Xiuwen Liu,Jianming Fu,Yanjiao Chen

DOI: https://doi.org/10.1016/j.ins.2020.03.048

IF: 8.1

2020-01-01

Information Sciences

Abstract:The rich source of online reports and discussions on social media can be leveraged to investigate the widespread cyber-attacks. In this paper, we study the problem of cybersecurity event mining based on continuous tweet streams. In contrast to traditional static methods that do not consider event evolution, we explore relevance among historical and online events for cyber-attack event discovery and evolution detection. We propose CyberEM, a novel event evolution model with a special focus on cybersecurity events. A pattern clustering algorithm and an NMF-based (non-negative matrix factorization) event aggregation algorithm are devised for cyber-attack indicator extraction and event evolution detection. We leverage both the patterns that belong to the cybersecurity domain and the patterns of the semantic contexts of cybersecurity to refine evolutionary relevance of events across multiple time intervals. Furthermore, we design a dynamic event inference algorithm to discover cybersecurity events and update event aggregation in an online manner. Through extensive evaluations with a large-scale real-world tweet dataset, we demonstrate the superiority of the proposed CyberEM model over existing methods in identifying cybersecurity events and their evolutionary relevance.

K. Kiruthika Devi,G. A. Sathish Kumar

DOI: https://doi.org/10.1142/s0218488524500016

2024-02-22

International Journal of Uncertainty, Fuzziness and Knowlege-Based Systems

Abstract:International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, Volume 32, Issue 01, Page 1-20, January 2024. Currently, social media networks such as Facebook and Twitter have evolved into valuable platforms for global communication. However, due to their extensive user bases, Twitter is often misused by illegitimate users engaging in illicit activities. While there are numerous research papers available that delve into combating illegitimate users on Twitter, a common shortcoming in most of these works is the failure to address the issue of class imbalance, which significantly impacts the effectiveness of spam detection. Few other research works that have addressed class imbalance have not yet applied bio-inspired algorithms to balance the dataset. Therefore, we introduce PSOB-U, a particle swarm optimization-based undersampling technique designed to balance the Twitter dataset. In PSOB-U, various classifiers and metrics are employed to select majority samples and rank them. Furthermore, an ensemble learning approach is implemented to combine the base classifiers in three stages. During the training phase of the base classifiers, undersampling techniques and a cost-sensitive random forest (CS-RF) are utilized to address the imbalanced data at both the data and algorithmic levels. In the first stage, imbalanced datasets are balanced using random undersampling, particle swarm optimization-based undersampling, and random oversampling. In the second stage, a classifier is constructed for each of the balanced datasets obtained through these sampling techniques. In the third stage, a majority voting method is introduced to aggregate the predicted outputs from the three classifiers. The evaluation results demonstrate that our proposed method significantly enhances the detection of illegitimate users in the imbalanced Twitter dataset. Additionally, we compare our proposed work with existing models, and the predicted results highlight the superiority of our spam detection model over state-of-the-art spam detection models that address the class imbalance problem. The combination of particle swarm optimization-based undersampling and the ensemble learning approach using majority voting results in more accurate spam detection.

Yizhe You,Zhengwei Jiang,Peian Yang,Jun Jiang,Kai Zhang,Xuren Wang,Chenpeng Tu,Huamin Feng

DOI: https://doi.org/10.1093/comjnl/bxae084

2024-09-29

The Computer Journal

Abstract:Abstract Open-source information platforms such as Twitter continuously provide the latest threat intelligence, including new vulnerabilities and in-the-wild exploitations of advanced persistent threat (APT) groups. Automated extraction of threat intelligence from Twitter has become crucial for defenders to access up-to-date threat knowledge. However, existing studies mainly rely on supervised learning methods to extract threat intelligence knowledge, such as entities, which require a large amount of annotated data. This paper presents Threat Intelligence Mining and Analysis based on Prompt Learning (P-TIMA), a framework specifically crafted for extracting and analyzing threat intelligence from Twitter. P-TIMA employs our innovative few-shot entity recognition method, SecEntPrompt (SEP), built on prompt learning, to extract vulnerability intelligence from Twitter. Additionally, P-TIMA analyzes and profiles the overarching vulnerability intelligence obtained from Twitter, along with in-the-wild exploitation intelligence of APT groups. The SEP improves the average entity recognition F1 score by 3.62-4.40 compared with the best-performing comparison model and outperforms the method based on the large language model on recognition performance and inference time. To validate our framework, we apply P-TIMA to extract vulnerability-related threat intelligence from real Twitter data. Through case studies, we then analyze trends in vulnerability threats and the exploitation capabilities of APT groups. In conclusion, our framework provides a more efficient and accurate method for extracting threat intelligence from Twitter, enabling defenders to stay up-to-date with the latest threat trends and helping them improve their defense strategies against cyber attacks.

computer science, information systems, theory & methods, software engineering, hardware & architecture

Nicholas Thapen,Donal Simmie,Chris Hankin

DOI: https://doi.org/10.1186/s13326-016-0103-z

2016-10-07

Abstract:Background: Twitter updates now represent an enormous stream of information originating from a wide variety of formal and informal sources, much of which is relevant to real-world events. They can therefore be highly useful for event detection and situational awareness applications. Results: In this paper we apply customised filtering techniques to existing bio-surveillance algorithms to detect localised spikes in Twitter activity, showing that these correspond to real events with a high level of confidence. We then develop a methodology to automatically summarise these events, both by providing the tweets which best describe the event and by linking to highly relevant news articles. This news linkage is accomplished by identifying terms occurring more frequently in the event tweets than in a baseline of activity for the area concerned, and using these to search for news. We apply our methods to outbreaks of illness and events strongly affecting sentiment and are able to detect events verifiable by third party sources and produce high quality summaries. Conclusions: This study demonstrates linking event detection from Twitter with relevant online news to provide situational awareness. This builds on the existing studies that focus on Twitter alone, showing that integrating information from multiple online sources can produce useful analysis.

Rupinder Paul Khandpur,Taoran Ji,Steve Jan,Gang Wang,Chang-Tien Lu,Naren Ramakrishnan

DOI: https://doi.org/10.1145/3132847.3132866

2017-02-25

Abstract:Social media is often viewed as a sensor into various societal events such as disease outbreaks, protests, and elections. We describe the use of social media as a crowdsourced sensor to gain insight into ongoing cyber-attacks. Our approach detects a broad range of cyber-attacks (e.g., distributed denial of service (DDOS) attacks, data breaches, and account hijacking) in an unsupervised manner using just a limited fixed set of seed event triggers. A new query expansion strategy based on convolutional kernels and dependency parses helps model reporting structure and aids in identifying key event characteristics. Through a large-scale analysis over Twitter, we demonstrate that our approach consistently identifies and encodes events, outperforming existing methods.

Cryptography and Security,Human-Computer Interaction,Information Retrieval,Social and Information Networks

Gaolei Fei,Yong Cheng,Yang Liu,Zhuo Liu,Guangmin Hu

DOI: https://doi.org/10.1007/978-3-030-38961-1_57

2019-01-01

Abstract:Billions of data spread on Twitter every day, which carries a lot of information. It is meaningful to mine the useful information and make it valuable. The purpose of Twitter event detection is to detect what happened in our real life from these unstructured data. We introduce the spatio-temporal information of tweets into event detection. The event detection can be divided into three steps in this paper. First, we use the space difference between event words and noise words and introduce the relationship between words, then we can build a model to separate event words and noise words. Then we define the similarity between event tweets from three different aspects, which make up for the shortcomings of existing methods. Finally, we construct a graph based on the similarity between tweets, and the graph can be divided into different event clusters to complete the event detection. Our method has achieved good results and can be applied to event detection in actual life.

Guoming Lu,Yaqiao Mu,Jianbin Gu,Franck A. P. Kouassi,Chenxi Lu,Ruozhou Wang,Aiguo Chen

DOI: https://doi.org/10.1016/j.compeleceng.2021.107317

IF: 4.152

2021-01-01

Computers & Electrical Engineering

Abstract:Sub-event detection for social media is getting increasingly important because social media platforms have played key roles in disseminating vital information to the public. However, conventional methods fail to achieve high-quality analysis of events evolution due to the severe sparseness and noise of tweets data. In this paper, we propose an unsupervised sub-event detection model which learns rich information from hashtags with a Text-CNN model. Furthermore, a two steps training method leveraged by KL divergence is introduced to further reduce the negative influence of incoherent semantics. The experiments show that our method achieves very good performance on datasets of different languages. On the Chinese dataset, in terms of NMI, and BCubed F1 precision, our method has a significant increase of 5.1%, and 11.9%, respectively, over the baseline methods. In most cases, our method significantly improves the performance of sub-event detection compared with state-of-the-art methods.

Thea Riebe,Tristan Wirth,Markus Bayer,Philipp Kühn,Marc-André Kaufhold,Volker Knauthe,Stefan Guthe,Christian Reuter

DOI: https://doi.org/10.1007/978-3-030-86890-1_24

2021-01-01

Abstract:Receiving relevant information on possible cyber threats, attacks, and data breaches in a timely manner is crucial for early response. The social media platform Twitter hosts an active cyber security community. Their activities are often monitored manually by security experts, such as Computer Emergency Response Teams (CERTs). We thus propose a Twitter-based alert generation system that issues alerts to a system operator as soon as new relevant cyber security related topics emerge. Thereby, our system allows us to monitor user accounts with significantly less workload. Our system applies a supervised classifier, based on active learning, that detects tweets containing relevant information. The results indicate that uncertainty sampling can reduce the amount of manual relevance classification effort and enhance the classifier performance substantially compared to random sampling. Our approach reduces the number of accounts and tweets that are needed for the classifier training, thus making the tool easily and rapidly adaptable to the specific context while also supporting data minimization for Open Source Intelligence (OSINT). Relevant tweets are clustered by a greedy stream clustering algorithm in order to identify significant events. The proposed system is able to work near real-time within the required 15-min time frameand detects up to 93.8% of relevant events with a false alert rate of 14.81%.

Nuno Dionísio,Fernando Alves,Pedro M. Ferreira,Alysson Bessani

DOI: https://doi.org/10.48550/arXiv.1904.01127

2019-04-02

Abstract:To be prepared against cyberattacks, most organizations resort to security information and event management systems to monitor their infrastructures. These systems depend on the timeliness and relevance of the latest updates, patches and threats provided by cyberthreat intelligence feeds. Open source intelligence platforms, namely social media networks such as Twitter, are capable of aggregating a vast amount of cybersecurity-related sources. To process such information streams, we require scalable and efficient tools capable of identifying and summarizing relevant information for specified assets. This paper presents the processing pipeline of a novel tool that uses deep neural networks to process cybersecurity information received from Twitter. A convolutional neural network identifies tweets containing security-related information relevant to assets in an IT infrastructure. Then, a bidirectional long short-term memory network extracts named entities from these tweets to form a security alert or to fill an indicator of compromise. The proposed pipeline achieves an average 94% true positive rate and 91% true negative rate for the classification task and an average F1-score of 92% for the named entity recognition task, across three case study infrastructures.

Machine Learning,Cryptography and Security,Social and Information Networks

Yanxia Qin,Yue Zhang,Min Zhang,Dequan Zheng

2013-01-01

Abstract:Event detection on Twitter is an important and challenging research topic. On the one hand, Twitter provides first-hand information and fast broadcasting. On the other, challenges include short and noisy content, big volume data and fast-changing topics. Dominant approaches for Twitter event detection model events by clustering tweets, words or segments, while segments have been proven to be advantageous over both words and tweets in news event detection. We study segment-based news event detection, for which existing heuristic-based methods suffer from low recall. We propose feature-based event filtering to address this issue. Our filter incorporate a rich family of features that are empirically proven to be valuable. Experimental results show that our event detection system outperforms the state-of-theart baseline with doubled recall and increased precision.

Nidhi Rastogi,Sharmishtha Dutta,Mohammed J. Zaki,Alex Gittens,Charu Aggarwal

DOI: https://doi.org/10.48550/arXiv.2102.05571

2023-01-19

Abstract:Threat intelligence on malware attacks and campaigns is increasingly being shared with other security experts for a cost or for free. Other security analysts use this intelligence to inform them of indicators of compromise, attack techniques, and preventative actions. Security analysts prepare threat analysis reports after investigating an attack, an emerging cyber threat, or a recently discovered vulnerability. Collectively known as cyber threat intelligence (CTI), the reports are typically in an unstructured format and, therefore, challenging to integrate seamlessly into existing intrusion detection systems. This paper proposes a framework that uses the aggregated CTI for analysis and defense at scale. The information is extracted and stored in a structured format using knowledge graphs such that the semantics of the threat intelligence can be preserved and shared at scale with other security analysts. Specifically, we propose the first semi-supervised open-source knowledge graph-based framework, TINKER, to capture cyber threat information and its context. Following TINKER, we generate a Cyberthreat Intelligence Knowledge Graph (CTI-KG) and demonstrate the usage using different use cases.

Cryptography and Security,Artificial Intelligence,Information Retrieval,Machine Learning

Yanxia Qin,Yue Zhang,Min Zhang,Dequan Zheng

DOI: https://doi.org/10.1587/transinf.2017edp7311

2018-01-01

IEICE Transactions on Information and Systems

Abstract:Large scale first-hand tweets motivate automatic event detection on Twitter. Previous approaches model events by clustering tweets, words or segments. On the other hand, event clusters represented by tweets are easier to understand than those represented by words/segments. However, compared to words/segments, tweets are sparser and therefore makes clustering less effective. This article proposes to represent events with triple structures called frames, which are as efficient as, yet can be easier to understand than words/segments. Frames are extracted based on shallow syntactic information of tweets with an unsupervised open information extraction method, which is introduced for domain-independent relation extraction in a single pass over web scale data. This is then followed by bursty frame element extraction functions as feature selection by filtering frame elements with bursty frequency pattern via a probabilistic model. After being clustered and ranked, high-quality events are yielded and then reported by linking frame elements back to frames. Experimental results show that frame-based event detection leads to improved precision over a state-of-the-art baseline segment-based event detection method. Superior readability of frame-based events as compared with segment-based events is demonstrated in some example outputs.

Prasasthy Balasubramanian,Sadaf Nazari,Danial Khosh Kholgh,Alireza Mahmoodi,Justin Seby,Panos Kostakos

2024-02-15

Abstract:The extraction of cyber threat intelligence (CTI) from open sources is a rapidly expanding defensive strategy that enhances the resilience of both Information Technology (IT) and Operational Technology (OT) environments against large-scale cyber-attacks. While previous research has focused on improving individual components of the extraction process, the community lacks open-source platforms for deploying streaming CTI data pipelines in the wild. To address this gap, the study describes the implementation of an efficient and well-performing platform capable of processing compute-intensive data pipelines based on the cloud computing paradigm for real-time detection, collecting, and sharing CTI from different online sources. We developed a prototype platform (TSTEM), a containerized microservice architecture that uses Tweepy, Scrapy, Terraform, ELK, Kafka, and MLOps to autonomously search, extract, and index IOCs in the wild. Moreover, the provisioning, monitoring, and management of the TSTEM platform are achieved through infrastructure as a code (IaC). Custom focus crawlers collect web content, which is then processed by a first-level classifier to identify potential indicators of compromise (IOCs). If deemed relevant, the content advances to a second level of extraction for further examination. Throughout this process, state-of-the-art NLP models are utilized for classification and entity extraction, enhancing the overall IOC extraction methodology. Our experimental results indicate that these models exhibit high accuracy (exceeding 98%) in the classification and extraction tasks, achieving this performance within a time frame of less than a minute. The effectiveness of our system can be attributed to a finely-tuned IOC extraction method that operates at multiple stages, ensuring precise identification of relevant information with low false positives.

Cryptography and Security

Shengsheng Qian,Tianzhu Zhang,Changsheng Xu

DOI: https://doi.org/10.1145/3078971.3079007

2017-01-01

Abstract:Social event is something that occurs at specific place and time associated with some specific actions, and it consists of many stories over time. With the explosion of Web 2.0 platforms, a popular social event that is happening around us and around the world can spread very fast. As a result, social event analysis becomes more and more important for users to understand the whole evolutionary trend of social event over time. However, it is very challenging to do social event analysis because social event data from different social media sites have multi-modal, multi-domain, and large-scale properties. The goal of our research is to design advanced multimedia techniques to deal with the above issues and establish an effective and robust social event analysis framework for social event representation, detection, tracking and evolution analysis. (1) For social event representation, we propose a novel cross-domain collaborative learning algorithm based on non-parametric Bayesian dictionary learning model. It can make use of the shared domain priors and modality priors to collaboratively learn the data's representations by considering the domain discrepancy and the multi-modal property.(2) For social event detection, we propose a boosted multi-modal supervised Latent Dirichlet Allocation model. It can effectively exploit multi-modality information and utilize boosting weighted sampling strategy for large-scale data processing. (3) For social event tracking, we propose a novel multi-modal event topic model, which can effectively model the correlations between textual and visual modalities, and obtain their topics over time. (4) For social event evolution analysis, we propose a novel multi-modal multi-view topic-opinion mining model to conduct fined-grained topic and opinion analysis for social events from multiple social media sites collaboratively. It can discover multi-modal topics and the corresponding opinions over time to understand the evolutionary processes of social event. Extensive experimental results show that the proposed algorithms perform favorably against state-of-the-art methods for social event analysis.

Jun Zhao,Qiben Yan,Jianxin Li,Minglai Shao,Zuti He,Bo Li

DOI: https://doi.org/10.1016/j.cose.2020.101867

2020-08-01

Abstract:<p>Security organizations increasingly rely on Cyber Threat Intelligence (CTI) sharing to enhance resilience against cyber threats. However, its effectiveness remains dubious due to two major limitations: first, the existing approaches fail to identify the unseen types of <em>Indicator of compromise</em> (IOC); second, they are incapable of automatically generating categorized CTIs with domain tags (e.g., finance, government), which makes CTI sharing ineffective. To combat the challenges, this paper proposes TIMiner, a novel automated framework for CTI extraction and sharing based on social media data. Particularly, an efficient domain recognizer based on convolutional neural network is first implemented to identify CTIs' targeted domain. Then, an indicator of compromise (IOC) extraction approach based on word embedding and syntactic dependence is proposed, which provides the ability to identify unseen types of IOCs. Finally, the extracted IOC and its domain tag are integrated to generate a categorized CTI with specific-domain. TIMiner is capable of generating CTIs with domain tags automatically. With the categorized CTIs, <em>Threat-Index</em> is presented to quantify the severity of the threats toward different domains. Experimental results confirm that the proposed CTI domain recognizer and IOC extraction achieve superior performance with the accuracy exceeding 84% and 94%, respectively. Moreover, TIMiner stimulates new insights on the evolution of cyber attacks across multiple domains.</p>

computer science, information systems

Shiguang Wang,Prasanna Giridhar,Lance M. Kaplan,Tarek F. Abdelzaher

DOI: https://doi.org/10.1145/3055601.3055615

2017-01-01

Abstract:This paper proposes an unsupervised framework for tracking real world events from their traces on Twitter and Instagram. Empirical data suggests that event detection from Instagram streams errs on the false-negative side due to the relative sparsity of Instagram data (compared to Twitter data), whereas event detection from Twitter can suffer from false-positives, at least if not paired with careful analysis of tweet content. To tackle both problems simultaneously, we design a unified unsupervised algorithm that fuses events detected originally on Instagram (called I-events) and events detected originally on Twitter (called T-events), that occur in adjacent periods, in an attempt to combine the benefits of both sources while eliminating their individual disadvantages. We evaluate the proposed framework with real data crawled from Twitter and Instagram. The results indicate that our algorithm significantly improves tracking accuracy compared to baselines.

Sicheng Zhao,Yue Gao,Guiguang Ding,Tat-Seng Chua

DOI: https://doi.org/10.1109/TCYB.2017.2762344

Abstract:Detecting events from massive social media data in social networks can facilitate browsing, search, and monitoring of real-time events by corporations, governments, and users. The short, conversational, heterogeneous, and real-time characteristics of social media data bring great challenges for event detection. The existing event detection approaches rely mainly on textual information, while the visual content of microblogs and the intrinsic correlation among the heterogeneous data are scarcely explored. To deal with the above challenges, we propose a novel real-time event detection method by generating an intermediate semantic level from social multimedia data, named microblog clique (MC), which is able to explore the high correlations among different microblogs. Specifically, the proposed method comprises three stages. First, the heterogeneous data in microblogs is formulated in a hypergraph structure. Hypergraph cut is conducted to group the highly correlated microblogs with the same topics as the MCs, which can address the information inadequateness and data sparseness issues. Second, a bipartite graph is constructed based on the generated MCs and the transfer cut partition is performed to detect the events. Finally, for new incoming microblogs, incremental hypergraph is constructed based on the latest MCs to generate new MCs, which are classified by bipartite graph partition into existing events or new ones. Extensive experiments are conducted on the events in the Brand-Social-Net dataset and the results demonstrate the superiority of the proposed method, as compared to the state-of-the-art approaches.

Yawei Jia,Jing Xu,Zhonghu Xu,Kai Xing

DOI: https://doi.org/10.1007/978-3-319-50496-4_33

2016-01-01

Abstract:In the past few years, event detection has drawn a lot of attention. We proposed an efficient method to detect event in this paper. An event is defined as a set of descriptive, collocated keywords in this paper. Intuitively, documents that describe the same event will contain similar sets of keywords. Individual events will form clusters in the graph of keywords for a document collection. We built a network of keywords based on their co-occurrence in documents. We proposed an efficient method which create a keywords weight directed graph named KeyGraph and use community detection method to discover events. Clump of keywords describing an event can be used to analyse the trend of the event. The accuracy of detecting events is over eighty percents with our method.

Soroush Vosoughi,Deb Roy

DOI: https://doi.org/10.48550/arXiv.1605.05134

2016-05-17

Social and Information Networks

Abstract:Twitter has become one of the main sources of news for many people. As real-world events and emergencies unfold, Twitter is abuzz with hundreds of thousands of stories about the events. Some of these stories are harmless, while others could potentially be life-saving or sources of malicious rumors. Thus, it is critically important to be able to efficiently track stories that spread on Twitter during these events. In this paper, we present a novel semi-automatic tool that enables users to efficiently identify and track stories about real-world events on Twitter. We ran a user study with 25 participants, demonstrating that compared to more conventional methods, our tool can increase the speed and the accuracy with which users can track stories about real-world events.

Jun Wu,Xuesong Ye,Yanyuet Man

2023-05-06

Abstract:The rapid and accurate identification of bot accounts in online social networks is an ongoing challenge. In this paper, we propose BOTTRINET, a unified embedding framework that leverages the textual content posted by accounts to detect bots. Our approach is based on the premise that account personalities and habits can be revealed through their contextual content. To achieve this, we designed a triplet network that refines raw embeddings using metric learning techniques. The BOTTRINET framework produces word, sentence, and account embeddings, which we evaluate on a real-world dataset, CRESCI2017, consisting of three bot account categories and five bot sample sets. Our approach achieves state-of-the-art performance on two content-intensive bot sets, with an average accuracy of 98.34% and f1score of 97.99%. Moreover, our method makes a significant breakthrough on four content-less bot sets, with an average accuracy improvement of 11.52% and an average f1score increase of 16.70%. Our contribution is twofold: First, we propose a unified and effective framework that combines various embeddings for bot detection. Second, we demonstrate that metric learning techniques can be applied in this context to refine raw embeddings and improve classification performance. Our approach outperforms prior works and sets a new standard for bot detection in social networks.

Artificial Intelligence,Social and Information Networks