Discovery of the Bursty Botnet by unusual tweeting behaviours
statisticalcyber.com/talks/Zhou, Shi...

Post on 22-Aug-2020


Juan Echeverria, Christoph Besel, Shi Zhou
Department of Computer Science
University College London (UCL)

Discovery of the Bursty Botnet by unusual tweeting behaviours


Twitter bots and botnet

Threats: Fake news; spam; phishing; opinion manipulation; streaming API contamination; advertisement fraud...

Twitter bot detection

• Many methods based on ‘common features’ of bots
• Only small numbers of bots detected
• Lack of ground truth

Outline of this talk

• Recent discovery of Star Wars Botnet
  • 350,000 bots
• Our discovery of the Bursty Botnet
  • 500,000 bots
  • Unusual tweeting behaviours
  • Direct link with a spamming attack
• Reflection on Twitter bot detection

Distribution of the location tags of tweets by 1% Twitter users

First clue of the Star Wars botnet

Uniform distribution in two rectangle zones? Even on sea and desert?

Tweets of random quotations from Star Wars novels

All tweets

The suspicious tweets

The Star Wars Botnet

• Only tweeted random quotations from SW novels.
• Only tweeted from the source of Windows phone
  • Windows phone accounts for only 0.02% of all tweets.
• <10 followers, <32 friends, <11 tweets....
• >350,000 Bots are identified.

Nice story... And?

[Figure: percentage of Twitter users vs. Twitter ID (0 ~ 2^32, in billions), with the ID range containing Star Wars bots marked.]

[Figure: percentage of ID space used vs. Twitter ID, for random users and Star Wars bots.]

SW bots were created in burst!

SW bots also tweeted in burst!

• All their tweets were generated immediately after their creation.
• Definition of ‘bursty users’:
  • Users that tweeted at least 3 times in their first hour
  • Then they never tweeted again
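The 'bursty users' definition above, applied to account records and counted per user-ID bin to expose accounts created in a burst. This is an added example, not code from the talk; the record layout, the sample data and the bin width are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

FIRST_HOUR = timedelta(hours=1)
MIN_TWEETS = 3  # "at least 3 times in their first hour"


def is_bursty(created_at, tweet_times):
    """True if the account matches the slide's definition of a bursty user:
    at least 3 tweets in the first hour after creation, none afterwards.
    Assumes tweet_times is the account's complete timeline."""
    cutoff = created_at + FIRST_HOUR
    in_first_hour = [t for t in tweet_times if created_at <= t <= cutoff]
    later = [t for t in tweet_times if t > cutoff]
    return len(in_first_hour) >= MIN_TWEETS and not later


def bursty_per_id_bin(users, bin_width):
    """Count bursty users per user-ID bin. A bin far above its neighbours
    points to accounts that were created in a burst."""
    counts = Counter()
    for user_id, created_at, tweet_times in users:
        if is_bursty(created_at, tweet_times):
            counts[user_id // bin_width * bin_width] += 1
    return dict(counts)


def sample_user(user_id, created, offsets_min):
    # Helper for the constructed sample: tweet times given as minute offsets.
    return (user_id, created,
            [created + timedelta(minutes=m) for m in offsets_min])


# Constructed sample records: (user_id, created_at, tweet timestamps).
T0 = datetime(2012, 2, 20, 12, 0)
SAMPLE_USERS = [
    sample_user(500_000_101, T0, [0, 1, 1]),        # bursty: 3 tweets in 2 minutes
    sample_user(500_000_102, T0, [0, 1, 2, 2]),     # bursty
    sample_user(500_000_103, T0, [1, 1]),           # only 2 tweets: not bursty
    sample_user(500_000_104, T0, [0, 1, 2, 5000]),  # tweeted again later: not bursty
    sample_user(731_000_001, T0, [3, 10, 59]),      # bursty, different ID region
    sample_user(731_000_002, T0, [90, 200, 4000]),  # ordinary user
]

if __name__ == "__main__":
    for start, n in sorted(bursty_per_id_bin(SAMPLE_USERS, 1_000_000).items()):
        print(f"IDs from {start}: {n} bursty user(s)")
```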

[Figure: percentage of user IDs vs. Twitter user ID space (x10^9), for all users and bursty users; Star Wars bots and Bursty bots marked.]

[Figure: number of bursty users vs. Twitter user ID space (x10^9); Bursty bots and Star Wars bots marked, annotated with Feb 2012, March 2012, June 2013 and July 2013.]

Discovery of the Bursty Botnet

The Bursty Botnet

• Bursty Bots only tweeted in their first 2 minutes.
• They were created in February and March 2012.
• They only tweeted from the source of Mobile Web.
• They mostly tweeted (i) a URL; and/or (ii) a mention.

[Figure: distribution of minutes from creation to last tweet, for Bursty bots and Star Wars bots.]

The Bursty Botnet

• >500,000 Bursty Bots are identified.
• Still alive in Twitter.
• Most bursty users are Bursty Bots!

[Figure: number of users vs. Twitter user IDs (x10^6), for bursty users, Bursty bots and their difference.]

[Figure: number of users vs. Twitter user IDs (x10^6), for September 2015, September 2016 and disappeared Bursty bots.]

The ‘disappeared’ Bursty Bots

• Another 300,000 Bursty Bots have been removed by Twitter between Sept. 2015 and Sept. 2016.
• A vote from Twitter that these are indeed bad bots?
• It seems Twitter does not know what we know?

The Bursty Botnet properties

• Most Bursty Bots have no friend or follower.
• They mostly tweeted only a URL and/or a mention.
• Spamming attack?

The Bursty Botnet spamming attack

• 99.9% (2.8m) URLs are unique
• Complex URL shorteners and redirects.
• Most URLs point to two spam campaigns.
  • A webpage blocked by tinyurl.com
  • A known phishing webpage
    • www.facebook-goodies.com

A carefully designed spamming attack

• 500,000 bots were created in burst, and they tweeted in burst -- to evade bot detection.
• 2.8 million unique URLs using shorteners and redirects -- to fool spam detection.
• 1.3 distinct Twitter users were mentioned -- to increase visibility and chance of being clicked.
• Success: 61% of URLs were actually clicked!
• A remarkable revenue?

The Bursty Botnet

• No doubt it is a botnet, and it was for spamming attacks.
• Further study can even reveal the alleged botmaster.
• Full analysis of the spamming attack will be published elsewhere. :)
  • with a lot of interesting details...

Reflection on Twitter bots detection

• Existing methods fail to detect large botnets
• The assumed “common features” are not necessarily common.
• Understandable: lack of ground truth; evolving botnets

A long-term battle

• The two botnets were discovered by their unusual tweeting behaviours.
• We cannot expect to repeat our luck.
• Botmasters will learn lessons.
  • New botnets will avoid any known features, especially the common features.
• Is a ‘general’ approach realistic?
  • To detect common or unusual features?

Thank You!

Dr. Shi Zhou
University College London (UCL)
