Early filtering of ephemeral malicious accounts on Twitter

Cybercriminals exploit a large number of ephemeral malicious accounts for conducting large-scale simple attacks such as spam distribution on online social networks. However, conventional detection schemes relying on account or message information take a considerable time to collect such information before running detection algorithms so criminals utilize their accounts until suspension and exploit others again. In this paper, we propose a new detection scheme to filter potentially malicious account groups around their creation time. Our scheme utilizes the differences between algorithmically generated account names and human-made account names to identify malicious accounts generated using the similar algorithms. For accounts created within a short period of time, we apply a clustering algorithm to group accounts sharing similar name-based features and a classification algorithm to classify malicious account clusters. As a case study, we analyze 4.7 million accounts collected from Twitter. Even though our scheme only relies on account names and their creation time, it achieves reasonable accuracy. Therefore, we can use it as a fast filter against malicious account groups to selectively conduct an in-depth analysis.