Cybersecurity System IDs Malware Hidden in Short Twitter Links

A machine classification system can identify harmful website links on Twitter within seconds of being clicked

Twitter and Facebook users can all too easily get a computer virus when they click on malware links shared by unsuspecting friends. To identify such malicious links on social media, UK researchers have developed a system that recognizes potential cyber attacks within seconds of clicking on a shortened Twitter link.

The “machine classifier” system has learned to identify malware activity in the system logs of infected machines just moments after clicking on suspicious links, according to a Cardiff University press release. It proved capable of identifying possible cyber attacks within five seconds with up to 83 percent accuracy. Given half a minute, it could identify cyber attacks with up to 98 percent accuracy.

“URLs are always shortened on Twitter due to character limitations in posts, so it’s incredibly difficult to know which are legitimate,” said Pete Burnap, director of the Social Data Science Lab at Cardiff University in the UK, in a press release statement. “Once infected the malware can turn your computer into a zombie computer and become part of a global network of machines used to hide information or route further attacks.”

Shortened links pose an identification challenge for current anti-virus software as well as for social media users. That’s in part because many anti-virus solutions have a tough time detecting previously unseen cyber attacks without knowing their code signatures, Burnap said. By analyzing the machine logs for suspicious patterns, the new cybersecurity research could eventually help develop a real-time system capable of protecting Twitter and Facebook users.

The machine classifier system trained itself by analyzing tweets containing shortened URLs from the 2015 Super Bowl and Cricket World Cup finals. Burnap and his colleagues from several other UK universities hope to stress-test the system by analyzing Twitter traffic from the European Football Championships coming up next summer.

To collect and analyze those Twitter links, researchers used an open-source “client honeypot” called Capture HPC, which was originally developed by Victoria University of Wellington in New Zealand. The client honeypot acts as a security device capable of monitoring and isolating data to investigate it for suspicious activity.

In this case, Capture HPC looked for possible patterns of malicious activity related to malware by monitoring changes in files, registry files and processes. It also ran within a virtual machine environment to further isolate the malware’s changes to the system. More details on the research come from a paper presented at the 2015 IEEE / ACM International Conference on Advances in Social Networks Analysis and Mining in August 2015.
