Evaluating the Utilization of Twitter Messages as a Source of Security Alerts
Page 1: Evaluating the Utilization of Twitter Messages as a Source of Security Alerts

These slides by Luiz Arthur Feitosa Santos, Rodrigo Campiolo, Daniel Macêdo Batista and Marco Aurélio Gerosa are licensed under a Creative Commons Attribution - Non-Commercial 3.0 Unported license.

Evaluating the Utilization of Twitter Messages as a Source of Security Alerts

Authors:

Luiz Arthur F. Santos [email protected]

Rodrigo Campiolo [email protected]

Daniel Macêdo Batista [email protected]

Marco Aurélio Gerosa [email protected]

Page 2: Evaluating the Utilization of Twitter Messages as a Source of Security Alerts

Introduction:

● Research Problem:

Delay in the propagation of information about new threats (zero-day vulnerabilities).

Specialized applications are not fully effective against new threats.

● Potential Solutions:

The problem can be mitigated by rapid propagation of alerts.

Use of social networks.


Page 3: Evaluating the Utilization of Twitter Messages as a Source of Security Alerts

Objective:

Analyze a set of Twitter messages to verify whether these messages can help identify and give early warning of potential security problems.

Contributions:

Confirmation that there is collaboration on computer security in social networks.

Characterization of security messages.


Page 4: Evaluating the Utilization of Twitter Messages as a Source of Security Alerts

Hypotheses:

H1 - There is information about computer security in Twitter messages and many of these messages indicate potential threats.

H2 - Twitter reports information security issues before some specialized sites.

H3 - Twitter users are concerned with warning other users about security issues.

Page 5: Evaluating the Utilization of Twitter Messages as a Source of Security Alerts

Methodology:


Page 6: Evaluating the Utilization of Twitter Messages as a Source of Security Alerts

Methodology:


1. Get tweets

a. … Problem X …
b. ... PROBLEM Y … http...
c. ... Problem … X … http...
d. Threat Y ... #virus
e. … @user … Problem X …
f. New Malware Z...
g. X Solution.. http

Searches at 1-minute intervals for 132 days, using the query:

security AND (virus OR worm OR attack OR intrusion OR invasion OR ddos OR hacker OR cracker OR exploit OR malware)

Page 7: Evaluating the Utilization of Twitter Messages as a Source of Security Alerts

Methodology:


Tweet / tweet / TWEET / TwEet

Degree of similarity: 0.5 (tweets with tweets)

3. Similarity and cluster

1a. … Problem X …
1c. ... Problem … X … http...
1e. … @user … Problem X …

2d. Threat Y ... #virus
2b. ... PROBLEM Y … http...

3f. New Malware Z...

4g. X Solution... http


Page 8: Evaluating the Utilization of Twitter Messages as a Source of Security Alerts

Methodology:


2. Get Feeds

a. Problem X... new exploit...
b. Problem Z...


Searches over 2 months of feeds from 30 security websites.

We also used a web crawler.

Page 9: Evaluating the Utilization of Twitter Messages as a Source of Security Alerts

Methodology:



4. Important messages

1a. … Problem X …

3f. New Malware Z...

Degree of similarity: 0.2 (news with tweets)

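The four steps sketched on the methodology slides (filter tweets with the boolean query, normalise case, cluster tweets that are at least 0.5 similar to each other, then keep the clusters that are at least 0.2 similar to some news feed item) can be reproduced end to end. The Python below is an added example written for this page, not the authors' code. The slides do not say which similarity measure or clustering method they used, so Jaccard similarity over lowercased word sets, single-linkage merging, whole-word matching for the query, and all the sample tweets and feed items are assumptions constructed here to mirror the placeholders (Problem X, PROBLEM Y, Malware Z) in the diagram.

```python
import re
from typing import Dict, List, Set, Tuple

# Search query from the slides: security AND (virus OR worm OR ... OR malware).
REQUIRED_TERM = "security"
THREAT_TERMS = {"virus", "worm", "attack", "intrusion", "invasion",
                "ddos", "hacker", "cracker", "exploit", "malware"}

# Similarity thresholds from the methodology slides.
TWEET_THRESHOLD = 0.5   # tweets with tweets
NEWS_THRESHOLD = 0.2    # news with tweets

URL_RE = re.compile(r"https?://\S+")
MENTION_RE = re.compile(r"@\w+")

# Constructed sample data (not from the slides). Tweets a-g mirror the
# placeholders in the diagram; h and i are noise that the query must drop.
TWEETS: Dict[str, str] = {
    "a": "Security: exploit for Problem X hits routers, patch now",
    "b": "SECURITY ATTACK: PROBLEM Y exploited in the wild http://t.co/xxxx",
    "c": "security alert: exploit for Problem X hits routers http://t.co/yyyy",
    "d": "Threat Y attack exploited in the wild #virus security",
    "e": "@user security: exploit for Problem X hits routers, patch now",
    "f": "New Malware Z spreading via email attachments, security teams beware",
    "g": "Problem X Solution: vendor security hotfix blocks the exploit http://t.co/zzzz",
    "h": "New phone has great security features",   # no threat term
    "i": "Malware Z also seen in the wild",          # no 'security'
}
FEEDS: Dict[str, str] = {
    "feed-1": "Problem X: new exploit hits home routers, vendors urge patching",
    "feed-2": "Malware Z spreading by email: what security teams need to know",
}


def tokens(text: str) -> Set[str]:
    """Normalise a message into a set of lowercase words.
    URLs and @mentions are dropped; lowercasing is what makes the
    'Tweet / tweet / TWEET / TwEet' variants on the slide compare equal."""
    text = MENTION_RE.sub(" ", URL_RE.sub(" ", text))
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def matches_query(text: str) -> bool:
    """Apply the boolean search query (assumption: whole-word matching)."""
    words = tokens(text)
    return REQUIRED_TERM in words and bool(words & THREAT_TERMS)


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Jaccard similarity: shared words over all words (assumed measure)."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def cluster(messages: Dict[str, str], threshold: float) -> List[List[str]]:
    """Single-linkage clustering: a message joins (and merges) every cluster
    holding a message at least `threshold` similar to it, else starts a new one."""
    order = {key: i for i, key in enumerate(messages)}
    words = {key: tokens(text) for key, text in messages.items()}
    clusters: List[List[str]] = []
    for key in messages:
        hit = [c for c in clusters
               if any(jaccard(words[key], words[m]) >= threshold for m in c)]
        rest = [c for c in clusters if not any(c is h for h in hit)]
        merged = sorted([m for c in hit for m in c] + [key], key=order.__getitem__)
        clusters = rest + [merged]
    clusters.sort(key=lambda c: order[c[0]])
    return clusters


def important_messages(tweets: Dict[str, str],
                       feeds: Dict[str, str]) -> Tuple[List[List[str]], List[str]]:
    """Steps 1-4 of the slides: filter by query, cluster tweets, then keep the
    clusters that resemble some feed item and report each one's earliest tweet."""
    kept = {k: v for k, v in tweets.items() if matches_query(v)}
    groups = cluster(kept, TWEET_THRESHOLD)
    tweet_words = {k: tokens(v) for k, v in kept.items()}
    feed_words = [tokens(v) for v in feeds.values()]
    important = [members[0] for members in groups
                 if any(jaccard(tweet_words[m], fw) >= NEWS_THRESHOLD
                        for m in members for fw in feed_words)]
    return groups, important


if __name__ == "__main__":
    groups, important = important_messages(TWEETS, FEEDS)
    for n, members in enumerate(groups, 1):
        print(f"cluster {n}: {members}")
    print("important messages:", [f"{k}: {TWEETS[k]}" for k in important])
```

Running it yields the clusters {a, c, e}, {b, d}, {f} and {g} from the diagram and reports tweets a and f as the important messages; tweets h and i are dropped by the query because each satisfies only one side of the AND. The two thresholds pull in opposite directions: the higher tweet-to-tweet threshold keeps paraphrases of unrelated reports from merging, while the lower news-to-tweet threshold tolerates the short, URL-heavy wording of a tweet when it is compared against a longer feed item.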

Page 10: Evaluating the Utilization of Twitter Messages as a Source of Security Alerts

Data Collected:

Twitter - from 28/Apr/2012 to 06/Nov/2012

● Number of tweets: 82,355
● Average number of tweets per day: ~623
● Number of users: 42,340
● With links to URLs: 87.6 %
● With user mentions (@): 37.7 %
● With hashtags (#): 37 %

Feeds - from 01/Apr/2012 to 15/Nov/2012

● Number of feeds: 4,546

Page 11: Evaluating the Utilization of Twitter Messages as a Source of Security Alerts

Data Analysis:

Words most used in security tweets

Searched terms:

Qty     Word
51,197  security
23,030  malware
22,108  attack
10,196  hacker
9,893   virus
5,695   exploit
2,359   ddos
951     worm
816     intrusion
699     invasion
246     cracker

Security terms:

Qty     Word
4,671   android
4,536   flame
4,214   infosec
4,200   news
4,056   cyber
3,270   anti
2,788   computer
2,637   hacking
2,419   iran
2,398   apple
2,336   internet

Page 12: Evaluating the Utilization of Twitter Messages as a Source of Security Alerts

Data Analysis:

Sample of relevant tweets:

Pos   Tweets   Message excerpt

1 512 Malicious code on Adobe Flash player http...

2 463 How Flame virus has changed everything for online security firms ... http://t.co...

3 374 New Java Zero-Day Exploit Hits http...

4 373 Kaspersky Anti-Virus Internet Security ... http://t.co/D0Gqh3RR

438 37 Only 9 of 22 virus scanners block Java exploit http://t.co/rw1sa3jf

439 37 ...Microsoft Services Agreement email notifications lead to latest Java exploit http...

440 36 RT @CompuSec... Hackers, rootkit find place in new novel...

441 36 # Android Map Malware http://t.co/...

1735 10 ...Gevaarlijk wis-virus verwijdert brandende VS-vlag - Er is een nieuwe variant...

1736 10 Valse Amazon-bestelling bevat Java-exploit ... http://t.co/f1KIGG2s via @shareth...

1737 10 ...malware via Java-lek Op de website van de Telegraaf hebben aanvallers kwaadaardige...

1738 10 Mobile Malware On The Rise, Android Most At Risk, Says McAfee http://t.co/iyhKXaxE

Page 13: Evaluating the Utilization of Twitter Messages as a Source of Security Alerts

Data Analysis:

Classification of tweets grouped with the specialized sites.


Classification % Tweets

Relevant 62%

Irrelevant 20%

Spams 10%

Others 8%

82% are related to security!

Page 14: Evaluating the Utilization of Twitter Messages as a Source of Security Alerts

Data Analysis:

Classification of tweets after clustering, evaluating a sample of 100 groups out of a total of 1,738.

Classification % Tweets

Security alerts 60%

General security 31%

Others 9%

91% are related to security!

Page 15: Evaluating the Utilization of Twitter Messages as a Source of Security Alerts

Evaluation of Hypotheses:

H1 - There is information about computer security in Twitter messages and many of these messages indicate potential threats.

82,355 tweets in 132 days, an average of 623.90 tweets per day.

91% of the tweets reported security issues.

60% of the tweets reported security alerts.

Page 16: Evaluating the Utilization of Twitter Messages as a Source of Security Alerts

Evaluation of Hypotheses:

● H2 - Twitter reports information security issues before some specialized sites.

43% of the tweets are dated before the corresponding specialized-site report.

Example:

PHP-CGI query string parameter vulnerability

➢ Posted on 02/May/2012 at CERT.
➢ Posted on Twitter on 04/May/2012.
➢ Cataloged by NIST on 11/May/2012.

Page 17: Evaluating the Utilization of Twitter Messages as a Source of Security Alerts

Evaluation of Hypotheses:

● H3 - Twitter users are concerned with warning other users about security issues.

Page 18: Evaluating the Utilization of Twitter Messages as a Source of Security Alerts

Evaluation of Hypotheses:

● H3 - Twitter users are concerned with warning other users about security issues.

The average propagation time is 12 days.

10 retweets reached ~10,000 users; the last two messages reached 22,468 and 52,074 Twitter users respectively.

The most propagated message reached ~512,000 people.

Page 19: Evaluating the Utilization of Twitter Messages as a Source of Security Alerts

Final Considerations:

● Difficulty selecting tweets (content and size).

● Social networks propagate security alerts.

● The alerts achieve high and rapid spread.

Page 20: Evaluating the Utilization of Twitter Messages as a Source of Security Alerts

Future Work:

● Run new queries using other security terms.

● Improve the filter for spam and out-of-context messages.

● Evaluate security alerts on other social networks.

● Develop an automated security early-warning system based on social networks.

Page 21: Evaluating the Utilization of Twitter Messages as a Source of Security Alerts


Luiz Arthur F. Santos

[email protected]

Rodrigo Campiolo

[email protected]

Daniel Macêdo Batista

[email protected]

Marco Aurélio Gerosa

[email protected]

Thanks / Obrigado!

Questions?