Real-time classification of malicious URLs on Twitter using machine activity data
Title | Real-time classification of malicious URLs on Twitter using machine activity data |
Publication Type | Conference Paper |
Year of Publication | 2015 |
Authors | Burnap, P., Javed, A., Rana, O. F., Awan, M. S. |
Conference Name | 2015 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM) |
Date Published | August |
Keywords | Computer crime, Cricket World Cup, cyber criminals, Data models, drive-by-download, invasive software, machine activity data, machine activity logs, machine classification system, malicious server, malicious software, malicious software behaviour, Malware, online social networks, pattern classification, pubcrawl170109, real-time malicious URL classification, Real-time Systems, social networking (online), Superbowl, Twitter, Twitter data, Uniform resource locators, user machines, Web pages |
Abstract | Massive online social networks with hundreds of millions of active users are increasingly being used by cyber criminals to spread malicious software (malware) to exploit vulnerabilities on the machines of users for personal gain. Twitter is particularly susceptible to such activity as, with its 140-character limit, it is common for people to include URLs in their tweets to link to more detailed information, evidence, news reports and so on. URLs are often shortened so the endpoint is not obvious before a person clicks the link. Cyber criminals can exploit this to propagate malicious URLs on Twitter, for which the endpoint is a malicious server that performs unwanted actions on the person's machine. This is known as a drive-by-download. In this paper we develop a machine classification system to distinguish between malicious and benign URLs within seconds of the URL being clicked (i.e. 'real-time'). We train the classifier using machine activity logs created while interacting with URLs extracted from Twitter data collected during a large global event - the Superbowl - and test it using data from another large sporting event - the Cricket World Cup. The results show that machine activity logs produce precision performances of up to 0.975 on training data from the first event and 0.747 on test data from a second event. Furthermore, we examine the properties of the learned model to explain the relationship between machine activity and malicious software behaviour, and build a learning curve for the classifier to illustrate that very small samples of training data can be used with only a small detriment to performance. |
DOI | 10.1145/2808797.2809281 |
Citation Key | burnap_real-time_2015 |