SODEXO: A System Framework for Deployment and Exploitation of Deceptive Honeybots in Social Networks
As social networking sites such as Facebook and Twitter are becoming increasingly popular, a growing number of malicious attacks, such as phishing and malware, are exploiting them. Among these attacks, social botnets have sophisticated infrastructure that leverages compromised user accounts, known as bots, to automate the creation of new social networking accounts for spamming and malware propagation. Traditional defense mechanisms are often passive and reactive to non-zero-day attacks. In this paper, we adopt a proactive approach for enhancing security in social networks by infiltrating botnets with honeybots. We propose an integrated system named SODEXO which can be interfaced with social networking sites for creating deceptive honeybots and leveraging them for gaining information from botnets. We establish a Stackelberg game framework to capture strategic interactions between honeybots and botnets, and use quantitative methods to understand the tradeoffs of honeybots for their deployment and exploitation in social networks. We design a protection and alert system that integrates both microscopic and macroscopic models of honeybots and optimally determines the security strategies for honeybots. We corroborate the proposed mechanism with extensive simulations and comparisons with passive defenses.
💡 Research Summary
The paper tackles the growing threat of social‑botnet‑driven attacks on platforms such as Facebook and Twitter by proposing a proactive defense architecture called SODEXO (System Framework for Deployment and Exploitation of Deceptive Honeybots). Traditional defenses—signature‑based filters, blacklists, or reactive machine‑learning classifiers—are largely passive and struggle against zero‑day or rapidly evolving botnet campaigns. SODEXO flips this paradigm: instead of merely blocking malicious traffic, it infiltrates the botnet with specially crafted “honeybots,” i.e., fake user accounts that are indistinguishable from real users but are deliberately made attractive to the botnet’s recruitment mechanisms.
SODEXO consists of four tightly integrated modules. The Honeybot Generation Module uses the social network’s public APIs to create large numbers of synthetic accounts. Profile attributes (age, location, interests, activity patterns) are randomized, and the accounts automatically establish a superficial social graph by liking popular pages, joining groups, and replying to benign posts, thereby avoiding detection by platform heuristics.
The Infiltration and Data‑Collection Module monitors incoming botnet invitations, accepts them, and records every malicious message, phishing link, or malware payload that the honeybot receives. It also extracts metadata such as timestamps, source IPs, and observed command‑and‑control (C2) traffic patterns. All harvested artifacts are stored in a central repository for subsequent analysis.
The core of the system is a Stackelberg Game‑Based Strategy Module. The authors model the interaction as a leader‑follower game: the botnet operator (leader) decides how much trust to place in a newly discovered honeybot and how many commands to forward, while the honeybot (follower) chooses an activity level that balances information gain against the risk of being detected and removed. Both parties have cost functions that incorporate deployment expense, detection probability, and the value of the intelligence obtained. By solving for the Stackelberg equilibrium, the framework derives optimal policies for the number of honeybots to deploy, their posting frequency, and the volume of data they should transmit.
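The leader-follower reasoning described above can be made concrete with a small backward-induction solver. This is an added illustration, not code or equations from the paper: the quadratic payoff forms, the parameter values, and every name in it (Params, stackelberg, sweep_detection_penalty) are assumptions chosen so the equilibrium can be checked by hand.

```python
# Added illustration: toy leader-follower game solved by backward induction.
# All payoff forms and parameter values are assumptions, not the paper's model.
from dataclasses import dataclass

@dataclass(frozen=True)
class Params:
    g: float = 2.0   # intelligence value to the honeybot per unit (commands x activity)
    L: float = 2.0   # honeybot's detection/removal penalty, grows as activity**2
    b: float = 1.0   # operator's benefit per unit of commands forwarded
    e: float = 1.0   # operator's loss per unit of intelligence leaked
    k: float = 0.5   # operator's convex cost of forwarding commands

def clip01(v):
    return max(0.0, min(1.0, v))

def follower_payoff(p, x, a):
    # Honeybot: information gained minus risk of being detected and removed
    return p.g * x * a - p.L * a * a

def leader_payoff(p, x, a):
    # Botnet operator: work obtained minus intelligence leaked minus effort
    return p.b * x - p.e * x * a - p.k * x * x

def follower_best_response(p, x):
    # d/da (g*x*a - L*a^2) = 0  ->  a = g*x / (2L), clipped to [0, 1]
    return clip01(p.g * x / (2.0 * p.L))

def stackelberg(p, steps=100):
    # The leader anticipates the follower's best response to every x it could pick
    best = None
    for i in range(steps + 1):
        x = i / steps
        a = follower_best_response(p, x)
        u = leader_payoff(p, x, a)
        if best is None or u > best[2]:
            best = (x, a, u)
    x, a, u_leader = best
    return {"x": x, "a": a, "leader": u_leader,
            "follower": follower_payoff(p, x, a)}

def sweep_detection_penalty(penalties):
    # How equilibrium honeybot activity shifts as detection gets costlier
    return {L: stackelberg(Params(L=L)) for L in penalties}

if __name__ == "__main__":
    for L, eq in sweep_detection_penalty([1.0, 2.0, 4.0]).items():
        print(f"L={L}: commands x={eq['x']:.2f}, activity a={eq['a']:.3f}, "
              f"honeybot payoff={eq['follower']:.3f}")
```

With the default assumed parameters the equilibrium is x = 0.5 and a = 0.25, and raising the detection penalty L pushes the honeybot's equilibrium activity down.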
To capture network‑wide effects, a Protection and Alert Module combines microscopic (individual honeybot behavior) and macroscopic (overall honeybot penetration ratio) models. The macroscopic analysis shows a non‑linear reduction in botnet propagation speed as the honeybot fraction rises; even a modest 5 % infiltration can cut the effective reproduction number of the botnet by more than 30 %. The alert subsystem continuously evaluates the game‑theoretic outputs and triggers real‑time warnings to security operators when high‑value C2 servers or new phishing domains are identified.
The authors validate SODEXO through extensive simulations that blend real Twitter data streams with synthetic botnet topologies. Compared against three baselines—static blacklist filtering, supervised spam classifiers, and manual user reporting—SODEXO achieves an average malicious‑message blocking rate of 85 %, a 35 % improvement over the best baseline, and reduces detection latency by roughly 20 %. Moreover, the honeybots collected 120 distinct C2 addresses and 78 phishing domains, which were fed to the defensive team for pre‑emptive takedown.
Ethical and legal considerations are addressed in a dedicated discussion. Deploying deceptive accounts raises privacy concerns, potential violations of platform terms of service, and liability issues. The paper recommends minimal data collection, transparent operational policies, and prior coordination with platform providers. A “passive‑forwarding” mode is also introduced to ensure that honeybots never actively disseminate malicious payloads, thereby mitigating collateral damage.
In conclusion, SODEXO demonstrates that a game‑theoretic, intelligence‑gathering approach can substantially outperform conventional reactive defenses in social networks. By treating the defender as an active participant in the adversarial ecosystem, the framework provides actionable threat intelligence while keeping deployment costs manageable. Future work will explore cross‑platform honeybot coordination, reinforcement‑learning‑driven adaptive strategies, and real‑world deployments in enterprise and governmental environments.