Transcript
Page 1: Discovery of the Bursty Botnet by unusual tweeting behaviours · statisticalcyber.com/talks/Zhou, Shi slides.pdf · Twitter bot detection • Many methods based on ‘common features’

Juan Echeverria, Christoph Besel, Shi Zhou
Department of Computer Science, University College London (UCL)

Discovery of the Bursty Botnet by unusual tweeting behaviours

Page 2:

Twitter bots and botnet

Threats: Fake news; spam; phishing; opinion manipulation; streaming API contamination; advertisement fraud...

Page 3:

Twitter bot detection

• Many methods based on ‘common features’ of bots
• Only small numbers of bots detected
• Lack of ground truth

Page 4:

Outline of this talk

• Recent discovery of Star Wars Botnet
  • 350,000 bots
• Our discovery of the Bursty Botnet
  • 500,000 bots
  • Unusual tweeting behaviours
  • Direct link with a spamming attack
• Reflection on Twitter bot detection

Page 5:

Distribution of the location tags of tweets by 1% Twitter users

First clue of the Star Wars botnet

Page 6:

Uniform distribution in two rectangle zones? Even on sea and desert?

Page 7:

Tweets of random quotations from Star Wars novels

All tweets

The suspicious tweets

Page 8:

The Star Wars Botnet

• Only tweeted random quotations from SW novels.
• Only tweeted from the source of Windows phone
  • Windows phone accounts for only 0.02% of all tweets.
• <10 followers, <32 friends, <11 tweets....
• >350,000 Bots are identified.

Page 9:

Nice story... And?

Page 10:

SW bots were created in burst!

[Figure: Percentage of Twitter users versus Twitter ID (0 ~ 2^32, in billions), with the ID range containing Star-Wars bots marked]

[Figure: Percentage of ID space used versus Twitter ID (1500 to 1600); series: Random Users, StarWars Bots]

Page 11:

SW bots also tweeted in burst!

• All their tweets were generated immediately after their creation.
• Definition of ‘bursty users’:
  • Users that tweeted at least 3 times in their first hour
  • Then they never tweeted again
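
The ‘bursty users’ definition above, written as a filter over tweet records, with a per-ID-bin count that shows where such accounts cluster in the user ID space. This is an added example, not code from the talk; the record layout, function names and sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FIRST_HOUR = timedelta(hours=1)
MIN_TWEETS = 3  # "at least 3 times in their first hour"

def bursty_users(accounts, tweets):
    """Return {user_id: minutes from creation to last tweet} for bursty users.

    accounts: {user_id: created_at}; tweets: iterable of (user_id, tweeted_at).
    "Never tweeted again" can only be judged up to the end of the collected data.
    """
    by_user = defaultdict(list)
    for uid, ts in tweets:
        by_user[uid].append(ts)
    result = {}
    for uid, stamps in by_user.items():
        created = accounts.get(uid)
        if created is None:
            continue  # no creation time: the definition cannot be evaluated
        in_first_hour = [t for t in stamps if created <= t <= created + FIRST_HOUR]
        # Bursty: >= 3 tweets in the first hour and no tweet outside it.
        if len(in_first_hour) >= MIN_TWEETS and len(in_first_hour) == len(stamps):
            result[uid] = (max(stamps) - created).total_seconds() / 60
    return result

def id_histogram(user_ids, bin_width):
    """Count users per ID bin; each key is the lower bound of its bin."""
    return dict(Counter((uid // bin_width) * bin_width for uid in user_ids))

# Constructed sample data (IDs and timestamps are invented for illustration).
T0 = datetime(2012, 2, 20, 12, 0, 0)
ACCOUNTS = {
    500_000_101: T0,                         # 3 tweets within 2 minutes
    500_000_102: T0 + timedelta(seconds=5),  # 3 tweets within 2 minutes
    500_900_000: T0,                         # tweets again a day later
    731_000_000: T0,                         # only 2 tweets
}
TWEETS = (
    [(500_000_101, T0 + timedelta(seconds=s)) for s in (20, 60, 110)]
    + [(500_000_102, T0 + timedelta(seconds=s)) for s in (15, 40, 95)]
    + [(500_900_000, T0 + timedelta(seconds=s)) for s in (30, 60, 90, 86_400)]
    + [(731_000_000, T0 + timedelta(seconds=s)) for s in (30, 60)]
)

if __name__ == "__main__":
    found = bursty_users(ACCOUNTS, TWEETS)
    print(found)
    print(id_histogram(found, 1_000_000))
```

A spike in one ID bin relative to its neighbours is the signal of accounts created together; the bin width is a tuning choice.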

Page 12:

Discovery of the Bursty Botnet

[Figure: Percentage of user IDs versus Twitter user ID space (0 to 3.5 x10^9); series: All users, Bursty users; annotations: Star Wars bots, Bursty bots]

[Figure: Number of bursty users (0 to 140,000) versus Twitter user ID space (0 to 3.5 x10^9); annotations: Bursty bots, Star Wars bots; date labels: Feb 2012, March 2012, June 2013, July 2013]

Page 13:

The Bursty Botnet

• Bursty Bots only tweeted in their first 2 minutes.
• They were created in February and March 2012.
• They only tweeted from the source of Mobile Web.
• They mostly tweeted (i) a URL; and/or (ii) a mention.

[Figure: Distribution (0 to 1) versus minutes from creation to last tweet (0 to 10); series: Bursty bots, Star Wars bots]

Page 14:

The Bursty Botnet

• >500,000 Bursty Bots are identified.
• Still alive in Twitter.
• Most bursty users are Bursty Bots!

[Figure: Number of users (x10^4) versus Twitter user IDs (x10^6, 500 to 535); series: Bursty users, Bursty bots, Difference]

Page 15:

The ‘disappeared’ Bursty Bots

[Figure: Number of users (x10^4) versus Twitter user IDs (x10^6, 500 to 535); series: September 2015, September 2016, Disappeared Bursty bots]

• Another 300,000 Bursty Bots have been removed by Twitter between Sept. 2015 and Sept. 2016.
• A vote from Twitter that these are indeed bad bots?
• It seems Twitter does not know what we know?

Page 16:

The Bursty Botnet properties

• Most Bursty Bots have no friend or follower.
• They mostly tweeted only a URL and/or a mention.
• Spamming attack?

Page 17:

The Bursty Botnet spamming attack

• 99.9% (2.8m) URLs are unique
• Complex URL shorteners and redirects.
• Most URLs point to two spam campaigns.
  • A webpage blocked by tinyurl.com
  • A known phishing webpage
    • www.facebook-goodies.com

Page 18:

A carefully designed spamming attack

• 500,000 bots were created in burst, and they tweeted in burst -- to evade bot detection.
• 2.8 million unique URLs using shorteners and redirects -- to fool spam detection.
• 1.3 distinct Twitter users were mentioned -- to increase visibility and chance of being clicked.
• Success: 61% of URLs were actually clicked!
• A remarkable revenue?

Page 19:

The Bursty Botnet

• No doubt it is a botnet, and it was for spamming attacks.
• Further study can even reveal the alleged botmaster.
• Full analysis of the spamming attack will be published elsewhere. :)
  • with a lot of interesting details...

Page 20:

Reflection on Twitter bots detection

• Existing methods fail to detect large botnets
• The assumed “common features” are not necessarily common.
• Understandable: lack of ground truth; evolving botnets

Page 21:

A long-term battle

• The two botnets were discovered by their unusual tweeting behaviours.
• We cannot expect to repeat our luck.
• Botmasters will learn lessons.
• New botnets will avoid any known features, especially the common features.
• Is a ‘general’ approach realistic?
• To detect common or unusual features?

Page 22:

Thank You!

Dr. Shi Zhou
University College London (UCL)