Bot Detection: Open-Source Community Project

[oren-cloutavista]

Hello everyone!

We at Cloutavista would like to ask the community for feedback and contributions to the open-source bot detection proposal we have here.

Please let us know what you think, either here in this discussion or at the repository, especially in terms of the following topics:

• Project goals and purpose
• Data (including bot/not-bot labels)
• Models (including ML&DL)
• Project Structure
• How to best involve the community

Thank you and hope to hear from everyone :)

[daniel-keyes]

To summarize, we've put together an initial project to help build community-driven bot-detection algorithms.

• The general idea is to create a dataset of bots and problematic accounts that is tagged and labeled by the community. We started with an initial list we built ourselves, but down the line, I think it would be best for the dataset to be voted on and maintained by the community. One method we used to find bots was to search for content that exactly copied and mimicked other accounts, for example (https://cloutavista.com/bitclout/posts?search_type=exact_phrase&text=In+an+age+of+abundance)

• Next, we've set up the infrastructure to allow developers to take that dataset and train and test bot-detection algorithms.

• Finally, Nodes and devs can then choose which algorithms to integrate into their own projects to mitigate problematic bot behavior.

Looking forward to hearing if you all think this is a good idea or direction to develop!

[tijno]

I think this is a great idea and very important in a decentralised network where traditional "in browser" detection of bots is insufficient due to bad actors using their own nodes.

Of course not all bots are bad. So im referring here to bad-bots.

Some initial thoughts on the above and the other repo.

To date we have seen several forms of bad bot attacks:

• follow / unfollow spam
• $0 coin purchase spam
• like spam
• emoji comments
• reclout spam
• post copy spam
• DM spam
• impersonation
• nft bid spam (not seen this yet)
• nft minting spam (seen 1)

Most of these bots could be identified relatively consistently using transaction velocitity, but they are smarter now by adopting a combination of the above methods to appear more "real".

This will only get worse.

Re proposals

Here are some thoughts about the points @daniel-keyes @oren-cloutavista made above.

create a dataset of bots and problematic accounts

• How do we decide what is and is not problematic?
• What method is there for removing false positives
• How do we prevent bots attacking the dataset by mislabelling users at scale

infrastructure to allow developers to take that dataset and train and test bot-detection algorithms

• can we detect it from raw blockchain data ?
• postgres rollout will hopefully make this a lot easier
• how would this be funded?

choose which algorithms to integrate

• interesting - so rather then "centrally" decide whether user A is bad bot or not - the nodes implement an algorythm to determine it in real time
• would this not waste considerable resource where each node basically for probably at least 50% of bots do exactly the same work to flag them as a bot

Project goals and purpose

Critical to get right early on.

Models

ML would be interesting for sure as it may result in algorithms that are much harder to reverse engineer and circumvent.

But we know from facebook experience that they can also result in many many false positives.

Concerns

The concern I have is that whatever methods the community comes up with - if its economically beneficial to circumvent and produce bad bots - they will continue to exist.

And in our fight against the "bad bots" - the real users and legit bot operators will suffer.

[daniel-keyes]

@tijno I think you hit a critical point. We need a way to tag bots by their type. Not all are bad.

How do we decide what is and is not problematic?

Perhaps the better alternative is to try and tag bot behaviour with more descriptive tags such as "alerts", "spam", "programmatic", etc. Then each node can decide what behaviour to allow or block.

What method is there for removing false positives

If we use a community-driven consensus tagging system, we can randomly attribute requests for reevaluating false positives to multiple taggers. If there is a certain level of agreement, we can change the classification of that account.

How do we prevent bots attacking the dataset by mislabelling users at scale

Great question! Maybe we can use GitHub, and a users contribution, as a proxy for their voting rights. More so, if down the line, most of the tagging is done by algorithms, we could leave the exceptions, or false positives, to validated taggers.

can we detect it from raw blockchain data ?

Possibly, but I would imagine that this is the first thing that bad actors could work on in order to mirror real users.

how would this be funded?

Maybe the core team can allocate CLOUT to incentivize the community to vote and help regulate bots.

Do any other ideas come to mind? What do you think is the best way to jump-start this?

[arhebbar]

Perhaps the better alternative is to try and tag bot behaviour with more descriptive tags such as "alerts", "spam", "programmatic", etc. Then each node can decide what behaviour to allow or block.

This is good. Then each node can decide whether to block all bots of a certain type and also have a SPAM Indicator % (if a user's posts are > 50% SPAM, block it. How to decide if it is a spam, it has to be user driven. See below.

How do we prevent bots attacking the dataset by mislabelling users at scale
I think there's already efforts to prevent bots from doing much on BitClout. That hopefully should suffice. But, good point. We need to keep an eye out for this.

Great question! Maybe we can use GitHub, and a users contribution, as a proxy for their voting rights. More so, if down the line, most of the tagging is done by algorithms, we could leave the exceptions, or false positives, to validated taggers.
Github may not work because most users don't have github accounts. Blocking users is an idea. We could add an option there to say "Report SPAM" like it is there in Twitter and in the next window - bot can be an option or we give a separate "Report Bot" option. Only risk is over time, like in Twitter, people will start ganging up to mass-report a person or a post as SPAM. So, the actual blocking should happen from the individual node.

can we detect it from raw blockchain data ?
Yes, this should be possible. My thought is that it starts with rules to supervised learning and then towards unsupervised learning over time.

Maybe the core team can allocate CLOUT to incentivize the community to vote and help regulate bots.
This is definitely a great idea. And we need to prepared for more attacks now, especially with the FREE 10$.

Do any other ideas come to mind? What do you think is the best way to jump-start this?

Expanding on my earlier comment here, a repository of all users whose posts are being blocked in large numbers especially in the early days of them creating an account could be a starting point.

[FreeTrade]

Thanks for this proposal. Briefly, I'm in favor of flagging bots, but not in favor of 'banning' bots. Banning any account is not in the spirit of a decentralized and uncensorable network. The approach I'd favor is a distributed one, where anyone could run a flagging agent that would flag accounts it believed to be of low value. This flagging information could be available onchain and sites could then aggregate and weight this information as appropriate.

[tijno]

I think this is a fair point - decisions to block/ban (even spam bots) on one node should not affect another node unless that node makes that specific decision.

Node operators may need to follow local legislation to block certain accounts or content. But this should not affect nodes not affected by the same legislation.

[daniel-keyes]

This is a great point @FreeTrade. I agree that the decisions should be local to each node. They should be able to decide, collectively, the behaviour of programmatic accounts/ bots. I can even imagine Nodes where bots play a main roll (i.e. for alerts or reminders)

[arhebbar]

Finally got myself to come in here and spend some time. Since it's my first comment, excuse any miss in how to comment / respond.

Thanks for this proposal. @tijno has made a great comment about classifying the type of bots. One simple way I feel to ensure that this is community driven is to look for % of people blocking a certain id. For almost all of the below, my first reaction has been to block them. If each of us are just doing that as a behavior when attacked by a bot, pretty soon, the profile will get enough blocks and that should be the community's way of blocking/banning that bot.

I have noticed that there's a greylist / blacklist option. At least on the Bitclout.com node, if we set a rule that any bot that gets 10x the # of blocks as the # of posts (where 10 is a parameter that can be changed at the node level) especially after the bot has been active for say 7 days or has made say 100 posts, I would say that it is a safe way to prevent bots.

Of course, the risk is that bots could be built to get other handles to get blocked. So, we might have to ensure only handles with a certain # of followers or active since so many days and their blocks are considered.

By the way: this is @randhir on BitClout.

[F041]

I tried to build something after this post: https://bitclout.com/posts/a2f63f0a4cdbb07f493e672f6601fdb76487bfdad0274affdeed23f3aa2f52b7

at that time I used data from cloutgate to gather the data, and had problems because, for example it doesn't show the followed amount. In fact the code results incomplete: https://github.com/F041/Bitclout/blob/main/rugPullPatrol.R

My approach would have resulted in flagging barbiegraveyard as a bot, because she has high followed/followers ratio.

Anyway I'd not go for a supervised ML approach but a not supervised one, like self organizing maps.

I fear the KYC update would make this effort worthless