Marc Lemercier

SPOT 1.0: Scoring Suspicious Profiles on Twitter

Everyday more than fifty million messages are generated by about two hundred million profiles on Twitter. Some users attempt to exploit the success of this micro logging platform and its relative freedom to perform malicious actions that can lead to identity or data theft. This work aims to propose a framework to assess suspicious behavior on Twitter. We present a tool developed for Scoring Suspicious Profiles On Twitter (SPOT1.0) through a three-dimensional indicator that involves the degree of aggressiveness, the visibility and the level of danger.

Multi-layer Crisis Mapping: A Social Media-Based Approach

During the sudden catastrophic events that have occurred in this last decade, social media have proven their importance in the creation and management of ad-hoc crisis communities. These platforms are increasingly used as complementary support tools for conventional crisis management teams. Recent disasters (e.g. Haiti, Australia, Japan, Mexico, etc.) have demonstrated their real potential in providing support to emergency operations for crisis management. However, several questions remain unanswered regarding the efficiency of their usage and especially their integration into the conventional information collection systems (technological sensors, cameras, SMS, etc.) usually used for crisis mapping. This paper aims to present multi-layer crisis mapping using a social media-based approach. We propose a generic step-by-step methodology as an integrated approach that connects a set of needs to a set of appropriate responses. The concept presented in this paper is the need/solution matrix, which plays a key role in the design of a multi-layer crisis map. The paper ends with an experiment with the well-known Twitter microblogging platform.

Indirect Information Linkage for OSINT through Authorship Analysis of Aliases

In this paper we examine the problem of automatically linking online accounts for open source intelligence gathering. We specifically aim to determine if two social media accounts are shared by the same author, without the use of direct linking evidence. We profile the accounts using authorship analysis and find the best matching guess. We apply this to a series of Twitter accounts identified as malicious by a methodology named SPOT and find several pairs of accounts that belong to the same author, despite no direct evidence linking the two. Overall, our results show that linking aliases is possible with an accuracy of 84%, and using our automated threshold method improves our accuracy to over 90% by removing incorrectly discovered matches.

The Multi-layer Imbrication for Data Leakage Prevention from Mobile Devices

The convergence of mobile and online social network technologies has led to the emergence of mobile social applications available through stores for mobile devices. Nowadays, one can observe the proliferation of mobile social networks and the diversity of digital profiles for a unique person. In this work, we propose to model the multiple facets of one digital life from the data available on his smartphone. More specifically, we investigate the interactions and connections that may exist between the multiple digital faces of an individual. We provide a set of indicators that measure the level of imbrication of a contact that belongs to the egocentric social network of a smartphone user. We prove the efficiency of these features for the detection of illegitimate contacts by link prediction on a case study of Facebook. This application shows that local information stored on mobile devices can participate to the prevention of data leakage on online social networks.

A dynamic approach to detecting suspicious profiles on social platforms

The combined success of social networking sites and smartphones has changed the way people communicate. It is now possible to publish and track contents in real time at any time and from anywhere. The large number of users on social platforms constitutes an unprecedented opportunity for attack for malicious users. Social engineering techniques, spammers, phishing and malicious attacks are examples of threats that can lead to data loss, data theft, identity theft, etc. The detection of suspicious messages or profiles is mainly covered in the literature as a binary and static classification problem. In this paper, we propose a dynamic behavioral framework for identifying suspicious profiles on social networking sites. This approach is based on three indicators: balance, energy and anomaly, synthesized from daily activities of users. We demonstrate that sensing users regularly, even on few indicators, enables suspicious behaviour to be predicted with a high level of accuracy. The low calculation costs of the approach makes it embeddable into smartphones of social networking users for inferring trust scores to their contacts.

A smartphone-based online social network trust evaluation system

Abstract The number of smartphone users has increased significantly over the last decade. The number of people using social networking sites is also increasing, and these platforms offer many features through which individuals can communicate with their contacts. The digital sphere is an opportunity for communication, but it is also an unprecedented arena for malicious attacks. The high quantity of personal and/or sensitive data, coupled with the large number of users, is one of the main motivations of malicious actors. We introduce in this paper a novel trust indicator for evaluating the contacts of an online social network user. This analysis is particularly important since the security policy of online social networks rests on the principle that a user’s contact is a person of trust. This assumption, not always verified as true, gives any number of people access to personal information. To address this problem, we propose applying a multi-layer model and extend it by proposing overlapping features that highlight the level of overlap of a contact belonging to the set of social networking friends of a smartphone user. We prove the efficiency of these features in evaluating trust using a case study with Facebook and Twitter.

Robust clustering methods for detecting smartphone's abnormal behavior

Smartphones have become increasingly popular, and, nowadays, thanks to the use of 3G networks, the need for connectivity in a business environment is significant. Smartphones provide access to a tremendous amount of sensitive information related to business, such as customer contacts, financial data and Intranet networks. If any of this information were to fall into the hands of hackers, it would be devastating for the company. In this paper, we propose a cluster-based approach to detecting abnormal behaviour in smartphone applications. First we carry out various robust clustering techniques that help to identify and regroup applications that exhibit similar behaviour. The clustering results are then used to define a cluster-based outlier factor for each application, which in turn identifies the top n malware applications. Initial results of the experiments prove the efficiency and accuracy of cluster-based approaches in detecting abnormal smartphone applications and those with a low false-alert rate.

Diagnosing smartphone's abnormal behavior through robust outlier detection methods

Smartphones have become increasingly popular and nowadays with the using of 3G networks, the needs in terms of connectivity in a business environment are substantial. Malicious use of such devices is highly dangerous since users may be victims of such use. In this paper, we present two statistical methods (Minimum Covariance Determinant (MCD) and Minimum Volume Ellipsoid (MVE) used to detect abnormal smartphones applications. Initial experiments results prove the efficiency and the accuracy of the MVE and MCD in detecting abnormal smartphones applications.

REPLOT: REtrieving profile links on Twitter for suspicious networks detection

In the last few decades social networking sites have encountered their first large-scale security issues. The high number of users associated with the presence of sensitive data (personal or professional) is certainly an unprecedented opportunity for malicious activities. As a result, one observes that malicious users are progressively turning their attention from traditional e-mail to online social networks to carry out their attacks. Moreover, it is now observed that attacks are not only performed by individual profiles, but that on a larger scale, a set of profiles can act in coordination in making such attacks. The latter are referred to as malicious social campaigns. In this paper, we present a novel approach that combines authorship attribution techniques with a behavioural analysis for detecting and characterizing social campaigns. The proposed approach is performed in three steps: first, suspicious profiles are identified from a behavioural analysis; second, connections between suspicious profiles are retrieved using a combination of authorship attribution and temporal similarity; third, a clustering algorithm is performed to identify and characterise the suspicious campaigns obtained. We provide a real-life application of the methodology on a sample of 1,000 suspicious Twitter profiles tracked over a period of forty days. Our results show that a large set of suspicious profiles behaves in coordination (70%) and propagates mainly, but not only, trustworthy URLs on the online social network. Among the three largest detected campaigns, we have highlighted that one represents an important security issue for the platform by promoting a significant set of malicious URLs.

A Gaussian mixture model for dynamic detection of abnormal behavior in smartphone applications

Nowadays smartphones get increasingly popular which also attracted hackers. With the increasing capabilities of such phones, more and more malicious softwares targeting these devices have been developed. Malwares can seriously damage an infected device within seconds. This paper focus on the aggregation of a popular probabilistic model: the Gaussian mixture model, for a dynamic detection of the abnormal behavior in smartphone applications. More precisely, we propose to apply a mixture model estimation technique on the behavior of applications, for density modeling and data clustering. The mixture models of the different smartphones are then aggregated to estimate the global model that reflecting the probability density of the global data set. Furthermore, we carry out a model-based clustering outlier detection to compute an anomaly score for each application, leading to identify the malware applications. Initial experiments results prove the efficiency and the accuracy of the model-based clustering in detecting abnormal applications with a low false alerts rate.