With a daily granularity, Johnson et al. collect large-scale datasets consisting of longitudinal records of online activities of pro-ISIS aggregates (pages) on VKontakte, a social network in Russia. First of all, they propose an approach to predict the onset time of real-world events by exploiting the proliferations of aggregates ahead of such events. Secondly, they build a fragmentation-coalescence model to capture the shape-skin pattern that the aggregate size has shown across time. Finally, they analyze the adaptations of aggregates have performed to escape from anti-ISIS entities. This work helps to forecast the favorable conditions for future attacks and it only needs digital data collected from social media, instead of relying on real-world events.
Due to the high speed and global coverage of social networks, extremist organizations like ISIS start to use them as platforms to propagate information and recruit followers. Prior studies attempt to reveal the relationship between general online buzz (such as mentioning ISIS or protests) and real-world events. Unfortunately, such individual behaviors are insufficient to predict sudden attacks or clarify any long-term buildup stage ahead of those events. Therefore, it leaves the issues unresolved, like how to explain how support for extremist organizations evolve in social networks, and how to forecast a sudden attack.
They choose VKontakte, an analog of Facebook based in Russia, to collect longitudinal records of pro-ISIS activities and narratives. Instead of collecting casually online buzz, they pay close attention to self-organized pro-ISIS aggregates, an analog of pages in Facebook. Those aggregates are under huge pressures from predatory entities such as police cybergroups and individual hackers.
They manually build up a list of pro-ISIS aggregates. On a daily basis, they update the list by identifying all relevant narratives using common hashtags in multiple languages, and then trace them down to find aggregates. Only those with a strong allegiance to ISIS are included into the list. The criterion of inclusion is the group explicitly expressed its support for ISIS, and judgment is made by some experts. Once the aggregates supporting ISIS are found, an additional search using their followers and aggregates to whom they linked is performed on that same day. Such iterative process is terminated until the search leads to aggregates that have already been added into the lists. In addition to maintaining the list of aggregates, they also develop a web scraping software to help collect additional information – such as followers, posts in aggregates and comments, the Boolean variables to indicate whether the aggregate is alive or has been shut-down.
Methods & Results:
Proliferation of aggregates before real-world events.
They employ a well-known Moore’s Law of development to fit the online creations of aggregates, in which is the time-interval between the appearance of the and aggregates and is the time-interval between the first two, the escalation parameter is positive and diverge over time ( is function of ), indicating an increasing escalations of online proliferation of aggregates. Next, they use the inverse algebraic formula to estimate b’s divergence with matching the actual onset of attacks. Real data fitting suggests that the divergence of escalation parameter for aggregate proliferations coincides with real-world onset at time . By contrast, neither time-series analysis of online buzz nor prior on-street events provide any long-range predictive power. This method is unable to predict those attacks conducted by a few individuals.
Coalescence-fragmentation model for online aggregate ecology.
The sizes of aggregates exhibit distinctive shark-fin shapes – expansion followed by an abrupt drop (due to the shutdown of aggregates). They take two factors – coalescence and fragmentation – into account and construct a model to capture the system-level shark-fin feature. Fragmentation means the abrupt drop of aggregates caused by predators, and coalescence indicates that individual followers sporadically link into existing aggregates (like growth of one aggregate) while existing aggregates sporadically link into each other (combination of two aggregates). Mathematical analysis reveals that aggregate size in steady-state follows a power-low distribution with . This is similar to the empirical value for ISIS data.
They also show that predatory agencies can thwart development of large aggregates by breaking down smaller ones. They modify the model by introducing time delay to describe time cost that aggregates need to be noticed, analyzed and finally shut down. Simulation results show that breaking down smaller-sized aggregates is more efficient than hunting large ones.
They found that aggregates show various evolutionary adaptations to protect themselves from predatory entities, by changing names, becoming invisible and reincarnation.