Di Discovery of the he Bur ursty Di Discovery of the he Bur - - PowerPoint PPT Presentation

di discovery of the he bur ursty di discovery of the he
SMART_READER_LITE
LIVE PREVIEW

Di Discovery of the he Bur ursty Di Discovery of the he Bur - - PowerPoint PPT Presentation

Aug 15, 2023 357 likes •598 views

Di Discovery of the he Bur ursty Di Discovery of the he Bur ursty Botnet b Bo by u unusu sual t tweeting Botnet b Bo by u unusu sual t tweeting be beha havio iour urs beha be havio iour urs Juan Echeverria, Christoph

slide-1
SLIDE 1

Juan Echeverria, Christoph Besel, Shi Zhou Department of Computer Science University College London (UCL)

Di Discovery of the he Bur ursty Bo Botnet b by u unusu sual t tweeting be beha havio iour urs Di Discovery of the he Bur ursty Bo Botnet b by u unusu sual t tweeting be beha havio iour urs

slide-2
SLIDE 2

Twitter bots and botnet

Threats: Fake news; spam; phishing; opinion manipulation; streaming API contamination; advertisement fraud...

slide-3
SLIDE 3

Twitter bot detection

  • Many methods based on ‘common features’ of bots
  • Only small numbers of bots detected
  • Lack of ground truth
slide-4
SLIDE 4

Outline of this talk

  • Recent discovery of Star Wars Botnet
  • 350,000 bots
  • Our discovery of the Bursty Botnet
  • 500,000 bots
  • Unusual tweeting behaviours
  • Direct link with a spamming attack
  • Reflection on Twitter bot detection
slide-5
SLIDE 5

Distribution of the location tags of tweets by 1% Twitter users

First clue of the Star Wars botnet

slide-6
SLIDE 6

Uniform distribution in two rectangle zones? Even on sea and desert?

slide-7
SLIDE 7

Tweets of random quotations from Star Wars novels

All tweets The suspicious tweets

slide-8
SLIDE 8

The Star Wars Botnet

  • Only tweeted random quotations from SW novels.
  • Only tweeted from the source of Windows phone
  • Windows phone accounts for only 0.02% of all tweets.
  • <10 followers, <32 friends, <11 tweets....
  • >350,000 Bots are identified.
slide-9
SLIDE 9

Nice story... And?

slide-10
SLIDE 10

0.5 1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.294 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Twitter ID (0 ~ 232) Percentage Twitter Users ID Range containing Star−Wars Bots Billions

1500 1510 1520 1530 1540 1550 1560 1570 1580 1590 1600 1% 5% 10% 30%

Twitter ID Percentage of ID space used

Random Users StarWars Bots

SW bots were created in burst!

slide-11
SLIDE 11

SW bots also tweeted in burst!

  • All their tweets were generated immediately

after their creation.

  • Definition of ‘bursty users’:
  • Users that tweeted at least 3 times in their first hour
  • Then they never tweeted again
slide-12
SLIDE 12

0.5 1.0 1.5 2.0 2.5 3.0 3.5 25% 50% 75% 100% Twitter user ID space Percentage of user IDs All users Bursty users Star Wars bots x10^9 Bursty bots 0.5 1.0 1.5 2.0 2.5 3.0 3.5 20,000 40,000 60,000 80,000 100,000 120,000 140,000 Twitter user ID space Number of bursty users x10^9 Bursty bots Star Wars bots

July 2013 March 2012 Feb 2012 June 2013

Discovery of the Bursty Botnet

slide-13
SLIDE 13

The Bursty Botnet

  • Bursty Bots only tweeted in their first 2 minutes.
  • They were created in February and March 2012.
  • They only tweeted from the source of Mobile Web.
  • They mostly tweeted (i) a URL; and/or (ii) a mention.

2 4 6 8 10 0.2 0.4 0.6 0.8 1 Minutes from creation to last tweet Distribution Bursty bots Star Wars bots

slide-14
SLIDE 14

The Bursty Botnet

  • >500,000 Bursty Bots

are identified.

  • Still alive in Twitter.
  • Most bursty users are

Bursty Bots!

500 505 510 515 520 525 530 535 2 4 6 8 10 12 x 10

4

Twitter user IDs (x10^6) Number of users Bursty users Bursty bots Difference

slide-15
SLIDE 15

500 505 510 515 520 525 530 535 5 10 15 x 10

4

Twitter user IDs (x10^6) Number of users

September 2015 September 2016 Disappeared Bursty bots

The ‘disappeared’ Bursty Bots

  • Another 300,000 Bursty Bots have been removed by

Twitter between Sept. 2015 and Sept. 2016.

  • A vote from Twitter that these are indeed bad bots?
  • It seems Twitter does not know what we know?
slide-16
SLIDE 16
  • Most Bursty Bots have no friend or follower.
  • They mostly tweeted only a URL and/or a mention.
  • Spamming attack?

The Bursty Botnet properties

slide-17
SLIDE 17

The Bursty Botnet spamming attack

  • 99.9% (2.8m) URLs are unique
  • Complex URL shorteners and redirects.
  • Most URLs point to two spam campaigns.
  • A webpage blocked by tinyurl.com
  • A known phishing webpage
  • www.facebook-goodies.com
slide-18
SLIDE 18

A carefully designed spamming attack

  • 500,000 bots were created in burst, and they

tweeted in burst -- to evade bot detection.

  • 2.8 millions unique URLs using shorteners and

redirects – to fool spam detection.

  • 1.3 distinct Twitter users were mentioned -- to

increase visibility and chance of being clicked.

  • Success: 61% of URLs were actually clicked!
  • A remarkable revenue?
slide-19
SLIDE 19

The Bursty Botnet

  • No doubt it is a botnet, and it was for

spamming attacks.

  • Further study can even reveal the

alleged botmaster.

  • Full analysis of the spamming attack

will be published elsewhere. J

  • with a lot of interesting details ...
slide-20
SLIDE 20

Reflection on Twitter bots detection

  • Existing methods fail to detect large

botnets

  • The assumed “common features” are

not neccessarily common.

  • Understandable: lack of ground truth;

evolving botnets

slide-21
SLIDE 21

A long-term battle

  • The two botnets were discovered by

their unusual tweeting behaviours.

  • We can not expect to repeat our luck.
  • Botmasters will learn lessons.
  • New botnets will avoid any known

features, especially the common features.

  • Is a ‘general’ approach realistic?
  • To detect common or unusual features?
slide-22
SLIDE 22

Thank k You!

Dr

  • Dr. Shi Zhou

University College London (U (UCL)

Thank k You!

Dr

  • Dr. Shi Zhou

University College London (U (UCL)