Abstract
Detecting and elucidating botnets is an active area of research. Using explainable, highly scalable Apache Spark-based artificial intelligence, process mining technologies are presented which illuminate bot activity within terrorist Twitter data. A derived hidden Markov model suggests that bot logic uses information camouflage in order to disguise intentions similar to World War II Nazi propagandists and Soviet-era practitioners of information warfare enhanced with reflexive control. A future effort is presented which strings together best of breed techniques into a composite classification algorithm in order to improve continually the discovery of malicious accounts, understand cross-platform weaponized botnet dynamics, and model adversarial information warfare campaigns recursively.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Aalst Wvd (2016) Process mining: data science in action, 2nd edn. Springer-Verlag, Berlin Heidelberg. https://www.springer.com/gp/book/9783662498507
Alexander L (2015) Social network analysis reveals full scale of Kremlin’s twitter bot campaign. Global voices. https://globalvoices.org/2015/04/02/analyzing-kremlin-twitter-bots/
Alfifi M, Kaghazgaran P, Caverlee J, Morstatter F (2019) A large-scale study of ISIS social media strategy: community size, collective influence, and behavioral impact. In: Proceedings of the international AAAI conference on web and social media 13:58–67. https://www.aaai.org/ojs/index.php/ICWSM/article/view/3209
Anonymous CHR (2019) Cyber endeavour conference with non-attributional Chatham House rules
BBC (2018) Targeted pro-Brexit Facebook ads revealed. https://www.bbc.com/news/uk-politics-44966969
Beskow D, Carley K (2019a) Army must regain initiative in social cyberwar. https://www.ausa.org/articles/army-must-regain-initiative-social-cyberwar
Beskow D, Carley K (2019b) Social cybersecurity an emerging national security requirement. https://www.armyupress.army.mil/Journals/Military-Review/English-Edition-Archives/Mar-Apr-2019/117-Cybersecurity/
Bicknell JW (2019) Process mining technologies. ORMS Today. https://doi.org/10.1287/orms.2019.05.01
Bicknell JW, Krebs WG (2019a) FOCAL information warfare defense standard. ResearchGate. https://doi.org/10.13140/RG.2.2.12672.07687. https://www.researchgate.net/publication/333774135_FOCAL_Information_Warfare_Defense_Standard_TM
WG (2019b) Methods and systems for estimating process capacity. U.S. Patent Application No. 16/402,071. Washington, DC, U.S. Patent and Trademark Office
Bicknell JW, Krebs WG (2019c) Methods and systems for inferring behavior and vulnerabilities from process models. U.S. Patent Application No. 16/440,639. Washington, DC, U.S. Patent and Trademark Office
Bicknell JW, Krebs WG (2019d) Process mining: the missing piece in information warfare. ResearchGate. https://doi.org/10.13140/RG.2.2.23584.94722/1
Bicknell JW, Krebs WG (in press) Process mining organization email data and national security implications. Unifying themes in complex systems X: In: Proceedings of the tenth international conference on complex systems. Springer Proceedings in Complexity. Springer
Bott G (2000) Scorched Earth: Propaganda. https://www.amazon.com/Scorched-Earth-Propaganda-Unavailable/dp/B01DEFZUMA
Chotikul D (1986) The Soviet theory of reflexive control in historical and psychocultural perspective: preliminary study. PhD thesis, Naval Postgraduate School, Monterey, California. http://nsarchive.gwu.edu/dc.html?doc=3901091-Diane-Chotikul-The-Soviet-Theory-of-Reflexive
Contributors W (2019a) Attribution (marketing). https://en.wikipedia.org/w/index.php?title=Attribution_(marketing)&oldid=894868564, page Version ID: 894868564
Contributors W (2019b) PyPy. https://en.wikipedia.org/w/index.php?title=PyPy&oldid=928795613, page Version ID: 928795613
DoD (2019) Early detection of information campaigns by adversarial state and non-state actors. https://www.sbir.gov/sbirsearch/detail/1606357
Fuller RB (1970) I seem to be a verb: environment and man’s future, 1st edn. Bantam Books, New York
Giles K (2019) “Hybrid Threats”: what can we learn from Russia? https://www.baks.bund.de/en/working-papers/2019/hybrid-threats-what-can-we-learn-from-russia
Hanssens DM, Parsons LJ, Schultz RL (2003) Market response models: econometric and time series analysis, 2nd edn. Springer, Boston, MA
Hidalgo C (2015) Why information grows: the evolution of order, from atoms to economies. Basic Books, New York
Huang E (2019) Why China isn’t as skillful at disinformation as Russia. https://qz.com/1699144/why-chinas-social-media-propaganda-isnt-as-good-as-russias/
HyperspaceChallenge (2019) Large data aggregation from small satellites to determine patterns of life modifications. https://hyperspacechallenge.com/large-data-aggregation-from-small-satellites-to-determine-pattern-of-life-modifications/
IEEE (2016) IEEE standard for eXtensible event stream (XES) for achieving interoperability in event logs and event streams. IEEE Std 1849–2016:1–50. https://doi.org/10.1109/IEEESTD.2016.7740858
Iyengar R (2018) WhatsApp has been linked to lynchings in India. Facebook is trying to contain the crisis. https://www.cnn.com/2018/09/30/tech/facebook-whatsapp-india-misinformation/index.html
Kopp C (2005) Classical deception techniques and perception management vs. the four strategies of information warfare. In: Pye G, Warren M (eds) Protecting the Australian homeland. School of Information Systems, Deakin University, Geelong, VIC, pp 81–89
MacFarquhar N (2018) Inside the Russian Troll Factory: Zombies and a Breakneck Pace. The New York Times https://www.nytimes.com/2018/02/18/world/europe/russia-troll-factory.html
McLaughlin T (2018) How Facebook’s Rise Fueled Chaos and Confusion in Myanmar. Wired. https://www.wired.com/story/how-facebooks-rise-fueled-chaos-and-confusion-in-myanmar/
Mueller RS (2019) Report On The Investigation Into Russian Interference In The 2016 Presidential Election. Tech. rep., U.S. Department of Justice. https://www.hsdl.org/?abstract&did=824221
Novikov DA, Chkhartishvili AG (2014) Reflexion and control: mathematical models. CRC Press, Boca Raton. https://doi.org/10.1201/b16625
Paul C, Matthews M (2016) The Russian “Firehose of Falsehood” Propaganda Model: Why It Might Work and Options to Counter It. Tech. rep., RAND Corporation, Santa Monica, CA, https://www.rand.org/pubs/perspectives/PE198.html
Prigogine I, Nicolis G, Babloyantz A (1972) Thermodynamics of evolution. Physics Today 25(11):23–28. https://doi.org/10.1063/1.3071090
Seddon M (2014) Documents Show How Russia’s Troll Army Hit America. https://www.buzzfeednews.com/article/maxseddon/documents-show-how-russias-troll-army-hit-america
Singer PW, Brooking ET (2018) LikeWar: The Weaponization of Social Media. Eamon Dolan/Houghton Mifflin Harcourt
Snijders TAB (1996) Stochastic actor-oriented models for network change. J Math Sociol 21(1):149–172. https://doi.org/10.1080/0022250X.1996.9990178
Snijders TAB, van de Bunt GG, Steglich CEG (2010) Introduction to stochastic actor-based models for network dynamics. Soc Netw 32(1):44–60. https://doi.org/10.1016/j.socnet.2009.02.004
Soshnikov A (2015) The capital of political trolling. https://mr-7.ru/articles/112478/
Spruds A (2015) Internet Trolling as a hybrid warfare tool: the case of Latvia. Tech. rep., NATO Strategic Communications Center of Excellence, Riga, Latvia. https://www.stratcomcoe.org/internet-trolling-hybrid-warfare-tool-case-latvia-0
Sviridova A (2019) Vectors of the development of military strategy. Red Star. http://redstar.ru/vektory-razvitiya-voennoj-strategii/
Thomas T (2004) Russia’s reflexive control theory and the military. J Slavic Mil Stud 17(2):237–256. https://doi.org/10.1080/13518040490450529
Waltzman R (2017) SASC testimony: the weaponization of information. https://www.rand.org/pubs/testimonies/CT473.html
Whitehead AN (1979) Process and reality, 2nd edn. Free Press, New York
Zenko M (2015) Red team: how to succeed by thinking like the enemy, 1st edn. Basic Books, New York
Acknowledgements
The authors are grateful to Texas A&M University and the Texas A&M Cyber Security Center. Prof. James Caverlee and John Romero were particularly helpful. Prof. Caverlee provided access to the dataset used in this study, and John Romeo authorized More Cowbell Unlimited’s participation in the study. The authors are also grateful to the Texas A&M cadets who used our cloud SaaS software and provided valuable feedback regarding presentation of results and functionality. We appreciate the Air Force Research Laboratory (AFRL) for funding mentoring opportunities such as the Cyber Spectrum Collaborative Research Environment (C-SCoRE) program, which helps cadets develop operational skills that will be instrumental in combating cyber and electronic warfare in the interest of national security. And, finally, we are grateful to the Georgia Tech Research Institute (GTRI) for disseminating the C-SCoRE opportunity.
Author information
Authors and Affiliations
Corresponding author
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
About this article
Cite this article
Bicknell, J.W., Krebs, W.G. Detecting botnet signals using process mining. Comput Math Organ Theory 27, 161–178 (2021). https://doi.org/10.1007/s10588-020-09320-x
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10588-020-09320-x