{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,10]],"date-time":"2026-02-10T16:52:22Z","timestamp":1770742342530,"version":"3.49.0"},"reference-count":62,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2023,8,10]],"date-time":"2023-08-10T00:00:00Z","timestamp":1691625600000},"content-version":"vor","delay-in-days":221,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100000269","name":"Economic and Social Research Council","doi-asserted-by":"publisher","award":["ES\/S008853\/1"],"award-info":[{"award-number":["ES\/S008853\/1"]}],"id":[{"id":"10.13039\/501100000269","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2023,1,5]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>Propagation of malicious code on online social networks (OSNs) is often a coordinated effort by collusive groups of malicious actors hiding behind multiple online identities (or digital personas). Increased interaction in OSN has made them reliable for the efficient orchestration of cyberattacks such as phishing click bait and drive-by downloads. URL shortening enables obfuscation of such links to malicious websites and massive interaction with such embedded malicious links in OSN guarantees maximum reach. These malicious links lure users to malicious endpoints where attackers can exploit system vulnerabilities. Identifying the organized groups colluding to spread malware is non-trivial owing to the fluidity and anonymity of criminal digital personas on OSN. This paper proposes a methodology for identifying such organized groups of criminal actors working together to spread malicious links on OSN. Our approach focuses on understanding malicious users as \u2018digital criminal personas\u2019 and characteristics of their online existence. We first identify those users engaged in propagating malicious links on OSN platforms, and further develop a methodology to create a digital fingerprint for each malicious OSN account\/digital persona. We create similarity clusters of malicious actors based on these unique digital fingerprints to establish \u2018collusive\u2019 behaviour. We evaluate the ability of a cluster-based approach on OSN digital fingerprinting to identify collusive behaviour in OSN by estimating within-cluster similarity measures and testing it on a ground-truth dataset of five known colluding groups on Twitter. Our results show that our digital fingerprints can identify 90% of cyber personas engaged in collusive behaviour and 75% of collusion in a given sample set.<\/jats:p>","DOI":"10.1093\/cybsec\/tyad014","type":"journal-article","created":{"date-parts":[[2023,8,10]],"date-time":"2023-08-10T13:49:16Z","timestamp":1691675356000},"source":"Crossref","is-referenced-by-count":4,"title":["Digital fingerprinting for identifying malicious collusive groups on Twitter"],"prefix":"10.1093","volume":"9","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-1700-293X","authenticated-orcid":false,"given":"Ruth","family":"Ikwu","sequence":"first","affiliation":[{"name":"School of Social Sciences, Cardiff University , Cardiff CF10 3WT , UK"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Luca","family":"Giommoni","sequence":"additional","affiliation":[{"name":"School of Social Sciences, Cardiff University , Cardiff CF10 3WT , UK"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Amir","family":"Javed","sequence":"additional","affiliation":[{"name":"School of Computer Science and Informatics, Cardiff University , CF24 4AG , UK"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Pete","family":"Burnap","sequence":"additional","affiliation":[{"name":"School of Computer Science and Informatics, Cardiff University , CF24 4AG , UK"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Matthew","family":"Williams","sequence":"additional","affiliation":[{"name":"School of Social Sciences, Cardiff University , Cardiff CF10 3WT , UK"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"286","published-online":{"date-parts":[[2023,8,10]]},"reference":[{"key":"2023081012295235700_bib1","first-page":"2133","article-title":"Automated crime tweets classification and geo-location prediction using big data framework","volume":"12","author":"Santhiya","year":"2021","journal-title":"Turkish Journal of Computer and Mathematics Education (TURCOMAT)"},{"key":"2023081012295235700_bib2","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1007\/s13278-022-00944-2","article-title":"Disrupting drive-by download networks on Twitter","volume":"12","author":"Javed","year":"2022","journal-title":"Soc Netw Anal Min"},{"key":"2023081012295235700_bib3","doi-asserted-by":"crossref","first-page":"54","DOI":"10.1109\/MC.2013.68","article-title":"Who am I? Analyzing digital personas in cybercrime investigations","volume":"46","author":"Rashid","year":"2013","journal-title":"Computer"},{"key":"2023081012295235700_bib4","volume-title":"The Mueller Report: The Final Report of the Special Counsel into Donald Trump, Russia, and Collusion Simon and Schuster","author":"Mueller","year":"2019"},{"key":"2023081012295235700_bib5","doi-asserted-by":"crossref","first-page":"857","DOI":"10.1145\/3038912.3052677","article-title":"An army of me: Sockpuppets in online discussion communities","volume-title":"Proceedings of the 26th International Conference on World Wide Web","author":"Kumar","year":"2017"},{"key":"2023081012295235700_bib6","doi-asserted-by":"crossref","first-page":"195","DOI":"10.1109\/SRDS.2013.28","article-title":"Analysis of malware propagation in Twitter","volume-title":"2013 IEEE 32nd International Symposium on Reliable Distributed Systems","author":"Sanzgiri","year":"2013"},{"key":"2023081012295235700_bib7","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1109\/eCrime.2012.6489521","article-title":"PhishAri: automatic realtime phishing detection on Twitter","volume-title":"2012 eCrime Researchers Summit","author":"Aggarwal","year":"2012"},{"key":"2023081012295235700_bib8","first-page":"259","article-title":"Identity theft in cyberspace: crime control methods and their effectiveness in combating phishing attacks","volume":"20","author":"Lynch","year":"2005","journal-title":"Berkeley Tech LJ"},{"key":"2023081012295235700_bib9","doi-asserted-by":"crossref","first-page":"837","DOI":"10.2307\/2095954","article-title":"The social organization of conspiracy: illegal networks in the heavy electrical equipment industry","volume":"58","author":"Baker","year":"1993","journal-title":"Am Sociol Rev"},{"key":"2023081012295235700_bib10","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3408894","article-title":"Emotions behind drive-by download propagation on Twitter","volume":"14","author":"Javed","year":"2020","journal-title":"ACM Trans Web (TWEB)"},{"key":"2023081012295235700_bib11","first-page":"250","article-title":"Click traffic analysis of short URL spam on Twitter","volume-title":"9th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing","author":"Wang","year":"2013"},{"key":"2023081012295235700_bib12","first-page":"2016","article-title":"Characterizing cyberspace: past, present and future","volume-title":"MIT CSAIL, Version","author":"Clark","year":"2010"},{"key":"2023081012295235700_bib13","doi-asserted-by":"crossref","first-page":"801","DOI":"10.1093\/ia\/iiz101","article-title":"A power for the future? Global Britain and the future character of conflict","volume":"95","author":"Uttley","year":"2019","journal-title":"Int Aff"},{"key":"2023081012295235700_bib14","article-title":"Cyberspace and Governance - A Primer","author":"Klimburg","year":"2012"},{"key":"2023081012295235700_bib15","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1109\/ECRIME.2016.7487943","article-title":"Profiling underground merchants based on network behavior","volume-title":"2016 APWG Symposium on Electronic Crime Research (eCrime)","author":"Sundaresan","year":"2016"},{"key":"2023081012295235700_bib16","first-page":"207","article-title":"Characterizing eve: Analysing cybercrime actors in a large underground forum","volume-title":"21st International Symposium, RAID 2018","author":"Pastrana","year":"2018"},{"key":"2023081012295235700_bib17","first-page":"15","article-title":"Clustering of Twitter networks based on users\u2019 structural profile","volume-title":"Pattern Recognition. MCPR 2022","author":"Flores-Garrido","year":"2022"},{"key":"2023081012295235700_bib18","article-title":"Social Network Analysis","author":"Knoke","year":"2019"},{"key":"2023081012295235700_bib19","doi-asserted-by":"crossref","first-page":"8","DOI":"10.1109\/MALWARE.2009.5403023","article-title":"Malware propagation in online social networks","volume-title":"2009 4th International Conference on Malicious and Unwanted Software (MALWARE)","author":"Faghani","year":"2009"},{"key":"2023081012295235700_bib20","first-page":"102","article-title":"Detecting and analyzing automated activity on Twitter","volume-title":"Passive and Active Measurement. PAM 2011","author":"Zhang","year":"2011"},{"key":"2023081012295235700_bib21","article-title":"Bots in the Twittersphere","author":"Wojcik","year":"2018"},{"key":"2023081012295235700_bib22","doi-asserted-by":"crossref","first-page":"4802","DOI":"10.1007\/s11227-018-2641-x","article-title":"Twitter spam account detection based on clustering and classification methods","volume":"76","author":"Adewole","year":"2020","journal-title":"J Supercomput"},{"key":"2023081012295235700_bib23","doi-asserted-by":"crossref","first-page":"14","DOI":"10.1007\/978-3-319-47874-6_2","article-title":"Identifying correlated bots in Twitter","volume-title":"International Conference on Social Informatics","author":"Chavoshi","year":"2016"},{"key":"2023081012295235700_bib24","doi-asserted-by":"crossref","first-page":"242","DOI":"10.1109\/ASONAM.2018.8508801","article-title":"Retweet us, we will retweet you: spotting collusive retweeters involved in blackmarket services","volume-title":"2018 IEEE\/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM)","author":"Dutta","year":"2018"},{"key":"2023081012295235700_bib25","doi-asserted-by":"crossref","first-page":"1935","DOI":"10.1109\/TIFS.2019.2953331","article-title":"Blackmarket-driven collusion among retweeters\u2013analysis, detection, and characterization","volume":"15","author":"Dutta","year":"2019","journal-title":"IEEE Trans Inf Forensics and Secur"},{"key":"2023081012295235700_bib26","doi-asserted-by":"crossref","first-page":"41","DOI":"10.1016\/j.jnca.2016.11.030","article-title":"Malicious accounts: dark of the social networks","volume":"79","author":"Adewole","year":"2017","journal-title":"J Netw Comput Appl"},{"key":"2023081012295235700_bib27","article-title":"Python requests essentials","author":"Chandra","year":"2015"},{"key":"2023081012295235700_bib28","doi-asserted-by":"crossref","first-page":"20","DOI":"10.1007\/978-3-642-16161-2_2","article-title":"Analyzing and exploiting network behaviors of malware","volume-title":"Security and Privacy in Communication Networks: 6th Iternational ICST Conference, SecureComm 2010","author":"Morales","year":"2010"},{"key":"2023081012295235700_bib29","article-title":"Security and privacy implications of URL shortening services","volume-title":"Proceedings of the Workshop on Web 2.0 Security and Privacy","author":"Neumann","year":"2010"},{"key":"2023081012295235700_bib30","doi-asserted-by":"crossref","first-page":"699","DOI":"10.1007\/s00521-016-2374-9","article-title":"Malicious URL detection via spherical classification","volume":"28","author":"Astorino","year":"2017","journal-title":"Neural Comput Appl"},{"key":"2023081012295235700_bib31","first-page":"1","article-title":"Malicious URL detection using machine learning: a survey","volume-title":"arXiv:1701.07179","author":"Sahoo","year":"2017"},{"key":"2023081012295235700_bib32","first-page":"971","article-title":"URLDeep : continuous prediction of malicious URL with dynamic deep learning in social networks","volume":"21","author":"Wanda","year":"2019","journal-title":"Int J Netw Secur"},{"key":"2023081012295235700_bib33","article-title":"Conspiracy (Drives Us Together)","volume-title":"We are anonymous","author":"Olson","year":"2013"},{"key":"2023081012295235700_bib34","first-page":"66","article-title":"Spammers are becoming \u201cSmarter\u201d on Twitter","volume-title":"IT Professional","author":"Chen","year":"2016"},{"key":"2023081012295235700_bib35","article-title":"Social media as a vector for cyber crime","author":"Ackerman","year":"2015"},{"key":"2023081012295235700_bib36","first-page":"494","article-title":"Mapping networks of influence: tracking Twitter conversations through time and space","volume":"12","author":"Willis","year":"2015","journal-title":"Journal of Audience & Reception Studies"},{"key":"2023081012295235700_bib37","doi-asserted-by":"crossref","first-page":"675","DOI":"10.1145\/1963405.1963500","article-title":"Information credibility on Twitter","volume-title":"Proceedings of the 20th International Conference on World Wide Web","author":"Castillo","year":"2011"},{"key":"2023081012295235700_bib38","doi-asserted-by":"crossref","first-page":"38","DOI":"10.1109\/EISIC.2013.13","article-title":"Probability analysis of cyber attack paths against business and commercial enterprise systems","volume-title":"Proceedings - 2013 European Intelligence and Security Informatics Conference, EISIC 2013","author":"Dudorov","year":"2013"},{"key":"2023081012295235700_bib39","first-page":"154","article-title":"Facebook profiles clustering","volume-title":"6th International Conference on Information Society and Technology ICIST","author":"Arsic","year":"2016"},{"key":"2023081012295235700_bib40","article-title":"Neural machine translation by jointly learning to align and translate","author":"Bahdanau","year":"2014"},{"key":"2023081012295235700_bib41","first-page":"37","article-title":"Stylometric analysis for authorship attribution on Twitter","volume-title":"Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)","author":"Bhargava","year":"2013"},{"key":"2023081012295235700_bib42","first-page":"354","article-title":"Authorship attribution using variable length part-of-speech patterns","volume-title":"Proceedings of the 8th International Conference on Agents and Artificial Intelligence - Volume 2: ICAART","author":"Pokou","year":"2016"},{"key":"2023081012295235700_bib43","doi-asserted-by":"crossref","first-page":"1093","DOI":"10.1016\/j.asej.2014.04.011","article-title":"Sentiment analysis algorithms and applications: a survey","volume":"5","author":"Medhat","year":"2014","journal-title":"Ain Shams engineering journal"},{"key":"2023081012295235700_bib44","first-page":"171","article-title":"Part-of-speech tagging from 97% to 100%: is it time for some linguistics?","volume-title":"Processing: 12th International Conference, CICLing","author":"Manning","year":"2011"},{"key":"2023081012295235700_bib45","doi-asserted-by":"crossref","first-page":"570","DOI":"10.1016\/j.pisc.2016.06.023","article-title":"Clustering of people in social network based on textual similarity","volume":"8","author":"Singh","year":"2016","journal-title":"Perspect Sci"},{"key":"2023081012295235700_bib46","doi-asserted-by":"crossref","first-page":"412","DOI":"10.1027\/1618-3169\/a000123","article-title":"The word frequency effect","volume":"58","author":"Brysbaert","year":"2011","journal-title":"Experimental Psychology"},{"key":"2023081012295235700_bib47","doi-asserted-by":"crossref","first-page":"208","DOI":"10.3115\/v1\/S14-2033","article-title":"Coooolll: a deep learning system for Twitter sentiment classification","volume-title":"Proceedings of the 8th International Workshop on Semantic Evaluation (SemEval 2014)","author":"Tang","year":"2014"},{"key":"2023081012295235700_bib48","doi-asserted-by":"crossref","first-page":"529","DOI":"10.1177\/053901882021004003","article-title":"A psychoevolutionary theory of emotions","volume":"21","author":"Plutchik","year":"1982","journal-title":"Soc Sci Inf"},{"key":"2023081012295235700_bib49","doi-asserted-by":"crossref","first-page":"433","DOI":"10.1109\/TAFFC.2018.2807817","article-title":"Emotion recognition on twitter: comparative study and training a unison model","volume":"11","author":"Colneri\u010d","year":"2018","journal-title":"IEEE Trans Affect Comput"},{"key":"2023081012295235700_bib50","doi-asserted-by":"crossref","DOI":"10.1002\/9781119205005","article-title":"Big Data Sources","volume-title":"Big Data Analytics: Turning Big Data into Big Money","author":"Ohlhorst","year":"2012"},{"key":"2023081012295235700_bib51","first-page":"79","article-title":"Emotxt: a toolkit for emotion recognition from text","volume-title":"Seventh International Conference on Affective Computing and Intelligent Interaction Workshops and Demos (ACIIW)","author":"Calefato","year":"2017"},{"key":"2023081012295235700_bib52","doi-asserted-by":"crossref","first-page":"e26752","DOI":"10.1371\/journal.pone.0026752","article-title":"Temporal patterns of happiness and information in a global social network: hedonometrics and Twitter","volume":"6","author":"Dodds","year":"2011","journal-title":"PLoS One"},{"key":"2023081012295235700_bib53","doi-asserted-by":"crossref","first-page":"68","DOI":"10.1016\/j.kint.2020.07.035","article-title":"A practical guide to multiple imputation of missing data in nephrology","volume":"99","author":"Blazek","year":"2021","journal-title":"Kidney Int"},{"key":"2023081012295235700_bib54","doi-asserted-by":"crossref","first-page":"472","DOI":"10.1080\/1540496X.2020.1825935","article-title":"Missing data preprocessing in credit classification: one-hot encoding or imputation?","volume":"58","author":"Yu","year":"2022","journal-title":"Emerg Mark Finance Trade"},{"key":"2023081012295235700_bib55","volume-title":"Multivariate Data Analysis: An Overview","author":"Hair","year":"2009"},{"key":"2023081012295235700_bib56","first-page":"90","article-title":"Review on determining number of cluster in k-means clustering","volume":"1","author":"Kodinariya","year":"2013","journal-title":"Int J"},{"key":"2023081012295235700_bib57","doi-asserted-by":"crossref","first-page":"1529","DOI":"10.1007\/s10462-019-09712-9","article-title":"A review of alignment based similarity measures for web usage mining","volume":"53","author":"Luu","year":"2020","journal-title":"Artif Intell Rev"},{"key":"2023081012295235700_bib58","first-page":"1","article-title":"Semantic cosine similarity","volume-title":"The 7th international student conference on advanced science and technology ICAST, Vol. 4","author":"Rahutomo","year":"2012"},{"key":"2023081012295235700_bib59","volume-title":"Complete Guide to Shodan","author":"Matherly","year":"2015"},{"key":"2023081012295235700_bib60","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3407023.3409181","article-title":"Cyberspace threats: not only hackers and criminals. Raising the awareness of selected unusual cyberspace actors\u2013cybersecurity researchers\u2019 perspective","volume-title":"15th International Conference on Availability, Reliability and Security","author":"Pawlicka","year":"2020"},{"key":"2023081012295235700_bib61","doi-asserted-by":"crossref","first-page":"239","DOI":"10.1145\/2757401.2757408","article-title":"Tweeting propaganda, radicalization and recruitment: Islamic state supporters multi-sided twitter networks","volume-title":"16th Annual International Conference on Digital Government Research","author":"Chatfield","year":"2015"},{"key":"2023081012295235700_bib62","first-page":"21","article-title":"Detection of terrorism-related twitter communities using centrality scores","volume-title":"Proceedings\u00a0of\u00a0the\u00a02nd\u00a0International\u00a0Workshop\u00a0on\u00a0Multimedia\u00a0Forensics\u00a0and\u00a0Security","author":"Gialampoukidis","year":"2017"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/9\/1\/tyad014\/51084262\/tyad014.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/9\/1\/tyad014\/51084262\/tyad014.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,8,10]],"date-time":"2023-08-10T13:50:06Z","timestamp":1691675406000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyad014\/7240368"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,1,1]]},"references-count":62,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2023,1,5]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyad014","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2023,1,1]]},"published":{"date-parts":[[2023,1,1]]},"article-number":"tyad014"}}