warningbird detecting suspicious urls in twitter stream
play

WarningBird: Detecting Suspicious URLs in Twitter Stream NDSS 2012 - PowerPoint PPT Presentation

Nov 24, 2023 •110 likes •332 views

WarningBird: Detecting Suspicious URLs in Twitter Stream NDSS 2012 Sangho Lee and Jong Kim POSTECH, Korea February 8, 2012 Suspicious URLs in Twitter Twitter suffers from malicious tweets. Containing URLs for spam, phishing,

  1. WarningBird: Detecting Suspicious URLs in Twitter Stream NDSS 2012 Sangho Lee and Jong Kim POSTECH, Korea February 8, 2012

  2. Suspicious URLs in Twitter • Twitter suffers from malicious tweets. – Containing URLs for spam, phishing, … • Many detection schemes rely on – Features of Twitter accounts and msgs. – Features of URL and content • Many evading techniques also exist. – Feature fabrication – Conditional redirection NDSS 2012 2

  3. Conditional Redirection • Attackers distribute initial URLs of conditional redirect chains via tweets. • Conditional redirection servers will lead – Normal browsers to malicious landing pages – Crawlers to benign landing pages • User agent, IP addresses, repeated visiting, … Misclassifications can occur NDSS 2012 3

  4. Motivation and Goal • Attackers can evade previous detection schemes. – Selectively provide malicious content to normal browsers not to investigators • We propose a novel suspicious URL detection system for Twitter. – Be robust against evasion techniques – Detects suspicious URLs in real time NDSS 2012 4

  5. Outline • Introduction • Case Study • Proposed Scheme • Evaluation • Discussion and Conclusion NDSS 2012 5

  6. Case Study blackraybansunglasses.com 6584 different accounts & short URLs (3% of daily sample) google.com for reused crawlers random spam page for normal browsers NDSS 2012 6

  7. Outline • Introduction • Case Study • Proposed Scheme – Basic Idea – System Overview – Derived Features • Evaluation • Discussion and Conclusion NDSS 2012 7

  8. Basic Idea • Attackers need to reuse redirection servers. – No infinite redirection servers • We analyze a group of correlated URL chains. – To detect redirection servers reused – To derive features of the correlated URL chains NDSS 2012 8

  9. System Overview • Data collection – Collect tweets with URLs from public timeline – Visit each URL to obtain URL chains and IP addresses • Feature extraction – Group domains with the same IP addresses – Find entry point URLs – Generate feature vectors for each entry point NDSS 2012 9

  10. System Overview (continued) • Training – Label feature vectors using account status info. • suspended Þ malicious, active Þ benign – Build classification models • Classification – Classify suspicious URLs NDSS 2012 10

  11. Features • Correlated URL chains – Length of URL redirect chain – Frequency of entry point URL – # of different initial and landing URLs • Tweet context information – # of different Twitter sources – Standard deviation of account creation dates – Standard deviation of friends-followers ratios NDSS 2012 11

  12. Outline • Introduction • Case Study • Proposed Scheme • Evaluation – System Setup and Data Collection – Training Classifiers – Data Analysis – Detection Efficiency – Running Time • Discussion and Conclusion NDSS 2012 12

  13. System Setup and Data Collection • System specification – Two Intel Quad Core Xeon 2.4 GHz CPUs – 24 GiB main memory • Data collection – Twitter Streaming API – One percent samples from Twitter public timeline (Spritzer role) – 27,895,714 tweets with URLs between April 8 and August 8, 2011 (122 days) NDSS 2012 13

  14. Training Classifiers • Training dataset – Tweets between May 10 and July 8 – 183,113 benign and 41,721 malicious entry point URLs • Classification algorithm – L2-regularized logistic regression • 10-fold cross validation – FP: 1.64%, FN: 10.69% NDSS 2012 14

  15. Data Analysis 3758 entry point URLs (on average, daily) 283 suspicious URLs 20 false positive URLs 30 new suspicious URLs • Relatively small number of new suspicious URLs – We detect suspicious URLs that are not detected or blocked by Twitter. NDSS 2012 15

  16. Data Analysis (continued) • Reoccurrences of May 10’s URLs • Up to 12% benign & 52% suspicious URLs NDSS 2012 16

  17. Detection Efficiency • We measure the time difference between – When WarningBird detects suspicious accounts – When Twitter suspends the accounts Avg. time difference: 13.5 min more than 20 hours NDSS 2012 17

  18. Running Time • Processing time for each URL: 28.31 ms – Redirect chain crawling: 24.20 ms • Hundred crawling threads – Domain grouping: 2.00 ms – Feature extraction: 1.62 ms – Classification: 0.48 ms • Our system can classify about 127,000 URLs per hour. – About 12.7% of all public tweets with URLs per hour NDSS 2012 18

  19. Outline • Introduction • Case Study • Proposed Scheme • Evaluation • Discussion and Conclusion NDSS 2012 19

  20. Discussion • Evasion is possible but restricted. – Do not reuse redirection servers • Need extra $ (to buy compromised hosts) • Need more effort to take down hosts – Reduce the rate of malicious tweets • Less effective NDSS 2012 20

  21. Conclusion • We proposed a new suspicious URL detection system for Twitter. • Our system is robust against feature fabrication and conditional redirection. • Evaluation results show accuracy and efficiency. NDSS 2012 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

URLs K. Cooper 1 1 Department of Mathematics Washington State University 2014 URLs Introduction

URLs K. Cooper 1 1 Department of Mathematics Washington State University 2014 URLs Introduction

URLs URLs K. Cooper 1 1 Department of Mathematics Washington State University 2014 URLs Introduction URL Universal Resource Locater A way to specify any file publicly available on the World Wide Web Aka Universal Resource Identifier a

892 views • 22 slides
Geo-spatial Event Detection in the Twitter Stream Maximilian Walther and Michael Kaisser AGT

Geo-spatial Event Detection in the Twitter Stream Maximilian Walther and Michael Kaisser AGT

Geo-spatial Event Detection in the Twitter Stream Maximilian Walther and Michael Kaisser AGT International, J agerstrae 41, 10117 Berlin, Germany { mwalther,mkaisser } @agtinternational.com Abstract. The rise of Social Media services in the

552 views • 12 slides
Uniform Resource Locators (URLs) Scheme Port Number Query

Uniform Resource Locators (URLs) Scheme Port Number Query

Uniform Resource Locators (URLs) Scheme Port Number Query http://www.company.com:81/a/b/c.html?user=Alice&year=2008#p2 Host Name Hierarchical portion Fragment CS 142 Lecture Notes: URLs and Links Slide 1 <a> Examples Full

315 views • 4 slides
Actionable Objective Optimization for Suspicious Behavior Detection on Large Bipartite Graphs

Actionable Objective Optimization for Suspicious Behavior Detection on Large Bipartite Graphs

Actionable Objective Optimization for Suspicious Behavior Detection on Large Bipartite Graphs Tong Zhao, Matthew Malir, Meng Jiang DM2 Laboratory Computer Science and Engineering University of Notre Dame Suspicious Behavior on Bipartite Graph

584 views • 40 slides
12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic graphics 2.Detecting manipulated images Photo manipulation is the application of image editing techniques to photographs in order to create an

306 views • 13 slides
How Using NNNetwork simplified i18n config Objectives - Configure iOS app for IT/ES (help urls,

How Using NNNetwork simplified i18n config Objectives - Configure iOS app for IT/ES (help urls,

How Using NNNetwork simplified i18n config Objectives - Configure iOS app for IT/ES (help urls, account creation form, country config, etc.) - Create a new format for service and web urls: `es.nextdoor.com` and `es-api.nextdoor.com` while

492 views • 10 slides
Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L

Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L

Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L i L L Long ong I I Islan I l and S d S d S d Soun ound d with with NERACOOS Buoy y Observations James ODonnell, Todd Fake, Kay

815 views • 26 slides
MC-Checker: Detecting Memory Consistency Errors in MPI One-Sided Applications Zhezhe Chen 1 ,

MC-Checker: Detecting Memory Consistency Errors in MPI One-Sided Applications Zhezhe Chen 1 ,

MC-Checker: Detecting Memory Consistency Errors in MPI One-Sided Applications Zhezhe Chen 1 , James Dinan 2 , Zhen Tang 3 , Pavan Balaji 4 , Hua Zhong 3 , Jun Wei 3 , Tao Huang 3 , and Feng Qin 5 1. Twitter Inc. 2. Intel Corporation 3. Chinese

398 views • 27 slides
Using Twitter for your CPD Janet Thomas November 2019 #PHYSIO19 Why twitter for CPD?

Using Twitter for your CPD Janet Thomas November 2019 #PHYSIO19 Why twitter for CPD?

Using Twitter for your CPD Janet Thomas November 2019 #PHYSIO19 Why twitter for CPD? Twitter is free! Twitter is flexible CPD from your phone Twitter crosses professional, hierarchical and geographical boundaries You

595 views • 13 slides
Detecting Reverse Engineering with Canaries Collin Mulliner Security Engineer @ Cruise

Detecting Reverse Engineering with Canaries Collin Mulliner Security Engineer @ Cruise

Detecting Reverse Engineering with Canaries Collin Mulliner Security Engineer @ Cruise Automation Twitter: @ collinrm CanSecWest March 2018 About Me Security since ~1994 (hard to tell) BS, MS, PhD in computer science (all focused on

1.29k views • 80 slides
Draft Refining AI Analysis with CP Techniques or How to identifying suspicious values in

Draft Refining AI Analysis with CP Techniques or How to identifying suspicious values in

Draft Refining AI Analysis with CP Techniques or How to identifying suspicious values in programs with floating-point numbers Michel RUEHER University of Nice Sophia-Antipolis / I3S CNRS, France (joined work with Olivier Ponsini, Claude

529 views • 26 slides
? sync ref chosen as sync source by Listener Stream B: Presentation Stream C: timestamps

? sync ref chosen as sync source by Listener Stream B: Presentation Stream C: timestamps

Nominal Media Clock: Ts (implicit, not distributed) Stream A: ? sync ref chosen as sync source by Listener Stream B: Presentation Stream C: timestamps Stream D: from different Talkers A-F Stream E: Listener must Stream F: align

57 views • 3 slides
Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade provable security for practicality Stream cipher is initialized with short key Key is stretched into long keystream Keystream is used like

512 views • 35 slides
Designing Effective Websites Day 5 - May 1 Did you find any URLs like these? Have you come

Designing Effective Websites Day 5 - May 1 Did you find any URLs like these? Have you come

Designing Effective Websites Day 5 - May 1 Did you find any URLs like these? Have you come across URL' like these: Building a Mobile Website Some opt to build a separate (secondary) site for mobile Not necessarily a flawed approach

465 views • 30 slides
Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft Structures in

Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft Structures in

Inno Innovative Materials tive Materials Air Force Research Center for Nondestructive Testin Testing T Tech chnologies, es, I Inc. c. Laboratory Evaluation Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft

308 views • 12 slides
Detecting changes in Detecting changes in the rate the rate of a of a Poisson process

Detecting changes in Detecting changes in the rate the rate of a of a Poisson process

Detecting changes in Detecting changes in the rate the rate of a of a Poisson process Poisson process George V. Moustakides Outline Overview of the change detection problem CUSUM test and Lordens criterion The Poisson

454 views • 28 slides
draft-fieau-https-delivery-delegation Frdric Fieau - Orange Iuniana Oprescu - Orange IETF 93

draft-fieau-https-delivery-delegation Frdric Fieau - Orange Iuniana Oprescu - Orange IETF 93

draft-fieau-https-delivery-delegation Frdric Fieau - Orange Iuniana Oprescu - Orange IETF 93 Prague 2015 Rationale Delegation of content delivery occurs both in the clear HTTP and encrypted HTTPS in interconnection Several methods

622 views • 9 slides
Pointers Ch 9 & 13.1 Highlights - pointers object vs memory address An object is simply a

Pointers Ch 9 & 13.1 Highlights - pointers object vs memory address An object is simply a

Pointers Ch 9 & 13.1 Highlights - pointers object vs memory address An object is simply a box in memory and if you pass this into a function it makes a copy A memory address is where a box is located and if you pass this into a function,

471 views • 17 slides
IT350: Web & Internet Programming Set 19: Security, Hacking and myspace Input to your

IT350: Web & Internet Programming Set 19: Security, Hacking and myspace Input to your

IT350: Web & Internet Programming Set 19: Security, Hacking and myspace Input to your Website How does a user input information to your site? How does your server-side code process the input? How do you store the input?

717 views • 12 slides
Data-Intensive Distributed Computing CS 431/631 (Fall 2020) Part 3: From MapReduce to Spark (1/2)

Data-Intensive Distributed Computing CS 431/631 (Fall 2020) Part 3: From MapReduce to Spark (1/2)

Data-Intensive Distributed Computing CS 431/631 (Fall 2020) Part 3: From MapReduce to Spark (1/2) Ali Abedi These slides are available at https://www.student.cs.uwaterloo.ca/~cs451/ This work is licensed under a Creative Commons

384 views • 26 slides
Making Drupal Friendly for Editors and Clients BADCamp

Making Drupal Friendly for Editors and Clients BADCamp

Making Drupal Friendly for Editors and Clients BADCamp October 5, 2019 Jim.Vomero@FourKitchens.com @nJim Four Kitchens builds websites and apps for organizations that depend on

933 views • 51 slides
EECS 394 Software Development Chris Riesbeck Developing Mobile/Web Apps 1 Wednesday, October

EECS 394 Software Development Chris Riesbeck Developing Mobile/Web Apps 1 Wednesday, October

EECS 394 Software Development Chris Riesbeck Developing Mobile/Web Apps 1 Wednesday, October 24, 2012 Mobile Choices 2 Wednesday, October 24, 2012 Native Apps Native app access to all phone features best look and feel and performance

1.12k views • 38 slides
Macaroons and dCache or delegating in a cloudy world Patrick Fuhrmann Paul Millar Paul

Macaroons and dCache or delegating in a cloudy world Patrick Fuhrmann Paul Millar Paul

Macaroons and dCache or delegating in a cloudy world Patrick Fuhrmann Paul Millar Paul Millar On behave of the project team Macaroons and dCache | Taipei | Patrick Fuhrmann, Paul Millar | 15 March 2016 | 1 Macaroons and dCache | Taipei |

432 views • 11 slides
Session 22 Intra Server Control 1 Lecture Objectives Understand the differences between a

Session 22 Intra Server Control 1 Lecture Objectives Understand the differences between a

Session 22 Intra-server Control Session 22 Intra Server Control 1 Lecture Objectives Understand the differences between a server side forward and a redirect Understand the differences between an include and a forward and when

308 views • 6 slides

More recommend