warningbird detecting suspicious urls in twitter stream
play

WarningBird: Detecting Suspicious URLs in Twitter Stream NDSS 2012 - PowerPoint PPT Presentation

Nov 24, 2023 •110 likes •332 views

WarningBird: Detecting Suspicious URLs in Twitter Stream NDSS 2012 Sangho Lee and Jong Kim POSTECH, Korea February 8, 2012 Suspicious URLs in Twitter Twitter suffers from malicious tweets. Containing URLs for spam, phishing,

  1. WarningBird: Detecting Suspicious URLs in Twitter Stream NDSS 2012 Sangho Lee and Jong Kim POSTECH, Korea February 8, 2012

  2. Suspicious URLs in Twitter • Twitter suffers from malicious tweets. – Containing URLs for spam, phishing, … • Many detection schemes rely on – Features of Twitter accounts and msgs. – Features of URL and content • Many evading techniques also exist. – Feature fabrication – Conditional redirection NDSS 2012 2

  3. Conditional Redirection • Attackers distribute initial URLs of conditional redirect chains via tweets. • Conditional redirection servers will lead – Normal browsers to malicious landing pages – Crawlers to benign landing pages • User agent, IP addresses, repeated visiting, … Misclassifications can occur NDSS 2012 3

  4. Motivation and Goal • Attackers can evade previous detection schemes. – Selectively provide malicious content to normal browsers not to investigators • We propose a novel suspicious URL detection system for Twitter. – Be robust against evasion techniques – Detects suspicious URLs in real time NDSS 2012 4

  5. Outline • Introduction • Case Study • Proposed Scheme • Evaluation • Discussion and Conclusion NDSS 2012 5

  6. Case Study blackraybansunglasses.com 6584 different accounts & short URLs (3% of daily sample) google.com for reused crawlers random spam page for normal browsers NDSS 2012 6

  7. Outline • Introduction • Case Study • Proposed Scheme – Basic Idea – System Overview – Derived Features • Evaluation • Discussion and Conclusion NDSS 2012 7

  8. Basic Idea • Attackers need to reuse redirection servers. – No infinite redirection servers • We analyze a group of correlated URL chains. – To detect redirection servers reused – To derive features of the correlated URL chains NDSS 2012 8

  9. System Overview • Data collection – Collect tweets with URLs from public timeline – Visit each URL to obtain URL chains and IP addresses • Feature extraction – Group domains with the same IP addresses – Find entry point URLs – Generate feature vectors for each entry point NDSS 2012 9

  10. System Overview (continued) • Training – Label feature vectors using account status info. • suspended Þ malicious, active Þ benign – Build classification models • Classification – Classify suspicious URLs NDSS 2012 10

  11. Features • Correlated URL chains – Length of URL redirect chain – Frequency of entry point URL – # of different initial and landing URLs • Tweet context information – # of different Twitter sources – Standard deviation of account creation dates – Standard deviation of friends-followers ratios NDSS 2012 11

  12. Outline • Introduction • Case Study • Proposed Scheme • Evaluation – System Setup and Data Collection – Training Classifiers – Data Analysis – Detection Efficiency – Running Time • Discussion and Conclusion NDSS 2012 12

  13. System Setup and Data Collection • System specification – Two Intel Quad Core Xeon 2.4 GHz CPUs – 24 GiB main memory • Data collection – Twitter Streaming API – One percent samples from Twitter public timeline (Spritzer role) – 27,895,714 tweets with URLs between April 8 and August 8, 2011 (122 days) NDSS 2012 13

  14. Training Classifiers • Training dataset – Tweets between May 10 and July 8 – 183,113 benign and 41,721 malicious entry point URLs • Classification algorithm – L2-regularized logistic regression • 10-fold cross validation – FP: 1.64%, FN: 10.69% NDSS 2012 14

  15. Data Analysis 3758 entry point URLs (on average, daily) 283 suspicious URLs 20 false positive URLs 30 new suspicious URLs • Relatively small number of new suspicious URLs – We detect suspicious URLs that are not detected or blocked by Twitter. NDSS 2012 15

  16. Data Analysis (continued) • Reoccurrences of May 10’s URLs • Up to 12% benign & 52% suspicious URLs NDSS 2012 16

  17. Detection Efficiency • We measure the time difference between – When WarningBird detects suspicious accounts – When Twitter suspends the accounts Avg. time difference: 13.5 min more than 20 hours NDSS 2012 17

  18. Running Time • Processing time for each URL: 28.31 ms – Redirect chain crawling: 24.20 ms • Hundred crawling threads – Domain grouping: 2.00 ms – Feature extraction: 1.62 ms – Classification: 0.48 ms • Our system can classify about 127,000 URLs per hour. – About 12.7% of all public tweets with URLs per hour NDSS 2012 18

  19. Outline • Introduction • Case Study • Proposed Scheme • Evaluation • Discussion and Conclusion NDSS 2012 19

  20. Discussion • Evasion is possible but restricted. – Do not reuse redirection servers • Need extra $ (to buy compromised hosts) • Need more effort to take down hosts – Reduce the rate of malicious tweets • Less effective NDSS 2012 20

  21. Conclusion • We proposed a new suspicious URL detection system for Twitter. • Our system is robust against feature fabrication and conditional redirection. • Evaluation results show accuracy and efficiency. NDSS 2012 21

Recommend

URLs K. Cooper 1 1 Department of Mathematics Washington State University 2014 URLs Introduction

URLs K. Cooper 1 1 Department of Mathematics Washington State University 2014 URLs Introduction

URLs URLs K. Cooper 1 1 Department of Mathematics Washington State University 2014 URLs Introduction URL Universal Resource Locater A way to specify any file publicly available on the World Wide Web Aka Universal Resource Identifier a

892 views • 22 slides
Geo-spatial Event Detection in the Twitter Stream Maximilian Walther and Michael Kaisser AGT

Geo-spatial Event Detection in the Twitter Stream Maximilian Walther and Michael Kaisser AGT

Geo-spatial Event Detection in the Twitter Stream Maximilian Walther and Michael Kaisser AGT International, J agerstrae 41, 10117 Berlin, Germany { mwalther,mkaisser } @agtinternational.com Abstract. The rise of Social Media services in the

552 views • 12 slides
Uniform Resource Locators (URLs) Scheme Port Number Query

Uniform Resource Locators (URLs) Scheme Port Number Query

Uniform Resource Locators (URLs) Scheme Port Number Query http://www.company.com:81/a/b/c.html?user=Alice&year=2008#p2 Host Name Hierarchical portion Fragment CS 142 Lecture Notes: URLs and Links Slide 1 <a> Examples Full

315 views • 4 slides
Actionable Objective Optimization for Suspicious Behavior Detection on Large Bipartite Graphs

Actionable Objective Optimization for Suspicious Behavior Detection on Large Bipartite Graphs

Actionable Objective Optimization for Suspicious Behavior Detection on Large Bipartite Graphs Tong Zhao, Matthew Malir, Meng Jiang DM2 Laboratory Computer Science and Engineering University of Notre Dame Suspicious Behavior on Bipartite Graph

584 views • 40 slides
12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic graphics 2.Detecting manipulated images Photo manipulation is the application of image editing techniques to photographs in order to create an

306 views • 13 slides
How Using NNNetwork simplified i18n config Objectives - Configure iOS app for IT/ES (help urls,

How Using NNNetwork simplified i18n config Objectives - Configure iOS app for IT/ES (help urls,

How Using NNNetwork simplified i18n config Objectives - Configure iOS app for IT/ES (help urls, account creation form, country config, etc.) - Create a new format for service and web urls: `es.nextdoor.com` and `es-api.nextdoor.com` while

492 views • 10 slides
Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L

Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L

Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L i L L Long ong I I Islan I l and S d S d S d Soun ound d with with NERACOOS Buoy y Observations James ODonnell, Todd Fake, Kay

815 views • 26 slides
MC-Checker: Detecting Memory Consistency Errors in MPI One-Sided Applications Zhezhe Chen 1 ,

MC-Checker: Detecting Memory Consistency Errors in MPI One-Sided Applications Zhezhe Chen 1 ,

MC-Checker: Detecting Memory Consistency Errors in MPI One-Sided Applications Zhezhe Chen 1 , James Dinan 2 , Zhen Tang 3 , Pavan Balaji 4 , Hua Zhong 3 , Jun Wei 3 , Tao Huang 3 , and Feng Qin 5 1. Twitter Inc. 2. Intel Corporation 3. Chinese

398 views • 27 slides
Using Twitter for your CPD Janet Thomas November 2019 #PHYSIO19 Why twitter for CPD?

Using Twitter for your CPD Janet Thomas November 2019 #PHYSIO19 Why twitter for CPD?

Using Twitter for your CPD Janet Thomas November 2019 #PHYSIO19 Why twitter for CPD? Twitter is free! Twitter is flexible CPD from your phone Twitter crosses professional, hierarchical and geographical boundaries You

595 views • 13 slides
Detecting Reverse Engineering with Canaries Collin Mulliner Security Engineer @ Cruise

Detecting Reverse Engineering with Canaries Collin Mulliner Security Engineer @ Cruise

Detecting Reverse Engineering with Canaries Collin Mulliner Security Engineer @ Cruise Automation Twitter: @ collinrm CanSecWest March 2018 About Me Security since ~1994 (hard to tell) BS, MS, PhD in computer science (all focused on

1.29k views • 80 slides
Draft Refining AI Analysis with CP Techniques or How to identifying suspicious values in

Draft Refining AI Analysis with CP Techniques or How to identifying suspicious values in

Draft Refining AI Analysis with CP Techniques or How to identifying suspicious values in programs with floating-point numbers Michel RUEHER University of Nice Sophia-Antipolis / I3S CNRS, France (joined work with Olivier Ponsini, Claude

529 views • 26 slides
? sync ref chosen as sync source by Listener Stream B: Presentation Stream C: timestamps

? sync ref chosen as sync source by Listener Stream B: Presentation Stream C: timestamps

Nominal Media Clock: Ts (implicit, not distributed) Stream A: ? sync ref chosen as sync source by Listener Stream B: Presentation Stream C: timestamps Stream D: from different Talkers A-F Stream E: Listener must Stream F: align

57 views • 3 slides
Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade provable security for practicality Stream cipher is initialized with short key Key is stretched into long keystream Keystream is used like

512 views • 35 slides
Designing Effective Websites Day 5 - May 1 Did you find any URLs like these? Have you come

Designing Effective Websites Day 5 - May 1 Did you find any URLs like these? Have you come

Designing Effective Websites Day 5 - May 1 Did you find any URLs like these? Have you come across URL' like these: Building a Mobile Website Some opt to build a separate (secondary) site for mobile Not necessarily a flawed approach

465 views • 30 slides
Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft Structures in

Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft Structures in

Inno Innovative Materials tive Materials Air Force Research Center for Nondestructive Testin Testing T Tech chnologies, es, I Inc. c. Laboratory Evaluation Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft

308 views • 12 slides
Detecting changes in Detecting changes in the rate the rate of a of a Poisson process

Detecting changes in Detecting changes in the rate the rate of a of a Poisson process

Detecting changes in Detecting changes in the rate the rate of a of a Poisson process Poisson process George V. Moustakides Outline Overview of the change detection problem CUSUM test and Lordens criterion The Poisson

454 views • 28 slides
Use of Java / JVM at Twitter @TonyPrintezis | @TwitterBoston tprintezis@twitter.com #JCP EC

Use of Java / JVM at Twitter @TonyPrintezis | @TwitterBoston tprintezis@twitter.com #JCP EC

Use of Java / JVM at Twitter @TonyPrintezis | @TwitterBoston tprintezis@twitter.com #JCP EC Twitter reps Tony Printezis VM Team | Infrastructure Org | Twitter ex-HotSpot (Sun / Oracle, 6+ years), ex-SunLabs (3+ years) Ramki

192 views • 15 slides
112 quotes & text 1920x1080 72 URLs & citations 72 code{:;} 36 credits

112 quotes & text 1920x1080 72 URLs & citations 72 code{:;} 36 credits

112 quotes & text 1920x1080 72 URLs & citations 72 code{:;} 36 credits Growing Pains Software Repositories at SCALE Do you put all of your bits in a single gigantic repository or many smaller ones? Why are we even asking?

880 views • 68 slides
Phase III Stream Assessment Study: Potential Stream Restoration Projects Strawberry Run and

Phase III Stream Assessment Study: Potential Stream Restoration Projects Strawberry Run and

Phase III Stream Assessment Study: Potential Stream Restoration Projects Strawberry Run and Taylor Run December 5, 2018 Tonights Agenda Introduce the project team Why stream restoration? Healthy stream characteristics

736 views • 44 slides
Jeffrey D. Ullman To motivate the Bloom-filter idea, consider a web crawler. It keeps,

Jeffrey D. Ullman To motivate the Bloom-filter idea, consider a web crawler. It keeps,

Cloud and Big Data Summer School, Stockholm, Aug., 2015 Jeffrey D. Ullman To motivate the Bloom-filter idea, consider a web crawler. It keeps, centrally, a list of all the URLs it has found so far. It assigns these URLs to any

549 views • 37 slides
Trust Forum Nassau, Bahamas Process of Analyzing Suspicious Transactions Reports Presented By:

Trust Forum Nassau, Bahamas Process of Analyzing Suspicious Transactions Reports Presented By:

Association of International Banks and Trust Forum Nassau, Bahamas Process of Analyzing Suspicious Transactions Reports Presented By: Mrs. Joann Fritz-Creary Legal Counsel and Training Officer (FIU) 13 th April 2016 Property of the

937 views • 11 slides
Introduction to Stream Computing and Reservoir Sampling COMP 480/580 February 6, 2020 Data

Introduction to Stream Computing and Reservoir Sampling COMP 480/580 February 6, 2020 Data

Introduction to Stream Computing and Reservoir Sampling COMP 480/580 February 6, 2020 Data Streams Data that are continuously generated by many sources at very fast rates Examples: Google queries Twitter feeds Financial

428 views • 16 slides
Join the Conversation on Twitter Use #AMSSAevents to follow the conversation on Twitter and

Join the Conversation on Twitter Use #AMSSAevents to follow the conversation on Twitter and

Join the Conversation on Twitter Use #AMSSAevents to follow the conversation on Twitter and connect with other webinar participants. AMSSA can be found on Twitter @amssabc Tim Foran Immigration, Refugees and Citizenship Canada (IRCC)

1.53k views • 116 slides
Automated Segmentation of Suspicious Breast Masses from Ultrasound Images Viksit Kumar, Jeremy

Automated Segmentation of Suspicious Breast Masses from Ultrasound Images Viksit Kumar, Jeremy

Automated Segmentation of Suspicious Breast Masses from Ultrasound Images Viksit Kumar, Jeremy Webb, Adriana Gregory, Mostafa Fatemi, Azra Alizad GTC 2018, San Jose, USA SIGNIFICANCE Breast cancer is most common and leading cause of death in

303 views • 13 slides

More recommend