Detecting Arabic Spammers and Content Polluters on Twitter

Nour El-Mawass1 and Saad Alaboodi2 College of Computer and Information Sciences, King Saud University (Riyadh, Saudi Arabia) 1nour.elmawass at ieee.org, 2salaboodi at ksu.edu.sa

Abstract— Spam is thriving on Arabic Twitter. With a large that rank Saudi Arabia as the Arab nation with the highest online population, a mounting political unrest, and an under- number of active Twitter users [2], or that show a “booming sized and unspecialized response effort, the current state of usage” with a penetration higher than 51% [3]. Arabic online social networks (OSNs) offers a perfect target for the spam industry, bringing both abuse and manipulation While the first generation of spammers on Twitter was to the scene. The result is a ubiquitous spam presence that generally naive and had obvious characteristics that helped redefines the signal to noise ratio, and makes spam a de separate it from the rest of the population, spammers nowa- facto component of the online social platforms. English spam days recur to cheap automated techniques to gain trust and on online social networks has been heavily studied in the credibility and go unnoticed in the larger crowd. literature. To date however, social spam in other languages has been largely ignored. Our own analysis of spam content on In this work, we study the contemporary population of Arabic trending hashtags in Saudi Arabia results in an estimate spammers on Twitter, specifically those that tweet in Arabic of about three quarters of the total generated content. This and that mainly hijack Saudi trends, and target the Arabic alarming rate, backed by independent concurrent estimates, speaking population. We develop new detection features makes the development of adaptive spam detection techniques that adapt to the current evading techniques, and we use a very real and pressing need. In this study, we present a first attempt at detecting accounts that promote spam and content these features to train a Machine Learning-based system pollution on Arabic Twitter. Using a large crawled dataset of that has the goal of detecting spammers. We show that our more than 23 million Arabic tweets, and a manually labeled approach outperforms older widely-accepted approaches, and sample of more than 5000 tweets, we analyze the spam content is therefore more adapted to the current detection needs. on Saudi Twitter, and assess the performance of previous spam detection features on our recently gathered dataset. We also adapt the previously proposed features to respond to spammers A. Contributions and outline evading techniques, and use these features to build a new highly We summarize the contributions of this work in the accurate data-driven detection system. Keywords— Online Social Networks, Social Spam Detection, following points: Machine Learning, Supervised Classification, Twitter, Arabic • We provide unique statistics on the prevalence of spam Spam and automation in trending hashtags written in Arabic. Previous work has mainly targeted English and Chinese I.INTRODUCTION spam [4], and we hope that this work will contribute to The rise of online social networks (OSNs) has marked the a greater understanding of non-English spam. beginning of a new spam era. Whether it is on Facebook, • We evaluate the performance of a widely-known, Twitter or other similar platforms, spam on OSNs is char- English-customized spam detection system on our re- acterized by its invasiveness, ubiquity, and interference with cently gathered dataset. the website’s main functionalities. The spammers’ aggressive • We evaluate previously proposed detection features, abuse of OSNs threatens of reducing the value and credibility and assess the impact of evasion techniques on these of these platforms, which may destroy their premise of an features. alternative, secure, and enjoyable online existence. • We propose a set of features that are most suitable to In our investigation, we found that about three quarters the detection of the current Twitter’s Arabic spammers of the tweets in trending hashtags in Saudi Arabia are spam population and develop a highly accurate detection messages. This estimation is backed by independent reports system that outperforms other models on our dataset. placing Saudi Arabia as the number two “global target for The rest of this paper is organized as follows. In part II online spam and other forms of cyber-violation”, and as the we introduce Twitter and cover related work on social spam number one “most spammed country in the world for three detection. Part III is dedicated to data crawling and labeling. years in a row with a 83.3% spam rate”[1]. A deeper analysis In part IV we explain in detail how the features are computed shows that the percentage of tweets generated automatically and how they respond to different evasion techniques. The is even higher. This not only means that Twitter’s resources architecture of the system is discussed in part V. In part are being consumed by malicious accounts rather than the VI, we show the results and performance of our classifier intended users, but it also implies the need to doubt any and compare it to the performance of an English-customized statistics or opinion mining results based on these trends. detection system. We discuss the obtained results in section In particular, it becomes legitimate to question the reports VII and conclude the paper in part VIII. II.BACKGROUNDAND RELATED WORK content on Twitter, their work focuses on detecting automat- ically generated Arabic tweets, using crowdsourcing to build A. The Twitter social network their labeled collection. Twitter is an online social network and microblogging The dominating methodology in the work we discussed platform allowing its users to write and read tweets, which so far is the supervised classification methodology. Other are texts limited by 140 characters that can optionally contain approaches require little human expert involvement and a URL or an image. Accounts are public by default, and use graph and time-based parameters to cluster and detect the friendship relationship is unidirectional: A user i can malicious activity on social networks [16], [17]. follow user j without j following i back. In this scenario, III.DATA COLLECTION i is a “follower” of j and j is a “friend” (or alternatively a “followee”) of i. A. Crawling Twitter A user i can mention another user j (not necessarily a We used two main ways to collect our dataset. First, we friend of i), by including its user screen name preceded by used Twitter API to crawl 7 trending hashtags in Saudi the “@” symbol in the tweet. The same convention also Arabia in the period between 26 November and 15 December appears in any reply to a tweet by j. A user can also 2014. This resulted in a dataset containing 319,390 unique “favourite” or “retweet” other users’ tweets. A hashtag is Arabic tweets, and 102,131 unique account identifiers. In a special text entity that may be formed by one or several addition, we used the search API on December 13, 2014 words preceded by the “#” symbol. Hashtags link the tweets to collect 22,771,358 unique tweets generated by 1,816,668 that contain them, allowing communities and discussions to unique account identifiers. Table III-A summarizes the infor- grow around specific topics. A hashtag that gains a lot of mation of the crawled dataset. popularity in a given region becomes a “trend”, and will B. Building the labeled dataset show on the Twitter page of users in that region. To ensure that the labeled dataset1 contains a wealth of spammers (both in numbers and variation), we had to recur B. Related work to a source that is known to attract spamming activity. We The supervised learning model is extensively used in selected a trending hashtag related to an important sport the social spam detection literature. While details of the event (the 22nd Arabian Gulf Cup final match) and pulled implementation vary, the essence of the model relies on ap- all the tweets that contained the chosen related hashtag (see plying statistical modeling on a labeled dataset representing table III-B for details). accounts of the targeted OSN. This trend started early in the We randomly chose 10% of the 55,239 obtained tweets, field with applications targeting spammers on Youtube [5]. and classified them by mean of manual examination. 76.3% There are several approaches to collect the data. One of the texts were classified as spam and 23.7% were classified method is to attract spammers using social honeypots. These as legitimate texts relevant to the hashtag context. For each are accounts created with the aim of mimicking the average tweet, we pulled the related account IDs (including the user of the studied social network [6]. Another, more active original account ID that generated the tweet and the retweeter approach, is to collect users directly either by brute force account ID if existing), and further investigated the content [7] or by sampling the Twitter sphere. The latter approach of the obtained accounts, classifying them into spammers involves choosing a small sample of users as a seed, and and non-spammers. expanding the network by following the social networks C. Manual account classification of these users up to a given degree [8]. Yet another fast collection method is to sample accounts that are tweeting Building on both our first hand experience and Twitter’s in Twitter’s public timeline [6] (now discontinued), or in definition2 of spam, we give here our definition of a spam trending hashtags [8], or from a sample collected from tweet3. A tweet is considered a spam tweet if it satisfies the Twitter’s streaming API [9]. following conditions: In building the labeled ground-truth data, some approaches 1) The tweet is not composed purely of text. That is, it infer the spamming status of an account by manually assess- contains a hashtag, a mention, a URL or an image. ing its tweets [7], [10]. An alternative is to assess the safety 2) And it is out of context, e.g. the tweet’s content or of URLs in tweets using safe browsing services as a mean sentiment is irrelevant to the context in which the to detect spam tweets [11]. tweet is embedded. This can apply to the following More recent work has investigated the relationship be- overlapping definitions: tween automation and spamming. In [12], a system for 1In the aim of reproducibility, we intend to make the labeled features automated spammers detection is described. Features related matrix and the trained models available online. to automation have been exploited to adapt to the changing 2Twitter’s definition is rather loose, allowing the platform a freedom in structure of Twitters spammers population [10]. An analysis interpreting spamming behavior https://support.twitter.com/ of automated activity in Twitter is presented in [13], and a articles/18311-the-twitter-rules 3We developed a manual labeling algorithm to guide human annotators system that detects the automation of an account is described labeling both tweets and accounts. For an extensive discussion of the in [14]. Similar to our work, authors in [15] target Arabic algorithm, we refer the interested reader to our technical report [18]. TABLE I CRAWLED DATASET INFORMATION Source Period Nb. of unique tweets Nb. of unique account IDs 7 trending hashtags in KSA 26 Nov - 15 Dec 2014 319,390 102,131 Twitter Streaming API Dec 13 2014 (12:00 noon - 12:00 night UTC) 22,771,358 1,816,668

TABLE II INFORMATION ON THE SELECTED TRENDING HASHTAG Hashtag Nb. Of tweets Period Nb. of classified tweets % of spam tweets Who’s behind the failure of 55,239 26 to 27 Nov 2014 5255 73.6 % the Saudi football team

Other general features of the account include the total number of tweets, the number of lists containing the account, the number of tweets favorited by the account, the age of the account, and its “global tweeting frequency”, computed as:

nbtotal(tweets) agedays(account) We noticed, however, that some spamming accounts trick both the age and the tweeting frequency features by remain- ing relatively idle for an extended amount of time after the creation of the account, or by exhibiting spamming behavior only recently in a newly compromised account. Thus, we Fig. 1. A spam tweet that promotes a followers selling service by hijacking introduced the “recent tweeting frequency”, which computes two unrelated trending hashtags. The tweet text says: ’[This is an] automatic the frequency over the last 200 tweets only. retweet. Khaliji (Gulf-based) accounts. Call [phone number]’. Note the high number of retweets and the random number added to the end of the text. B. Content attributes Content attributes are based on the recent activity of the • The tweet topic is not related to the hashtag/trend profile, namely the last 200 tweets. it contains (the topic can be inferred from the text The most general descriptors of a profile’s content are the or the image). rates of retweets, replies and of original tweets (they sum • The URL redirects to a page not related to the to 1). These attributes assess the interaction of the account tweet text or the tweet hashtag. with its environment and how much of its content is self- • The URL redirects to a malicious/phishing site. generated. On the tweet level, we computed the minimum, • The tweet is advertising a product or a service maximum, median and average number of words per tweet. by hijacking hashtags or mentioning users in an 1) Entities-related attributes: We use “entity” to denote automated way. the non-natural language parts of the tweet, namely hashtags, In addition to this definition, and as of Twitter’s rules, we URLs and mentions. It is natural to expect that the distribu- consider any tweet advertising a paid retweet/favorite service tions of usage of these entities is different between spammers or selling followers to be a spam as well. and non-spammers. We therefore use several features formu- Fig. 1 shows an example of a spam tweet, which is lations to capture this difference. misusing two unrelated hashtags. Its goal is to promote On the global level (over the most recent 200 tweets), a followers selling service, and it provides a local phone three features can be extracted: the proportion of tweets with number for interested customers. URLs, hashtags and mentions, respectively. In addition, since spammers tend to repeat the same URL, hashtag or mention IV. FEATURES in their tweets for advertisement and visibility reasons, we A. Profile attributes Using features related to the social network of a profile compute the number of unique entities and the average is a legacy of the earlier work on spam detection. This number of times a unique entity is used. For URLs for explains why a lot of evading techniques have the exact aim example, a normal user that is not topic-focused is expected of evading these features. These features include the number to have an average usage of 1 per url, meaning that he used of followers, the number of friends, and the relationship each unique URL only once. A spammer on the other hand 4 between these two variables captured by the followers per tends to have a much higher average usage per unique URL . nb(followers) We use the following expression to compute this value: friends ratio: nb(friends) . We also looked at these measures in time by computing nb(URLs) the number of followers (resp. friends) acquired per day: nb(unique(URLs))

nbtotal(followers) 4Note that the unshortened final URL is used, since the shortened URL nb/day(followers) = agedays(account) can be different each time the tweet is generated. The existence of these entities can be also assessed on the in- evade the rigid (exact) similarity measure. Techniques to add dividual tweet level by computing the minimum, maximum, artificial difference to the tweet include adding a random or median and average number of occurrences of each type iterated number to the tweet (incremented by one each time of these entities in a tweet. For example, we can compute the same tweet is generated), or adding randomly generated the average number of hashtags per tweet (computed by short words (such as xjl, jz1, qic). averaging this measure over the most recent 200 tweets). The The basic features related to similarity measures are: number of features obtained this way is 12 (4 × 3). We also 1) the average similarity computed as: computed the same measures per word per tweet, increasing P similarity(t , t ) the number of features to 24 (12 × 2). ti,tj∈T,i

Precision 0.895 0.872 0.924 0.929 0.744 0.432 Recall 0.718 0.958 0.961 0.868 0.399 0.769 Random False Positive 0.042 0.282 0.132 0.039 0.231 0.601 Forests F-measure 0.797 0.913 0.942 0.898 0.519 0.553 ROC area 0.891 0.958 0.674 Accuracy 87.79% 92.59% 53.69%

Precision 0.896 0.876 0.9 0.904 0.826 0.481 Recall 0.73 0.958 0.947 0.824 0.464 0.835 False Positive 0.042 0.27 0.176 0.053 0.165 0.536 SVM F-measure 0.804 0.915 0.923 0.862 0.594 0.61 ROC area 0.844 0.886 0.65 Accuracy 88.17% 90.12% 60.25%

TABLE III CLASSIFICATION PERFORMANCE a subject that presents a pressing economic, political and [7] Fabrıcio Benevenuto, Gabriel Magno, Tiago Rodrigues, and Virgılio computational problem. We proposed a high performance Almeida. Detecting spammers on twitter. In Collaboration, elec- tronic messaging, anti-abuse and spam conference (CEAS), volume 6, spammers detection system that is customized to the current page 12, 2010. Arabic spammers population on Twitter. We also presented [8] Sarita Yardi, Daniel Romero, Grant Schoenebeck, et al. Detecting the evasion techniques developed by spammers and how spam in a twitter network. First Monday, 15(1), 2009. [9] Chris Grier, Kurt Thomas, Vern Paxson, and Michael Zhang. @ spam: detection features can be adapted to account for the evasion the underground on 140 characters or less. In Proceedings of the 17th effects. Using these features, we assessed the performance ACM conference on Computer and communications security, pages of our approach with newly proposed features compared to 27–37. ACM, 2010. [10] Chao Yang, Robert Chandler Harkreader, and Guofei Gu. Die free or a widely-known, English-customized detection system. We live hard? empirical evaluation and new design for fighting evolving compared both approaches over our recent Arabic spammers twitter spammers. In Recent Advances in Intrusion Detection, pages dataset and showed that a small subset of features proposed 318–337. Springer, 2011. [11] Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson, and Dawn Song. in the literature is still valid. With the wealth of data offered Design and evaluation of a real-time url spam filtering service. In by an invasive and ubiquitous Arabic spam presence on Security and Privacy (SP), 2011 IEEE Symposium on, pages 447–462. Twitter, we plan to further investigate the subject, espe- IEEE, 2011. [12] Amit A Amleshwaram, Narasimha Reddy, Sandeep Yadav, Guofei Gu, cially in terms of detection and characterization of spam and Chao Yang. Cats: Characterizing automation of twitter spammers. content, techniques and campaigns (as opposed to spamming In Communication Systems and Networks (COMSNETS), 2013 Fifth accounts). International Conference on, pages 1–10. IEEE, 2013. [13] Zi Chu, Steven Gianvecchio, Haining Wang, and Sushil Jajodia. Who is tweeting on twitter: human, bot, or cyborg? In Proceedings of the REFERENCES 26th annual computer security applications conference, pages 21–30. ACM, 2010. [1] 3rd Cyber Security Forum 2016. https:// [14] Zi Chu, Steven Gianvecchio, Haining Wang, and Sushil Jajodia. fleming.events/en/events/program/security/ Detecting automation of twitter accounts: Are you a human, bot, or kingdom-cyber-security-forum, 2016. [Online; accessed cyborg? Dependable and Secure Computing, IEEE Transactions on, 7-March-2016]. 9(6):811–824, 2012. [2] K. T. Abdurabb. Saudi Arabia has highest number of active Twitter [15] Hind Almerekhi and Tamer Elsayed. Detecting Automatically- users in the Arab world. http://www.arabnews.com/news/ Generated Arabic Tweets. In Information Retrieval Technology, pages 592901, 2014. [Online; accessed 20-December-2014]. 123–134. Springer, 2015. [3] Marcello Mari. Twitter usage is booming in Saudi [16] Alex Beutel, Wanhong Xu, Venkatesan Guruswami, Christopher Arabia. http://www.globalwebindex.net/blog/ Palow, and Christos Faloutsos. Copycatch: stopping group attacks by twitter-usage-is-booming-in-saudi-arabia, 2013. spotting lockstep behavior in social networks. In Proceedings of the [Online; accessed 20-December-2014]. 22nd international conference on World Wide Web, pages 119–130, 2013. [4] Yin Zhu, Xiao Wang, Erheng Zhong, Nathan Nan Liu, He Li, and [17] Meng Jiang, Bryan Hooi, Alex Beutel, Shiqiang Yang, Peng Cui, and Qiang Yang. Discovering spammers in social networks. In Proceedings Christos Faloutsos. A general suspiciousness metric for dense blocks of the 26th AAAI Conference on Artificial Intelligence, 2012. in multimodal data. In Proceedings of IEEE international conference [5] Fabr´ıcio Benevenuto, Tiago Rodrigues, Virg´ılio Almeida, Jussara on data mining. IEEE, 2015. Almeida, and Marcos Gonc¸alves. Detecting spammers and content [18] Nour El-Mawass and Saad Alaboodi. Hunting for Spammers: Detect- promoters in online video social networks. In Proceedings of the 32nd ing Evolved Spammers on Twitter. arXiv preprint arXiv:1512.02573, international ACM SIGIR conference on Research and development in 2015. information retrieval, pages 620–627. ACM, 2009. [19] Meeyoung Cha, Hamed Haddadi, Fabricio Benevenuto, and P Krishna [6] Gianluca Stringhini, Christopher Kruegel, and Giovanni Vigna. Detect- Gummadi. Measuring user influence in twitter: The million follower Proceedings of the 26th Annual ing spammers on social networks. In fallacy. ICWSM, 10(10-17):30, 2010. Computer Security Applications Conference, pages 1–9. ACM, 2010.