Research:Spambot detection system to support stewards/Literature review

From Meta, a Wikimedia project coordination wiki

This page contains excerpts on spam detection features from relevant academic literature, including approaches for Wikipedia and for social media platforms.

Wikipedia

Green et al. (2017)

Spam users identification in Wikipedia via editing behavior[1]:

  • User’s edit size based features: average size of edits, standard deviation of edit sizes, variance significance.
  • Editing time behavior based features: average time between edits, standard deviation of time between edits.
  • Links in edit based features: unique link ratio, link ratio in edits, talk page edit ratio.
  • Username based features: number of digits in a username, the ratio of digits in a username, the number of leading digits in a username, the unique character ratio in a username.
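A sketch of how these per-user features can be computed from an edit history, added here as an illustration and not taken from Green et al. The record fields (`ts`, `size`, `added`, `talk`), the link regex and the exact ratio definitions are assumptions, the sample edits are constructed, and "variance significance" is left out because the page does not define it.

```python
import re
from statistics import mean, pstdev

DIGITS = "0123456789"
LINK_RE = re.compile(r"https?://[^\s\]|<>]+")  # external URLs in added wikitext

def username_features(name):
    """Username-based features; `name` must be non-empty."""
    digits = sum(c in DIGITS for c in name)
    return {
        "digits": digits,
        "digit_ratio": digits / len(name),
        "leading_digits": len(name) - len(name.lstrip(DIGITS)),
        "unique_char_ratio": len(set(name)) / len(name),
    }

def edit_features(edits):
    """Behaviour features for one user (assumed record layout, see lead-in).

    edits: non-empty list of dicts with ts (epoch seconds), size (bytes changed),
    added (text inserted by the edit) and talk (True for talk-page edits).
    """
    edits = sorted(edits, key=lambda e: e["ts"])
    sizes = [e["size"] for e in edits]
    gaps = [b["ts"] - a["ts"] for a, b in zip(edits, edits[1:])]
    links = [u for e in edits for u in LINK_RE.findall(e["added"])]
    edits_with_link = sum(1 for e in edits if LINK_RE.search(e["added"]))
    return {
        "avg_size": mean(sizes),
        "std_size": pstdev(sizes),
        "avg_gap": mean(gaps) if gaps else 0.0,
        "std_gap": pstdev(gaps) if gaps else 0.0,
        # Assumed definitions: distinct links / all links, and edits with a link / all edits.
        "unique_link_ratio": len(set(links)) / len(links) if links else 0.0,
        "link_ratio_in_edits": edits_with_link / len(edits),
        "talk_edit_ratio": sum(e["talk"] for e in edits) / len(edits),
    }

# Constructed sample: regular timing, near-constant size, repeated links.
SAMPLE_EDITS = [
    {"ts": 0, "size": 120, "added": "Buy now http://shop.example/a", "talk": False},
    {"ts": 60, "size": 120, "added": "Best deals http://shop.example/a", "talk": False},
    {"ts": 120, "size": 120, "added": "See http://shop.example/b", "talk": False},
    {"ts": 180, "size": 40, "added": "thanks for the welcome", "talk": True},
]

if __name__ == "__main__":
    print(username_features("88cheapmeds2024"))
    print(edit_features(SAMPLE_EDITS))
```
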

Kumar et al. (2015)

A Wikipedia vandal early warning system[2]:

  • Consecutive re-edit, slowly.
  • Consecutive re-edit, very fast.
  • Consecutive re-edit of a meta-page.
  • Consecutive re-edit of a non-meta-page.
  • Consecutive re-edit of a meta-page, very fast.
  • Consecutive re-edit of a meta-page, fast.
  • Consecutive re-edit of a meta-page, slowly.
  • Consecutively re-edit fast and consecutively re-edit very fast.
  • First edit meta-page.
  • Edit of a new page at distance at most 3 hops, slowly.
  • Edit of a new page at distance at most 3 hops slowly and twice.

Adler et al. (2011)

Wikipedia vandalism detection combining natural language, metadata, and reputation features[3]:

  • Metadata: whether editor is anonymous/registered, length (in chars) of revision comment left, size difference between prev. and current versions, time since article (of edit) last modified, time when edit made (UTC, or local w/geolocation), local day-of-week when edit made (per geolocation), time since editor’s first Wikipedia edit, time since editor last caught vandalizing, size of new article version relative to the old one, is author of current edit same as previous?
  • Reputation: reputation for editor via behavior history, reputation for geographical region (editor groups), reputation for article (on which edit was made), reputation for topical category (article groups), histogram of text trust distribution after edit, histogram of text trust distribution before edit, change in text trust histogram due to edit.
  • Text: ratio of numerical chars. to all chars, ratio of alpha-numeric chars. to all chars, ratio of upper-case chars. to all chars, ratio of upper-case chars. to lower-case chars, length of longest consecutive sequence of single char, length of longest token, average relative frequency of inserted words, compression rate of inserted text, per LZW, Kullback-Leibler divergence of char. distribution, length of the previous version of the article.
  • Language: freq./impact of vulgar and offensive words, freq./impact of first and second person pronouns, freq./impact of colloquial words w/high bias, freq./impact of non-vulgar sex-related words, freq./impact of miscellaneous typos/colloquialisms, freq./impact of previous five factors in combination, freq./impact of “good words”; wiki-syntax elements, is rev. comment indicative of a revert?
  • Not zero-delay (only appropriate for historical vandalism detection): is the editor of the next edit registered?, is the editor of next edit same as current?, time between current edit and next on same page, number of later edits useful for implicit feedback, length of revision comment for next revision, is next edit comment indicative of a revert?, average of implicit feedback from judges, worst feedback from any judge, how close QUALITY AVG is to QUALITY MIN, max reverts possible given QUALITY AVG, editor rep. per WikiTrust (permitting future data), measure of relevance of implicit feedback.

West et al. (2011a)

Autonomous link spam detection in purely collaborative environments[4]:

  • Wikipedia: top-level domain of the URL (e.g., *.com or *.edu), length (in characters) of the URL being added, whether the URL points to a broad domain/folder or specific file, quantity of subdomains in the URL (i.e., sub.example.com = 3), whether the link was added per a special reference/citation format, where in the article the link was added (as function of article length), length (in characters) of the hypertext description of added link, whether the link/URL is found on the article’s discussion page, age of the article to which link was added (i.e., time-since creation).
  • Landing site: measure of the prevalence of profane language on the landing site, quantity of images displayed on the landing site, size (in bytes) of the textual content on the landing site, ratio of raw content-size to compressed size; speaks to repetitiveness, length of the HTML title, in characters (i.e., <title>...</title>), quantity of HTML <meta keywords="w1, w2, ..., wn"> on site, average word length of visible textual content on the landing site, measure of the commercial intent of the landing site.
  • Third-party: whether the landing site is topic-similar to Wikipedia article of addition, whether or not the URL contains adult content, load time of landing site, as a percentile of all sites, time that the landing site has been online, continent to which the whois registration of site maps, whether URL is active on the Safe-Browsing “malware” list, whether URL is active on the Safe-Browsing “phishing” list.
  • Aggregate: historical time-decayed measure of vandalism/controversy on article, quantity of citations/references in the article of link addition, length of the Wikipedia article to which the link was added, article visitors in last t ∈ {hour, day, week, month, 6-months}, article edits committed in last t ∈ {hour, day, week, month, 6-months}, links to URL added in last t ∈ {hour, day, week, month, 6-months}, links to domain added in last t ∈ {hour, day, week, month, 6-months}, historical, time-decayed measure of spam-iness for added URL, of all the times the URL has been linked, the % added by the current editor, historical, time-decayed measure of spam-iness for added domain, of all the times the domain has been linked, the % added by the current editor, length (in characters) of the revision summary, time-of-day when the link was added (UTC locale), day-of-week when the link was added (UTC locale), quantity of incoming links to landing site, meta-feature speaking to site’s historical traffic patterns.
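The "Wikipedia" feature group above can be read straight off a revision diff. The following added example (not code from West et al.) extracts the external links an edit introduces and computes several of those features. The function name, the regexes for bracketed links and `<ref>` spans, and the sample wikitext are assumptions made for illustration; the host label count follows the page's convention that sub.example.com = 3.

```python
import re
from urllib.parse import urlsplit

# Bracketed external link in wikitext: [http://host/path optional description]
EXT_LINK = re.compile(r"\[(https?://[^\s\]]+)(?:\s+([^\]]*))?\]")
REF_SPAN = re.compile(r"<ref[^>/]*>.*?</ref>", re.S | re.I)

def added_link_features(old_text, new_text):
    """Return one feature dict per external link in new_text that old_text lacks."""
    old_urls = {m.group(1) for m in EXT_LINK.finditer(old_text)}
    ref_spans = [m.span() for m in REF_SPAN.finditer(new_text)]
    rows = []
    for m in EXT_LINK.finditer(new_text):
        url, desc = m.group(1), (m.group(2) or "").strip()
        if url in old_urls:
            continue  # link already present before this edit
        parts = urlsplit(url)
        labels = (parts.hostname or "").split(".")
        last_segment = parts.path.rsplit("/", 1)[-1]
        rows.append({
            "url": url,
            "tld": labels[-1],
            "url_length": len(url),
            "host_labels": len(labels),            # sub.example.com = 3
            "specific_file": "." in last_segment,  # file vs. broad domain/folder
            "in_ref": any(s <= m.start() < e for s, e in ref_spans),
            "rel_position": round(m.start() / len(new_text), 2),
            "desc_length": len(desc),
        })
    return rows

# Constructed revisions: the edit appends a promotional link outside any citation.
OLD_REV = ("Aspirin is a medication."
           "<ref>[http://www.example.edu/pharm/aspirin.pdf Monograph]</ref>\n")
NEW_REV = OLD_REV + ("== External links ==\n"
                     "* [http://cheap.pills.example.com/ BUY ASPIRIN ONLINE]\n")

if __name__ == "__main__":
    for row in added_link_features(OLD_REV, NEW_REV):
        print(row)
```
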

West et al. (2011b)

Link spamming Wikipedia for profit[5]:

Nowadays, spam models must have more direct intentions. Thus, the principal goal of Wikipedia link spam is maximizing exposure, the quantity of people who view a spam link. The status quo means of gaining exposure is to use subtle tactics in the hope that a link can become persistent in an article (i.e., have a long lifespan). We find the impact of this strategy is minimal, with spam links receiving a median of 6 views before removal. This poor performance is a result of Wikipedia’s diligent editors. Consequently, link spamming models relying on persistence are not particularly successful. (...) Spam campaigns based on our model leverage four attack vectors:
  • High-traffic placement: Using popular pages.
  • Registered accounts: Gaming the privilege delegation system, accounts can be obtained that can edit rapidly and in a programmatic fashion.
  • Blatant nature: Prominently placed/styled links solicit reader attention and increase click-through.
  • Distributed: Distributed hosts provide the IP agility needed to sustain spam attacks at scale.

Social media

Seyler et al. (2021)

Textual Analysis and Timely Detection of Suspended Social Media Accounts[6]:

  • Average Time Between Tweets (novel and distinguishing feature)
  • Vocabulary Size (novel and distinguishing feature)
  • Average Number of URLs (distinguishing feature)
  • Average Length of Tweets
  • Average Number of Stopwords
  • Average Number of OOV Words (novel feature)
  • Average Number of Retweets
  • Average Number of Hashtags
  • Percentage of Tweets that Contain Spam Words (novel and distinguishing feature)

Yang et al. (2011)

Empirical evaluation and new design for fighting evolving Twitter spammers[7]:

  • Profile: number of followers, number of followings, fofo ratio, reputation, number of tweets, age.
  • Content: URL ratio, unique URL ratio, hashtag (#) ratio, reply (@) ratio, tweet similarity, duplicate tweet count.
  • Graph: number of bi-directional links, bi-directional links ratio, betweenness centrality, clustering coefficient.
  • Neighbor: average neighbors’ followers, average neighbors’ tweets, followings to median neighbors’ followers.
  • Timing: following rate, tweet rate.
  • Automation: API ratio, API url ratio, API tweet similarity.

Note: this work might be too Twitter-oriented.

Benevenuto et al. (2011)

Detecting spammers on Twitter using the maximum, minimum, average, and median of the following metrics[8]:

  • number of hashtags per number of words on each tweet,
  • number of URLs per words,
  • number of words of each tweet,
  • number of characters of each tweet,
  • number of URLs on each tweet,
  • number of hashtags on each tweet,
  • number of numeric characters (i.e. 1,2,3) that appear on the text,
  • number of users mentioned on each tweet,
  • number of times the tweet has been retweeted (counted by the presence of "RT @username" on the text).

The work also uses a popular list of spam words, the fraction of tweets that are reply messages, and the fraction of the user's tweets containing URLs.

Stringhini et al. (2010)

Detecting spammers on social networks[9]:

  • FF ratio: number of friend requests that a user sent to the number of friends she has. Since a bot is not a real person, and, therefore, nobody knows him/her in real life, only a fraction of the profiles contacted would acknowledge a friend request.
  • URL ratio: presence of URLs in the logged messages, since bots are likely to send URLs in their messages in order to attract users to spam web pages.
  • Message Similarity: leveraging the similarity among the messages sent by a user, since most bots sent very similar messages, considering both message size and content, as well as the advertised sites.
  • Friend Choice: whether a profile likely used a list of names to pick its friends or not.
  • Messages Sent: number of messages sent by a profile as a feature, since profiles that send out hundreds of messages are less likely to be spammers, given that, in our initial analysis, most spam bots sent less than 20 messages.
  • Friend Number: number of friends a profile has since profiles with thousands of friends are less likely to be spammers than the ones with a few.

Lee et al. (2010)

Uncovering social spammers, social honeypots + machine learning[10]:

  • User demographics: including age, gender, location, and other descriptive information about the user;
  • User-contributed content: including “About Me” text, blog posts, comments posted on other user’s profiles, tweets, etc.;
  • User activity features: including posting rate, tweet frequency;
  • User connections: including number of friends in the social network, followers, following.

The work also measured the average content similarity over all pairs of tweets posted by a user, where the content similarity is computed using the standard cosine similarity over the bag-of-words vector representation.
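The average pairwise cosine similarity described here, which is also a baseline for the "Message Similarity" and "tweet similarity" features listed under Stringhini et al. and Yang et al., can be computed as follows. This is an added example, not code from any of the papers; the tokenizer, the optional `mask_urls` switch (which maps every URL to one token so rotating links do not hide otherwise identical messages) and the sample messages are assumptions.

```python
import math
import re
from collections import Counter
from itertools import combinations

# A URL is kept as a single token; everything else is split into lowercase words.
TOKEN_RE = re.compile(r"https?://\S+|[a-z0-9']+")

def bag_of_words(text, mask_urls=False):
    tokens = TOKEN_RE.findall(text.lower())
    if mask_urls:  # assumption: collapse all URLs into one placeholder token
        tokens = ["<url>" if t.startswith(("http://", "https://")) else t
                  for t in tokens]
    return Counter(tokens)

def cosine(a, b):
    """Cosine similarity of two term-count vectors (0.0 if either is empty)."""
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values()) *
                     sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def avg_pairwise_similarity(messages, mask_urls=False):
    """Mean cosine similarity over all unordered pairs of a user's messages."""
    bags = [bag_of_words(m, mask_urls) for m in messages]
    pairs = list(combinations(bags, 2))
    if not pairs:  # fewer than two messages: no pair to compare
        return 0.0
    return sum(cosine(a, b) for a, b in pairs) / len(pairs)

# Constructed samples: a templated account and an account with unrelated posts.
SPAM_SAMPLE = [
    "win a free phone http://a.example/1",
    "win a free phone http://b.example/2",
    "win a free phone http://c.example/3",
]
HUMAN_SAMPLE = [
    "lunch was great today",
    "anyone watching the game tonight",
    "new blog post about gardening",
]

if __name__ == "__main__":
    print(avg_pairwise_similarity(SPAM_SAMPLE))
    print(avg_pairwise_similarity(SPAM_SAMPLE, mask_urls=True))
    print(avg_pairwise_similarity(HUMAN_SAMPLE))
```
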

Grier et al. (2010)

The underground of Spam on 140 characters or less[11]:

Using clickthrough data, we analyze spammers’ use of features unique to Twitter and the degree that they affect the success of spam. We find that Twitter is a highly successful platform for coercing users to visit spam pages, with a clickthrough rate of 0.13%, compared to much lower rates previously reported for email spam. We group spam URLs into campaigns and identify trends that uniquely distinguish phishing, malware, and spam, to gain an insight into the underlying techniques used to attract users. (...) Given the absence of spam filtering on Twitter, we examine whether the use of URL blacklists would help to significantly stem the spread of Twitter spam. Our results indicate that blacklists are too slow at identifying new threats, allowing more than 90% of visitors to view a page before it becomes blacklisted. We also find that even if blacklist delays were reduced, the use by spammers of URL shortening services for obfuscation negates the potential gains unless tools that use blacklists develop more sophisticated spam filtering.

Wang (2010)

Spam detection in Twitter[12]:

  • Graph-based features: number of friends, number of followers, and reputation of a user.
  • Content-based features: duplicate tweets, HTTP links, replies, mentions and trending topics.

Benevenuto et al. (2010)

Detecting spammers and content promoters in online video social networks[13]:

  • Video: they capture specific properties of the videos uploaded by the user, i.e., each user has a set of videos in the system, each one with attributes that may serve as indicators of its “quality”, as perceived by others.
  • User: one could expect that legitimate users spend more time doing actions such as selecting friends, adding videos as favorites, and subscribing to content updates from others.
  • Social network: attributes might capture specific interaction patterns that could help differentiate legitimate users, promoters, and spammers.

References

  1. Green, T., & Spezzano, F. (2017). Spam users identification in Wikipedia via editing behavior. In Proceedings of the International AAAI Conference on Web and Social Media (Vol. 11, No. 1).
  2. Kumar, S., Spezzano, F., & Subrahmanian, V. S. (2015, August). VEWS: A Wikipedia vandal early warning system. In Proceedings of the 21th ACM SIGKDD international conference on knowledge discovery and data mining (pp. 607-616).
  3. Adler, B. T., De Alfaro, L., Mola-Velasco, S. M., Rosso, P., & West, A. G. (2011). Wikipedia vandalism detection: Combining natural language, metadata, and reputation features. In International Conference on Intelligent Text Processing and Computational Linguistics (pp. 277-288). Springer, Berlin, Heidelberg.
  4. West, A. G., Agrawal, A., Baker, P., Exline, B., & Lee, I. (2011, October). Autonomous link spam detection in purely collaborative environments. In Proceedings of the 7th international symposium on wikis and open collaboration (pp. 91-100).
  5. West, A. G., Chang, J., Venkatasubramanian, K., Sokolsky, O., & Lee, I. (2011, September). Link spamming Wikipedia for profit. In Proceedings of the 8th Annual Collaboration, Electronic messaging, Anti-Abuse and Spam Conference (pp. 152-161).
  6. Seyler, D., Tan, S., Li, D., Zhang, J., & Li, P. (2021, May). Textual Analysis and Timely Detection of Suspended Social Media Accounts. In Proceedings of the International AAAI Conference on Web and Social Media (Vol. 15, pp. 644-655).
  7. Yang, C., Harkreader, R. C., & Gu, G. (2011, September). Die free or live hard? Empirical evaluation and new design for fighting evolving Twitter spammers. In International Workshop on Recent Advances in Intrusion Detection (pp. 318-337). Springer, Berlin, Heidelberg.
  8. Benevenuto, F., Magno, G., Rodrigues, T., & Almeida, V. (2010, July). Detecting spammers on Twitter. In Collaboration, electronic messaging, anti-abuse and spam conference (CEAS) (Vol. 6, No. 2010, p. 12).
  9. Stringhini, G., Kruegel, C., & Vigna, G. (2010). Detecting spammers on social networks. In Proceedings of the 26th annual computer security applications conference (pp. 1-9).
  10. Lee, K., Caverlee, J., & Webb, S. (2010). Uncovering social spammers: social honeypots + machine learning. In Proceedings of the 33rd international ACM SIGIR conference on Research and development in information retrieval (pp. 435-442).
  11. Grier, C., Thomas, K., Paxson, V., & Zhang, M. (2010). @ spam: the underground on 140 characters or less. In Proceedings of the 17th ACM conference on Computer and communications security (pp. 27-37).
  12. Wang, A. H. (2010). Don't follow me: Spam detection in Twitter. In 2010 international conference on security and cryptography (SECRYPT) (pp. 1-10). IEEE.
  13. Benevenuto, F., Rodrigues, T., Almeida, V., Almeida, J., & Gonçalves, M. (2009). Detecting spammers and content promoters in online video social networks. In Proceedings of the 32nd international ACM SIGIR conference on Research and development in information retrieval (pp. 620-627).