Warningbird

•

0 gostou•1,955 visualizações

This document describes WarningBird, a system for detecting suspicious URLs in Twitter streams. It uses URL redirection chains and tweet context to extract 11 features for classifying URLs. WarningBird crawls URLs to obtain redirection chains, then performs domain grouping, feature extraction and logistic regression classification. It achieved low false positive and negative rates on real Twitter data. WarningBird can process URLs quickly and detect suspicious accounts faster than Twitter's own systems.

Tecnologia Design

WarningBird: Detecting Suspicious URLs in
Twitter Stream

Sangho Lee and Jong Kim
Pohang University of Science and Technology

January 18, 2012

Threat
Post URLs to attract traﬃc to website
Can deliver various payloads

Threat
Post URLs to attract traﬃc to website
Can deliver various payloads

Spam

Threat
Post URLs to attract traﬃc to website
Can deliver various payloads

Spam
Phishing

Threat
Post URLs to attract traﬃc to website
Can deliver various payloads

Spam
Phishing
Download
Malicious
Software

Twitter
Online micro-blogging service
Large (about 100 million accounts)
URL shortener services
Tweets broadcasted to legitimate users

Twitter
Online micro-blogging service
Large (about 100 million accounts)
URL shortener services
Tweets broadcasted to legitimate users
Good vector for attackers to attract traﬃc
Many potential targets
URL shorteners common and mask actual website
Many users view tweets based on content and not authorship

Existing Detection Approaches and Limitations
1. Detect accounts based on account information
E.g., ratio of Tweets with URLs to Tweets without URLs
Easily fabricated by attacker

Redirection Chains

Redirect chains start by resolving shortened URL
Several hops of URLs owned by attacker to redirect user
Dynamically choose which page a user ultimately visits
Crawlers goto legitimate URL
Legitimate users goto the malicious URL

Problem
Given a URL posted on Twitter, determine whether a
legitimate user would ultimately be directed to a malicious
URL by visiting the URL on Twitter

Warning Bird

Input: tweets
Output: suspicious URLs
Live website shows recent suspicious URLs

Data Collection

Use Twitter Streaming API to collect Tweets
Keep only Tweets with URLs
Crawl and store URL chain of each URL
Queue many Tweets to be analyzed together

Feature Extraction

Grouping domains xyz.com
= 20.30.40.50 = abc.com
Find entry point URLs
11 features based on URL
chains and Tweet context

Classiﬁer

Features are all normalized between zero and one
Logistic regression classiﬁcation experimentally found to be
the best
Ground truth from Twitter account status for supervised
learning

Experimentation
Real Twitter data from Twitter Streaming API
Their own commodity hardware
Performed experiments on Twitter data to investigate
Accuracy
Performance
Delay in Detection

Accuracy Results
60 days of training data 183k benign and 42k malicious URLs
30 days of test data 71k benign and 6.7k malicious URLs
Achieved 3.67% FPR and 3.21% FNR
Of 71k benign, 2.6k marked malicious
Of 6.7k malicious, 200 not discovered

Performance Results
Running time of various components
24ms time to crawl redirections (100 concurrent crawls)
2ms domain grouping
1.6ms feature extraction
0.5ms classiﬁcation
Process 100,000 URLs in one hour
Can distribute redirection crawling to improve this

Delay Results

WarningBird can detect faster than Twitter
Only shows results for those accounts suspended by Twitter
within a day

Conclusion
Found important feature others have ignored
Attacker must either spend more for more redirection servers
or risk being caught

Mais conteúdo relacionado

Mais procurados

Paper nctsn

Franciny S.

4 tools for saving great tweets

razorsocial

Mz sdl-140331

Angus Fox

Howtwitter works

zebikhan

Connect with us! http://www.virtualassistant.org/ http://www.facebook.com/virtualassistantinc http://virtualassistantinc.wordpress.com/ http://virtual-assistant-org.blogspot.com/ http://twitter.com/VAsocial virtual assistant, virtual assistants, small business services, virtual business services, one stop business service, business assistant, virtual assistant, administrative services, business support, support system, back office infrastructure, services, twitter, change twitter email notification, promote twitter profile

How to Promote Your Twitter Profile

Portfolio

Web of Short URL’s

IRJET Journal

Fake followers audit

Jimmy Finch

Spear phishing is an e-mail spoofing fraud attempt that targeting an organization to glean out confidential data and gain unauthorized access to organization's confidential data or internal network. Attacker may be motivated to carry confidential internal information to seek out financial gain, trade secrets or proprietary information. The emails sent to internal employees in spear phishing attempt appear to originate from a high ranking authoritative source positioned in the company. It is purposefully done so that very few people will question the intent regarding this request and readily provide the "supposed authority" with the requested details.

Spear Phishing Methodology

Network Intelligence India

Effective Anti-Phishing Strategies and Exercises - FISSEA 2017 Conference

Paubox, Inc.

Social media analysis in R using twitter API

Mohd Shadab Alam

Conventions of twitter 2

haverstockmedia

bluemix_spark_service

vishi nema

Social Developers London update for Twitter Developers

Angus Fox

Mais procurados (13)

Paper nctsn

4 tools for saving great tweets

Mz sdl-140331

Howtwitter works

How to Promote Your Twitter Profile

Web of Short URL’s

Fake followers audit

Spear Phishing Methodology

Effective Anti-Phishing Strategies and Exercises - FISSEA 2017 Conference

Social media analysis in R using twitter API

Conventions of twitter 2

bluemix_spark_service

Social Developers London update for Twitter Developers

Semelhante a Warningbird

Warningbird a near real time detection system for suspicious urls in twitter ...

JPINFOTECH JAYAPRAKASH

Phishing is a social engineering Technique which they main aim is to target the user Information like user id, password, credit card information and so on. Which result a financial loss to the user. Detecting Phishing is the one of the challenge problem that relay to human vulnerabilities. This paper proposed the Detecting Phishing Web Sites using different Machine Learning Approaches. In this to evaluate different classification models to predict malicious and benign websites by using Machine Learning Algorithms. Experiments are performed on data set consisting malicious and benign, In This paper the results shows the proposed Algorithms has high detection accuracy. Nakkala Srinivas Mudiraj ""Detecting Phishing using Machine Learning"" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-3 | Issue-4 , June 2019, URL: https://www.ijtsrd.com/papers/ijtsrd23755.pdf Paper URL: https://www.ijtsrd.com/computer-science/computer-security/23755/detecting-phishing-using-machine-learning/nakkala-srinivas-mudiraj

Detecting Phishing using Machine Learning

ijtsrd

Web Application Security

Chris Hillman

Abstract: Existence of spam URLs over emails and Online Social Media (OSM) has become a growing phenomenon. To counter the dissemination issues associated with long complex URLs in emails and character limit imposed on various OSM (like Twitter), the concept of URL shortening gained a lot of traction. URL shorteners take as input a long URL and give a short URL with the same landing page in return. With its immense popularity over time, it has become a prime target for the attackers giving them an advantage to conceal malicious content. Bitly, a leading service in this domain is being exploited heavily to carry out phishing attacks, work from home scams, pornographic content propagation, etc. This imposes additional performance pressure on Bitly and other URL shorteners to be able to detect and take a timely action against the illegitimate content. In this study, we analyzed a dataset marked as suspicious by Bitly in the month of October 2013 to highlight some ground issues in their spam detection mechanism. In addition, we identified some short URL based features and coupled them with two domain speciﬁc features to classify a Bitly URL as malicious / benign and achieved a maximum accuracy of 86.41%. To the best our knowledge, this is the ﬁrst large scale study to highlight the issues with Bitly’s spam detection policies and proposing a suitable countermeasure.

Exploration of gaps in Bitly's spam detection and relevant countermeasures

Cybersecurity Education and Research Centre

Report - Final_New_phishila

Ashwin Palani

ppt presentation

webhostingguy

Conference Abstract: This session will focus on integrating with social media with your Spring projects. The Spring Social project allows developers to interact with Twitter, LinkedIn, Facebook & TripIt in web and mobile projects. We will discuss security concerns with OAuth 1.0 & 2.0 and how Spring templates make our job easier. Topics Include: - Spring Greenhouse - reference implementation of Spring Social - Spring Mobile - integrating Spring Social with iPhone & Android - Security with OAuth - Accessing Social data with REST, JSON & XML - Examples of Spring Social Media Templates

Spring Social - Messaging Friends & Influencing People

Gordon Dickens

Url manipulation

Shivam Singh

Proxy log review and use cases

Mostafa Yahia

GNUCITIZEN Pdp Owasp Day September 2007

guest20ab09

Tracking online conversations with Yahoo Pipes

Corinne Weisgerber

International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.

F43033234

IJERA Editor

Colloquim Report - Rotto Link Web Crawler

Akshay Pratap Singh

On the Persistence of Persistent Identifiers of the Scholarly Web

Martin Klein

Extracting Resources that Help Tell Events' Stories

Carlo Andrea Conte

Using & Abusing APIs: An Examination of the API Attack Surface

CA API Management

This report from Imperva’s Hacker Intelligence Initiative (HII), describes a Search Engine Poisoning (SEP) campaign from start to finish. SEP abuses the ranking algorithms of search engines to promote an attacker-controlled Web site that contains malware. Imperva’s Application Defense Center (ADC) has witnessed these types of automated attack campaigns, which cause search engines to return high-ranking Web pages infected with malicious code that references an attacker-controlled Web site.

Search Engine Poisoning

Imperva

Web spoofing (1)

Khushboo Taneja

Rails 3 and OAuth for Barcamp Tampa

Bryce Kerley

Colloquim Report on Crawler - 1 Dec 2014

Sunny Gupta

Semelhante a Warningbird (20)

Warningbird a near real time detection system for suspicious urls in twitter ...

Detecting Phishing using Machine Learning

Web Application Security

Exploration of gaps in Bitly's spam detection and relevant countermeasures

Report - Final_New_phishila

ppt presentation

Spring Social - Messaging Friends & Influencing People

Url manipulation

Proxy log review and use cases

GNUCITIZEN Pdp Owasp Day September 2007

Tracking online conversations with Yahoo Pipes

F43033234

Colloquim Report - Rotto Link Web Crawler

On the Persistence of Persistent Identifiers of the Scholarly Web

Extracting Resources that Help Tell Events' Stories

Using & Abusing APIs: An Examination of the API Attack Surface

Search Engine Poisoning

Web spoofing (1)

Rails 3 and OAuth for Barcamp Tampa

Colloquim Report on Crawler - 1 Dec 2014

Último

Tracing the root cause of a performance issue requires a lot of patience, experience, and focus. It’s so hard that we sometimes attempt to guess by trying out tentative fixes, but that usually results in frustration, messy code, and a considerable waste of time and money. This talk explains how to correctly zoom in on a performance bottleneck using three levels of profiling: distributed tracing, metrics, and method profiling. After we learn to read the JVM profiler output as a flame graph, we explore a series of bottlenecks typical for backend systems, like connection/thread pool starvation, invisible aspects, blocking code, hot CPU methods, lock contention, and Virtual Thread pinning, and we learn to trace them even if they occur in library code you are not familiar with. Attend this talk and prepare for the performance issues that will eventually hit any successful system. About authorWith two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Victor Rentea

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

Dubai, known for its towering skyscrapers, luxurious lifestyle, and relentless pursuit of innovation, often finds itself in the global spotlight. However, amidst the glitz and glamour, the emirate faces its own set of challenges, including the occasional threat of flooding. In recent years, Dubai has experienced sporadic but significant floods, disrupting normalcy and posing unique challenges to its infrastructure. Among the critical nodes in this bustling metropolis is the Dubai International Airport, a vital hub connecting the world. This article delves into the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Orbitshub

Keynote 2: APIs in 2030: The Risk of Technological Sleepwalk Paolo Malinverno, Growth Advisor - The Business of Technology Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

apidays

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

ICT role in 21st century education and its challenges

rafiqahmad00786416

Passkeys: Developing APIs to enable passwordless authentication Cody Salas, Sr Developer Advocate | Solutions Architect - Yubico Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

apidays

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

Architecting Cloud Native Applications

WSO2

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

When you’re building (micro)services, you have lots of framework options. Spring Boot is no doubt a popular choice. But there’s more! Take Quarkus, a framework that’s considered the rising star for Kubernetes-native Java. It always depends on what's best for your situation, but how to choose the best solution if you're comparing 2 frameworks? Both Spring Boot and Quarkus have their positives and negatives. Let us compare the two by live coding a couple of common use cases in Spring Boot and Quarkus. After this talk, you’ll be ready to get started with Quarkus yourself, and know when to select Quarkus or Spring Boot.

Spring Boot vs Quarkus the ultimate battle - DevoxxUK

Jago de Vreede

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

The action of the next cyber saga takes place in the mystical lands of the Asia-Pacific region, where the main characters began their digital activities in the middle of 2021 and qualitatively strengthened it in 2022. Corporate espionage, document theft, audio recordings, and data leaks from messaging platforms were all a matter of one day for Dark Pink. Their geographical focus may have started in the Asia-Pacific region, but their ambitions knew no bounds, targeting a European government ministry in a bold move to expand their portfolio. Their victim profile was as diverse as a UN meeting, targeting military organizations, government agencies, and even a religious organization. Because discrimination is not a fashionable agenda. In the world of cybercrime, they serve as a reminder that sometimes the most serious threats come in the most unassuming packages with a pink bow.

Cyberprint. Dark Pink Apt Group [EN].pdf

Overkill Security

Warningbird

1. WarningBird: Detecting Suspicious URLs in Twitter Stream Sangho Lee and Jong Kim Pohang University of Science and Technology January 18, 2012

2. Threat Post URLs to attract traﬃc to website Can deliver various payloads

3. Threat Post URLs to attract traﬃc to website Can deliver various payloads Spam

4. Threat Post URLs to attract traﬃc to website Can deliver various payloads Spam Phishing

5. Threat Post URLs to attract traﬃc to website Can deliver various payloads Spam Phishing Download Malicious Software

6. Twitter Online micro-blogging service Large (about 100 million accounts) URL shortener services Tweets broadcasted to legitimate users

7. Twitter Online micro-blogging service Large (about 100 million accounts) URL shortener services Tweets broadcasted to legitimate users Good vector for attackers to attract traﬃc Many potential targets URL shorteners common and mask actual website Many users view tweets based on content and not authorship

8. Existing Detection Approaches and Limitations 1. Detect accounts based on account information E.g., ratio of Tweets with URLs to Tweets without URLs Easily fabricated by attacker

9. Existing Detection Approaches and Limitations 1. Detect accounts based on account information E.g., ratio of Tweets with URLs to Tweets without URLs Easily fabricated by attacker 2. Detect accounts based on social graph E.g., connectivity measures for each node Hard to obtain and analyze large amounts of Twitter data

10. Existing Detection Approaches and Limitations 1. Detect accounts based on account information E.g., ratio of Tweets with URLs to Tweets without URLs Easily fabricated by attacker 2. Detect accounts based on social graph E.g., connectivity measures for each node Hard to obtain and analyze large amounts of Twitter data 3. Crawl URLs to classify them E.g., detect malicious URLs based on html content Redirection chains used by attackers

11. Redirection Chains Redirect chains start by resolving shortened URL Several hops of URLs owned by attacker to redirect user Dynamically choose which page a user ultimately visits Crawlers goto legitimate URL Legitimate users goto the malicious URL

12. Problem Given a URL posted on Twitter, determine whether a legitimate user would ultimately be directed to a malicious URL by visiting the URL on Twitter

13. Problem Given a URL posted on Twitter, determine whether a legitimate user would ultimately be directed to a malicious URL by visiting the URL on Twitter Assumptions: Cannot use features easily fabricated by attacker No access to large Twitter graph Have access to part of redirect chain available to crawlers Redirect chains cannot be fabricated

14. Problem Given a URL posted on Twitter, determine whether a legitimate user would ultimately be directed to a malicious URL by visiting the URL on Twitter Assumptions: Cannot use features easily fabricated by attacker No access to large Twitter graph Have access to part of redirect chain available to crawlers Redirect chains cannot be fabricated Solution Overview: Create classiﬁer Rely on redirect chain for features Validate accuracy/performance with Twitter data

15. Warning Bird Input: tweets Output: suspicious URLs Live website shows recent suspicious URLs

16. Data Collection Use Twitter Streaming API to collect Tweets Keep only Tweets with URLs Crawl and store URL chain of each URL Queue many Tweets to be analyzed together

17. Feature Extraction Grouping domains xyz.com = 20.30.40.50 = abc.com Find entry point URLs 11 features based on URL chains and Tweet context

18. Features

19. Classiﬁer Features are all normalized between zero and one Logistic regression classiﬁcation experimentally found to be the best Ground truth from Twitter account status for supervised learning

20. Experimentation Real Twitter data from Twitter Streaming API Their own commodity hardware Performed experiments on Twitter data to investigate Accuracy Performance Delay in Detection

21. Accuracy Results 60 days of training data 183k benign and 42k malicious URLs 30 days of test data 71k benign and 6.7k malicious URLs Achieved 3.67% FPR and 3.21% FNR Of 71k benign, 2.6k marked malicious Of 6.7k malicious, 200 not discovered

22. Performance Results Running time of various components 24ms time to crawl redirections (100 concurrent crawls) 2ms domain grouping 1.6ms feature extraction 0.5ms classiﬁcation Process 100,000 URLs in one hour Can distribute redirection crawling to improve this

23. Delay Results WarningBird can detect faster than Twitter Only shows results for those accounts suspended by Twitter within a day

24. Conclusion Found important feature others have ignored Attacker must either spend more for more redirection servers or risk being caught

Warningbird

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (13)

Semelhante a Warningbird

Semelhante a Warningbird (20)

Último

Último (20)

Warningbird