Issue No.03 - May-June (2013 vol.10)
pp: 183-195
Sangho Lee, Pohang University of Science and Technology (POSTECH), Pohang
Jong Kim, Pohang University of Science and Technology (POSTECH), Pohang
ABSTRACT
Twitter is prone to malicious tweets containing URLs for spam, phishing, and malware distribution. Conventional Twitter spam detection schemes utilize account features such as the ratio of tweets containing URLs and the account creation date, or relation features in the Twitter graph. These detection schemes are ineffective against feature fabrications or consume much time and resources. Conventional suspicious URL detection schemes utilize several features including lexical features of URLs, URL redirection, HTML content, and dynamic behavior. However, evading techniques such as time-based evasion and crawler evasion exist. In this paper, we propose WarningBird, a suspicious URL detection system for Twitter. Our system investigates correlations of URL redirect chains extracted from several tweets. Because attackers have limited resources and usually reuse them, their URL redirect chains frequently share the same URLs. We develop methods to discover correlated URL redirect chains using the frequently shared URLs and to determine their suspiciousness. We collect numerous tweets from the Twitter public timeline and build a statistical classifier using them. Evaluation results show that our classifier accurately and efficiently detects suspicious URLs. We also present WarningBird as a near real-time system for classifying suspicious URLs in the Twitter stream.
INDEX TERMS
Twitter, Feature extraction, Crawlers, Servers, IP networks, Browsers, Training, classification, Suspicious URL, twitter, URL redirection, conditional redirection
CITATION
Sangho Lee, Jong Kim, "WarningBird: A Near Real-Time Detection System for Suspicious URLs in Twitter Stream", IEEE Transactions on Dependable and Secure Computing, vol. 10, no. 3, pp. 183-195, May-June 2013, doi:10.1109/TDSC.2013.3