Xiuwen Liu,Jianming Fu,Yanjiao Chen

DOI: https://doi.org/10.1016/j.ins.2020.03.048

IF: 8.1

2020-01-01

Information Sciences

Abstract:The rich source of online reports and discussions on social media can be leveraged to investigate the widespread cyber-attacks. In this paper, we study the problem of cybersecurity event mining based on continuous tweet streams. In contrast to traditional static methods that do not consider event evolution, we explore relevance among historical and online events for cyber-attack event discovery and evolution detection. We propose CyberEM, a novel event evolution model with a special focus on cybersecurity events. A pattern clustering algorithm and an NMF-based (non-negative matrix factorization) event aggregation algorithm are devised for cyber-attack indicator extraction and event evolution detection. We leverage both the patterns that belong to the cybersecurity domain and the patterns of the semantic contexts of cybersecurity to refine evolutionary relevance of events across multiple time intervals. Furthermore, we design a dynamic event inference algorithm to discover cybersecurity events and update event aggregation in an online manner. Through extensive evaluations with a large-scale real-world tweet dataset, we demonstrate the superiority of the proposed CyberEM model over existing methods in identifying cybersecurity events and their evolutionary relevance.

Haishuai Wang,Peng Zhang,Ling Chen,Chengqi Zhang

DOI: https://doi.org/10.1007/978-3-319-19548-3_27

2015-01-01

Abstract:In this paper, we present our recent progress of designing a real-time system, SocialAnalysis, to discover and summarize emergent social events from social media data streams. In social networks era, people always frequently post messages or comments about their activities and opinions. Hence, there exist temporal correlations between the physical world and virtual social networks, which can help us to monitor and track social events, detecting and positioning anomalous events before their outbreakings, so as to provide early warning.The key technologies in the system include: (1) Data denoising methods based on multi-features, which screens out the query-related event data from massive background data. (2) Abnormal events detection methods based on statistical learning, which can detect anomalies by analyzing and mining a series of observations and statistics on the time axis. (3) Geographical position recognition, which is used to recognize regions where abnormal events may happen.

Ju Fan,Jiarong Qiu,Yuchen Li,Qingfei Meng,Dongxiang Zhang,Guoliang Li,Kian-Lee Tan,Xiaoyong Du

DOI: https://doi.org/10.1109/icde.2018.00178

2018-01-01

Abstract:The wide adoption of social networks has brought a new demand on influence analysis. This paper presents OCTOPUS that offers social network users and analysts valuable insights through topic-aware social influence analysis services. OCTOPUS has the following novel features. First, OCTOPUS provides a user-friendly interface that allows users to employ simple and easy-to-use keywords to perform influence analysis. Second, OCTOPUS provides three powerful keyword-based topic-aware influence analysis tools: keyword-based influential user discovery, personalized influential keywords suggestion, and interactive influential paths exploration. These tools can not only discover influential users, but also provide insights on how the users influence the network. Third, OCTOPUS enables online influence analysis, which provides end-users with instant results. We have implemented and deployed OCTOPUS, and demonstrate its usability and efficiency on two social networks.

Silvia Mitter,Claudia Wagner,Markus Strohmaier

DOI: https://doi.org/10.48550/arXiv.1402.6289

2014-02-26

Abstract:Online social networks (OSN) like Twitter or Facebook are popular and powerful since they allow reaching millions of users online. They are also a popular target for socialbot attacks. Without a deep understanding of the impact of such attacks, the potential of online social networks as an instrument for facilitating discourse or democratic processes is in jeopardy. In this extended abstract we present insights from a live lab experiment in which social bots aimed at manipulating the social graph of an online social network, in our case Twitter. We explored the link creation behavior between targeted human users and our results suggest that socialbots may indeed have the ability to shape and influence the social graph in online social networks. However, our results also show that external factors may play an important role in the creation of social links in OSNs.

Social and Information Networks,Physics and Society

Chun-Ming Lai,Xiaoyun Wang,Yunfeng Hong,Yu-Cheng Lin,S. Felix Wu,Patrick McDaniel,Hasan Cam

DOI: https://doi.org/10.23919/CNSM.2017.8256040

2018-02-13

Abstract:Online social network (OSN) discussion groups are exerting significant effects on political dialogue. In the absence of access control mechanisms, any user can contribute to any OSN thread. Individuals can exploit this characteristic to execute targeted attacks, which increases the potential for subsequent malicious behaviors such as phishing and malware distribution. These kinds of actions will also disrupt bridges among the media, politicians, and their constituencies. For the concern of Security Management, blending malicious cyberattacks with online social interactions has introduced a brand new challenge. In this paper we describe our proposal for a novel approach to studying and understanding the strategies that attackers use to spread malicious URLs across Facebook discussion groups. We define and analyze problems tied to predicting the potential for attacks focused on threads created by news media organizations. We use a mix of macro static features and the micro dynamic evolution of posts and threads to identify likely targets with greater than 90% accuracy. One of our secondary goals is to make such predictions within a short (10 minute) time frame. It is our hope that the data and analyses presented in this paper will support a better understanding of attacker strategies and footprints, thereby developing new system management methodologies in handing cyber attacks on social networks.

Social and Information Networks

Zhaobo Luo,Xiaohong Jiang,Yi Feng,Chaolun Xia

DOI: https://doi.org/10.1109/FSKD.2009.737

2009-01-01

Abstract:The variation in dynamic networks may contain information drifting over time, which might imply significant events or behaviors. Taking full use of the variation of a dynamic network, especially the variation of cliques within a dynamic network, has the potential to enable us to partly predict what is going to happen, to bring us early warnings and to provide us a faster response to emergency. As an attempt to utilize this time-related information in social network analysis, a dynamic core detection algorithm is proposed in this paper. To clarify this method, a group of core features are first given, which are applied to abstract dynamic patterns from original data. A relationship network is then created based on these core features, and the core of social network is then generated from this relationship network by relation strength thresholding. This approach is further illustrated in a real-world case study, which is a worldwide terrorist network based on open source data. The experimental results show that this method is able to detect meaningful dynamic core within a social network.

Soumajyoti Sarkar,Mohammad Almukaynizi,Jana Shakarian,Paulo Shakarian

DOI: https://doi.org/10.1007/s13278-019-0603-9

2019-09-30

Social Network Analysis and Mining

Abstract:With the rise in security breaches over the past few years, there has been an increasing need to mine insights from social media platforms to raise alerts of possible attacks in an attempt to defend conflict during competition. In this study, we attempt to build a framework that utilizes unconventional signals from the darkweb forums by leveraging the reply network structure of user interactions with the goal of predicting enterprise-related external cyber attacks. We use both unsupervised and supervised learning models that address the challenges that come with the lack of enterprise attack metadata for ground-truth validation as well as insufficient data for training the models. We validate our models on a binary classification problem that attempts to predict cyber attacks on a daily basis for an organization. Using several controlled studies on features leveraging the network structure, we measure the extent to which the indicators from the darkweb forums can be successfully used to predict attacks. We use information from 53 forums in the darkweb over a span of 17 months for the task. Our framework to predict real-world organization cyber attacks of three different security events suggests that focusing on the reply path structure between groups of users based on random walk transitions and community structures has an advantage in terms of better performance solely relying on forum or user posting statistics prior to attacks.

Zhibo Sun,Carlos E. Rubio-Medrano,Ziming Zhao,Tiffany Bao,Adam Doupe,Gail-Joon Ahn

DOI: https://doi.org/10.1145/3292006.3300036

2019-01-01

Abstract:The studies on underground forums and marketplaces have significantly advanced our understandings of cybercrime workflows and underground economies. Researchers of underground economies have conducted comprehensive studies on public interactions. However, little research focuses on private interactions. The lack of the investigation on private interactions may cause misunderstandings on underground economies, as users in underground forums and marketplaces tend to share the minimal amount of information in public interactions and resort to private messages for follow-up conversations. In this paper, we propose methods to investigate the underground private interactions and we analyze a recently leaked dataset from Nulled.io. We present analyses on the contents and purposes of private messages. In addition, we design machine learning-based models that only use the publicly available information to detect if two underground users privately communicate with each other. Finally, we perform adversarial analysis to evaluate the robustness of the detector to different types of attacks.

Carlos A. Freitas,Fabrício Benevenuto,Saptarshi Ghosh,Adriano Veloso

DOI: https://doi.org/10.48550/arXiv.1405.4927

2014-05-20

Abstract:Data extracted from social networks like Twitter are increasingly being used to build applications and services that mine and summarize public reactions to events, such as traffic monitoring platforms, identification of epidemic outbreaks, and public perception about people and brands. However, such services are vulnerable to attacks from socialbots $-$ automated accounts that mimic real users $-$ seeking to tamper statistics by posting messages generated automatically and interacting with legitimate users. Potentially, if created in large scale, socialbots could be used to bias or even invalidate many existing services, by infiltrating the social networks and acquiring trust of other users with time. This study aims at understanding infiltration strategies of socialbots in the Twitter microblogging platform. To this end, we create 120 socialbot accounts with different characteristics and strategies (e.g., gender specified in the profile, how active they are, the method used to generate their tweets, and the group of users they interact with), and investigate the extent to which these bots are able to infiltrate the Twitter social network. Our results show that even socialbots employing simple automated mechanisms are able to successfully infiltrate the network. Additionally, using a $2^k$ factorial design, we quantify infiltration effectiveness of different bot strategies. Our analysis unveils findings that are key for the design of detection and counter measurements approaches.

Social and Information Networks,Physics and Society

Quanyan Zhu,Andrew Clark,Radha Poovendran,Tamer Basar

DOI: https://doi.org/10.48550/arXiv.1207.5844

2012-07-25

Abstract:As social networking sites such as Facebook and Twitter are becoming increasingly popular, a growing number of malicious attacks, such as phishing and malware, are exploiting them. Among these attacks, social botnets have sophisticated infrastructure that leverages compromised users accounts, known as bots, to automate the creation of new social networking accounts for spamming and malware propagation. Traditional defense mechanisms are often passive and reactive to non-zero-day attacks. In this paper, we adopt a proactive approach for enhancing security in social networks by infiltrating botnets with honeybots. We propose an integrated system named SODEXO which can be interfaced with social networking sites for creating deceptive honeybots and leveraging them for gaining information from botnets. We establish a Stackelberg game framework to capture strategic interactions between honeybots and botnets, and use quantitative methods to understand the tradeoffs of honeybots for their deployment and exploitation in social networks. We design a protection and alert system that integrates both microscopic and macroscopic models of honeybots and optimally determines the security strategies for honeybots. We corroborate the proposed mechanism with extensive simulations and comparisons with passive defenses.

Social and Information Networks,Cryptography and Security,Computer Science and Game Theory

David Koll,Martin Schwarzmaier,Jun Li,Xiang-Yang Li,Xiaoming Fu

DOI: https://doi.org/10.1109/icdcsw.2017.67

2017-01-01

Abstract:Online Social Networks (OSNs) have become a rewarding target for attackers. One particularly popular attack is the Sybil attack, in which the adversary creates many fake accounts called Sybils in order to, for instance, distribute spam or manipulate voting results. A first generation of defense systems tried to detect these Sybils by analyzing changes in the structure of the OSN graph unfortunately with limited success. Based on these efforts a second generation of solutions enriches the graph structural approaches with higher-level user features in order to detect Sybil nodes more efficiently. In this work we provide an in-depth analysis of these defenses. We describe their common design and working principles, analyze their vulnerabilities, and design simple yet effective attack strategies that an adversary could launch to circumvent these systems. In our evaluation we reveal that an miscreant can exploit the credulity of OSN users and follow a targeted attack strategy to successfully avoid detection by all existing approaches.

Soumajyoti Sarkar,Mohammad Almukaynizi,Jana Shakarian,Paulo Shakarian

DOI: https://doi.org/10.48550/arXiv.1811.06537

2018-11-16

Abstract:With rise in security breaches over the past few years, there has been an increasing need to mine insights from social media platforms to raise alerts of possible attacks in an attempt to defend conflict during competition. We use information from the darkweb forums by leveraging the reply network structure of user interactions with the goal of predicting enterprise cyber attacks. We use a suite of social network features on top of supervised learning models and validate them on a binary classification problem that attempts to predict whether there would be an attack on any given day for an organization. We conclude from our experiments using information from 53 forums in the darkweb over a span of 12 months to predict real world organization cyber attacks of 2 different security events that analyzing the path structure between groups of users is better than just studying network centralities like Pagerank or relying on the user posting statistics in the forums.

Social and Information Networks

Steve Kim,Anubhav Nagpal.,R. Ian,Anthony Glover,Marilyn H. Silva

Abstract:The usage of Social Network Sites has increased rapidly in recent years. The area of Social Networking currently has many security issues. Since the success of a Social Network Site depends on the number of users it attracts, there is pressure on providers of Social Network sites to design systems that encourage behavior which increases both the number of users and their connections. However, like any fast-growing technology, security has not been a high priority in the development of Social Network Sites. As a result, along with the benefits of Social Network Sites, significant security risks have resulted. Providing Social Network Site users with tools which will help protect them is ideal. Making tools available to users which can provide the ability to retrieve other online user information via chat, website, along other tools which can be installed on the user’s computer will be ideal in helping to tackle such issues. These will be the tools addressed in the paper.

Computer Science,Engineering

Yang Yang,Jianfei Wang,Yutao Zhang,Wei Chen,Jing Zhang,Honglei Zhuang,Zhilin Yang,Bo Ma,Zhanpeng Fang,Sen Wu,Xiaoxiao Li,Debing Liu,Jie Tang

DOI: https://doi.org/10.1145/2487575.2487720

2013-01-01

Abstract:Online social networks become a bridge to connect our physical daily life and the virtual Web space, which not only provides rich data for mining, but also brings many new challenges. In this paper, we present a novel Social Analytic Engine (SAE) for large online social networks. The key issues we pursue in the analytic engine are concerned with the following problems: 1) at the micro-level, how do people form different types of social ties and how people influence each other? 2) at the meso-level, how do people group into communities? 3) at the macro-level, what are the hottest topics in a social network and how the topics evolve over time?We propose methods to address the above questions. The methods are general and can be applied to various social networking data. We have deployed and validated the proposed analytic engine over multiple different networks and validated the effectiveness and efficiency of the proposed methods.

Affan Yasin,Rubia Fatima,Lin Liu,Jianmin Wang,Raian Ali,Ziqi Wei

DOI: https://doi.org/10.1002/spy2.161

2021-01-01

Security and Privacy

Abstract:Malicious scammers and social engineers are causing great harms to modern society, as they have led to the loss of data, information, money, and many more for individuals and companies. Knowledge about social engineering (SE) is wide‐spread and it exits in non‐academic papers and communication channels. Knowledge is mostly based on expert opinion and experience reports. Such knowledge, if articulated, can provide a valid source of knowledge and information. We performed the analysis of such sources, guided by academic principles around SE, and solicit existing SE scenarios from public awareness education materials, news stories, research literature, official advisories to public departments. We adopted grounded theory to extract the general knowledge behind SE, such as, attacking cycles, information gathering strategies, psychological principles, attack vectors, and so on. In this article, we aim to review and synthesize a body of knowledge (rationale and motivation of social engineers). The study aims to: (a) understand the rationale of social engineers; (b) capture the knowledge of SE attacks and extract important information from the sources; (c) propose an activity for counteracting SE attacks, and how it can be used in security education.

Michalis Kallitsis,Vasant Honavar,Rupesh Prajapati,Dinghao Wu,John Yen

DOI: https://doi.org/10.48550/arXiv.2108.00079

2021-08-06

Abstract:Network telescopes or "Darknets" provide a unique window into Internet-wide malicious activities associated with malware propagation, denial of service attacks, scanning performed for network reconnaissance, and others. Analyses of the resulting data can provide actionable insights to security analysts that can be used to prevent or mitigate cyber-threats. Large Darknets, however, observe millions of nefarious events on a daily basis which makes the transformation of the captured information into meaningful insights challenging. We present a novel framework for characterizing Darknet behavior and its temporal evolution aiming to address this challenge. The proposed framework: (i) Extracts a high dimensional representation of Darknet events composed of features distilled from Darknet data and other external sources; (ii) Learns, in an unsupervised fashion, an information-preserving low-dimensional representation of these events (using deep representation learning) that is amenable to clustering; (iv) Performs clustering of the scanner data in the resulting representation space and provides interpretable insights using optimal decision trees; and (v) Utilizes the clustering outcomes as "signatures" that can be used to detect structural changes in the Darknet activities. We evaluate the proposed system on a large operational Network Telescope and demonstrate its ability to detect real-world, high-impact cybersecurity incidents.

Cryptography and Security,Machine Learning

Theodore Longtchi,Rosana Montañez Rodriguez,Laith Al-Shawaf,Adham Atyabi,Shouhuai Xu

DOI: https://doi.org/10.48550/arXiv.2203.08302

2022-03-15

Cryptography and Security

Abstract:Social engineering attacks are a major cyber threat because they often serve as a first step for an attacker to break into an otherwise well-defended network, steal victims' credentials, and cause financial losses. The problem has received due amount of attention with many publications proposing defenses against them. Despite this, the situation has not improved. In this paper, we aim to understand and explain this phenomenon by looking into the root cause of the problem. To this end, we examine the literature on attacks and defenses through a unique lens we propose -- {\em psychological factors (PFs) and techniques (PTs)}. We find that there is a big discrepancy between attacks and defenses: Attacks have deliberately exploited PFs by leveraging PTs, but defenses rarely take either of these into consideration, preferring technical solutions. This explains why existing defenses have achieved limited success. This prompts us to propose a roadmap for a more systematic approach towards designing effective defenses against social engineering attacks.

Amy Sliva,Kai Shu,Huan Liu

DOI: https://doi.org/10.1007/978-3-319-94709-9_62

2018-06-27

Abstract:As networked and computer technologies continue to pervade all aspects of our lives, the threat from cyber attacks has also increased. However, detecting attacks, much less predicting them in advance, is a non-trivial task due to the anonymity of cyber attackers and the ambiguity of network data collected within an organization; often, by the time an attack pattern is recognized, the damage has already been done. Evidence suggests that the public discourse in external sources, such as news and social media, is often correlated with the occurrence of larger phenomena, such as election results or violent attacks. In this paper, we propose an approach that uses sentiment polarity as a sensor to analyze the social behavior of groups on social media as an indicator of cyber at-tack behavior. We developed an unsupervised sentiment prediction method that uses emotional signals to enhance the sentiment signal from sparse textual indicators. To explore the efficacy of sentiment polarity as an indicator of cyber-attacks, we performed experiments using real-world data from Twitter that corresponds to attacks by a well-known hacktivist group.

Raymond Y. K. Lau,Yunqing Xia

DOI: https://doi.org/10.7763/ijfcc.2013.v2.187

2013-01-01

International Journal of Future Computer and Communication

Abstract:Recent research reveals that the number of cyber-attacks has been doubled in the past three years. This is a devastating growth of the number of cyber-attacks, and it reveals a serious business problem around the world. Existing intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and anti-malware systems mainly rely on low-level network traffic features or program code signatures to detect cyber-attacks. However, since hackers can constantly change their attack tactics by, it is extremely difficult for existing security solutions to detect cyber-attacks. There are increasing more evidences showing that cybercriminals tend to exchange cybercrime knowledge and transact via online social media. Accordingly, it presents unprecedented opportunities for security intelligence experts to tap into online social media to extract the vital security intelligence for cyber-attack forensics. The main contributions of this paper are the design, development, and evaluation of a Latent Dirichlet Allocation (LDA)-based latent text mining model for cyber-attack forensics. Our preliminary evaluation of the proposed latent text mining model based on a real-world data set crawled from Twitter and Blog sites shows that it significantly outperforms the probabilistic latent semantic indexing (pLSI) method in terms of extracting more relevant and richer concepts describing real-world cyber-attack incidents.

H. Vicky Zhao,K. J. Ray Liu

DOI: https://doi.org/10.1109/jstsp.2010.2051256

IF: 7.695

2010-01-01

IEEE Journal of Selected Topics in Signal Processing

Abstract:Users in video-sharing social networks actively interact with each other, and it is of critical importance to model user behavior and analyze the impact of human factors on video sharing systems. In video-sharing social networks, users have access to extra resources from their peers, and they also contribute their own resources to help others. Each user wants to maximize his/her own payoff, and they negotiate with each other to achieve fairness and address this conflict. However, some selfish users may cheat to their peers and manipulate the system to maximize their own payoffs, and cheat prevention is a critical requirement in many social networks to stimulate user cooperation. It is of ample importance to design monitoring mechanisms to detect and identify misbehaving users, and to design cheat-proof cooperation stimulation strategies. Using video fingerprinting as an example, this paper analyzes the complex dynamics among colluders during multiuser collusion, and explores possible monitoring mechanisms to detect and identify misbehaving colluders in multiuser collusion. We consider two types of colluder networks: one has a centralized structure with a trusted ringleader, and the other is a distributed peer-structured network. We investigate the impact of network structures on misbehavior detection and identification, propose different selfish colluder identification schemes for different colluder networks, and analyze their performance. We show that the proposed schemes can accurately identify selfish colluders without falsely accusing others even under attacks. We also evaluate their robustness against framing attacks and quantify the maximum number of framing colluders that they can resist.