[WWW2012] analyzing spammers' social networks for fun and profit

Analyzing Spammers' Social Networks for Fun
and Profit
A Case Study of Cyber Criminal Ecosystem on Twitter

Chao Yang, Texas A&M University
Robert Harkreader, Texas A&M University
Jialong Zhang, Texas A&M University

WMMKS Lab 郭至軒

WWW'12

Criminal Account

malicious behavior

Twitter Rule

A Twitter account can be considered to
be spamming, and thus be suspended
by Twitter.

Twitter Rule

If it has a small number of followers
compared to the amount of accounts
that it follows.

Follow Follow
10 self 1000

Who follow criminal accounts?

Let the criminal accounts still exist.

Cyber Criminal Ecosystem

criminal account

criminal supporter

legitimate account
victim

inner outer

Inner Social Relationship

inner


2,060

9,868

G = (V,E)

V: all criminal accounts
E: all follow relationship, directed edge


Relationship Graph Connected Components
8 weakly connected
components (at least
3 nodes)

521 isolated nodes


Finding 1:
Criminal accounts tend to be socially connected, forming
a small-world network.


Graph Density

Follow
Account Density
Relationship

Criminal
Space in 2,060 9,868 2.33 × 10-3
Sample
Entire
Twitter 41.7 × 106 1.47 × 109 8.45 × 10-7
Space


Graph Density

Follow
Account Density
Relationship

Criminal Almost 3,000 times
Space in 2,060 9,868 2.33 × 10-3
Sample
Entire
Twitter 41.7 × 106 1.47 × 109 8.45 × 10-7
Space


Reciprocity Number of Bidirectional Links

Reciprocity of 95% criminal
accounts higher than 0.2.

Reciprocity of 55% normal
accounts higher than 0.2.

Reciprocity of around 20%
criminal accounts are nearly
1.0.


Average Shortest Path Length
Average number of steps along the shortest
paths for all possible pairs of graph nodes.

ASPL

Criminal Accounts 2.60

Legitimate Accounts 4.12


Criminal accounts have strong social
connections with each other.


What are the main factors leading
to that structure?


Tend to follow many accounts without considering
those accounts' quality much.

Following Quality:

average follower number of an account's all
following accounts


Tend to follow many accounts without considering
those accounts' quality much.

FQ of 85% criminal accounts
lower than 20,000.

FQ of 45% normal accounts
lower than 20,000.


Criminal accounts, belonging to the same criminal
organizations.


Criminal accounts, belonging to the same criminal
organizations.

Group criminal accounts into
different criminal campaigns by 2,060
malicious URL.

9,868
17 campaigns

8,667 edges 87.8 %


Provide followers to criminal accounts

1. Break the Following Limits
Policy

2. Evade spam detection


Finding 2:
Compared with criminal leaves, criminal hubs are more
inclined to follow criminal accounts.


HITS algorithm to
calculate hub score

k-means algorithm to
cluster them

Relationship Graph criminal hubs: 90
criminal leaf: 1,970


Criminal Following Ratio (CFR):

ratio of the number of an account’s criminal-
followings to its total following number


CRF of 80% criminal hubs
higher than 0.1.

CRF of 20% criminal leaves
higher than 0.1.

lower than 0.05.


Why?


Criminal hubs tend to obtain followers more
effectively by following other criminal accounts.

Shared Following Ratio (SFR):

percentage of an account’s followers, who
also follows at least one of this account’s
criminal-followings


Criminal hubs tend to obtain followers more
effectively by following other criminal accounts.

SRF of 80% criminal hubs
higher than 0.4.

higher than 0.4.


criminal hubs

following leaves and acquiring their
followers’ information

criminal leaves

randomly following other accounts to
expect them to follow back

Outer Social Relationship

criminal supporters
accounts outside the criminal community, who have close
"follow relationships" with criminal accounts


Malicious Relevance Score Propagation
Algorithm (Mr.SPA)
MR score:

measuring how closely this account follows
criminal accounts

MR score


Algorithm (Mr.SPA)
1. the more criminal accounts followed, the higher
score

2. the further away from a criminal account, the
lower score

3. the closer the support relationship between a
Twitter account and a criminal account, the higher
score


Algorithm (Mr.SPA)

Malicious Relevance Graph, G = (V,E,W)

V: all accounts
W: weight for each edge, closeness of
relationship


Algorithm (Mr.SPA)
MR Score Initialization:

Mi = 1, if Vi is criminal account
Mi = 0, if Vi is not criminal account


Algorithm (Mr.SPA)
MR Score Aggregation:

an account’s score should sum up all
the scores inherited from the accounts
it follows
C1

MR(C1) = M1
A

C2 MR(A) = M1 + M2

MR(C2) = M2


Algorithm (Mr.SPA)
MR Score Dampening:

the amount of MR score that an
account inherits from other accounts
should be multiplied by a dampening
factor of α according to their social
distances, where 0 < α < 1

C A1 A2

MR(C) = M MR(C) = α × M MR(C) = α2 × M


Algorithm (Mr.SPA)
MR Score Splitting:

the amount of MR score that an
account inherits from the accounts it
follows should be multiplied by a
A1
relationship-closeness factor
MR(A1) = 0.5 × M
C

MR(C) = M A2

MR(A2) = 0.5 × M


Algorithm (Mr.SPA)

n: number of total nodes
Iij: { 0, 1 }, if (i,j) ∈ E, Iij = 1; otherwise, Iij = 0


Algorithm (Mr.SPA)

I: the column-vector normalized adjacency
matrix of nodes


After Mr. SPA...

use x-means algorithm
to cluster accounts based 5,924 criminal supporters
on their MR scores

most accounts have most accounts do not
relatively small scores have very close follow
and are grouped into one relationships with criminal
single cluster accounts


Social Butterflies
Those accounts that have extraordinarily large numbers
of followers and followings.

use 2,000 following
as a threshold

3,818 social
butterflies


Social Butterflies
The reason why social butterflies tend to have close
friendships with criminals is mainly because most of
them usually follow back the users who follow them
without careful examinations.


Social Promoters
Those accounts that have large following-follower
ratios, larger following numbers and relatively high URL
ratios.

whose URL ratios are higher than
0.1, and following numbers and
following-follower ratios are both at
the top 10-percentile

508 social promoters


Social Promoters
The reason why social promoters tend to have close
friendships with criminal accounts is probably because
most of them usually promote themselves or their
business by actively following other accounts without
considerations of those accounts’ quality.


Dummies
Those accounts who post few tweets but have many
followers.

post fewer than 5 tweets and
whose follower numbers are
at the top 10-percentile

81 dummies


Dummies
The reason why dummies intend to have close
friendship with criminals is mainly because most of
them are controlled or utilized by cyber criminals.

Inferring Criminal Accounts

The number of Twitter accounts is HUGE!


Criminal account Inference Algorithm
(CIA)

start from a seed set


(CIA)

1. criminal accounts tend to be socially
connected

2. criminal accounts usually share similar
topics, thus having strong semantic
coordinations among them


(CIA)

Malicious Relevance Graph, G = (V,E,W)

V: all accounts
W: weight for each edge, WS(i,j)

P.S. SS: Semantic Similarity Score


(CIA)

n: number of total nodes
Iij: { 0, 1 }, if (i,j) ∈ E, Iij = 1; otherwise, Iij = 0


Evaluation of CIA

Dataset I: around half million accounts from our
previous study [35]

Dataset II: another new crawled 30,000 accounts
by starting from 10 newly identified criminal
accounts and using BFS strategy


Evaluation of CIA
Dataset I
CA: Criminal Account
MA: Malicious Affected Account

Selection Strategies
100 seeds, select 4,000
accounts


Evaluation of CIA
Dataset I

Selection Sizes
100 seeds


Evaluation of CIA
Dataset I

Seed Sizes
select 4,000 accounts


Evaluation of CIA
Dataset I

Seed Type
accounts


Evaluation of CIA
Dataset I

Recursive Inference
accounts


Evaluation of CIA
Dataset II

Seed Type
accounts

Conclusion

S Provide a macro scale to view the
criminal accounts.

Focus on analysis and use heuristic
W method. And the detail of semantic
similarity score has omitted.
Find out many malicious accounts,

O maybe analyze them can improve
accuracy of CIA to detect criminal
accounts.
There is bias for training dataset, and
T let CIA improve not much when
detect criminal accounts.

[WWW2012] analyzing spammers' social networks for fun and profit

Recomendados

Recomendados

Mais conteúdo relacionado

Semelhante a [WWW2012] analyzing spammers' social networks for fun and profit

Semelhante a [WWW2012] analyzing spammers' social networks for fun and profit (20)

Mais de Chih-Hsuan Kuo

Mais de Chih-Hsuan Kuo (20)

Último

Último (20)

[WWW2012] analyzing spammers' social networks for fun and profit