Wikipedia:WikiAudit

WikiAudit

Example WikiAudit report
Developer(s)	Andrew G. West (west.andrew.g)
Initial release	January 2012
Stable release	0.1a / July 2, 2015; 8 years ago (2015-07-02)
Written in	Cross-platform
Available in	English
Type	Wikipedia/wiki analysis
License	GNU General Public License
Website	http://www.andrew-g-west.com

WikiAudit is a utility that, given a set of IP addresses as input, outputs a report (see the screenshot image) summarizing the contributions and behavior of those IPs on some wiki (i.e., English Wikipedia). In particular, heuristics direct attention to malicious/unconstructive behaviors.

We envision WikiAudit being useful for:

1. Institutional/organizational network administrators who want to monitor the contributions coming from their IP space. From the organization's perspective, this can help protect reputation and misuse of organizational resources. Similarly, organizations who take steps to prevent future mis-behavior help benefit the wiki.
2. Casual readers who use the tool to conduct security investigations and reveal organizational
   might be
   inappropriately promotional or scrub factual criticism.

• WikiAudit – Current version released 2015-07-02

Executable

GUI

.

• Source code for WikiAudit is included with the STiki source-code distribution (visit that page)

The projects share a code-base; core WikiAudit code is in the [audit_tool/] subdirectory

To control the content of the output report, WikiAudit exposes several parameters:

• IP addresses - The most basic input is a list of IP addresses for analysis (of course, we can only report on
  CIDR notation
  (127.0.0.0/8)
• Connection string - Users provide a path to the
  template
  -driven analysis is en.wiki specific. Compatibility with foreign-language installations is untested.
• Time boundaries - So only events occurring after a particular date will be reported. Useful for periodic updates of IP activity.

These parameters produce a report (a simple HTML document) with the following features:

• Aggregate statistics: quantity of IPs that edited, number of contributions, revert quantity, blocked users, etc.
• A high-level look at user/IP participation: (1) Whether the IP has a
  block history
  exists for the IP.
• The contributions from the IP space are also exhaustively enumerated: Basic metadata is provided, along with helpful links. More uniquely, a simple heuristic is used to determine whether the subsequent edit
  reverted or rolled-back
  the contribution (indicating its poor nature).
• Where malicious activity is suspected, the edit/user is colored red to draw attention.

Efficiency & responsible use: WikiAudit operates by making batch calls to the wiki's API. The speed of operation depends on the network connection and the density of IP editing activity in the input range. For perspective, on a residential network it is generally possible to produce a report for ~65,000 IPs (i.e., a /16 CIDR) in about 5-minutes time. Producing reports for a massive quantity of IPs at once (say, a /8 CIDR) is not recommended and may lead to API throttling or temporary loss of API access.

Motivation: WikiAudit's creation was inspired by the

). WikiAudit extends this functionality by: (1) enabling programmatic operation, (2) allowing for the input of multiple IP ranges, and (3) providing heuristics for unproductive users/contributions, so administrators do not have to engage in brute-force investigations.

WikiAudit was written by Andrew G. West (west.andrew.g), a doctoral student in computer science at the University of Pennsylvania under the advisement of Insup Lee. The work was supported in part by ONR-MURI-N00014-07-1-0907. Queries not addressed by documentation should be addressed to WikiAudit's authors.

• 
  WikiAudit terminal operation/arguments
• 
  Snippet of WikiAudit output report