All content in this area was uploaded by Maxim Kolomeets on May 13, 2023
Technique for investigating attacks on a
company’s reputation on a social media platform
Maxim Kolomeets[0000-0002-7873-2733], Andrey Chechulin[0000-0001-7056-6972],
and Lidia Vitkova[0000-0002-4945-6151]
St. Petersburg Federal Research Center of the Russian Academy of Science,
St. Petersburg, 18th line of V.O., 39, Russia
{kolomeec,chechulin,vitkova}@comsec.spb.ru
Abstract. In this paper, we present a technique for investigating attacks
on a company's reputation on a social media platform as part of the
arsenal of digital forensics investigators. The technique consists of
several methods, including (1) identifying the attack based on sentiment
analysis, (2) identifying the actors of the attack, (3) determining the
attack's impact, and (4) determining core actors to identify the strategy
of the attacker, including (4a) usage of bots, (4b) attempts at conflict
initiation, (4c) competitor promotion, (4d) uncoordinated user attack.
We also present an evaluation of this technique on a real investigation
use case, in which we investigate an attack on a retail company X that
occurred after the company changed its policy on COVID-19 QR codes for
its visitors.
Keywords: Digital forensics · social media attacks · disinformation ·
social media bots · conflict initiation · competitor promotion.
1 Introduction
Social networks have become a convenient tool for establishing feedback and
communication between commercial companies, non-profit organizations,
activists, civil society, governments, and other actors. For that reason, social
platforms have become very attractive to attackers, who can try to manipulate
opinion, spread misinformation, rumors, and conspiracy theories, create a fake
reputation, commit fraud, and even suppress political competitors. Therefore,
attacks on social media platforms and interference in social relations are among
the fastest-growing attack vectors in information security.
In this paper, we propose a technique for investigating attacks on a
company's reputation, in which an attacker creates a negative opinion about the
company among visitors of a social media platform. To do this, we use a number
of existing computer science methods to answer the questions that form the
proposed investigation pipeline: (1) is there an attack? (2) is there any
damage? (3) what was the strategy of the attacker? The scientific novelty of
the proposed method lies in uniting these investigation techniques into a
single pipeline for the purposes of real-life attack investigations.
This preprint has not undergone peer review or any post-submission improvements or
corrections. The Version of Record of this article is published in
Intelligent Distributed Computing XV, IDC 2022, and is available online at
https://doi.org/10.1007/978-3-031-29104-3_26
The scientific contribution of this paper lies in a technique that allows an
investigator to (1) determine the fact of an attack, (2) identify the actors of the
attack, (3) determine the attack's impact, and (4) determine the core actors to
identify the strategy of the attacker, including (4a) usage of bots, (4b) attempts
at conflict initiation, (4c) competitor promotion, (4d) uncoordinated user attack.
We also present a real-world example: we used the proposed technique to
investigate a case in which the company's page on the VKontakte social network
was attacked by the anti-vaccination community.
The paper has the following structure. In the 2nd section, we present related
research in the field of social media attack investigation. In the 3rd section, we
present the proposed technique. The 4th section contains the use-case evaluation.
The 5th section concludes the paper with a discussion.
2 Related research
From the point of view of information security, social network threats can be
considered in terms of the CIA triad, including:
1. Confidentiality. Attacks aimed at deceiving users through social
engineering in order to obtain their personal data. This data can be used by an
attacker for blackmail, bypassing security systems based on secret knowledge,
competitive intelligence, etc. Separately, one can single out attacks on
privacy, including the non-ethical collection of user data, which some researchers
consider part of confidentiality.
2. Integrity. Attacks aimed at deceiving users by changing social network
metrics. Such attacks include various ways to cheat on reputation (which can also
damage the reputation of competitors), creating bots that look like real
people, interfering with internet voting/polls/contests, etc.
3. Availability. Attacks aimed at disinformation and social DoS. Such
attacks include the spread of fake news to make information less
available/trusted, or attack methods in which the defense mechanisms of a social
network block the victim (for example, because of the attacker's bot
activity).
In a real-world scenario, such attacks can be multi-step and include several
components of the CIA triad at once. For example, bots are often used to spread
disinformation [5] and fake news [9] [10] (availability). But in order to efficiently
spread such information, bots need to distort the metrics of the social network
to reinforce the user’s trust (integrity).
At the same time, most of the research on attacks in social media is devoted
to creating tools that each solve one specific problem, while real-life analysis
usually requires a combination of such tools. There are many separate methods
and technologies for analyzing attacks and their impact [7] on social network
users, including sentiment analysis [11] [1] [8], fake news detection [4] [9] [10],
bot detection [2] [4] [5] and so on.
In this paper, we present a methodology that combines such different tools
to address a specific problem: the discrediting of a company in a social network.
3 Proposed methodology
We consider attacks whose main impact is damage to the company’s reputation.
The main consequence of such an attack is a bad impression about the company
among users who have visited its page on the social network.
To analyze the attack, the analyst should answer 3 questions: (1) is there an
attack? (2) is there any damage? (3) what was the strategy of the attacker? To
answer these questions, we propose a technique in the form of an investigation
pipeline. The pipeline is decomposed into the following methods:
1. Attack identification - the 1st step is to fix the moment of the attack to
determine the start time of the attack and narrow the time frame for analysis.
2. Attack actors identification - the 2nd step is to identify the accounts that
are attacking among all accounts.
3. Impact assessment - the 3rd step is to assess the impact on the reputation
of the company, which was done by attacking accounts.
4. Attack strategy identification - the last step is to determine which methods
the attacker is using, among: (a) bots usage - attackers use many fake profiles;
(b) conflict initiation attempts - the attacker uses a small number of accounts
for conflict initiation; (c) competitor promotion - the attacker uses the attack
to promote their goods or services; (d) uncoordinated user attack - many
users attack the company on the call of someone, or on their own.
3.1 Attack identification
To determine the presence of an attack, it is proposed to evaluate the dynamics
of negative content on the company page. Such an analysis can be carried out
using sentiment analysis of each message that was posted by visitors. A number
of models [8] can be used for this, such as GPT3 [11], Dostoevsky [1] and others.
These models can assess the probability that a message belongs to the "negative",
"positive", "neutral", or other classes. As we suspect that the shift in the dynamics
of negative content is unnatural and caused by an attack, it is logical to select users
who generate content with negative sentiment as a target for further analysis.
It is proposed to use the message toxicity metric $T_m$:
$$T_m = \begin{cases} -S_n(m), & \text{if } S_n(m) > S_p(m),\ m \in M \\ S_p(m), & \text{if } S_n(m) \le S_p(m),\ m \in M, \end{cases} \qquad (1)$$
where $m$ - a single message, $S_n(m)$ - negative assessment of the message
(probability that the message is negative), $S_p(m)$ - positive assessment of the
message (probability that the message is positive), and $M$ - set of messages.
As the next step, we propose to form a timeline from the $T_m$ values and calculate
the average toxicity metric $T_m$ over an N-hour window. Based on this timeline,
the expert verifies that there was a shift in the dynamics of negative content (which
can be caused by an attack and is verified in the following steps), and can choose
the time interval for further analysis. We also suggest giving the expert visual
analytics tools (as shown in the experiments section, in Figure 1) to simplify this
process.
Fig. 1. Timeline of message toxicity $T_m$.
3.2 Attack actors identification
In order to identify potential attackers that post negative messages, it is proposed
to determine the summary toxicity metric for a user's account, $T_u$. Since positive
messages have a toxicity metric $T_m > 0$, and negative ones $T_m < 0$, the toxicity
metric for each account is calculated as the sum of the toxicity of the account's
messages. A toxic account is defined as an account that has a more negative
impact, and a non-toxic user is a user who has a more positive impact. Therefore:
$$T_u = \sum_{i=1}^{N_u} T_{m_i}, \qquad U_{toxic} = \{u \mid T_u < 0\}, \qquad U_{!toxic} = \{u \mid T_u > 0\}, \qquad (2)$$
where $u$ - user's account, $N_u$ - number of messages for the user, $U_{toxic}$ - set
of toxic accounts, $U_{!toxic}$ - set of non-toxic accounts.
3.3 Assess impact
We assess impact with the following measures:
1. Metric of the number of accounts for toxic ($N_{toxic}$) and non-toxic ($N_{!toxic}$) accounts:
$$N_{toxic} = |U_{toxic}|, \qquad N_{!toxic} = |U_{!toxic}| \qquad (3)$$
2. Metric of activity for toxic (${}_{toxic}$) and non-toxic (${}_{!toxic}$) accounts:
$${}_{toxic} = \sum_{u \in U_{toxic}} N_u, \qquad {}_{!toxic} = \sum_{u \in U_{!toxic}} N_u \qquad (4)$$
3. Metric of impact for toxic (${}_{toxic}$) and non-toxic (${}_{!toxic}$) accounts:
$${}_{toxic} = \sum_{u \in U_{toxic}} T_u, \qquad {}_{!toxic} = \sum_{u \in U_{!toxic}} T_u \qquad (5)$$
Using these metrics, one can determine how large the impact of an attack is.
3.4 Identify core actors
To identify an attack strategy, it is proposed to analyze the core of the attacking
users. To do this, the sample of toxic accounts $U_{toxic}$ is reduced in order to
eliminate the errors of the sentiment classifier. It is proposed to choose a core of
toxic accounts $\tilde{U}_{toxic}$ that: (a) left more than 3 comments (had more
than one activity); (b) had high toxicity (account's impact $< -1$). Therefore:
$$\tilde{U}_{toxic} = \{u \mid u \in U_{toxic},\ N_u > 3,\ T_u < -1\} \qquad (6)$$
Based on $\tilde{U}_{toxic}$, it is proposed to identify an attack strategy.
3.5 Identify bots usage
In the study, a bot is understood as an account with an automatic or automated
behavior model, as well as real users who perform the necessary actions for
money (when an attacker on an exchange platform hires real users to perform
malicious actions).
It is proposed to use a "bot / not a bot" AI classifier with a known value
of balanced accuracy (for example, Botometer [12], BotSentinel [13], etc., depending
on the analysed social network). Then, taking into account the balanced accuracy
of the classifier, it is necessary to verify the results of the classifier by testing the
right-tailed hypothesis of the binomial distribution, where the number of successes is
the number of bots detected by the classifier. It is necessary to make sure that
the result found is not a false-positive inference. The result of this test is a p-value.
With a p-value $> 0.05$, it can be argued that the number of classifier errors lies
in the expected error range. With a p-value $< 0.05$, it can be argued that it
was possible to detect a statistically significant number of bots, which is not a
classifier error. Therefore:
$$\begin{aligned} H_0 &: \frac{|U_{bots}|}{|U|} \le 1 - \text{Balanced Accuracy}, \\ H_1 &: \frac{|U_{bots}|}{|U|} > 1 - \text{Balanced Accuracy}, \\ &\ \text{p-value} < 0.05 \Rightarrow \text{reject } H_0, \end{aligned} \qquad (7)$$
where $H_1$ - attacker used bots, $H_0$ - attacker does not use bots, $U_{bots}$ - set of
user accounts that were identified as bots by the AI classifier, $U$ - set of accounts,
Balanced Accuracy - balanced accuracy of the bot detection classifier.
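
The right-tailed binomial test of Equation 7 as an added example (not the authors' code), taking the classifier's expected error rate as 1 - balanced accuracy. The helper min_flagged_to_reject is a hypothetical addition that shows how many flagged accounts a sample of a given size needs before H0 is rejected.

```python
from math import comb


def right_tail_pvalue(flagged, total, balanced_accuracy):
    """P(X >= flagged) for X ~ Binomial(total, 1 - balanced_accuracy).

    Under H0 every "bot" verdict is a classifier error, so the number of
    flagged accounts follows a binomial law with the classifier error rate.
    """
    p_err = 1.0 - balanced_accuracy
    return sum(
        comb(total, k) * p_err ** k * (1.0 - p_err) ** (total - k)
        for k in range(flagged, total + 1)
    )


def bots_detected(flagged, total, balanced_accuracy, alpha=0.05):
    """Return (reject_H0, p_value) for the right-tailed test."""
    p_value = right_tail_pvalue(flagged, total, balanced_accuracy)
    return p_value < alpha, p_value


def min_flagged_to_reject(total, balanced_accuracy, alpha=0.05):
    """Smallest number of flagged accounts that makes the test significant."""
    for k in range(total + 1):
        if right_tail_pvalue(k, total, balanced_accuracy) < alpha:
            return k
    return None  # even flagging every account is within the error range
```

With 46 accounts, 6 of them flagged, and a balanced accuracy of 0.9 (the figures reported in Section 4.4), right_tail_pvalue returns about 0.31, so H0 is not rejected; at that sample size at least 9 flagged accounts are needed.
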
3.6 Identify conflict initiation attempts
To identify an attempt to initiate a conflict, it is proposed to assess the
communications of accounts with each other (which accounts responded to which
accounts by mentioning them in messages).
All accounts that mentioned another account in their messages are selected
for analysis. It is proposed to build the communication graph $G_c$. From graph
$G_c$ the analyst extracts clusters $C_{!toxic}$ in which there is at least one toxic
account ($u \in U_{toxic}$) connected to all other users in that cluster. If the analyst
extracts such a cluster, it can be argued that the toxic account initiates a conflict by
responding to many accounts who do not seek to communicate. Therefore,
$$C_{!toxic} = \{cl \mid cl \subset G_c,\ center(cl) \in U_{toxic},\ G_c = \{V, E\}\}, \qquad (8)$$
where $C_{!toxic}$ - set of toxic clusters, $cl$ - one cluster extracted by the analyst,
$center(cl)$ - returns the center of the cluster (the user connected to all other users
in the cluster), $G_c$ - communication graph, $V$ - an account, $E$ - response of one
account to another.
For the analysis of such a graph by an analyst, we suggest using visual analytics
methods (as in the experiment, in Figure 2). The hypothesis can be defined as:
$$\begin{aligned} H_0 &: |C_{!toxic}| \le c, \\ H_1 &: |C_{!toxic}| > c, \\ &\ |clusters(G_c)| > c \Rightarrow \text{reject } H_0, \end{aligned} \qquad (9)$$
where $H_1$ - there is conflict initiation, $H_0$ - there is no conflict initiation, $c$ -
criterion defined by the analyst, $clusters()$ - function for cluster extraction.
3.7 Identify competitor promotion
To identify possible competitor promotions, we analyze users' messages. Since
the operator cannot analyze the entire set of messages, we propose to reduce the
sample. For this, the communication graph $G_c$ is used. On this graph, the
PageRank algorithm $PR_{toxic}(G_c, N)$ can be used to select $N$ leaders $L$ that
$\in U_{toxic}$:
$$L = \{u \mid u \in U_{toxic},\ PR_{toxic}(G_c, N)\}, \qquad (10)$$
where $L$ - set of leaders.
The operator can look at leaders who mentioned competitor companies:
$$LP = \{u \mid u \in L,\ promo(u) = True\}, \qquad (11)$$
where $LP$ - set of leaders that promoted another company, $promo(u)$ - returns
$True$ if user $u$ mentioned another company in messages.
$$\begin{aligned} H_0 &: |LP| \le c, \\ H_1 &: |LP| > c, \\ &\ |LP| > c \Rightarrow \text{reject } H_0, \end{aligned} \qquad (12)$$
where $H_1$ - there is competitor promotion, $H_0$ - there is no competitor promotion,
$c$ - criterion defined by the analyst (our suggestion is to define $c > N * 0.2$).
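
An automated approximation of Equations 8-12, added here as an example and not taken from the paper, which leaves cluster extraction and promotion labelling to the analyst. It assumes a cluster is a toxic account plus the accounts it replied to, runs PageRank on the undirected graph, and detects promotion by keyword match; the reply data, account names and competitor name are constructed.

```python
from collections import defaultdict

# Constructed sample: (author, mentioned account, message text).
REPLIES = [
    ("t1", "a", "stop defending them"), ("t1", "b", "you are wrong"),
    ("t1", "c", "shame on you"), ("t1", "d", "try Company Y instead"),
    ("e", "f", "thanks for the info"), ("f", "e", "you are welcome"),
    ("t2", "e", "this policy is a disgrace"), ("g", "t1", "calm down"),
]
TOXIC = {"t1", "t2"}            # constructed stand-in for U_toxic (Equation 2)
COMPETITORS = ("company y",)    # hypothetical competitor names

def build_graph(replies):
    """Return (out, adj): directed replies and the undirected graph G_c."""
    out, adj = defaultdict(set), defaultdict(set)
    for src, dst, _text in replies:
        if src != dst:
            out[src].add(dst)
            adj[src].add(dst)
            adj[dst].add(src)
    return out, adj

def toxic_clusters(out, toxic, min_targets=3):
    """Equation 8, approximated: a toxic account and everyone it replied to.

    The toxic account is the cluster centre by construction; min_targets
    (an assumption) filters out accounts that replied to only a few users.
    """
    return {u: set(out[u]) for u in toxic if len(out[u]) >= min_targets}

def pagerank(adj, damping=0.85, iterations=50):
    """Power-iteration PageRank on the undirected graph (no dangling nodes)."""
    n = len(adj)
    rank = {u: 1.0 / n for u in adj}
    for _ in range(iterations):
        rank = {u: (1 - damping) / n
                + damping * sum(rank[v] / len(adj[v]) for v in adj[u])
                for u in adj}
    return rank

def toxic_leaders(adj, toxic, n):
    """Equation 10, read as: the n highest-ranked accounts among U_toxic."""
    rank = pagerank(adj)
    ranked = sorted((u for u in adj if u in toxic), key=lambda u: (-rank[u], u))
    return ranked[:n]

def promoters(replies, leaders, competitors):
    """Equation 11: leaders whose messages mention a competitor name."""
    return {src for src, _dst, text in replies
            if src in leaders and any(c in text.lower() for c in competitors)}

def strategy_checks(replies, toxic, competitors, n_leaders, c_conflict):
    """Equations 9 and 12: compare the counts with the analyst's thresholds."""
    out, adj = build_graph(replies)
    clusters = toxic_clusters(out, toxic)
    leaders = toxic_leaders(adj, toxic, n_leaders)
    lp = promoters(replies, leaders, competitors)
    return {
        "clusters": clusters,
        "conflict_initiation": len(clusters) > c_conflict,
        "leaders": leaders,
        "promoters": lp,
        # Threshold c = N * 0.2, the value used in the paper's use case.
        "competitor_promotion": len(lp) > n_leaders * 0.2,
    }
```

A keyword match only shortlists messages for the analyst; whether a mention is actual promotion still needs manual review.
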
3.8 Identify uncoordinated user attack
We propose to conclude that there is no attacker, and that many users are
attacking the company on their own, if all 3 previous techniques (usage of bots,
conflict initiation, competitor promotion) didn't reject $H_0$.
4 Evaluation
As a use case we used an incident that occurred with a commercial company on
the social network VKontakte. Company X contacted us in January 2022 with
a suspicion of an information attack on their community. We investigated this
case using the proposed methodology.
In January, community administrators detected that an information attack
was being carried out on them since a large number of new users and the same
type of negative comments appeared in their community (in the microblog, photo
albums, and discussions). Many other users entered into controversy with them.
Company X asked us to investigate this incident to understand if it is a natural
process (discontent related to recent company policy) or artificial (information
attack).
4.1 Assess the presence of an attack
We analyzed comments for the second half of December 2021 and the first half
of January 2022. For that, we used the Dostoevsky model [1]. Dostoevsky is a
machine learning model for the Russian language that classifies text according
to its sentiment. Dostoevsky does not take into account hashtags
and emoticons. The classification accuracy is 76%, which makes it possible to
determine the average binary sentiment of a set of messages. For this study, 2
categories are used: negative and positive.
With that, we built the toxicity chart shown in Figure 1. The Y-axis represents
the message toxicity value $T$ and the X-axis represents time. We calculate
toxicity $T_m$ (Equation 1) for each message and represent it as a dot colored
from green ($T_m = 1$) to yellow ($T_m = -1$). Red bars represent the time windows
for which we calculate the average toxicity of messages $T_m$.
It can be seen that negative comments began to prevail from the 2nd of
January. So we can conclude that there is an attack, and define the time interval
for analysis as the period between the 2nd and 11th of January.
4.2 Identify attack’s actors
At this stage, users that left comments from January 2nd to 11th were
investigated to identify the possible actors of the attack. We calculated the level
of toxicity of each user using Equation 2. As a result, we got the sets of toxic
users and non-toxic users.
4.3 Assess impact
At this stage, we analyse toxic and non-toxic accounts to evaluate the impact. We
calculated the metric of accounts number $N$ (Equation 3), activity (Equation
4) and impact (Equation 5). The results are presented in Table 1.
Table 1. Impact metrics evaluation
Group    N     Activity   Impact
toxic    511   2786       -394
!toxic   391   505        +35
It can be seen that the numbers of toxic and non-toxic users did not differ
much (511 and 391, or 56.65% and 43.34%), while toxic users had much more activity
and left more comments (84.65% of all comments), and their comments had a
much more pronounced negative assessment (impact is 11.25 times bigger).
4.4 Identify core actors and attack strategy
To identify an attack strategy in the following steps, we formed a core of
attacking users according to Equation 6. As a result, we had 46 high-toxicity users
that performed multiple actions.
Identify usage of bots. Using the VKontakte AI bot detection tool [2],
among 46 users, 6 were identified as bots and 40 as real users. Taking into account
the balanced accuracy ($\approx 0.9$) of the classifier used, we carried out statistical
testing of the right-tailed hypothesis of the binomial distribution (Equation 7).
According to the test results, no statistically significant number of bots was
found (p-value $= 0.31$ with a threshold value of statistical significance $< 0.05$).
Thus, 6 accounts were identified as bots, which lies within the classifier error.
Identify attempts of conflict initiation. For the interaction analysis, we
selected all users who mentioned another user in their posts since January 2nd
and built the communication graph $G_c$ according to Equation 8. The graph is
shown in Figure 2. The analysis showed the presence of 1 cluster with centralized
activity (Equation 8), which is lower than the selected threshold $c = 3$ (Equation 9).
Identify competitor promotion. For promotion identification, we calculated
the PageRank centrality measure [3] on the communication graph and got a set
of top 10 leaders according to Equation 10. For the $N = 10$ leaders of opinion, we
formed a table of their messages for manual analysis and found 47 comments
suggesting the use of products of company Y. All of these messages were posted by
one user; therefore, according to Equation 11, $|LP| = 1$. But since we select the
criterion $c = N * 0.2 = 2$, according to Equation 12, the fact of a competitor attack
cannot be confirmed with certainty.
Identify uncoordinated user attack. As all 3 previous techniques (bot
usage identification, conflict initiation and competitor promotion) didn't reject
H0, we can conclude that many users are attacking the company on their
own, due to the change in the company's policy.
Fig. 2. Communication graph with the cluster highlighted by an orange frame.
5 Discussion and conclusion
Using a use case as an example, we showed the process of applying the proposed
methodology, which can confirm or deny the fact of an attack on a company's
reputation and determine some of the characteristics of this attack.
The use-case investigation showed that the process of shifting the tone of
user comments in a negative direction was most likely natural, due to the
implementation of QR codes by company X on January 2, 2022. The negative activity
is the result of the actions of real users and activists who are fighting against
the implementation of QR codes.
In the comments, a sign of the use of the incident by competitors to advertise
their services was found, but due to the extremely limited activity (only 1 user
showed such activity), it is not possible to confirm or deny with certainty that
this activity is an attack by competitors.
This methodology is a full cycle of analysis of an attack on a company. The
strength of the proposed methodology is a significant degree of automation.
The use of expert evaluation is necessary only at the stage of detecting clusters
on the communication graph and identifying comments that promote
other companies. But these stages can also be replaced by automated analysis,
although automated methods can be less accurate. For example, to detect
clusters (Equation 8), it is also possible to use clustering algorithms, and to detect
a promotion (Equation 11), various NLP methods can be used.
The disadvantage of the proposed method is the use of sentiment analysis.
The negative tone of a message does not indicate the hostility of the user to
the company. For example, users who support a company may argue with other
users, which can cause their tone to shift in a negative direction. Thus, if one
uses the classification "supports/does not support" (the company) instead of the
"toxic/non-toxic" classifier, one can achieve a more accurate identification of
users who are involved in the attack. This can be achieved using systems for
building automatic classifiers, but this will require the creation of a training
sample, since for each use case it is necessary to create its own models. On the
other hand, reducing toxicity is important to a company's reputation, so toxicity
analysis provides a broader picture of the incident.
In the future, we plan to increase the degree of automation of the presented
technique, which will allow us to evaluate the approach on multiple
use cases, and to implement the presented pipeline for Twitter, so that we can
measure its efficiency in comparison with other tools.
Acknowledgments. The work is performed by the grant of RSF No. 18-71-10094-P
in SPC RAS.
References
1. Sentiment analysis library for russian language (Dostoevsky),
https://github.com/bureaucratic-labs/dostoevsky. Last accessed 20 Apr 2022
2. Kolomeets, M., Chechulin, A., Kotenko, I.: Bot detection by friends graph in
social networks. Journal of Wireless Mobile Networks, Ubiquitous Computing, and
Dependable Applications (JoWUA). 2(12), 141–159 (2021)
3. Page, L., Brin, S., Motwani, R., Winograd, T.: The PageRank citation ranking:
Bringing order to the web. Stanford InfoLab. (1999)
4. Shao, C., Ciampaglia, G.L., Varol, O., Flammini, A., Menczer, F.: The spread of
fake news by social bots. arXiv preprint arXiv:1707.07592, 96:104 (2017)
5. Ferrara, E.: covid-19 on twitter: Bots, conspiracies, and social media activism. arXiv
preprint (2004.09531) (2020)
6. Pierri, F., Artoni, A., Ceri, S.: Investigating italian disinformation spreading on
twitter in the context of 2019 european elections. PloS one 15(1:e0227821) (2020).
7. Mendoza M., Tesconi, M., Cresci, S.: Bots in social and interaction networks:
detection and impact estimation. ACM Transactions on Information Systems (TOIS).
39(1) 1–32 (2020)
8. Zhang, L., Wang, S., Liu, B.: Deep learning for sentiment analysis: A survey. Wiley
Interdisciplinary Reviews: Data Mining and Knowledge Discovery. 8(4) e1253 (2018)
9. Zhang, X., Ghorbani, A.A.: An overview of online fake news: Characterization,
detection, and discussion. Information Processing & Management. 57(2) (2020)
10. Zhou, X., Zafarani, R.: A survey of fake news: Fundamental theories, detection
methods, and opportunities. ACM Computing Surveys (CSUR). 53(5) 1–40 (2020)
11. OpenAI GPT3, https://openai.com/api/. Last accessed 20 Apr 2022
12. A Python API for Botometer by OSoMe,
https://github.com/IUNetSci/botometer-python. Last accessed 30 July 2022
13. Bot Sentinel platform, https://botsentinel.com. Last accessed 30 July 2022