社交网络异常用户检测技术研究进展

doi:10.11959/j.issn.2096-109x.2018025

摘要/Abstract

摘要：

在社交网络中，异常用户检测问题是网络安全研究的关键问题之一，异常用户通过创建多个马甲进行虚假评论，网络欺凌或网络攻击等行为严重威胁正常用户的信息安全和社交网络的信用体系，因此大量研究人员对该问题进行了深入研究。回顾了近年来该问题的研究成果，并总结出一个整体架构。数据收集层介绍数据获取方式与相关数据集；特征表示层阐述属性特征、内容特征、网络特征、活动特征与辅助特征；算法选择层介绍监督算法、无监督算法与图算法；结果评估层阐述数据标注方式与方法评估指标。最后，展望了该领域未来的研究方向。

关键词: 社交网络, 异常用户检测, 网络安全

Abstract:

In social networks,the problem of anomalous users detection is one of the key problems in network security research.The anomalous users conduct false comments,cyberbullying or cyberattacks by creating multiple vests,which seriously threaten the information security of normal users and the credit system of social networks ,so a large number of researchers conducted in-depth study of the issue.The research results of the issue in recent years were reviewed and an overall structure was summarized.The data collection layer introduces the data acquisition methods and related data sets,and the feature presentation layer expounds attribute features,content features,network features,activity features and auxiliary features.The algorithm selection layer introduces supervised algorithms,unsupervised algorithms and graph algorithms.The result evaluation layer elaborates the method of data annotation method and index.Finally,the future research direction in this field was looked forward.

Key words: social network, anomalous users detection, cyber security

中图分类号:

T309

曲强, 于洪涛, 黄瑞阳. 社交网络异常用户检测技术研究进展[J]. 网络与信息安全学报, 2018, 4(3): 13-23.

Qiang QU, Hongtao YU, Ruiyang HUANG. Research progress of abnormal user detection technology in social network[J]. Chinese Journal of Network and Information Security, 2018, 4(3): 13-23.

图/表 8

表1

图1

表2

表3

表4

表5

表6

表7

方法评估指标"

方法评估指标	形式定义
精确率	$A = \frac{T P + T N}{T P + T N + F P + F N}$
准确率	$P = \frac{T P}{T P + F P}$
召回率	$R = \frac{T P}{T P + F N}$
F指数	$F = \frac{2 P R}{P + R}$
MCC	$M C C = \frac{T P \times T N - F P \times F N}{\sqrt{(T P + F P) (T P + F N) (T N + F N) (T N + F N)}}$

表7

参考文献 67

[1]	RAYANA S , AKOGLU L . Collective opinion spam detection:Bridging review networks and metadata[C]// The 21st ACM Sigkdd International Conference on Knowledge Discovery and Data Mining. 2015: 985-994.
[2]	LIM E P , NGUYEN V A , JINDAL N ,et al. Detecting product review spammers using rating behaviors[C]// The 19th ACM International Conference on Information and Knowledge Management. 2010: 939-948.
[3]	MALBON J . Taking fake online consumer reviews seriously[J]. Journal of Consumer Policy, 2013,36(2): 139-157.
[4]	CAO Q , SIRIVIANOS M , YANG X ,et al. Aiding the detection of fake accounts in large scale social online services[C]// The 9th Usenix Conference on Networked Systems Design and Implementation. 2012: 15-15.
[5]	CHENG J , BERNSTEIN M , DANESCU-NICULESCU-MIZIL C ,et al. Anyone can become a troll:causes of trolling behavior in online discussions[C]// ACM Conference on Computer-Supported Cooperative Work and Social Computing (CSCW 2017). 2017.
[6]	HINDUJA S , PATCHIN J W . Bullying,cyberbullying,and suicide[J]. Archives of Suicide Research, 2010,14(3): 206-221.
[7]	ZAFARANI R , LIU H . 10 bits of surprise:Detecting malicious users with minimum information[C]// The 24th ACM International on Conference on Information and Knowledge Management. 2015: 423-431.
[8]	KUMAR S , CHENG J , LESKOVEC J . Antisocial behavior on the Web:characterization and detection[C]// The 26th International Conference on World Wide Web Companion. 2017: 947-950.
[9]	JIANG M , KUMAR S , SUBRAHMANIAN V S ,et al. Data-driven approaches towards malicious behavior modeling[C]// The 23rd ACM SIGKDD Conference on Knowledge Discovery and Data Mining (KDD). 2017, 19:42.
[10]	JIANG M , CUI P , FALOUTSOS C . Suspicious behavior detection:current trends and future directions[J]. IEEE Intelligent Systems, 2016,31(1): 31-39.
[11]	BEUTEL A , AKOGLU L , FALOUTSOS C . Graph-based user behavior modeling:from prediction to fraud detection[C]// The 21st ACM Sigkdd International Conference on Knowledge Discovery and Data Mining. 2015: 2309-2310.
[12]	YE J , AKOGLU L . Discovering opinion spammer groups by network footprints[C]// Joint European Conference on Machine Learning and Knowledge Discovery in Databases. 2015: 267-282.
[13]	PRAKASH B A , SRIDHARAN A , SESHADRI M ,et al. Eigenspokes:surprising patterns and scalable community chipping in large graphs[C]// Pacific-Asia Conference on Knowledge Discovery and Data Mining. 2010: 435-448.
[14]	HOOI B , SONG H A , BEUTEL A ,et al. Fraudar:bounding graph fraud in the face of camouflage[C]// The 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. 2016: 895-904.
[15]	JIANG M , CUI P , BEUTEL A ,et al. Inferring strange behavior from connectivity pattern in social networks[C]// Pacific-Asia Conference on Knowledge Discovery and Data Mining. 2014: 126-138.
[16]	FIRE M , KATZ G , ELOVICI Y . Strangers intrusion detection-detecting spammers and fake profiles in social networks based on topology anomalies[J]. Human Journal, 2012,1(1): 26-39.
[17]	YAMAK Z , SAUNIER J , VERCOUTER L . Detection of multiple identity manipulation in collaborative projects[C]// The 25th International Conference Companion on World Wide Web. 2016: 955-960.
[18]	WU S , LIU Q , LIU Y ,et al. Information credibility evaluation on social media[C]// The 30th AAAI Conference on Artificial Intelligence. 2016: 4403-4404.
[19]	FRIGGERI A , ADAMIC L A , ECKLES D ,et al. Rumor cascades[J]. Dalton Transactions, 2014,43(16): 6108-19.
[20]	HOSSEINMARDI H , GHASEMIANLANGROODI A , HAN R ,et al. Towards understanding cyberbullying behavior in a semianonymous social network[C]// 2014 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM). 2014: 244-252.
[21]	ADLER B , DE ALFARO L , PYE I . Detecting wikipedia vandalism using wikitrust[J]. Notebook Papers of CLEF, 2010,1: 22-23.
[22]	GUPTA A , LAMBA H , KUMARAGURU P ,et al. Faking sandy:characterizing and identifying fake images on twitter during hurricane sandy[C]// The 22nd International Conference on World Wide Web. 2013: 729-736.
[23]	HU X , TANG J , ZHANG Y ,et al. Social spammer detection in microblogging[C]// The International Joint Conference on Artificial Intelligence. 2013: 2633-2639.
[24]	HU X , TANG J , GAO H ,et al. Social spammer detection with sentiment information[C]// 2014 IEEE International Conference on Data Mining (ICDM). 2014: 180-189.
[25]	LEE K , CAVERLEE J , WEBB S . Uncovering social spammers:social honeypots+ machine learning[C]// The 33rd International ACM SIGIR Conference on Research and Development in Information Retrieval. 2010: 435-442.
[26]	BEUTEL A , XU W , GURUSWAMI V ,et al. Copycatch:stopping group attacks by spotting lockstep behavior in social networks[C]// The 22nd International Conference on World Wide Web. 2013: 119-130.
[27]	LI Y , MARTINEZ O , CHEN X ,et al. In a world that counts:clustering and detecting fake social engagement at scale[C]// The 25th International Conference on World Wide Web. 2016: 111-120.
[28]	WU L , HU X , MORSTATTER F ,et al. Adaptive spammer detection with sparse group modeling[C]// The International AAAI Conference on Web and Social Media. 2017: 319-326.
[29]	XU C , SU B , CHENG Y ,et al. An adaptive fusion algorithm for spam detection[J]. IEEE Intelligent Systems, 2014,29(4): 2-8.
[30]	JIANG M , CUI P , BEUTEL A ,et al. Catchsync:catching synchronized behavior in large directed graphs[C]// The 20th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. 2014: 941-950.
[31]	RATKIEWICZ J , CONOVER M , MEISS M R ,et al. Detecting and tracking political abuse in social media[C]// The International Conference on Weblogs and Social Media(ICWSM). 2011: 297-304.
[32]	TSIKERDEKIS M , ZEADALLY S . Multiple account identity deception detection in social media using nonverbal behavior[J]. IEEE Transactions on Information Forensics and Security, 2014,9(8): 1311-1321.
[33]	AKOGLU L , MCGLOHON M , FALOUTSOS C . Oddball:spotting anomalies in weighted graphs[C]// Pacific-Asia Conference on Knowledge Discovery and Data Mining. 2010: 410-421.
[34]	HU X , TANG J , LIU H . Online social spammer detection[C]// The 28th AAAI Conference on Artificial Intelligence. 2014: 59-65.
[35]	HORNE B D , ADALI S . This just in:fake news packs a lot in title,uses simpler,repetitive content in text body,more similar to satire than real news[C]// The 2nd International Workshop on News and Public Opinion. 2017.
[36]	KUMAR S , SPEZZANO F , SUBRAHMANIAN V S . Vews:a wikipedia vandal early warning system[C]// The 21sh ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. 2015: 607-616.
[37]	SHIN K , HOOI B , KIM J ,et al. D-cube:dense-block detection in terabyte-scale tensors[C]// The 10th ACM International Conference on Web Search and Data Mining. 2017: 681-689.
[38]	KUMAR S , WEST R , LESKOVEC J . Disinformation on the web:Impact,characteristics,and detection of wikipedia hoaxes[C]// The 25th International Conference on World Wide Web. 2016: 591-602.
[39]	RATKIEWICZ J , CONOVER M , MEISS M ,et al. Truthy:mapping the spread of astroturf in microblog streams[C]// The 20th International Conference Companion on World Wide Web. 2011: 249-252.
[40]	GIATSOGLOU M , CHATZAKOU D , SHAH N ,et al. Nd-sync:detecting synchronized fraud activities[C]// Pacific-Asia Conference on Knowledge Discovery and Data Mining. 2015: 201-214.
[41]	SUBRAHMANIAN V S , AZARIA A , DURST S ,et al. The DARPA Twitter bot challenge[J]. Computer, 2016,49(6): 38-46.
[42]	PEREZ C , LEMERCIER M , BIRREGAH B ,et al. Spot 1.0:scoring suspicious profiles on twitter[C]// The International Conference on Advances in Social Networks Analysis and Mining (ASONAM). 2011: 377-381.
[43]	ADLER B T , DE ALFARO L,MOLA-VELASCO S M , et al . Wikipedia vandalism detection:combining natural language,metadata,and reputation features[C]// The International Conference on Intelligent Text Processing and Computational Linguistics. 2011: 277-288.
[44]	CHENG J , DANESCU-NICULESCU-MIZIL C , LESKOVEC J . Antisocial behavior in online discussion communities[J].Computer Science,2015. Computer Science, 2015.
[45]	KUMAR S , CHENG J , LESKOVEC J ,et al. An army of me:Sockpuppets in online discussion communities[C]// The 26th International Conference on World Wide Web. 2017: 857-866.
[46]	DICKERSON J P , KAGAN V , SUBRAHMANIAN V S . Using sentiment to detect bots on twitter:are humans more opinionated than bots?[C]// 2014 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM). 2014: 620-627.
[47]	MUKHERJEE A , VENKATARAMAN V , LIU B ,et al. What yelp fake review filter might be doing?[C]// The International Conference on Web and Social Media(ICWSM). 2013.
[48]	SOLORIO T , HASAN R , MIZAN M . A case study of sockpuppet detection in wikipedia[C]// The Workshop on Language Analysis in Social Media. 2013: 59-68.
[49]	GANI K , HACID H , SKRABA R . Towards multiple identity detection in social networks[C]// The 21st International Conference on World Wide Web. 2012: 503-504.
[50]	GAO H , HU J , WILSON C ,et al. Detecting and characterizing social spam campaigns[C]// The 10th ACM Sigcomm Conference on Internet Measurement. 2010: 35-47.
[51]	BENEVENUTO F , MAGNO G , RODRIGUES T ,et al. Detecting spammers on twitter[C]// Collaboration,Electronic Messaging,Anti-abuse and Spam Conference (CEAS). 2010:12.
[52]	SHAH N , BEUTEL A , GALLAGHER B ,et al. Spotting suspicious link behavior with fbox:an adversarial perspective[C]// 2014 IEEE International Conference on Data Mining (ICDM). 2014: 959-964.
[53]	KUNEGIS J , LOMMATZSCH A , BAUCKHAGE C . The slashdot zoo:mining a social network with negative edges[C]// The 18th International Conference on World Wide Web. 2009: 741-750.
[54]	XU Q , XIANG E W , YANG Q ,et al. SMS spam detection using noncontent features[J]. IEEE Intelligent Systems, 2012,27(6): 44-51.
[55]	KUMAR S , SPEZZANO F , SUBRAHMANIAN V S . Accurately detecting trolls in slashdot zoo via decluttering[C]// 2014 IEEE ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM). 2014: 188-195.
[56]	SHACHAF P , HARA N . Beyond vandalism:Wikipedia trolls[J]. Journal of Information Science, 2010,36(3): 357-370.
[57]	CHENG J , DANESCU-NICULESCU-MIZIL C , LESKOVEC J . How community feedback shapes user behavior[C]// The International Conference on Weblogs and Social Media (ICWSM). 2014.
[58]	JINDAL N , LIU B . Opinion spam and analysis[C]// The 2008 International Conference on Web Search and Data Mining. 2008: 219-230.
[59]	MUKHERJEE A , LIU B , GLANCE N . Spotting fake reviewer groups in consumer reviews[C]// The 21st International Conference on World Wide Web. 2012: 191-200.
[60]	HOOI B , SHAH N , BEUTEL A ,et al. Birdnest:bayesian inference for ratings-fraud detection[C]// 2016 SIAM International Conference on Data Mining.Society for Industrial and Applied Mathematics. 2016: 495-503.
[61]	FEI G , MUKHERJEE A , LIU B ,et al. Exploiting burstiness in reviews for review spammer detection[C]// The 7th International AAAI Conference on Weblogs and Social Media (ICWSM). 2013: 175-184.
[62]	BU Z , XIA Z , WANG J . A sock puppet detection algorithm on virtual spaces[J]. Knowledge-Based Systems, 2013,37: 366-377.
[63]	JIANG M , CUI P , WANG F ,et al. Fema:flexible evolutionary multi-faceted analysis for dynamic behavioral pattern discovery[C]// The 20th ACM Sigkdd International Conference on Knowledge Discovery and Data Mining. 2014: 1186-1195.
[64]	YU H , KAMINSKY M , GIBBONS P B ,et al. Sybilguard:defending against sybil attacks via social networks[C]// ACM Sigcomm Computer Communication Review. 2006: 267-278.
[65]	YU H , GIBBONS P B , KAMINSKY M ,et al. Sybillimit:a near-optimal social network defense against sybil attacks[C]// IEEE Symposium on Security and Privacy. 2008: 3-17.
[66]	WEI W , XU F , TAN C C ,et al. Sybildefender:Defend against sybil attacks in large social networks[C]// IEEE INFOCOM. 2012: 1951-1959.
[67]	GONG N Z , FRANK M , MITTAL P . Sybilbelief:a semi-supervised learning approach for structure-based sybil detection[J]. IEEE Transactions on Information Forensics and Security, 2014,9(6): 976-987.

异常用户种类	主要存在平台
Spammer（垃圾信息制造者）	Twitter，微博平台，CNN，亚马逊，Yelp
Hoaxes（文化攻击者）	维基百科
Bot（机器人）	Twitter
Sockpuppet（马甲）	维基百科，Twitter，Facebook，CNN
Troll（钓鱼者）	Slashdot zoo，维基百科
Fake user（虚假用户）	Google，Twitter，Amazon
Vandal（恶意用户）	Twitter，维基百科，TCP

数据获取方式	相关工作
合成数据集	文献[12～16]
爬取数据集	文献[17～20]
API获取数据集	文献[21～25]
合作数据集	文献[26,27]
公开数据集	文献[13,28～36]

检测特征	特点	关键	特征评估
属性特征	采用人为设计方法，容易被攻击者绕过，算法设计简单，效率低，准确率相对较低，数据量级小，具有严格隐私保护	突破隐私保护	不常用
内容特征	采用自然语言处理方式，容易被攻击者绕过，算法设计复杂，效率低，准确率相对较低，数据量级大，具有轻微隐私保护	设计复杂算法，合理语言模式	常用
网络特征	采用复杂网络处理方式，不易被攻击者绕过，算法设计简单，效率低，准确率相对较低，数据量级大，不具有隐私保护	掌握全局结构	主流
活动特征	采用行为模式分析处理方式，不易被攻击者绕过，算法设计简单，效率高，准确率高，数据量级大，具有轻微隐私保护	选取区分度最大的活动信息	主流
辅助特征	采用时间序列模型分析，不易被攻击者绕过，算法设计复杂，效率高，准确率高，数据量级小，具有轻微隐私保护	有效利用时间维度信息	热门

	算法	思想	算法关键问题
监督算法	单一分类算法	分类	选取具有最大区分度的关键特征
	集成分类算法
无监督算法	从上到下的分解挖掘	聚类	选取合理的相似性指标
	从下到上的聚类挖掘
图算法	谱分解	图异常点检测	处理大规模稀疏的图数据
	随机游走

检测算法	优点	缺点
监督算法	1) 准确率高	1) 需要含标签数据
	2) 检测速度快，效率高	2) 需要提前训练
	3) 算法设计成熟，部署技术成熟	3) 需要选取区分度特征
	4) 实时性好	4) 选取特征易被攻击者绕过，未知模式检测效果差
无监督算法	1) 仅仅需要不含标签数据	1) 准确率低
	2) 不需要提前训练	2) 算法设计复杂，效率低
	3) 有效检测未知模式	3) 实时性差
图算法	1) 只需要图数据	1) 准确率低，实时性差
	2) 不需要提前训练	2) 理论假设条件复杂，现实不成立
	3) 有效检测未知模式	3) 算法设计复杂，效率低
		4) 社交网络存在不同的差异