 Hey guys. So this is a 2 o'clock weaponizing data science and social engineering. These are the guys and we're going to kick it off. All right, so DEF CON goons are no longer allowed to drink at red shirts nor are they allowed to do shot the noob. I'm going to keep this short. It is Philip's first time speaking at DEF CON. John spoke last year but wasn't able to get a shot. So let's do a shot with him and have a good time. Don't fuck it up. Hey guys, my name is John Seymour. So welcome to our talk on weaponizing data science for social engineering. Wow. Dude, that was strong. Weaponizing data science for social engineering, automated end-to-end spear phishing on Twitter. So we think this talk is actually a pretty good fit for this conference, right? Every year Black Hat does this attendee survey and every year social media, you know, phishing, spear phishing, social engineering is near the top of their list of concerns. We wanted to try our hand and see how effective using AI to actually automate spear phishing would be. And so things like social engineering toolkit actually automates the back end of, you know, social engineering, right? So creating a malicious payload, things like that. We're actually interested in more of the front end sort of stuff. So actually generating links that users will click. Traditionally, there are two different types of approaches to this. There's phishing, which is very low effort, you know, shotgunning tons and tons of messages, but it also has very, very low success, between like 5 and 14%. There's also spear phishing, which is highly manual. It takes like tens of minutes to actually research a target and create a message that's, you know, handcrafted to that actual person. But it also has very high success. The social media pen testing tool that we released today actually combines the automation of phishing campaigns with the effectiveness of spear phishing campaigns. And with that said, I'm John Seymour. My hacker handle is Delta Zero. 
I'm a data scientist at ZeroFox by day and by night I'm a PhD student at the University of Maryland, Baltimore County. And in my free time, I like to research malware data sets. All right. And my name is Philip Tully. I'm a senior data scientist at ZeroFox. And in a past life, I was a PhD student at the University of Edinburgh and the Royal Institute of Technology in Stockholm. So in that past life, I studied recurrent neural networks, artificial intelligence, but in a much more kind of biologically oriented way. I was trying to figure out how you could combine neurons together and connect them up with synapses and simulate networks of neurons to try to get some storage and recall of memories. But nowadays, instead of combining different patterns of spikes to create some biological representation of a memory, combining text to try to, using AI, so using similar techniques to try to generate text. This is not necessarily anything new. The field is known as natural language processing. It's been around for a really long time. One of the kind of fundamental examples happened over 50 years ago with the ELIZA chatbot. So this was designed by a psychotherapist named Joseph Weizenbaum at MIT. And he used it in a very clinical setting. So he wanted to try to have his patients who were either on their death bed or close to death be able to interact in some way with the computer. So it was very kind of naive, very ad hoc. It was based on parsing and keyword replacement. It would simply do something like, if the input to the program was "my head hurts", it would output something in response like, "why do you say your head hurts?" or "how bad does your head hurt?" So something like this. And these kind of very early examples were inspiring for people because they passed some very simple versions of the Turing test, right? 
So using these kind of questions in this very ad hoc feedback, it was able to not really or fool people into believing that they might be talking to a human rather than a machine. Fast forward 50 years and we have Microsoft AI, which came out with a neural network that was based, or it was called Tay and You. And so if you've seen this in the news recently, it was kind of a dynamically learning bot that was released on Twitter. And it was a really cool idea. So each time a user, a Twitter user, tweeted at it, it would kind of learn from that tweet and then reply to it. It was a chat bot. And you see this a lot popping up now on Facebook and other kind of social media services for more of like a marketing twist. But what they didn't foresee was the fact that Twitter tends to be cesspool sometimes and tends to be filled with porn and sexually explicit content and overall kind of bad stuff. So what it actually turned into was a porn-ridden racist Nazi bot and it turned into quite like a PR disaster for Microsoft and they had to shut it down. So indeed we view infosec and machine learning as kind of prioritizing the defensive orientation, right? So you set up perimeter or you try to detect incoming threats or you try to remediate it once it's already happened. The adversary has to do something in order for you to react to it and defend your network or whatever it may be. So you have some examples here. These are historical Black Hat talks over the last 10 or 15 years. You have some machine learning talks, one or two per year usually, and they cover anything from spam filtering to botnet identification to network defense to intrusion detection. But what we wanted to propose here was rather that you could use artificial intelligence techniques and machine learning not only on defense but you can use data to drive an offensive capability. We call our tool SNAP_R. It's the social network automated phishing and reconnaissance tool and it's split up into two separate phases. 
The first phase takes as input a set of users who you want to target. And it takes a set of users and extracts a subset of them that it deems as high value targets, so it prioritizes them. We'll get into more about this later. And then the second phase of the tool takes those users and crafts a tweet directed at them based on the content that they have on their historical Twitter timeline. And the end result of this is a tweet with an @mention and the crafted machine-generated text and then a shortened link, which we measure success using click-through rates. So with that, if anyone wants to partake in the demo we're going to do later on in the talk, please tweet at the hashtag SNAP_R, and that's hashtag SNAP underscore R. We're not going to target you with any kind of malicious payload. It'll be a shortened link that just redirects to Google.com or something like that. But if you want to have your timeline read dynamically and then have a tweet spit back out at you, please do that in the next 20 or 25 minutes. So the talk will go, I'll hand it off to John to talk about machine learning on offense, and then we'll go into the two parts of the tool, target discovery and spear phishing, and talk more in detail about how to generate the message content, that's kind of the core of the tool. And then we'll talk about how we evaluate the tool and how that evaluation compares to other techniques that have been found in literature. All right, cool. So the first question is like, why is social media such a great place for spear phishing people, right? Why Twitter in particular? There's a lot of answers to this and we put a few on the slide. First being a lot of these social networks have very bot-friendly APIs, right? Whenever you post something on Twitter then people can go and scrape your timeline, your activity records, things like that very easily because there are Python APIs for all the social networks just straight up available. 
Another thing is there's a very colloquial syntax on Twitter and social networks. For example, when Nikita actually posted this tweet I really quick snapped her and said, hey, can we use this for our talk. 20 years ago you wouldn't have any idea what this meant. So the idea here is like basically machine learning tools, especially generative models, tend to be pretty bad, if you've ever seen subreddit simulator and things like that. But the fact is the bar on Twitter is so low to have a good tweet that people will be interested in. Even generative models can do pretty freaking well. Some other things are like due to character limits. There are a lot of shortened links on Twitter, I don't know if you've ever used it. So basically if you're trying to obfuscate a payload or something like that, people don't actually think twice about clicking links on Twitter that are shortened because everything is actually shortened there. Then there's also the fact that people sort of seem to understand email, or at least some people do at this point. Like Nigerian prince scams, things like that. A lot of people actually can tell you, hey, you get an email, check the link before you click. On Twitter and social media, social networks, people don't actually think about what they click on. You don't have that sort of years of awareness built up yet, and that's one of the things we're trying to actually bring about with this talk. And then finally people actually want to share content on these social media networks. For example Reddit, you want to get upvotes. Twitter, you want people to share and like your content. So there's sort of this idea of like incentivizing data disclosure. If you're, you know, on Twitter you're sharing a lot of personal information about yourself, about things that you like, things that you enjoy, that can all be used against you. So we wanted to give a quick shout out. 
Actually at ShmooCon there was a really really cool talk about, you know, phishing the phishers using Markov chains. And that was actually a huge inspiration for this talk, so we just wanted to give a quick shout out. But getting right into the tool itself, basically there are some things built into the tool directly and there are some things that we also add on top of the tool, right. So things that the tool does directly are it prepends tweets with an @mention, and on Twitter this actually changes what the tweets are categorized in their process, right. Tweets that start with an @mention are called replies, and only people who follow both the person tweeting and the target can actually see those tweets. So if our bot doesn't have any followers, that means the only person who can see the tweet is the target itself, which actually is very useful in determining whether or not an individual, you know, target has clicked. Another thing that's actually built into the tool is it shortens the payload uniquely per user, and we'll get into that in a bit. So that way we can actually go through and each of our shortened links that we generate, we can check whether or not that particular link was clicked and map that back to the user who clicked it. Also we triage users with respect to value and engagement, so we have a machine learning model that we'll talk about in a bit that actually goes first, before it actually phishes the person, checks to see whether or not they're a valuable target, whether they interact a lot with the platform for example. One reason this is useful is for example a lot of people have what's known as egg profiles, or profiles where they haven't changed the default settings. These people tend not to post a lot, they don't, they're not very engaged, and we don't want to waste API requests or, you know, waste like possible awareness of the bot, right, by trying to phish these people. 
So we just go ahead and actually triage these users out so that we don't have to worry about them. And then finally the tool itself obeys rate limits. This is because we sort of wanted to release it as an internal pentesting tool. Obviously, you know, people can get around that but we hope you guys don't. That's all I'll say about that. Some things that aren't actually built into the tool that are very very useful. First off, Twitter is actually pretty good if you post every single post of yours has a link in it. They're good at finding that and shutting you down. So one of the things we recommend is post a couple, you know, non-phishing posts in there or get ready to make a lot of accounts. And then another thing is if you yourself, the bot, have an egg profile, you know, nobody's going to actually click on your links because obviously they like to see believable profiles before they click links. So a very high level of design flow of the tool. First we have a list of Twitter users that we pass into the tool. It goes through each user and asks whether they're valid, you know, whether they're a high value, high engagement user or not. And if they are, it scrapes their timeline to a specified depth. So for example 200 or 400 tweets that they've sent, and uses that to either seed a Markov model or a neural network model. And that generates the actual text of the post. After it's generated the text, then it, you can either have it schedule the tweet for a later time when they're most engaged, and it actually calculates all that for you, or you can post the tweet immediately and have the tool sleep to obey rate limits. And that's actually useful if you're doing an on-stage demo. But yeah, cool, so let's get into the tool. I'll talk about the first phase here, automated target discovery. So this is what Twitter looks like if anyone's been living under a rock for the last 10 years. Twitter is full of interesting information and personal information like John said. 
You have this incentivization structure for disclosing personal data. And by that I mean it's not necessarily just the content of the posts. So the last tweets that were made, you also have super valuable information present in the description. People on Twitter tend to like to post about what their job title is and what their interests are generally. You get different kind of data, not just text, you have integers like how many followers and how many followers you have, how many people are following you. How many lists you belong to. You have a lot of kind of Boolean fields, like have you changed your background profile image, have you changed any of your other default settings from the original instant instantiation of your registration. It's filled with different dates like your created-at date and URLs within the text that you post. So this is what the raw API call looks like from Twitter when you grab it. So I'll use the example for this section of Eric Schmidt, the former CEO of Google. So we implement a clustering algorithm, so it's based on machine learning, and we go out and we grab a bunch of Twitter users and we extract features from these API calls across these different users, and here I list a few of the most interesting and most relevant features that we grab. So like I said, in the description if you have words that tend to correspond to a job title like CEO, CSO, CISO, even like recruiter or, you know, engineer or something like this. This is probably going to end up being someone who you might want to target, right. They might have access to some sensitive information, company information or whatever if you belong to some other organization. Also your level of engagement, so how many people are following and following you and how many people you're following. You can imagine you don't want to target somebody who's not very active on the platform. 
You want to make sure that someone who is actively engaged and is likely to click on links and is getting updates on their phone. The account age is a good piece of information too, the created-at date of the Twitter profile. You don't want to really target somebody who's just made the account and is just trying to get started up with the platform. Same thing for hashtag my first tweet. And then also a good indicator is the default settings. So people who tend to engage a lot in the platform will kind of make it fancy. They'll change all the default settings and they'll make it more matching to what their interests are and what they like. So in a nutshell this is how it works. If we take the clustering algorithm and we start out with our target Eric Schmidt, you can imagine now that each Twitter user is represented on this 2D plot as a single point. Again it's projecting it into two dimensions. Originally it was a very very high feature, high dimensional feature space with all those different settings like the description, number of followers, etc. Projected into 2D and Eric Schmidt falls on this 2D plot somewhere there. Great, what do we do with that? We pass it through the clustering algorithm that we have, and I'll talk in the next slide about how we choose that. But once you do something like that then you actually get to extract a subset of these users that you might deem as a relevant target or a high value target. So up in the left hand corner the plot of red points there might be the group of people that you deem as high value targets, and the users who belong in the blue and the green points you want to throw them aside, deprioritize them. So in the machine learning world there are many different clustering algorithms you could choose from and each of those algorithms have a certain set of hyperparameters that you could tune to kind of optimize your technique and optimize your clusters. How do we choose this? 
We throw a bunch of clustering algorithms into kind of like a grid search more or less. So we have k-means, and a parameter for k-means clustering algorithm is the number of clusters that you choose from a priori for example, and you take those and you fit the models for each of these different set of algorithms and their set of hyperparameters and you choose the one that maximizes the silhouette score. So the silhouette score is bounded between negative one and one, and anywhere a positive number, the more positive the better, and anywhere from kind of point five to point seven up is considered some kind of reasonable structure. The silhouette score kind of measures how similar a data point is to its own cluster, so the cohesion within that cluster, to how it compares with data points outside that cluster, the separation of those data points. So on this plot each individual data points of each individual Twitter user is represented kind of as a horizontal bar and the hyperparameters are on the y-axis, so if you look at the first, the top plot there, you have two different sets of hyperparameters for k-means, one might have two clusters, one might have three clusters. So you calculate the silhouette score for each individual data point and you calculate the average of that, which is shown here by that red dotted line, and basically you want to choose the algorithm that pushes that red dotted line all as far right as you possibly can get it to. All right, cool, so before we actually get into the cool machine learning models and stuff for generating text we're going to tease you guys a bit with some of the boilerplate that goes around the tweets. 
So one of the first things that we actually ran into was we wanted to choose a URL shortener, right? And we want a URL shortener with a lot of different qualities, one of them being, you know, actually can shorten malicious links. And so the first thing is we went out, we found a malicious link, we verified using VirusTotal that it is indeed malicious, and we actually went to it too in a sandbox and all of that, and we tried it through a lot of different link shorteners, and apparently goo.gl lets us shorten it, right? And so actually several others also let us shorten it, but goo.gl gives us a lot of cool other things. First off, it gives us sort of like a timeline of when people click, and apparently this link has already been shortened before and people have clicked it, but that's, you know, a tale for another time. goo.gl also gives us a lot of cool analytics, like who referred the link, for example t.co, what browser did the target use, what country were they based in, or at least, you know, that their like actual machine say they were, and what platform they use, so Windows, Chrome, you know, those sorts of things, Android and all of that. So yeah, so goo.gl actually looks pretty legitimate. I ran it by a few guys I know and they were like, hey, yeah, like it comes from Google, it's got to be safe, right? And no, it can link to malicious sites, so we verified that. It also gives us really cool analytics, which is very useful if you're, you know, trying to spear phish internally, right? You want to know which users clicked. But some other cool things that it gives us is you're able to actually create shortened links on the fly using their APIs, so you can actually say, hey, here's this, you know, general payload, www.google.com, let's shorten it uniquely for each individual user and see, you know, which individual users actually click on the link. And then you can also obtain all of these analytics programmatically, so there's really like no manual, you know, a process that you need at all in this entire process, and we'll 
we'll go ahead and give the note that we never actually posted any malicious links to any targets, we just verified that you can actually shorten malicious links in here, so please don't get mad at us about that. And then finally another thing that the tool does in the box is it does some basic recon and profiling. So two things that it does is it figures out what time the user is likely to engage the platform, and it looks at what topics that they're interested in and tries to create a tweet based on one of those topics. So for actually figuring out the scheduling, the post of what time the user is active, we just use a simple histogram for tweet times, what, which hours that that user tweets, and over on the left you'll actually see my own tweet history timings, so you can actually see that I'm most active at 11 p.m. at night, take that what you will. But it's actually very easy to find this data, right? And for topics we actually started, like when we first started this project we were thinking really really complicated, like, you know, super LDA all the things and whatnot, but we found actually pretty early on was just a simple bag of words and counting frequency does really well for finding topics as long as you remove all the stop words. So with these two things we can actually see the models in suite, you know, the tool to tweet at a time that the user is likely to respond and also tweet on something that they're likely to be engaged with. Great, so at this point now we've taken a bunch of input users and extracted a subset of them that we want to target, and we calculated what they like to talk about, the topic, and we've also determined at which time they're most active with Twitter or with the Twitter platform. So now how do we go about getting them a tweet that they might be more likely to click on than your normal, any random question? So we do this in two separate ways, and the first way is we leverage Markov models. So Markov models, they're popular for 
text generation, like John said, the subreddit simulator or in the infosec talk title bot. But how it works is using Twitter API you can go and grab the last X posts on someone's timeline, right, two hundred, five hundred, thousand, however many you want to grab, and we call this the corpus. So you take your corpus and you want to learn pairwise frequencies of likeliness between these words, right? So for example you might have the word "I" that occurs a lot within this corpus. Sometimes it might be followed by the word "don't", other times it might be followed by the word "like". So based on the relative of co-occurrence of these words in your corpus you can then generate a model that probabilistically determines how likely it is to create kind of this string of sentences, "I like" or "I don't", and you can continue this for the length of the entire tweet. So it's based on purely transition probabilities from one word to the next. On the other hand, we train a recurrent neural network, and this is called LSTM, and LSTM is an acronym for long short-term memory. And so this is a bit more cumbersome, it's less flexible than the Markov model. We took five and a half days to train this neural net, we had to do it on an EC2 instance using a GPU cluster, and the training set was comprised of approximately two million tweets. We didn't go out and just grab your run-of-the-mill any two million tweets because, like I said, Twitter is a veritable cesspool, so we had to go and find kind of legitimate looking tweets to do that. Twitter has an account called @verified, and that account in turn follows all the verified accounts on Twitter, all the ones with that blue check mark next to it, and so our idea is that the people that are verified accounts are probably more legitimate, they're probably posting about some kind of relevant information, and so we train it on this huge corpus of tweets. The network properties, we use three layers of this neural network and approximately 500 
layers per unit, units per layer, sorry, and the idea here is that neural networks are, or at least this neural network in particular is much better at learning long-term dependencies between words in a sentence. So LSTMs are often deployed when people want to learn sequences of data, and in this context you can imagine a tweet or a sentence being a sequence of words, right? So in contrast to the Markov model, which just cares about the pairwise frequency, the word that follows this word, the recurrent neural network on the other hand considers longer term dependencies, because what I talk about in the beginning of my sentence might also relate to something that comes later on. This is common in all languages, in English and most common in German actually, you have these long term dependencies, you might not know what the context of the sentence is until someone finally finishes the word at the end of it. So what were the differences between these two approaches? The LSTM, as I mentioned, took a few days to train, so it's a bit less flexible, whereas the Markov train, Markov chain, you can deploy it and it can learn within a matter of milliseconds, and that kind of scales depending on how many tweets you choose to train it on. The accuracy for both surprisingly was super high, so even though the LSTM is a bit more generic, and by that I mean it learns like a kind of a deeper representation of what it means to be a Twitter post, and I caution myself not to call it English because, as John said, this isn't English, this is kind of Twitterese, it's filled with hashtags and different kind of syntactical oddities and abbreviations. So the availability of both of these tools is public, you can go out, you can download an LSTM model using different Python libraries or otherwise, Markov chain as well, and the size of these LSTM is much much larger, the story on disk, compared to the Markov chain, but like I said the Markov chain tends to overfit on each specific user, the idea 
being, let's say you're posting today or in the next week about the Olympics or something like that, maybe two months from now if I go back and I read your historical timeline posts and I tweet back at you with something about the Olympics, it might raise your eyebrows because the Olympics have been over for a while and you don't really care about that anymore. The cool thing about Markov models though is that you don't need to retrain it every time, like I said it's very flexible, you can deploy it very fast. What this means is that it generalizes out of the box to different languages, it's language agnostic. So if you're posting on Twitter and you're posting in Spanish or even Russian or Chinese, entirely different character sets, because it's based on these pairwise probabilities it's going to dynamically learn, you know, what word likes to be followed by the next, and you're able to post a tweet back at somebody based on the language they're typing in. So here's an example that's in Spanish, and if anyone is from a foreign country here with a lot of foreign language tweets and wants to volunteer for the demo, again please tweet at that hashtag SNAP_R. So we don't like to think of this necessarily also as a Twitter vulnerability so to speak, this can be applied to other social networks as well, they all have pretty accessible APIs. But the idea here is that kind of like with the rate, with the rise of AI, the rise of machine learning and the democratization of this, as it becomes more and more possible to do this without a PhD for example, and the technology grows and grows and becomes more available, this is going to become more and more of a problem, right? So the weak point here is a human, this is a classic social engineering. Cool, yes, so before we get into the evaluation results and demo I just want to say on the tool is public, so for example there's a version on your conference CDs and there will also be a GitHub link that we'll tweet out as soon as we get back home to 
Baltimore. But we first trained our first couple of models and started wild testing it and we were surprised it did really really well. I don't know if you can actually see some of the pictures, but for example we got a guy in the top right, the first post is what our bot posted and the second is like the guy responding saying, hey, thanks, but the link's broken, right? We actually saw this quite a bit, and on the bottom you can see some of the example tweets from the first models that we made. So we use these first couple models and we did some pilot experiments. We grabbed 90 users from hashtag cat, because cats are awesome, and we went ahead and tried to spear phish all of these users, again with benign links, and we were actually surprised at how well the model did right out the box. After two hours 17% of those users had clicked through, and after two days we had, you know, between a 30 and 65%, 66%, sorry, click-through rate. And so why that range is so huge actually is because there are a lot of bots crawling Twitter clicking on links, so we actually don't know exactly how many actual humans click through. If we use the actual strictest definition of what a human might be, so making sure that for example the referrer's t.co and the location matches up with the location listed on their profile and those sorts of things, that's where we get that 30% number. If we use a little bit more relaxed criteria for judging whether it's a human or a bot, we actually can get up to like, the number of people that we think click might be up to 66%. And so actually a funny story with these initial models also, we saw how well they created, and an information security professional who will remain unnamed tweeted us saying, hey, proof of concept or get the fuck out of here, so we went ahead and used him as a guinea pig and it did actually, he did click the link, so we will say that. Cool, so then we iterated on the model some and we decided we wanted to test this against a human, right, see how well 
the human could spear phish or phish people versus how well that the tool could. And so we had two hours we scheduled on our calendar and the person was able in these two hours to target 129 people, and he did so mostly by just copying and pasted, you know, pre-made messages to these different hashtags that we talked about previously, I think they were Pokemon Go, infosec and something about the DNC. And so he was able to tweet at 129 people in these two hours, which comes out to be 1.075 tweets per minute, and he got a total of 49 click-throughs. We used one instance of our tool, so one instance of SNAP_R running, and in those same two hours SNAP_R tweeted at 819 people, which comes out to 6.85 tweets per minute, and 275 of those people had clicked through. And we sort of want to emphasize that this is actually arbitrarily scalable with the number of machines you have, the major rate, the major limiting factors are actually rate limiting and the posting mechanism. So sort of a TLDR, this tool that we've made, there are two traditional ways of, you know, creating tweets or messages that people will click on. The first is, you know, phishing, which is mostly automated already and has a very very low click-through rate, between five and 14 percent. There's also this other method called spear phishing, which takes tens of minutes to do, it's highly manual, you have to actually go out, research your target, find out what they enjoy doing, what time they're interested in posting at, things like that. You get, the best spear phishing campaigns actually get up to a 45% accuracy from what we've seen, and we actually kind of split the difference, we actually combine the automated characteristics of actually phishing but we still get pretty close to what the actual effectiveness of spear phishing. And with that, demo gods willing, we'll do a live demo of this. Cool, right, so I just want to see, so about a hundred fifty one of you have actually tweeted, so this is the actual command to run the tool and we're gonna go 
ahead and run it, hopefully. Cool. I'm actually the first person on the list because I actually, you know, wanted to make sure that something worked, right? So what it's doing is actually it pulled down the user's timeline and generated a tweet for that person. And cool, actually, okay, so here's, it's starting to come out. So here's that actual post that it generated, and it posted, you know, at my hashtag, the text that it grabbed from my profile and the shortened link. And so you can see that that actually works and we're not just saying things. So notice that on my actual, you know, timeline you can't actually see that post, right? And this is because it's actually called a reply. But hopefully, yep, so here's where it actually shows up. It shows up in your notifications, not your actual tweet history, and so you're the only one who can actually see that. And so as you can tell, yeah, I just got spear phished if I click this link. So it's actually running through all of you guys now who tweeted at the link and generating text for you and posting them. So we'll leave that running as long as possible, but it probably won't get through all of you guys while we wrap up the talk. Cool. Thank you, demo gods.

Right, then just a few words to wrap up. Why did we do this? We want to generally just raise awareness and educate people about the susceptibility and the danger of social media security. Like John said, people usually think about email very cautiously. You would never open a link in an email from someone you've never interacted with before. We want to have that same culture be instantiated on Twitter now and on other kinds of social networks. Another way that you could use this tool is, if you belong to a company or some other kind of organization, you want to do some internal pentesting to see how susceptible your employees might be to some kind of attack like this. This could generate good statistics for you and help you refine your kind of educational awareness programs. You can also use this for
general social engagement and staff recruiting. Reading stuff off people's timelines and then crafting a tweet geared at them might be a good way to recruit people, or even for advertising. The click-through rates here we have are pretty huge compared to your general generic advertising campaigns.

So like I said, ML is becoming more and more automated. Data science is growing, a lot more companies are hiring data scientists, and the tools in the toolbox are becoming a lot more democratized. You can easily go out, there's free software you can use to train these models, including the one that we'll release today. So the enemy will have this, or the adversary will be able to use this, leverage this kind of technology sooner rather than later.

One way you can try to prevent these kind of attacks is to enable protected account on your Twitter, on your Twitter user. So if you protect your account, we can't go out through the public APIs and grab your data. There might also be ways to detect this stuff using, as I said in the beginning of the talk, automated methods like machine learning classifiers or whatever have you. And also, if you're ever unsure, always, always report a user or report a poster if you see a tweet like this, maybe. Twitter is pretty good at actually responding to these reports. And we use google.com as our shortened link that you redirect to, so feel safe to click it, because if we did something more funny, like redirect to our Black Hat talk, people might get pissed and try to report us. We don't want our bot to get banned.

And so in conclusion, ML can only be used in a defensive way, but you can use it to automate an attack. Twitter is especially nice for this kind of thing because the people don't really care if the message is in perfect English. It's slang laden, it's abbreviation laden, and these things actually help the accuracy of our tool. And finally, data is out there, it's publicly available, and it can be leveraged against someone to social
engineer them. And with that we'll take some questions, so just step up to the microphone if you have a question.

So do you, I can hear it. So have you tried implementing anything like change point detection for, because I know that some research has been done in using Twitter for, like, threat analysis, as well as, like, trying to pinpoint users who, say, were for, like, ISIL or ISIS? And have you done any research using, like, Markov chains or prior distribution detection systems?

All right, so we haven't done any research for the purpose of this talk into that, but it's definitely a cool thing that we'd like to look into. So if you want to talk to us a bit more after the talk about it, we can get some, you know, information and trade some ideas.

Great presentation. Quick question pertaining to the environment of a mobile platform as it applies, because I know you guys touched on mobile, you mentioned phone or smartphone, say. Could you kind of just give me any additional thoughts on that area?

Sure. So we haven't actually measured, like, the differences between how many click on mobile versus how many click, you know, from a PC or something like that, but it's something that we can definitely do. So if you're interested in it, you know, tweet at us and we can crunch the numbers for you.

You're mentioning that your neural network version of the text prediction performed better than the Markov model in terms of, like, temporal accuracy. What about the neural network caused that over the Markov model, and what would prevent that from talking about the Olympics a month from now? I'm admittedly a noob at neural networks.

Yeah, sure. You know, I definitely recommend looking at some documentation about LSTMs. Neural networks in principle can kind of replicate any kind of arbitrary function. This is a special kind of neural network that has different gates in between each layer of the LSTM, and these gates kind of turn on and off dynamically, and so it allows you to remember words at, like, a certain depth back in
time, and it learns these connections on the fly and it's able to turn it off and on, and because of that you're able to, like, learn longer-term contextual information in these words.

Great presentation. I just have a question. I wanted to see what kind of considerations you had for trying to prevent bias in your training set, and what were some, like, time biases, or even just using the approved Twitter handles might introduce some bias in terms of the data you're looking at. Could you discuss that?

Yeah, that's definitely some valid criticism. So you want to avoid, you know, common pitfalls like overfitting to specific users, especially in the clustering thing. Yeah, we didn't do any kind of formal evaluation of the LSTM. We have a loss that we tried to minimize over time, but in terms of the Markov model we just kind of tuned it until it looked good enough and it worked. In terms of, like, you know, we had several different tests in the wild, and as soon as we started getting pretty high click-through rates we got pretty confident that it was working.

So, fascinating work with some pretty groundbreaking implications. I mean, given the fact that your intent is to fake people out to believe that these are real, have you sort of passed a Twitter Turing test, if you will?

Yeah, it's a really good question. So the Turing test now is, it's really interesting. I think there's even conferences dedicated to having machines try to bypass or try to pass the Turing test. And so there was kind of the much simpler version that was introduced 50 years ago or 40 years ago or however long ago it may be, and nowadays you actually have to check a lot more boxes in order to get past it. Yeah, I mean, given our click-through rates, it seems like Twitter is super, super easy to do this kind of thing on. I mean, I would argue that each kind of positive result here in our statistics is more or less passing of the Turing test, right, in the Twitter Turing test there, as it were.

Yeah, for training the
transitional probabilities on the Markov model, did you only use bigrams or did you consider using a bigger window?

Right, only, only bigrams.

Only bigrams, thanks.

All right, thanks again. Thank you.