns. • A webpage blocked by tinyurl.com • A known phishing webpage • www.facebook-goodies.com
A carefully designed spamming attack • 500,000 bots were created in burst, and they tweeted in burst -- to evade bot detection. • 2.8 million unique URLs using shorteners and redirects -- to fool spam detection. • 1.3 distinct Twitter users were mentioned -- to increase visibility and chance of being clicked. • Success: 61% of URLs were actually clicked! • A remarkable revenue?
The Bursty Botnet • No doubt it is a botnet, and it was for spamming attacks. • Further study can even reveal the alleged botmaster. • Full analysis of the spamming attack will be published elsewhere. :) • with a lot of interesting details ...
Reflection on Twitter bots detection • Existing methods fail to detect large botnets • The assumed “common features” are not necessarily common. • Understandable: lack of ground truth; evolving botnets
A long-term battle • The two botnets were discovered by their unusual tweeting behaviours. • We cannot expect to repeat our luck. • Botmasters will learn lessons. • New botnets will avoid any known features, especially the common features. • Is a ‘general’ approach realistic? • To detect common or unusual features?
Thank You! Dr. Shi Zhou University College London (UCL)