Uncovering Large groups of active malicious accounts in online social networks Written by Qiang Cao, Xiaowei Yang, Jieqi Yu and Christopher Palow Presented by Rama Krishna Chaitanya Somavajhala

Overview Introduction Examples System overview System Design Parallelising user-pair comparison Implementation Security Analysis Evaluation Conclusion

Introduction Online social network (OSN) is the most popular target for attacking and exploiting. To defend against these attacks, this paper introduces malicious account detection system called SynchroTrap. SynchroTrap has been deployed in common OSN such as Facebook and Instagram and has observed precision higher than 99%. The authors of this paper have analysed the behavioural patterns of social network accounts to differentiate between malicious accounts and legitimate ones.

Introduction The SynchroTrap is an incremental processing system which makes it practical to be deployable at large OSN. This system overcomes all the design challenges such as detecting weak signal from large amount of noisy data and to handle a few terabytes of data on a daily basis. Previous work was just to use a social network’s connectivity to infer if it is fake or real. Another approach was build machine learning classifiers to infer malicious accounts.

Example(1) The graph compares the photo-uploading activities of malicious users to those of normal users at Facebook. The graph (a) plots the photo uploads with timestamps from a group of 450 malicious accounts over a week. The graph (b) shows the photo uploads of 450 randomly chosen accounts which have never been flagged as malicious.

Example(2) The figure compares user-following activities between 1,000 malicious users and 1,000 normal users. Malicious users in Instagram follow target users to inflate the number of their followers.

Economic constraints of attackers Cost on computing and operating resources. Revenue from missions with strict requirements: malicious accounts often perform loosely synchronized actions. The missions of attack campaigns constitute attackers' mission constraints and the limited Infrastructure to launch attack campaigns constitute resource constraints.

System Overview High level system architecture: main idea of SynchroTrap is clustering analysis. It measures pairwise user behaviour similarity and then uses a hierarchical clustering algorithm to group users with similar behaviour over a period of time together.

Challenges Scalability: The large volume of user activity data leads to a low signal-to-noise ratio, making it hard to achieve high detection accuracy. The sheer volume of activity data prohibits a practical implementation that can cope with generic actions. To handle massive user activities at Facebook-scale OSNs, we apply divide-and-conquer. We slice the computation of user comparison into smaller jobs along the time dimension and use parallelism to scale

Challenges Accuracy: The diversity of normal user behavior and the stealthness of malicious activity hinder high accurate detection. In order to achieve high accuracy, we design SynchroTrap based on our understanding of an attacker’s economic constraints. Adaptability to new applications : It is challenging to develop a generic solution that can adapt to new applications

System Design Partitioning activity data by applications: categorize a user’s actions into subsets according to the applications they belong to, which they call application contexts. Comparing user actions: In this system the user actions are taken as tuples each of which has an explicit constraint field that express both resource and mission constraints. The tuple abstraction can be denoted as ‹U,T,C› where U,T,C represents userID, action timestamp and constraint object.

System Design Pairwise user similarity metrics: the system introduces per constraint similarity to measure the fraction of matched actions on a single constraint object. Jaccard similarity, a widely used metric that measures similarity between two sets is used. This value ranges from 0 to 1. Scalable user clustering: clustering users based on their effectiveness and scalability.

System Design Making the algorithm suitable for parallel implementation: maximum similarity from all pairs of users are drawn from different cluster. User pair filter function: filtering functions are used to select user pairs with action similarity. First filtering criterion uncovers malicious user pairs that manifest loosely synchronised behaviour on a set of single constraint objects.

System Design Parallelizing user-pair comparison: large computation of user pair comparison on a bulk data is divided into smaller ones in the time dimension.

System Design Daily comparison and Hourly comparison with sliding windows

System Design Improving Accuracy: the volumes and synchronization levels of malicious attacks vary in different OSN applications. SynchroTrap allows OSN operators to tune a set of parameters to achieve the desired trade offs between false positives and false negatives. Computational Cost: cost can be reduced by taking only the user actions pertaining to the same target object.

Implementation SynchroTrap is built on top of Hadoop MapReduce stack at Facebook. Clustering module is done on Giraph and large graph processing platform based on the Bulk Synchronous Parallel (BSP) model.

Security Analysis Spread spectrum attacks: attackers could attempt to hide synchronization signal that SynchroTrap detects. SynchroTrap limits the total number of abusive actions on a constraint object irrespective of the number of malicious accounts an attacker controls. It uses jaccard similarity to evaluate the action sets of two users and this attack can be evaded by calculating the fraction of matched actions of malicious accounts to be below certain threshold.

Security Analysis Aggressive attacks: they are launched by controlling accounts to perform bulk actions within a short time period. SynchroTrap works together with existing anomaly detection schemes and complements them by targeting stealthier attacks. SynchroTrap limits the total number of abusive actions on a constraint object.

Evaluation: Validation of identified accounts Validation of identified accounts: SynchroTrap uncovers millions of accounts and cross validating the detected accounts is a big task. They study the network-level characteristics of the detected attacks, including the email domains and IP addresses used by malicious accounts. Precision: SynchroTrap allows Facebook and Instagram to identify and invalidate millions of malicious user actions in each application.

Evaluation: Validation of identified accounts Post-processing to deal with false positives: small user clusters are discarded and screen only large clusters which are more likely to result from large attacks. Scale of campaigns:

Evaluation: Validation of identified accounts How are the malicious accounts taken under control? The Facebook security team classifies the reviewed accounts into categories based on their campaigns.

Evaluation: New findings on malicious accounts Malicious accounts detected by SynhroTrap against those detected by existing approaches inside Facebook. SynchroTrap identifies a large number of previously unknown malicious accounts (almost 70% of them were not identified by existing approaches). Full deployment of SynchroTrap in each application on more OSN could yield more new findings and achieve higher rates of malicious accounts.

Evaluation: Social Connectivity of malicious accounts Attackers manipulate account with a variety degree of social connectivity to legitimate users. Ex: an account caught in photo upload is ranked high because attackers tend to use well connected accounts to spread spam photos to their friends.

Evaluation: Operation Experience Longitudinal study has been performed on number of users for first few weeks and the number of detected users decrease after first month in Facebook like and Instagram user following.

Evaluation: System Performance Daily jobs Aggregation jobs Single –linkage hierarchical clustering

Related Work Clickstream and CopyCatch pioneered the work in OSN users but there were few drawbacks which makes SynchroTrap efficient. Clickstream compares pairwise similarity, if a number of fake accounts are larger than a certain threshold then the cluster is classified as fake. CopyCatch assumes that a user can perform a malicious action only once. SynchroTrap uses the source IP addresses and tries to further reduce its computational complexity making it deployable at large scale network.

Conclusion SynchroTrap is a system that uses clustering analysis by adopting a clustering algorithm whose computational complexity grows linearly with the number of actions an account performs to detect large group of malicious users. It is an incremental processing system and it unveiled more than two million malicious accounts. This approach of detecting loosely synchronized actions can also uncover large attacks in other online services. It can analyze large volume of time independent data by reducing the requirements on their computing infrastructure.

QUESTIONS? Thankyou