The deep implementation of social media in daily life is huge, and its advantage is that the participants of communication can quickly express their opinions to a large audience and share media files. Nowadays, social networks play not only the role of a means of communication, but also a tool for information dissemination. One of the obvious problems of information security in modern society is the spread of malicious information. Terrorist and criminal groups are increasingly using the means of information influence, developing strategies to expand their influence and attract new supporters through social networks. Therefore, one of the key elements of information security is to control, analyze and actively counteract malicious information in social networks. The concept of "malicious information" is considered by experts from various sciences, but no consensus has yet been reached.
Currently, the problem of combating malicious information has an insufficient number of scientific and technical solutions. The known means of detecting and counteracting malicious information in social networks do not meet the requirements for speed, completeness, accuracy and adequacy of decisions. This is due to several reasons, including the division of systems into two independent modules (Figure 1): monitoring and counteraction.
In between these modules is the operator, which plays a central role. In addition, social networks have a complex structure and contain many different messages, which is often not taken into account when defining countermeasure targets, such as message type, message source and other parameters. It is important to note that huge volumes of messages need to be processed in real time and targets for countermeasures need to be identified quickly. Manually, a countermeasure operator cannot completely stop the spread of malicious information.
Figure 1: System modules for detecting and countering malicious information on a social network Consequently, the main problem in combating malicious information in social networks is directly related to the current trends in the development of the information sphere, namely: (1) increasing the volume of messages containing malicious information; (2) increasing the speed of malicious information dissemination; (3) increasing the speed of message replication; (4) increasing the speed of new sources of information dissemination in social networks; (5) increasing the number of ways to attract the attention of the audience; (6) increasing the level of heterogeneity; (7) increasing the number of ways to attract the audience's attention; and ( 8) increasing the level of information dissemination in social networks. This requires improved effectiveness in combating malicious information on social networks, including more rapid and well-founded countermeasures.
Thus, the task that this study addresses -developing models, algorithms and methods to combat malicious information in social networks -is highly relevant.
The goal of this work is to increase the effectiveness of countering malicious information in social networks by analyzing the sources of malicious information and automating the process of selecting countermeasures.
The theoretical significance of this work lies in its contribution to the development of information security theory and methodology. The proposed approach makes it possible to define scientifically sound requirements for solving problems related to analyzing the sources of malicious information in social networks and counteracting both the message itself and its source. In addition, the developed models, algorithms, methodology and architecture can be included in the operator's decision support system to combat malicious information.
The emergence of online social networking platforms has completely transformed how students interact with information and one another. With the internet's ascent and the interactive nature of online spaces, a global phenomenon known as social networking has emerged. This encompasses a wide array of activities, ranging from the creation of virtual communities to casual conversations and blogging. A study [1] explores the extensive utilization of Social Networking Sites and their influence, particularly on student. The primary objective of the research [2] was to explore the dynamics of knowledge sharing within academic social networks among university students. The results of the study revealed a notable correlation between perceived personal outcome expectations, perceived social expectations, and knowledge sharing among students.
As social media usage escalates, individuals using these platforms become increasingly susceptible to their negative impacts. Detecting cyberbullying on social media platforms poses a significant challenge, particularly due to the constant evolution of slang. Nonetheless, in the paper [3] proposes a practical solution-an application designed to identify cyberbullying across various social media platforms, leveraging data from Twitter and Wikipedia. The paper utilizes Deep Learning techniques to accomplish this task effectively.
In the study [4], two prevalent algorithms for network community detection were examined: Agglomerative Hierarchical Clustering and the Louvain Method. The research delved into their Operator Monitoring Opposition mechanisms, investigating and contrasting their implementation nuances and the outcomes of their clustering behavior on a standardized dataset. Advancements in technology have resulted in the accumulation of vast amounts of data from diverse sources, such as biological and social networking data. Consequently, there has been significant interest in social network analysis, given the abundance of raw datasets that can be conceptualized using a network framework. The majority of these datasets can be represented as social networks, characterized by a graph structure comprising actors and their relationships. Numerous tools have been developed for social network analysis, aimed at extracting insights from these networks. In [5], an enhanced version of NetDriller is presented, incorporating new essential features, including the construction of social networks through data collected from platforms like Twitter, IEEE, and DBLP.
As machine learning techniques increasingly intersect with real-world scenarios, the application contexts for these algorithms become progressively complex. Various domains across different fields have embraced and profited from the implementation of diverse machine learning algorithms. This complexity is particularly pronounced within the realm of social networks [6].
Unfortunately, there are limited studies that have explored the integration of convolutional neural networks for automating opinion discretization. In their paper [7], the authors introduce a novel distributed architecture aimed at addressing the challenge of opinion classification mining. With experimental results yielding high accuracy (72.99% ± 3.64), it can be inferred that implementing the authors' proposed distributed framework for opinion discretization on Facebook is indeed viable.
The study outlined in reference [8,9] explores primary categories of social networks and their respective analytical methodologies. It delves into various types of connections and scrutinizes issues pertaining to ties within social networks. Additionally, it investigates and confirms the correlation between graph theory principles and the analysis of social networks.
Social networks have experienced significant success in facilitating online social interaction. However, malicious users exploit these platforms to disseminate rumors. Recent studies indicate that integrating social applications can enhance efficiency. Regrettably, new security challenges arise as malicious users exploit this integration to spread rumors across multiple social networks. In paper [10], which addresses cross propagation in multilayer social networks, the S2IR2 model is introduced to analyze the dynamics of rumor spreading.
The research [11] examines several network metrics, including modularity-based algorithms for community detection and dsynamics within and between groups. Additionally, it explores network measures such as Degree centrality, betweenness centrality, closeness centrality, authority, and hub, which could correspond to essential leadership qualities such as influence, attentiveness, communication, adaptability, dissemination of information, and social adeptness.
Social network analysis proves to be a valuable tool in addressing challenges such as money laundering, identity theft, network fraud, cyberattacks, and similar issues. Numerous researchers have dedicated their efforts to investigating the dynamics of social networks [12][13]. The works [14][15] is dedicated to exploring methods for detecting and combating malicious accounts and spammers within online social networks. The paper [16] explores countering misinformation campaigns on social media using social network analysis, addressing challenges in identifying and attributing campaigns, tracing information flows, and understanding spheres of influence, ultimately proposing tactical approaches for mitigation.
Based on the conducted research, a set of functional and non-functional properties of countermeasures against malicious information in social networks and requirements for countermeasures methodology are identified.
The following properties of countering malicious information in a social network are highlighted:
• Responsiveness -the time it takes to counter malicious information on social media; • validity -a set of considered parameters for the selected objects of influence and countermeasures in the process of counteraction; • resource consumption -the probability that the amount of resources used will not exceed an acceptable value. The input and output parameters for the study were determined. Given:
DATASET ⊆ {messages, sources},
where 𝑚𝑒𝑠𝑠𝑎𝑔𝑒𝑠 -is the set of messages containing malicious information, 𝑠𝑜𝑢𝑟𝑐𝑒𝑠 -is the set of sources of these messages. MESSAGE = < messageURL, source, activity, messageType >, (2) where 𝑚𝑒𝑠𝑠𝑎𝑔𝑒𝑈𝑅𝐿 is the address of the post on the social network, 𝑠𝑜𝑢𝑟𝑐𝑒 is the source of the post, 𝑚𝑒𝑠𝑠𝑎𝑔𝑒𝑇𝑦𝑝𝑒 is the post type (post, comment, or reply to a comment), and 𝑎𝑐𝑡𝑖𝑣𝑖𝑡𝑦𝑦 is the characteristics of the post.
where 𝑠𝑜𝑢𝑟𝑐𝑒𝐼𝐷 is the source's unique identifier, 𝑠𝑜𝑢𝑟𝑐𝑒𝑈𝑅𝐿 is the source's social media address.
ACTIVITY =< countLike, countRepost, countView, countComment >, (4) where 𝑐𝑜𝑢𝑛𝑡𝐿𝑖𝑘𝑒 is the number of "like" marks, 𝑐𝑜𝑢𝑛𝑡𝑅𝑒𝑝𝑜𝑠𝑡 is the number of "reposts" (copies with a link to the source), 𝑐𝑜𝑢𝑛𝑡𝑉𝑖𝑒𝑤 is the number of views, and 𝑐𝑜𝑢𝑛𝑡𝐶𝑜𝑚𝑚𝑒𝑛𝑡 is the number of comments.
Required Finding:
where 𝑚𝑒𝑠𝑠𝑎𝑔𝑒𝑠_𝑚𝑎𝑥 is the set of messages (𝑚𝑒𝑠𝑠𝑎𝑔𝑒𝑠) that will have the highest 𝑎𝑐𝑡𝑖𝑣𝑖𝑡𝑦 characteristics compared to other messages in the set 𝑚𝑒𝑠𝑠𝑎𝑔𝑒𝑠, and 𝑠𝑜𝑢𝑟𝑐𝑒𝑠_𝑚𝑎𝑥 is the set of sources (𝑠𝑜𝑢𝑟𝑐𝑒𝑠) that are associated with the maximum number of messages (𝑚𝑒𝑠𝑠𝑎𝑔𝑒𝑠) in the set 𝑚𝑒𝑠𝑠𝑎𝑔𝑒𝑠_𝑚𝑎𝑥.
The objective of the study is to develop: 1. malicious information models based on the social network model and source.; 2. a set of algorithms for analyzing sources of malicious information in social networks and ranking countermeasures. 3. techniques for countering malicious information on social media; 4. architecture and software prototypes of the components of a system for countering malicious information in social networks. The aim of the research is to improve the effectiveness of countering malicious information in social networks. In this paper, the effectiveness indicator is defined through the indicator of validity, as well as considering the requirements for efficiency and resource consumption.
Based on the models of social network and malicious information source, a theoreticalmultiple model of malicious information in a social network is developed, which includes such basic elements as:
• information object 𝐼𝑂 (from English information object),
𝑖𝑜 ∈ 𝑀𝐼𝑂𝑖 ⇔ ∃ 𝑇𝑜𝑘𝑒𝑛 𝑚𝑖𝑜 𝑖 : 𝑐ℎ𝑒𝑐𝑘𝐹𝑒𝑎𝑡𝑢𝑟𝑒 (𝑖𝑜, 𝑡) = 𝑇𝑟𝑢𝑒, where 𝐼𝑂 -is a set of information objects, 𝑖𝑜1 -is a single information object, 𝑇 -is a set of all possible attributes of an information threat, 𝑡𝑛 -is a single attribute, 𝑀𝐼𝑂 -is a set of malicious information (a set of malicious information objects), 𝑀𝐼𝑂𝑖 -is a separate class of malicious information, 𝑇𝑜𝑘𝑒𝑛 𝑚𝑖𝑜 𝑖 -a set of attributes characterizing 𝑀𝐼𝑂.
To form a set of attributes of malicious information, consider an information and attribute model that includes the following elements:
1. information threat -specified by the countermeasure system operator; 2. malicious information in the social network -specified by the countermeasure system operator by forming a set of keywords; 3. information features forming the set of all possible features. The developed set of models of social network, source and malicious information contains new classes and attributes of objects, new relations between them, and also allows to form requirements to algorithms for analyzing and evaluating sources and choosing countermeasures.
The set of algorithms for analyzing malicious information sources and ranking countermeasures (Fig. 1) consists of:
1. an algorithm for ranking sources by potential, 2. of the source estimation algorithm, 3. an algorithm for sorting the objects of influence, 4. a ranking algorithm for countermeasures. The formal notation of the complex of source analysis and countermeasure ranking is as follows:
where: 𝑆 -source, 𝐶 -countermeasure, 𝑓1(𝑆) -source potential index (𝐼 𝑝 𝑆 ) is equal to 0, 1, 2 depending on the number of messages in the analyzed dataset belonging to the source. It is calculated using the "source potential ranking algorithm". 𝑓2(𝑆)-source influence index (𝐼 𝑖 𝑆 ), whose value is between 0 and 2. The calculation of the inferentiality index follows the "source evaluation algorithm". 𝑓3(𝑆) is the priority of the source (𝐼 𝑝𝑟 𝑆 ) as an influence object in the analyzed dataset. The "impact object sorting algorithm" is applied to obtain the value. 𝑓(𝐶)ranked countermeasures based on their complexity. The ranking is done according to the countermeasure ranking algorithm.
At the output of the set of algorithms, lists of target-countermeasure pairs are generated, with the following rules for selecting objects of influence as targets (𝑡𝑎𝑟𝑔𝑒𝑡):
where 𝑇𝐴𝑅𝐺𝐸𝑇 is the set of objects of influence. The developed set of algorithms for analyzing sources of malicious information and ranking countermeasures differs from existing analogues by taking into account such attributes as source potential, user activity on the source page, and the number of views of messages with malicious information. The algorithm for ranking countermeasures differs from analogs by taking into account coefficients and complexity levels for each countermeasure. At the same time, the developed set of algorithms allows to form the requirements to the methodology of counteraction to malicious information and is the basis for the counteraction system.
Let's consider the methodology of countering malicious information in a social network. The methodology for countering malicious information in a social network consists of two stages: (1) the customization stage and (2) the exploitation stage. The operation stage of the technique consists of 3 steps and is presented in Figure 2. At the same time, the customization stage of the technique consists of two steps:
Step 1. "Query system customization", in which the operator defines information threats and their attributes, and the countermeasure system generates and stores lists of threats and their attributes.
Step 2. "Countermeasure ranking", in which the operator selects available implementation agents, and the system generates and saves lists of available implementation agents.
Next, the operator selects the available countermeasures, the system generates a list of countermeasures and selects the complexity coefficients of countermeasures based on expert judgment, then the system generates and saves the list of ranked countermeasures.
The outputs of the methodology are: 1. possible information threats, attributes, countermeasures and their coefficients, available agents of countermeasure realization; 2. different parameters of impact objects, according to which the operator distributes his attention and the order of decision making on countermeasures; 3. formed target-countermeasure pairs to counter malicious information in social networks through available realization agents. The developed methodology differs from the known ones by using the author's algorithms for analyzing sources and ranking countermeasures, which increases the validity of decision making about countering the target and choosing a countermeasure and reduces the operator's work time in the process of countering malicious information in the social network.
Starting a request to collect information
Social network
External systems
Actions of the countermeasures system Actions of operator
Sorting of impact objects
The architecture and software prototypes of the components of the anti-malware system are presented in Figure 3. 1. a software prototype of a social network source analysis and evaluation component that includes a source ranking algorithm, a source evaluation algorithm, and an impact object sorting algorithm; 2. a software prototype of a countermeasure selection component that includes a countermeasure ranking algorithm, an expert judgment algorithm for generating coefficients; 3. a software prototype of the Information Threat and Countermeasure Database (DBITandC), which contains information on countermeasures against malicious information in the social network, the types of information objects to which countermeasures may be applicable, and the implementation agents through which countermeasures may be implemented.
The experimental evaluation was carried out in several stages. First, the developed software prototypes and components were evaluated, then the operator's work time when countering malicious information without using a technique, and the operator's work time using a technique, were experimentally assessed. Resource consumption was assessed based on the data obtained in the two previous stages.
For experimental evaluation, data from the social network were collected, time measurements of the complex algorithms of source analysis and countermeasure ranking were made, CPU and RAM load indicators were obtained.
The information threat was chosen the dataset that contained to one of 19 categories: Adult English, Beer, Casino, Cigarette, Cigars, Cults, Dating, Religious, Marijuana, Occults, Prescription drugs, Racist groups, Religion, Spirits, Sport betting, Violence, Wine, Weapon, Other.
15,132 messages were collected from social networks, including posts, comments, and replies to comments. For each message, information was collected on the number of likes, comments, reposts, views, and information with the name of the source was obtained (Fig. 5). The data was obtained in csv format and converted into an excel workbook. Next, the large data set was divided into 10 small sets of 1000 messages each. Each small set was analyzed and ranked using a software prototype component for analysis and evaluation of sources in social networks, the following results and characteristics were obtained (Table 1, Table 2). In the Target1 column, Source is recommended as the object of influence and shows the number of sources with high priority for counteraction, which own 334 messages out of 1000 for 1 data set, 360 messages out of 1000 for the second, etc. The Target2 column shows the number of messages that have medium priority and require additional evaluation by the operator. 118 Column Target3 recommends MessageURL as the target and shows the number of such low priority messages for each set. Thus, the sequence of the operator's work according to the results obtained is as follows (for the 1st data set): 1) the operator needs to agree on 11 objects of influence (sources) with high priority to counter them; 2) the operator needs to analyze 96 objects of influence, taking into account all characteristics (number of comments, likes, views, reposts, activity index, viewability index, potential, influence index); 3) check 570 targets last, due to their low priority for counteraction. An experimental evaluation of a set of algorithms showed the efficiency of the approach to analyzing and sorting objects of influence. Next, an experimental evaluation of the countermeasure ranking algorithm was carried out. At the beginning, a list of countermeasures dependent on implementation agents was compiled. Then 10 experts were invited to participate in the experiment and were sent a voting questionnaire completed in the Google Forms service.
At the first stage of voting, experts assessed the possibility of using countermeasures to counter malicious information on social networks. Then a summary table was sent to the experts for the next vote, in which for each specified value the experts gave difficulty ratings from 1 to 10.
The following results were obtained at the output (Table 3, 10 lines out of 35). As a result of the experiment, countermeasures were ranked taking into account the coefficients and levels of complexity for each countermeasure.
For experimental evaluation, data from the social network were collected, time measurements of the complex algorithms of source analysis and countermeasure ranking were made, CPU and RAM load indicators were obtained. Further, research and experiments were conducted to form the initial data, it was found out that the most costly process in terms of operability is the operator work time at the stage of setting up the methodology at the 1st, 4th step at the stage of operation of the methodology. To evaluate the indicator of operator's work time to make a decision on counteraction with and without the methodology, experiments were conducted, in which 10 experts participated. According to the results of the experimental evaluation of operability, the probability of performing the technique in a given time was calculated, which is 𝑃 operability (𝑇 𝑚 ≤ 𝑇 𝑎𝑑𝑑𝑖𝑡𝑖𝑜𝑛𝑎𝑙 ) = 0,9942, which meets the requirements (𝑃 operability acceptable = 0.99) for responsiveness.
Resource consumption was assessed using a number of specific indicators typical for step 2 of the operation phase of the social network anti-malware technique. CPU load, RAM utilization, and operator work time were considered. It is shown that the resource utilization estimate meets the requirements 𝑃 res (𝑟 ≤ 𝑅 acceptable ) ≥ 𝑃 res acceptable , where 𝑃res is the probability that the resources 𝑟, spent on countering malicious information according to the methodology do not exceed the acceptable value 𝑅 acceptable = 75%, 𝑃 res acceptable is the acceptable probability value.
As part of the theoretical evaluation, the validity indicators for the developed methodology were compared with analogs, such as the solutions of Zerofox, ESET, Ithreat Cyber Group Inc. and others. It is shown that the developed methodology considers a larger number of parameters for the selected objects of influence and countermeasures in the course of countering malicious information in the social network, while meeting the requirements for other properties. Compared to analogs, the number of parameters taken into account when using the technique is larger, such that 𝑁 𝑝𝑎𝑟𝑎𝑚
A comparative analysis of the developed methodology with known methods in terms of the functionalities used, such as:
• A -possibility to form tasks of message collection and analysis for the monitoring system; • B -the ability to customize the available countermeasures in the system; • B-the ability to analyze the sources of messages in the resulting dataset; • D -possibility of ranking and sorting the objects of influence in the obtained dataset; • E -the ability to rank and sort the available countermeasures from the countermeasure database for each dataset; • G -the ability to select the target of influence for counteraction. The results are shown in Table 4 (the following designations and scores are used: "+"presence of the parameter in the work (1 point); "+/-" -partial compliance with the parameter (0.5 points); "-" -absence of the parameter (0 points).
The analysis of the results of comparing the methodology for countering malicious information in social networks with analogs allows us to draw the following conclusions. First, none of the techniques, except for the proposed one, satisfies all functional requirements at the same time. Second, all techniques allow ranking countermeasures to a greater or lesser extent. Third, the parameters of messages, sources, countermeasures are considered only in the proposed methodology and in the solution from Creopoint Inc. Fourth, the lag of the closest analogs from the proposed methodology ranges from 1.5 points to 4 points. That is, the proposed method wins over the closest analogs. Thus, the results obtained in the work allow us to assert the achievement of higher efficiency of the developed methodology compared to the known ones, which proves the realization of the final goal of the study -to increase the effectiveness of countermeasures against malicious information by analyzing the sources of malicious information and automating the choice of countermeasures.
The rise of the Internet poses a substantial risk to both personal and state data security. Consequently, the detection and mitigation of unsuitable content circulating on the worldwide web emerge as a matter of national significance.
The proposed models, algorithms, methodology and architecture, as well as their practical implementation together provide a solution to the actual scientific and technical problem of improving the effectiveness of countering the spread of malicious information in social networks. The results of the work constitute the following research outcomes:
1. A set of models of social network, source and malicious information is proposed, which differs from the existing analogs by the possibility of simultaneous consideration of the structure of information exchange in the social network, sources and malicious information.
2. A set of algorithms for analyzing malicious information sources and ranking countermeasures has been developed, which, unlike existing algorithms, takes into account connections and dependent attributes of objects in the social network, such as source potential, user activity on the page, number of message views, etc. The algorithms for ranking countermeasures take into account coefficients and complexity levels of each countermeasure. Countermeasure ranking algorithms take into account coefficients and difficulty levels for each countermeasure.
3. A methodology of countermeasures against malicious information in a social network is proposed, focused on automatic and automated selection of objects of influence and countermeasures against malicious information from a list of ranked countermeasures.
4. The architecture and program components of the system of countermeasures against malicious information are developed, which differs from existing architectures in that it supports ranking and selection of countermeasures available to the operator in the system for malicious information specified by the operator. The architecture contains original components for analyzing and evaluating the source of malicious information, a database with information on countermeasures for malicious information in social networks.
As recommendations for further development of the topic are to expand the class of algorithms for analyzing the behavior of sources and authors of messages, algorithms for analyzing the dissemination of information in a social network, integration of automatic and automated countermeasures mechanisms into existing architectures and systems.