Enhancing Security in Social Networks through Machine Learning: Detecting and Mitigating Sybil Attacks with SybilSocNet

Abstract

This study contributes to the Sybil node-detecting algorithm in online social networks (OSNs). As major communication platforms, online social networks are significantly guarded from malicious activity. A thorough literature review identified various detection and prevention Sybil attack algorithms. An additional exploration of distinct reputation systems and their practical applications led to this study’s discovery of machine learning algorithms, i.e., the KNN, support vector machine, and random forest algorithms, as part of our SybilSocNet. This study details the data-cleansing process for the employed dataset for optimizing the computational demands required to train machine learning algorithms, achieved through dataset partitioning. Such a process led to an explanation and analysis of our conducted experiments and comparing their results. The experiments demonstrated the algorithm’s ability to detect Sybil nodes in OSNs (99.9% accuracy in SVM, 99.6% in random forest, and 97% in KNN algorithms), and we propose future research opportunities.

1. Introduction

1.1. Background and Motivation

In this current era, Wi-Fi and various peer-to-peer (P2P) networks are integral to our daily lives. Safeguarding such networks and their sensitive data from various cyberattacks is paramount. Sybil attacks have emerged as a prominent concern (Saxena et al. [1]), targeting and exploiting the vulnerabilities of distributed and P2P networks, thus infiltrating and compromising networks. Thus, these attacks pose serious risks to applications ranging from military operations to social networks and everyday activities like connected commuting [2,3,4,5]. Given increasing sophistication and prevalence of Sybil attacks, they pose a significant threat to the integrity and security of many distributed systems, like online voting systems, social media platforms, and even blockchain networks, among others. In all these cases, the attacker creates and controls multiple fake nodes or identities within a network, with aims of compromising user privacy, manipulating voting outcomes, and  undermining the consensus mechanisms of the system. The consequences for a network that becomes a victim of a Sybil attack is more than just immediate compromise: empowering the attackers to manipulate the network through fake identities, thus identifying newer vulnerabilities [1]. This study’s comprehensive literature review focused on such growing challenges posed by Sybil attacks and prevention strategies, with the aim of contributing a novel machine learning technique to detect Sybil attacks [6].

So, the primary motivations for continued research in Sybil node detection and attack prevention are preserving the integrity, reliability, and trustworthiness of distributed systems. Sybil attack resistance is a challenging goal that often requires significant compromises in terms of complexity, performance, and cost [7]. The development of effective detection techniques for the constantly changing configurations and dynamics in social networks is an important but not an easy task. The aim is to protect the core functionalities of the system and ensure that all are legitimate nodes but still preserving the users’ anonymity. Otherwise, Sybil attacks may have severe social and economic consequences. Sybil attackers can influence a voting process to favor their interests, leading to an unfair distribution of rewards or gaining control over a network. They can also track user behavior, spread misinformation, and influence public opinion [8,9]. Effective detection and prevention techniques can help safeguard user privacy and protect against identity theft. Novel detection algorithms or methods of detecting Sybil nodes are based on network topology, patterns of behavior, and some other factors depending on specific characteristics or cases. There are also techniques to prevent the creation and propagation of Sybil nodes, such as reputation systems, cryptographic techniques, and game-theoretic approaches [10].

1.2. Problem Statement and Research Question

Previous research [11,12,13] has leveraged machine learning (ML) algorithms, extreme learning machine (ELM), and support vector machine (SVM) to detect Sybil attacks. In online social networks (OSNs), ML-based detection methods are promising but remain under-researched. Hence, this study built upon the works of Du et al. [14] and other scholars, e.g., [15,16,17,18], to delve into Sybil attacks within OSNs. Sybil attacks manifest across various network types, e.g., wireless sensor networks (WSNs), mobile ad hoc networks (MANETs), and online social networks (OSNs) [16]. WSNs consist of interconnected nodes equipped with sensors for data processing and analysis. MANETs, featuring mobile nodes without fixed infrastructure, find applications in vehicular networks. OSNs, encompassing platforms such as Facebook and Twitter, offer attackers opportunities to introduce malicious nodes and undermine the network’s integrity [19]. The literature reports on the different patterns exhibited by Sybil attacks, such as direct and indirect attacks, stolen identities, or fabricated attacks [3,20]. In direct attacks, malicious nodes mimic legitimate ones, directly communicating with authentic nodes. Indirect attacks involve manipulated communications between legitimate nodes, confusing while altering information flow. Stolen identity or fabricated attacks involve malicious nodes claiming legitimate credentials and sometimes replacing authentic nodes without being detected [21,22,23]. Amidst the escalating Sybil attacks within OSNs, scholars are studying user identity protection from rampant fake identities (bots) [21,22]. Notably, networks can be exploited as propaganda tools if Sybil attacks persist; a paramount motivation of this study was to develop an innovative algorithm named “SybilSocNet”, designed to identify and counteract Sybil nodes within OSNs to address this challenge. The proposed algorithm harnesses ML methodologies such as K-nearest neighbors (KNN), support vector machine (SVM), and random forest, to optimize detection accuracy by extracting useful information from a large amount of raw data.

The research question in this case was as follows: How can the SybilSocNet algorithm, using machine learning techniques such as KNN, SVM, and random forest, effectively detect and mitigate Sybil attacks in online social networks (OSNs) by efficiently processing and analyzing large-scale raw data into informative matrices?

1.3. This Paper’s Significance and Contribution

As technology becomes increasingly intertwined with our daily lives, it is imperative to protect the integrity of networks. This study highlights the importance of addressing Sybil attacks and their potential consequences. The proposed algorithm, powered by robust machine learning techniques, contributes to global efforts to enhance network security in the face of ever-evolving cyber threats. Regarding the remainder of this article, Section 2 provides a comprehensive review of the literature on cybersecurity, network security, Sybil attacks, machine learning, social network security, and algorithmic and machine-learning-based detection. Our research aimed to investigate how the SybilSocNet algorithm can effectively identify and mitigate Sybil attacks in online social networks (OSNs) by leveraging a combination of machine learning techniques, including nearest neighbors (KNN), support vector machine (SVM), and random forest, via the extraction of patterns from raw data preprocessed as matrices.

Section 3 outlines the details of our algorithm. We begin by preprocessing the raw data to create matrices containing relevant information that can be used by the machine learning algorithms to detect patterns. To manage the large dataset efficiently, we divide the raw data into seventy-one smaller matrices rather than working with a single, massive matrix, which would require significant computational resources. This approach allows us to process the data using workstations instead of a supercomputer. Interestingly, the combined size of these seventy-one smaller matrices is still substantially smaller than the size of a single, large matrix, without compromising the valuable information needed for the machine learning methods.

Section 3 explains the research methodology applied in this study, followed by Section 4, presenting an analysis of the collected secondary open-source data. Section 5 discusses the findings, as well as reports on implications and limitations, and concludes with some open questions for future research.

2. Theoretical Foundation and Sybil Attack Landscape

2.1. Sybil Attacks: Concepts, Core Characteristics, Varieties, and Impact on Network Integrity

Scholars are concerned about how cybercrime is escalating rapidly, with unprecedented incidents. Considering that modern technologies facilitate swift data transfer through various communication protocols, with the key communication player being wireless technologies, e.g., 5G and WLAN, security must be assured for such wireless technologies [24]. By compromising robust security measures, numerous essential applications like mobile phones, satellites, access points, and wireless internet may face vulnerabilities, such as data breaches via such devices [25]. Researchers are keen to counter the security attacks on such technologies. Such wireless technology, due to its extensive usage across a wide spectrum of applications, is vulnerable, according to the Pew Research Center (2023), which highlights that about 97% of Americans own mobile phones, 85% of which are smartphones, with the reported American population being roughly 307 million [26]. According to Vincent [27], the count of mobile phones in 2010 was around 4.5 billion, a sizable target pool for attackers. As per NBC News [26], three-quarters of Americans possess laptops or desktops, which are thus sizable, vulnerable targets. Thus, considering their data sensitivity, an initiative to safeguard such a large pool of targets is required, particularly when such targets use wireless sensors in their modern applications, causing security concerns to escalate further. One drawback of wireless communication systems is unrestricted data and media sharing over networks, which are susceptible to signal interception, allowing potential attackers to spoof crucial information for launching attacks. When wireless networks are exploited, information necessary for successful attacks, i.e., an identity-based attack, is exploited. The literature sheds light on two simple yet destructive identity-based attacks: spoofing and Sybil attacks. Spoofing attacks are where attackers monitor targeted networks, gather legitimate user information, e.g., IP or MAC addresses, and pose as legitimate users to gain access to unauthorized services and data. A Sybil attack is a malicious node network infiltration to form multiple fake nodes that claim to legitimately deceive neighboring nodes by forwarding inappropriate information. By spoofing and legitimate information, attackers gradually introduce newer fake nodes, assuming control over time, thus enabling unauthorized data access and launching various attacks, e.g., denial of service attacks and data manipulation [28]. A Sybil attack targets P2P networks to create and control multiple fake identities, allowing an attacker to launch deceptive activities. Through an attacker’s multiple created and controlled identities, they can concurrently deploy multiple nodes, misleading the network into granting unauthorized data access, like a reviewer fabricating numerous product reviews on Amazon to fake positive customer feedback or creating multiple accounts on Twitter to influence users. Also, sensor networks suffer from Sybil attacks when attackers pose as legitimate nodes, cascading to deceptively obtaining precise user information through social engineering or network spoofing. Such private information fuels Sybil’s attacks, eventually granting attackers undue network influence [29].

According to Douceur [8], Sybil nodes illicitly claim multiple identities or fake IDs. Figure 1 depicts a Sybil attack, where a yellow node denotes legitimate ones and red nodes represent Sybil nodes. Sybil misleads the victim network during an attack when posing as legitimate, consequently redirecting traffic. For instance, node (A) mimics (H) to node (L) and (J) to node (K), causing traffic heading to node (A), which either forwards, alters, or blocks messages. Such a tactic extends to other red nodes. Attackers exploit victim nodes to wreak havoc, breach data, or lurk and launch attacks, yielding diverse outcomes. Such actions lead to malfunctioning networks with halted functions and data breaches entailing spoofed traffic between legitimate nodes. Also, it leaves manipulated networks that now meet attackers’ wishes, e.g., altered weather predictions that declare specific regions disaster zones [30].

2.2. Targeted Networks and Vulnerabilities

Sybil attacks target diverse networks of four types: (1) OSN platforms such as Twitter connect millions worldwide. An attack, as publicized by NBC [26], can impact masses and even nations. (2) Online store platforms such as Amazon can end up hosting fake product reviews, inflating a product’s image to drive sales; tactics like such often involve payment for generating fake reviews. (3) Vehicular ad hoc networks (VANETs) are a subset of mobile ad hoc networks (MANETs), where VANETs enable vehicular communication protocols like vehicle-to-vehicle (V2V), vehicle-to-roadside (V2R), and vehicle-to-infrastructure (V2I) connections. VANETs Sybil attacks vary, including those that impersonate by fabricating MAC addresses or certificates when attackers infiltrate by breaching sensitive data or disrupting vehicle traffic. Moreover, (4) wireless sensor networks (WSNs) include weather-related networks for environment tracking, disaster management, and industrial automation. Sybil attacks are apparent through nodes simulating sensors to transmit false data, overloading networks with malware, or deploying data spoofing or resource exhaustion tactics.

2.3. Unleashing Defense Strategies: Safeguarding against Sybil Attacks

Various techniques protect against Sybil attacks by mitigating their likelihood. However, no efficient solution can prevent such a threat [15,31,32,33]. Rahbari et al. [4] suggested a cryptography-based approach with overheads; Almesaeed et al. [17] proposed controllable overheads. From the view of the authors of this study, an optimal approach should balance security and performance, as also elaborated by Rahbari et al. [4]. It is essential to assess the widely recognized techniques for mitigating Sybil attacks, categorized by protection, detection, and mitigation. Such frequently cited strategies/techniques/approaches can be categorized into six types: (1) Certifications are recognized mitigation approaches involving certifying nodes through authorized identification [22]. Douceur and John exemplified VeriSign as a certification system that foils Sybil attacks, though challenges emerge without central certification. (2) Resource testing in known resource networks like sensor arrays [34], where nodes’ physical resources validate legitimacy through commonly known resource allocation statistics [3]. Consider a network of temperature sensors where all sensors possess identical computational power, memory, and battery capacity. In this mitigation approach, nodes’ physical resources are examined to ascertain their alignment with the attributes of legitimate nodes. While nodes execute tasks, reputation systems assess if the node is legitimate or Sybil. Lee et al. [35] used the resource-testing approach to detect Sybil nodes in wireless networks. Their system determines whether a node is Sybil based on how each node responds to a request. Newsome et al. (2004) showed how attackers use a single physical device to introduce multiple nodes into a network. Additionally, (3) in incentive-based detection, where Margolin et al. [13] proposed an economic detection protocol for Sybil attacks, an attacker is financially incentivized for two or more controlled identities. (4) Location/position and timing verification is based on detecting a Sybil attack based on its location. To demonstrate legitimacy, every node must be in a specific location. It detects the Sybil attackers by discovering if multiple nodes are in an exact location or moving in a coordinated or synchronous pattern [18]. (5) Random key pre-distribution, where nodes receive unique identifying keys before deployment [14], is a more suitable approach for Wireless Sensor Networks (WSNs) due to their limited computational and energy capabilities. Eschenauer et al. [36] and Dhamodharan and Vayanaperumal [37] introduced key management schemes specifically designed for distributed sensor networks. (6) Privilege attenuation, where Fong [12] counters Sybil attacks in Facebook-style social network systems (FSNSs) with privilege attenuation, an approach aligned with Denning’s principle of privilege attenuation, to limit and prevent Sybil attacks such as access restrictions among friends to reduce Sybil attack risks in FSNSs. Sybil detection algorithms have been deployed to detect if a Sybil attack is occurring. They determine nodes’ legitimacy by differencing malicious from legitimate nodes. Several scholars [2,31,32,38] have explored techniques for preventing and mitigating Sybil attacks. Quevedo et al. [39] suggested a SyDVELM mechanism employing the extreme learning machine (ELM) algorithm to detect Sybil attacks in VANETs. Yu et al. [40] proposed a SybilLimit protocol to counter Sybil attacks in OSNs. Patel et al. [16] examined Sybil detection algorithms for wireless sensor networks where nodes function as sensors. Often, WSNs are deployed for monitoring purposes, e.g., military applications, and their unattended nature renders them susceptible to Sybil attacks and cyber threats, such as a network of sensors measuring air speed and temperature to predict future weather. In this scenario, the sensor network’s communication becomes compromised when a new sensor is introduced under the guise of legitimacy but is, in fact, malicious. Such deceptive nodes can discriminate against fake results, distort weather forecasts, and propagate misleading data to other nodes. Furthermore, malicious nodes might persistently introduce seemingly legitimate nodes by mimicking the behavior of genuine ones. In both scenarios, successful infiltration by a node can profoundly disrupt the network’s functionality. In critical infrastructure, e.g., traffic systems, such a disruption can result in city-wide chaos, causing severe accidents. Similarly, a swarm of compromised military drones could result in significant casualties. To safeguard against such threats, constant network monitoring for Sybil attacks is crucial. Hence, this study aimed to comprehend the Sybil attack detection techniques within P2P networks.

2.4. Sybil Detection Algorithms

In WSNs, Dhamodharan et al. [37] formulated a Sybil detection algorithm: message authentication with a Random Password Generation (RPG) algorithm to identify and neutralize Sybil attacks. RPG generates routing tables for network nodes, comparing node details during message transmission to identify unauthorized nodes. The Compare and Match-Position Verification Method (CAM-PVM) detects Sybil attacks. Data are rerouted through verified nodes, omitting known Sybil nodes. However, due to the high computational demands, Dhamodharan et al. [37] advocate prevention prioritization over detection. CAM-PVM is selectively employed when data-sending nodes suspect a recipient, ensuring efficiency.

Regarding Sybil attack detection in mobile ad hoc networks (MANETs), Abbas et al. [41] introduced a detection scheme for versatile MANETs, widely applied across various fields. MANETs self-organize into versatile typologies driven by application needs with wireless nodes that connect/disconnect dynamically based on bandwidth. However, such wireless connectivity reduces capacities compared to those of wired connections. Security is challenging due to autonomy and the absence of centralized authority, rendering MANETs vulnerable to diverse cyber threats. All nodes in MANETs function as hosts/routers, enhancing their configurations while compromising their security. While wireless connectivity boosts data transfer rates, latency is introduced due to constrained resources like battery-powered small units. Despite these complexities, the unique properties of MANETs have led to their diverse applications.

Newsome et al. [42] examined security threats in sensor networks. Due to the cost-efficiency requirement for mass production, sensor nodes often lack advanced hardware, computational power, and storage space, limitations that hinder the use of robust cryptography algorithms, leaving networks vulnerable to threats like Sybil attacks. For instance, in a weather prediction ad hoc network, a Sybil node could manipulate forecasts to predict extreme conditions, or, in a military application’s MANET, a Sybil node breaching the network might endanger lives.

Abbas et al. [41] proposed the received Signal Strength (RSS)-based localization algorithm as a solution for Sybil attacks. An algorithm was leveraged by Chen et al. [43] for the identification of Sybil attacks within sensor networks. Chen et al. recognized its key role as a promising strategy for detecting Sybil attacks in MANETs. They benchmarked it as a measure of the signal’s strength received from a specific node at a given location. The RSS value varies depending on the signal’s source node location. According to Abbas et al. [41], one way to distinguish between Sybil and legitimate nodes is by analyzing the nodes’ entry and exit behaviors within the network. RSS is the measurement of signal strength received by a receptor, typically gauged at the receiver’s antenna. Several factors influence RSS, e.g., transmitter–receiver distance, transmission medium, and receiver signal power. RSS applications are crucial in detecting and estimating the geographical location of a transmitter. Abbas et al. [41] examined network nodes as they joined and exited a network assessing proximity and signal strength to distinguish legitimate from Sybil nodes. When a newly Sybil node enters a network, it is expected to exhibit a high RSS. Conversely, legitimate nodes tend to join a network upon receiving a signal, which results in a lower RSS value during network entry. Such discrepancy arises from the fact that Sybil nodes are spawned by nodes already in the network.

In contrast, legitimate nodes, drawn by proximity, promptly join the network with weaker signals, leaning toward a lower RSS value. The detection mechanism involves storing communication histories between neighboring nodes in individual nodes such that each node maintains a table that encompasses the entire communication history. Such a table becomes the foundation for each node’s assessment of whether its neighbor node is a Sybil. Such a table includes the signal strength measurements for the surrounding nodes. This information enables the algorithm to classify the investigated node. The data accumulated in such tables are obtained during direct node-to-node communication or even when an indirect node is engaged. Abbas et al. conducted two experiments to discern distinctive behaviors between Sybil and legitimate nodes. In experiment 1, they focused on distinguishing between the behaviors of Sybil and legitimate nodes, which was achieved by monitoring a node’s RSS over time. A legitimate node typically enters another node’s range gradually, strengthening its RSS as it becomes closer to the intended connections. Conversely, as it moves farther away, the RSS weakens. Figure 2 depicts the RSS progression values over time for both Sybil and legitimate nodes. For legitimate nodes naturally entering and exiting a network, the plot generates a bell-shape RSS curve (Figure 2A) versus a Sybil node, which exhibits a higher RSS compared to a legitimate node, as depicted in Figure 2B, resulting in a constant line followed by a negatively sloping curve, signifying that the nodes enter with consistently high RSS values that diminish as the node departs the network.

In the second experiment, the pace at which nodes entered the network significantly influenced the establishment of the threshold RSS value. It becomes crucial to ascertain the extent to which a node can traverse a specific node’s range before being detected. To investigate the relationship between node speed, penetration distance, and RSS value, Abbas et al. [41] experimented on node X and Y, where Y’s movement initiated away from X at varying speeds, while recording RSS values. Their findings revealed that a higher rate of movement allows nodes to penetrate into the range of other nodes while undetected. Such insights established the system threshold, assuming that no node could surpass a predetermined maximum speed.

3. Methodology: Proposed SybilSocNet Algorithm

This study employed ML algorithms to develop predictive models that are capable of identifying Sybil nodes within social networks. Considering the widespread popularity of such platforms, e.g., Twitter and Facebook, they are the basis for millions to convene globally. Hence, Sybil attacks occur within such networks by penetrating fake user accounts, so individuals can falsely assume identities. Such fraudulent accounts are employed to influence the public or manipulate network dynamics, involving propagating specific ideologies through orchestrated campaigns [44]. The modus operandi involves a Sybil attacker who controls multiple Sybil nodes while orchestrating fraudulent reports on the social network admin, where such reports falsely implicate legitimate accounts as fraudulent or compromised. Subsequently, the administrator proceeds with automated actions that restrict the legitimate users’ network access or even ban them. Cases of cybercrimes have been observed where social media was exploited to sway public opinion during elections, convincing votes for specific political parties. For instance, a hacker in Russia commissioned approximately 25,000 fake accounts, generating about 440,000 tweets that influenced public sentiment after a country’s parliamentary election [45]. To construct a supervised ML model skilled at discerning Sybil nodes in social networks and to distinguish Sybil nodes from legitimate ones, it is vital to acquire a dataset comprising labeled tweets or posts categorized as Sybil or legitimate. Such a dataset becomes the foundation for employing diverse unsupervised ML algorithms to train a model to differentiate malicious users, posts, or tweets from authentic ones.

Our research took the work by Binghui Wang et al. and their algorithm SybilSCAR as our base [46] to detect Sybil nodes from the raw dataset of the Twitter follower–followee graph with the nodes labeled as “benign” or “Sybil” [47]. They did not use machine learning at all: they used two structure-based methods, one was the Random Walk (RW)-based method and the other was the Loop Belief Propagation (LBP)-based method, applying a (different) local rule to every user. Even though we use the same raw dataset, our approach is quite different, and we still obtained essentially the same results.

Our algorithm begins by cleaning and preprocessing the raw data. Python code was used to reformat the raw data into a matrix that is suitable for input into the machine learning algorithms. We trained multiple machine learning models on our formatted data and evaluated their performance on validation data to identify the most effective model for this research problem. Figure 3 provides an overview of the deployed dataset.

We present here in the Algorithm 1 the pseudocode for the splitting of the data. This algorithm generates seventy one smaller data blocks from the dataset. It starts by reading the first line of the dataset and then skips seventy nodes. It captures each new node encountered after the skipping and adds it to a block. This process is repeated until the end of the dataset is reached, creating the first block. The algorithm then repeats all over again but now starting from the second line, beginning the creation of a second block, and continues this process until all seventy one blocks are generated.

Algorithm 1: Pseudocode for splitting the data

Algorithm 1 outlines the pseudocode for this initial part of the algorithm. After the seventy one data blocks are formed, a matrix is created from each block, similar to the one shown in Figure 4.

Next, we use these 71 matrices to train the SVM, KNN, and Random Forest algorithms. The first column, in green, represents the user ID. The remaining columns, in white, indicate the other users who follow the user from the first column. The last column, in yellow, labels users (from the first column) as ‘1’ if they are detected as Sybil or ‘0’ if they are considered legitimate users. This matrix includes all users and their connections.

The pseudocode for the creation of these 71 matrices is portrayed in Algorithm 2.

For example, the first row shows data for user 1, followed by 2, 7, 90, and 111, which are labeled as Sybil users. The second row corresponds to user 5, followed by user 7, which are legitimate users. The matrix continues to include all users in the dataset [47] and their connections. In the second-to-last column (on the right side of the table in Figure 4), an “X” indicates either the node with the highest index or zero if the node is not followed. This is denoted by $X_i$, where $X_i\in \{0,M\}$, and M is the value of the highest index among the sorted nodes before being included in the matrix (See Algorithm 2).

Algorithm 2: Pseudocode for the Creation of Matrices

3.1. ML Terminologies and Methodologies Applied in This Study

3.1.1. Machine Learning

ML enables learning like the human brain without explicit programming. For instance, training a computer to distinguish between cats and dogs using labeled pictures constitutes ML or training computers to recognize individual voices. Many AI-driven companies use ML emulating human intelligence by learning from the environment [48], having widespread applications spanning sectors from software to medical and military domains such as image detection, face recognition, and voice assistants like Siri [49] or Alexa [50]. Home security cameras employ ML for movement and face detection. Radiology employs it for diagnosing tumors. This study investigated various ML methods, supervised and unsupervised learning, to detail the algorithmic approach and findings.

3.1.2. Supervised Learning

ML algorithms are classified based on training methods, with one type being supervised learning, where algorithms learn by mapping inputs to outputs via a labeled dataset containing input–output pairs [51], i.e., the algorithm is trained on instances with known labels. Supervised learning effectiveness arises from having correct target outputs, while the algorithm continually refines its output by calculating a value from a loss function, a value that guides adjustments to the model’s weights for achieving the desired output. For instance, when predicting car prices via feature data, e.g., previous prices, model number, brand, mileage, and accident history, an algorithm predicts the car value via inputs like model, make, and mileage. Supervised learning, with broad applications like image recognition, natural language processing (NLP), and speech recognition, were employed in this study in supervised ML to distinguish Sybil from legitimate social media Twitter accounts via two key types: classification and regression. A classification problem concerns categorizing data into specified classes, e.g., classifying animal images into cats or dogs, or segregating individuals by age, either 20–30 or greater than 30. Such exemplary classification ML algorithm tasks determine the group where an instance belongs. Common classification algorithms are decision trees, support vector machines, and random forests, which are trained on labeled data to classify new data but the prerequisite is first choosing the right algorithm relying on factors like dataset size, training methods, and desired accuracy. Sahami et al. [52] tackles classification problems via a naïve Bayes classifier to distinguish spam from legitimate emails through automated filters for classifying inbox emails, to enhance user experience by excluding unwanted content. Unlike classification, where the ML algorithm predicts a predetermined class, regression predicts a value, e.g., car selling price or a person’s due date. Unlike supervised learning, unsupervised learning omits labeled data for training, instead analyzing unlabeled data, revealing patterns and relationships, being applicable in clustering and anomaly detection [53]. The K-nearest neighbors (KNN) algorithm, a flexible supervised method, learns from labeled data to predict labels for unlabeled instances. It memorizes patterns during training, then utilizes them for predicting new instance labels, serving both classification and regression tasks based on its training.To label a new instance, KNN compares memorized instances and assigns labels using similarities [54]. Next, this study illustrates real-world KNN functions for predicting housing price trends for investors’ decision making. Initially, when employing the KNN algorithm as a classifier, classes are distinguished, and the model’s accuracy is assessed via labeled instances by splitting the dataset for training and testing using various techniques, e.g., cross-validation, including resubstitution validation, K-fold cross-validation, and repeated K-fold cross-validation, each with its strengths and applications. Next, the KNN algorithm determines the number of neighbors (K) for predicting class, influencing accuracy. Optimal K selection balances pattern detection and sensitivity. Next, compute distances between the instance and its neighbors. The closest K neighbors’ classes decide the predicted class using distance metrics (e.g., Euclidean, Manhattan, Minkowski). Refer to Formula (1) for these methods [55]. Another distance-measuring method is cosine similarity, depicted in Formula (2), commonly used in text retrieval, as discussed by Lu [15]. Additionally, the KNN equation employs diverse distance formulas from Batchelor [18] to introduce the Minkowski distance Formula (3), the chi formula (Formula (4)), and the correlation equation (Formula (5)) by Michalski and Stepp [56], which constitute distinct distance metrics for KNN’s neighbor distance calculation.

$$dist(A,B)=\sqrt{{\displaystyle \frac{{\sum }_{i=1}^m{(x_i-y_i)}^2}{m}}}$$

(1)

$$sim(A,B)={\displaystyle \frac{\overrightarrow{A}·\overrightarrow{B}}{\left|\overrightarrow{A}\right|\left|\overrightarrow{B}\right|}}$$

(2)

$$dist\text{\_}Minkowsky(A,B)={\left(\sum _{i=1}^m{\left|x_i-y_i\right|}^r\right)}^{1/r}$$

(3)

$$dist\text{\_}Chi\text{-}square(A,B)=\sum _{i=1}^m{\displaystyle \frac{1}{su{m}_i}}{\left({\displaystyle \frac{x_i}{siz{e}_Q}}-{\displaystyle \frac{y_i}{siz{e}_I}}\right)}^2$$

(4)

$$dist\text{\_}correlation(A,B)={\displaystyle \frac{{\sum }_{i=1}^m(x_i-{\mu }_i)(y_i-{\mu }_i)}{\sqrt{{\sum }_{i=1}^m{(x_i-{\mu }_i)}^2{\sum }_{i=1}^m{(y_i-{\mu }_i)}^2}}}$$

(5)

Each equation is used to calculate the distances between the instance under study and other instances in the dataset, leading to varying outputs and accuracy measurements. These aspects were explored in ongoing research projects. Medjahed et al. [57] investigated breast cancer diagnoses using KNN algorithms and their dependency on diverse distance metrics. Iswanto et al. [31] conducted comparable studies on the impact of these distance equations in stroke disease detection. After calculating the distances between the studied instance and all other dataset instances, the algorithm picks K-nearest neighbors, i.e., K determining the count of neighbors. For instance, with K set to 100, it chooses the closest 100 neighbors, with such neighbors bearing the smallest distances to the instance. However, this step can be computationally intensive, especially for large datasets, requiring distance calculations and comparison operations. Once the K-nearest neighbors are identified, the algorithm predicts the instance’s class based on their classes, a step called “Voting”, offering Weighted and Majority options. Weighted Voting assigns varying weights to classes, while Majority Voting treats all classes equally, so adaptability accommodates developers aiming to emphasize specific class attributes.

3.1.3. Support Vector Machine Algorithm (SVM)

SVM, a supervised learning algorithm, operates on labeled datasets, aiming to learn a hyperplane that separates data points into distinct classes [58]. Its training optimizes the hyperplane’s position for effective classification of new points [59]. When assessing a new point’s position relative to the hyperplane, SVM assigns it to an appropriate class. In Figure 5, the hyperplane visually separates red dots from green stars, with dashed lines indicating the distance between the hyperplane and the nearest support vectors [27,60]. Such support vector positioning during training determines the hyperplane’s position and margin size [40]. In this testing phase, the hyperplane functions as the class boundary [61], classifying new instances. SVM’s hyperplane is crucial for classification and regression tasks, predicting class or value for new instances, relying upon the new instance’s position with respect to the hyperplane [62,63].

Based on the hyperplane distance, the instance receives a specific class or value based on the problem type. For instance, in a classification problem, the trained SVM algorithm predicts the class of a new instance. After training and hyperplane positioning, the algorithm assigns an instance to a class. If the brown rhombus falls to the hyperplane’s left side, associated with green stars, the algorithm predicts it as a duck (assuming green stars are ducks and red dots are lions). Similarly, the purple triangle and pink hexagon on the hyperplane’s right side belong to the lion class. Consequently, the algorithm predicts them as lions. Even the pink hexagon, on the right margin, is classified as a lion as it is on the right-side, regardless of being on the margin. Margins are only deployed during training to optimize hyperplane positioning and are unused during testing or applications. SVM optimizes the hyperplane in training via margins to solve the optimization problem; hence, margins play no role in classifying new instances during testing. Hyperplanes take diverse shapes based on dataset and feature count. With one feature, they are points, e.g., grading students as pass/fail. Two features yield lines or shapes, three form planes, and M features create an M-dimensional hyperplane. Formulas (1)–(5) and Figure 5 depict such variations, showcasing blue and red circles representing classes, with the hyperplane depicted as a brown line or circle, as shown in Figure 6, which also depicts a three-dimensional hyperplane, distinct from the line and circle, where a hyperplane correlates with a dataset bearing three features, X, Y, and Z axes, when working with N features to allow the hyperplane to gain N dimensions, a concept easier to grasp when observing the one to the two and then finally to the three dimensions.

Implementing an SVM involves five steps:

• Data Preparation: As SVM is supervised, labeled data are deployed for training. Instances must be associated with specific classes, where data collection takes various routes like downloading datasets from platforms like Kaggle [64] or customizing existing ones.
• Feature Scaling: SVM gives weight to features based on values where scaling ensures fairness among features. While some features have a larger magnitude, maintaining equitable treatment prevents bias. Scaling methods like standardization and normalization are often employed.
• Kernel Selection: SVM utilizes the kernel trick, mapping data to higher dimensions for easier classification. Kernels are of various types, suited to different data and applications. Optimal kernel choice impacts computational efficiency.
• Training and Optimization: After the kernel is selected, training involves determining the hyperplane position. This necessitates solving an optimization problem, minimizing the cost function while considering margin and regularization factors. Different algorithms, e.g., SMO and quadratic programming can be deployed.
• Testing: SVM can handle classification and regression. In classification, algorithm predictions are compared to known instances. For regression, SVM predicts values based on the point’s distance from the hyperplane.

3.1.4. Random Forest Algorithm

Random forest, an ensemble supervised method, combines small models to form a larger model for problem solving. Such an algorithm operates in stages: small models tackle subproblems, their solutions contribute to the final prediction through a voting system. The large model is a collection of trees, with each tree handling a subset of features, with the five steps characterizing the random forest algorithm:

• Dataset preparation: Like prior algorithms, it requires labeled data for training with a dataset consisting of features linked to corresponding classes, e.g., car quality correlates with attributes like make, model, and price.
• Decision tree: This is the creation and grouping of the data via a central tree consisting of smaller decision trees that predict outcomes via the dataset’s distinct portions without all features being related to target outputs to form a diverse set of trees, akin to people uniquely solving problems. Ensemble voting aggregates their solutions to determine the final prediction.
• Trees’ feature selection: Different randomly chosen features are assigned to each tree, to curb overfitting.
• Bootstrapping: This involves the newly created dataset’s data samples, generating variations for each tree to avoid uniformity. Bootstrapping introduces randomness, yielding a diverse array of perspectives on the problem, crucial to preventing overfitting (Figure 7).
• Output Prediction: The algorithm predicts the output, either class for classification or value for regression. All decision trees contribute predictions, and a voting mechanism selects the majority class for classification or the average output for regression.

The random forest algorithm offers adjustable parameters, including tree count, bootstrap dataset percentages, and decision tree node count, catering to the application’s complexity [65].

4. Data Analysis

4.1. Steps, Results, and Validation

This section reviews the steps and results of this empirical study’s experiments using the dataset by Jethava and Rao [66], previously utilized by Patel and Mistry [16]. First, data were cleansed and reformatted so they could be used to train different ML algorithms to detect Sybil nodes. The Twitter user dataset consists of followers and followees, i.e., it indicates what accounts each account follows. Figure 3 signifies part of the Jethava and Rao [66] dataset, indicating that user ID 1 is following 4, 5, 7, etc., up to the end of the dataset.

Figure 8 depicts user 5’s connections 1, 4, 7, etc. A separate dataset segment consists of a two-row file containing Sybil and legitimate node IDs. This study carefully processed and restructured the dataset for input into its ML algorithms, accompanied by the matrix generation process using pseudocode, portrayed earlier in this article. This entailed crafting a comprehensive matrix where rows represented user IDs, followed by followers’ IDs in subsequent columns, and the last column indicated user legitimacy (0 for non-Sybil, 1 for Sybil), derived from ‘269640_test.txt’ dataset row 2 (Jethava and Rao [66]).

This study generated a single matrix for training ML algorithms, followed by experiments to optimize accuracy. Due to the dataset’s extensive size, a need arose for significant computational resources, e.g., supercomputers, but, lacking access to one, we split the data into seventy-one samples to generate corresponding smaller matrices for training and testing. Such an approach eased the computational demands, crucial due to the initial matrix’s massive 117 GB size. Each of the seventy-one matrices was approximately 299.62 MB, totaling 20.77 GB. Despite such a size reduction, the original data remained intact and, as a result, were organized into independent matrices, thus enhancing manageability and computational feasibility. Next was the ML algorithm phase in this study, where ML algorithms were deployed, i.e., KNN, SVM, and random forest algorithms, and the respective training was conducted to differentiate Sybil nodes from legitimate nodes on the previously mentioned seventy-one matrices. In the next section, this study reports the distinct accuracy outcomes of each algorithm. While training, a challenge was encountered when training the SVM on four matrices once extensive training times elapsed, though KNN and random forest trained successfully. Hence, this study opted to analyze the algorithms’ results on sixty-seven matrices omitting the four problematic ones. All ML algorithms utilized the aforementioned seventy-one matrices as the input for training. Segmented data blocks served for training and testing, yielding high accuracy. The algorithms produced a uniform output format, enabling direct comparison with their outputs represented by a 2 × 2 matrix (Figure 9).

In Figure 9, a common 2 × 2 output matrix is observed from the ML models and can be interpreted as follows:

$$\left[\begin{array}{cc}{I}_{00}& I_{01}\\ I_{10}& I_{11}\end{array}\right]$$

• Element I₀₀: True positives for non-Sybil instances, a value representing legitimate nodes correctly detected by the algorithm as such.
• Element I₀₁: False positives for Sybil instances, signifying nodes falsely labeled as Sybil by the algorithm. Ideally, this value is minimal or zero, preventing the mislabeling of legitimate nodes as Sybil.
• Element I₁₀: Sybil nodes undetected by the algorithm. The general aim is to keep this count to a minimum to ensure Sybil detection.
• Element I₁₁: Sybil instances’ true positives, indicating correctly identified Sybil nodes.

Consider the SVM algorithm’s output matrix (Figure 9), where I₀₀ = 719 represents the correctly detected legitimate nodes, I₀₁ = 0 means no false positives for Sybil nodes, which is desirable, I₁₀ = 2 indicates that two Sybil nodes went undetected that were labeled as legitimate. And, I₁₁ = 336 specifies the correct and accurate detection of Sybil nodes. The algorithm’s accuracy in this case was 99.81%, calculated by adding I₀₀ and I₁₁ and dividing it by the sum of all the elements in the matrix. The accuracy was computed for every algorithm after processing each matrix. This study encountered issues obtaining SVM outputs for some of the matrices; this is not uncommon [2,11,31,57]. In our study, we employed a linear kernel for the training phase; other kernel types might yield less or no issues with SVM computing.

4.2. Data Overview

This study compared the performance of various ML algorithms in terms of accuracy.

Table 1. Mean value and standard deviation comparison.

	K Nearest Neighbor	Support Vector Machine	Random Forest
Mean Value	96.759	99.394	99.213
Std. Dev.	0.0038	0.0061	0.0029

summarizes the results, including the mean value and standard deviation for each algorithm we examined. Table 1 reveals that the SVM algorithm achieved the highest accuracy, trailed by the random forest algorithm. KNN ranked last in accuracy. In terms of standard deviation, the random forest algorithm demonstrated the lowest value, with KNN following in second place, and the SVM algorithm exhibiting the highest standard deviation. The data presented are the output accuracy for the K-nearest neighbor, random forest, and SVM algorithms. The tables for these algorithm’s data are portrayed in Appendix A, Appendix B, and Appendix C, respectively.

Figure 10 and Figure 11 depict the KNN accuracy results for the different matrices. As depicted, the accuracy had a maximum of approximately 97% and a minimum of around 96%.

Figure 12 and Figure 13 depict the accuracy for the random forest algorithm and the SVM algorithm, respectively.

When comparing the performance of the different ML algorithms regarding accuracy, Table 1 depicts the results revealing the mean value and standard deviation for each examined ML algorithm, highlighting that the SVM algorithm had the highest accuracy, followed by the random forest algorithm. KNN ranked last in terms of accuracy. Regarding standard deviation, the random forest algorithm bears the lowest standard deviation; KNN ranks second, followed by the SVM algorithm, having the highest standard deviation. Figure 14, Figure 15, Figure 16 and Figure 17 depict the different performance outcomes of all the examined algorithms.

Furthermore, the KNN algorithm had high accuracy levels; however, these accuracy levels were relatively lower than those of the support vector machine algorithm and the random forest algorithm. The constant number K that was chosen was investigated alongside the dataset’s size. As depicted in Figure 18, KNN has a normal distribution with accuracies ranging between 96% and 97.5%, with 96.6 having the highest frequency of occurring. While training the three ML algorithms, the SVM algorithm needed a relatively long time compared with the random forest and the KNN algorithm. It is important to notice that the SVM algorithm was taking too long to train on the matrices [11,13,31,57], so we decided to skip these matrices. The average time the SVM took to train on the other matrices was about 2 min. The normal distribution graph for the support vector machine algorithm shown in Figure 19 indicates that the algorithm has a high probability of producing an accuracy value between 99.5% and 99.9% with a relatively low probability of having an accuracy between 97% and 99%.

During SCM training of the three ML algorithms, the SVM algorithm needed a relatively long time compared with the random forest and the KNN algorithm. It is noted that the SVM algorithm also took too long to train on the matrices for Medjahed et al. [57], Iswanto et al. [31], Margolin and Levine [13], and Misra et al. [11]. After several days of not finishing with the computation, we decided to skip these matrices. The average time the SVM took to train on the other matrices was about 2 min. The normal distribution graph for the support vector machine algorithm shown in Figure 19 indicates that the algorithm has a high probability of producing an accuracy value between 99.5% and 100% with a relatively low probability of having an accuracy between 97% and 99%. In the case of the Random Forest algorithm it has a high probability of producing a value with an accuracy between 99.1% and 99.4% as shown in Figure 20. Random forest had high accuracy rates and the lowest standard deviation value among the machine learning algorithms. Also, the time required to train the random forest algorithm was relatively short compared to the time required to train the support vector machine algorithm. The random forest algorithm had a normal distribution with an accuracy span ranging between 98.4% and 99.6%, with a high probability of accuracy between 99.0% and 99.5%. Mounica et al. [45] achieved an accuracy of 93%; their approach was only for wireless networks. Nevertheless, our algorithm works for wired and wireless networks with higher accuracy. Lu et al. [15] achieved an AUC value of 0.93 with their proposed Sybil detection method. Patel and Mistry [16] had an AUC value of 0.82 for a large Twitter dataset. Our accuracy results ranged from 96% (KNN) to 99% (SVM).

5. Conclusions, Limitations, and Future Recommendations

5.1. Conclusions

This study began with a literature review on Sybil attacks and their targeting of different types of networks. This review delved into the protection and prevention algorithms employed to secure networks vulnerable to Sybil attacks. It also included an overview of reputable systems and an outline of our research methodologies. This study concluded by detailing the steps taken, analyzing results, explaining research limitations, and proposing future research directions. In this study, we developed an algorithm to detect Sybil nodes in an online social network, specifically Twitter, using the number of direct connections as a criterion. This algorithm can function as part of a reputation system within online social networks to identify Sybil nodes. The algorithms yielded high detection accuracy rates, ranging between 96% and 97% for the KNN algorithm, 97% and 100% for the SVM algorithm, and 98.4% to 99.6% for the random forest algorithm. Notably, these algorithms exhibited reliability with minimal standard deviations, all under 0.0061%, with the random forest algorithm showing the lowest deviation of 0.0029%. These outcomes are attainable using standard workstation or desktop computers.

The algorithm developed in this study depends solely on connection data and their directions. In contrast, the approach by Patel and Mistry [16] necessitates more parameters to ascertain whether a node is a Sybil or not. Our accuracy results are notably high. Furthermore, the scalability of this algorithm is noteworthy. We efficiently divided large datasets into smaller matrices, enhancing computation speed and enabling parallel execution. This matrix division also significantly reduces the total size of the matrices used for training, contributing to improved performance and stability.

5.2. Limitations

One notable study limitation pertains to the inability to train the SVM algorithm on the aforementioned four matrices. Additionally, due to the lack of access to a supercomputer, the scholars of this study faced constraints in conducting broader testing.

5.3. Future Research Opportunities

In the future, there are several avenues that offer opportunities for investigation and exploration. These are the possible propositions that can direct future research directions for readers’ consideration: First, the study’s algorithms can get tested on a supercomputer using the complete, undivided matrix is of interest. Such an exploration aims to assess how results might be influenced when all data are consolidated into a single, large matrix. Second, future research endeavors could explore the extension or reconfiguration of the data to make them applicable to other ML algorithms. Third, by examining the application of this algorithm to various online social networks (OSNs) and wireless sensor networks (WSNs) could yield valuable insights. Finally, the possibility of reducing the variables to reduce the matrix size and minimize the algorithm’s memory footprint is a worthwhile pursuit.