Written by Qiang Cao, Xiaowei Yang, Jieqi Yu and Christopher Palow

Presentation transcript:

Uncovering Large Groups of Active Malicious Accounts in Online Social Networks
Written by Qiang Cao, Xiaowei Yang, Jieqi Yu and Christopher Palow
Presented by Manasa Suthram

Overview
Introduction
Examples
System overview
System design
Parallelising user-pair comparison
Implementation
Security analysis
Evaluation
Conclusion

Introduction
Online social networks (OSNs) are a constant target for attack and exploitation. To counter this, the paper introduces a malicious account detection system called SynchroTrap. SynchroTrap has been deployed in common OSNs such as Facebook and Instagram and has observed precision higher than 99%. The authors analysed the behavioural patterns of social network accounts to differentiate malicious accounts from legitimate ones.

Introduction
SynchroTrap is an incremental processing system, which makes it practical to deploy at a large OSN. The system overcomes design challenges such as detecting a weak signal in a large amount of noisy data and handling a few terabytes of data on a daily basis.

Examples
Two real-world attack examples are discussed: Facebook photo uploads and inflating followers on Instagram. A graph plots the photo uploads, with timestamps, from a group of 450 malicious accounts over a week.

Examples
Malicious users on Instagram follow target users to inflate the number of their followers. The following figure compares user activities between 1000 malicious users and 1000 normal users.

Economic constraints of attackers
Cost of computing and operating resources. Revenue from missions with strict requirements: malicious accounts often perform loosely synchronized actions. The missions of attack campaigns constitute the attackers' mission constraints, and the limited infrastructure available to launch attack campaigns constitutes their resource constraints.

System Overview
High-level system architecture: the main idea of SynchroTrap is clustering analysis. It measures pairwise user behaviour similarity and then uses a hierarchical clustering algorithm to group together users with similar behaviour over a period of time.

Challenges
Scalability: the large volume of user activity leads to a low signal-to-noise ratio. We have to deal with various applications in online social networks, so we need a solution that is generic across different application contexts. We also face a system challenge in processing an enormous amount of user data: Facebook has terabytes of daily user data in each application, and we have to examine user activities over a certain period of time.

Challenges
Accuracy: the goal of the system is to reduce both the false positive and false negative rates, which are inversely proportional. To achieve high accuracy, the system is designed around an understanding of an attacker's economic constraints.
Adaptability to new applications.

System Design
Partitioning activity data by application: to mitigate the impact of irrelevant actions, the authors categorize actions into subsets according to their applications.
Comparing user actions: user actions are represented as tuples, each of which has an explicit constraint field that expresses both resource and mission constraints. The tuple abstraction is denoted ‹U,T,C›, where U, T and C represent the user ID, the action timestamp and the constraint object.

System Design
Pairwise user similarity metrics: the system introduces a per-constraint similarity to measure the fraction of matched actions on a single constraint object. It uses Jaccard similarity, a widely used metric that measures the similarity between two sets. This value ranges from 0 to 1.
Scalable user clustering: clustering users based on their effectiveness and scalability.

System Design
Making the algorithm suitable for parallel implementation: cluster similarity is taken as the maximum similarity over all pairs of users drawn from different clusters.
User-pair filter function: filtering functions are used to select user pairs by action similarity. The first filtering criterion uncovers malicious user pairs that manifest loosely synchronised behaviour on a set of single constraint objects.
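
The design steps above (‹U,T,C› tuples, per-constraint Jaccard similarity, the user-pair filter and single-linkage clustering), as an added Python example that is not code from the paper or the slides. The sample actions, the window of 600 seconds, the thresholds, the greedy matching rule and the minimum cluster size are all assumptions made for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample <U, T, C> tuples for one application; "ip-1" is a placeholder constraint object.
ACTIONS = [(u, t, "ip-1") for u, ts in {
    "b1": [1000, 5000, 9000], "b2": [1100, 5200, 9300], "b3": [900, 4800, 9100],
    "n1": [20000, 50000], "n2": [1200, 70000, 90000],
}.items() for t in ts]

def similarity(ts_a, ts_b, window):
    """Per-constraint Jaccard similarity of two sorted timestamp lists.
    Two actions match when they fall within `window` seconds of each other
    (greedy one-to-one matching, an assumption of this sketch)."""
    i = j = matched = 0
    while i < len(ts_a) and j < len(ts_b):
        if abs(ts_a[i] - ts_b[j]) <= window:
            matched, i, j = matched + 1, i + 1, j + 1
        elif ts_a[i] < ts_b[j]:
            i += 1
        else:
            j += 1
    union = len(ts_a) + len(ts_b) - matched
    return matched / union if union else 0.0

def cluster(actions, window=600, threshold=0.5, min_size=3):
    """Link user pairs whose similarity on any one constraint object reaches
    `threshold`, then return connected components (single-linkage clusters cut
    at that threshold), dropping clusters smaller than `min_size`."""
    by_constraint = defaultdict(lambda: defaultdict(list))
    for user, ts, constraint in actions:
        by_constraint[constraint][user].append(ts)
    parent = {}
    def find(x):  # union-find root lookup with path halving
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for users in by_constraint.values():
        for a, b in combinations(sorted(users), 2):
            if similarity(sorted(users[a]), sorted(users[b]), window) >= threshold:
                parent[find(a)] = find(b)
    groups = defaultdict(set)
    for user in parent:
        groups[find(user)].add(user)
    return sorted(sorted(g) for g in groups.values() if len(g) >= min_size)

if __name__ == "__main__":
    print(cluster(ACTIONS))                 # tight threshold
    print(cluster(ACTIONS, threshold=0.2))  # looser threshold admits a coincidental match
```

Lowering the threshold to 0.2 pulls the constructed normal user n2 into the cluster on the strength of a single coincidental match, which is the false positive versus false negative trade-off the tunable parameters control.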

System Design
Parallelizing user-pair comparison: the large computation of user-pair comparison over bulk data is divided into smaller ones along the time dimension.

System Design
Daily comparison and hourly comparison with sliding windows

System Design
Improving accuracy: malicious attacks vary across OSN applications. SynchroTrap allows OSN operators to tune a set of parameters to achieve the desired trade-off between false positives and false negatives.
Computational cost: the cost can be reduced by comparing only the user actions pertaining to the same target object.

Implementation
SynchroTrap is built on top of the Hadoop MapReduce stack at Facebook. The clustering module is implemented on Giraph, a large graph processing platform based on the Bulk Synchronous Parallel (BSP) model.

Security Analysis
Spread spectrum attacks: attackers could attempt to hide the synchronization signal that SynchroTrap detects. SynchroTrap limits the total number of abusive actions on a constraint object irrespective of the number of malicious accounts an attacker controls. It uses Jaccard similarity to evaluate the action sets of two users, and this attack can be evaded by calculating the fraction of matched actions of malicious accounts to be below a certain threshold.

Security Analysis
Aggressive attacks: these are launched by controlling accounts to perform bulk actions within a short time period. SynchroTrap works together with existing anomaly detection schemes and complements them by targeting stealthier attacks. SynchroTrap limits the total number of abusive actions on a constraint object. SynchroTrap uses Jaccard similarity to evaluate the action sets of two users.

Evaluation: Validation of identified accounts
Validation of identified accounts: SynchroTrap uncovers millions of accounts, and cross-validating the detected accounts is a big task.
Precision: SynchroTrap allows Facebook and Instagram to identify and invalidate millions of malicious user actions in each application.

Evaluation: Validation of identified accounts
Post-processing to deal with false positives: small user clusters are discarded and only large clusters, which are more likely to result from large attacks, are screened.
Scale of campaigns:

Evaluation: Validation of identified accounts
How are the malicious accounts taken under control? The Facebook security team classifies the reviewed accounts into categories based on their campaigns.

Evaluation: New findings on malicious accounts
Malicious accounts detected by SynchroTrap are compared against those detected by existing approaches inside Facebook. SynchroTrap identifies a large number of previously unknown malicious accounts (almost 70% of them were not identified by existing approaches). Full deployment of SynchroTrap in each application on more OSNs could yield more new findings and achieve higher rates of malicious accounts.

Evaluation: Social connectivity of malicious accounts
Attackers manipulate accounts with varying degrees of social connectivity to legitimate users. Example: an account caught in photo upload is ranked high because attackers tend to use well-connected accounts to spread spam photos to their friends.

Evaluation: Operation experience
A longitudinal study was performed on the number of users for the first few weeks; the number of detected users decreases after the first month in Facebook like and Instagram user following.

Evaluation: System performance
Daily jobs
Aggregation jobs
Single-linkage hierarchical clustering

Related Work
Clickstream and CopyCatch pioneered the work on OSN users, but they had a few drawbacks, which makes SynchroTrap efficient. Clickstream compares pairwise similarity; if the number of fake accounts is larger than a certain threshold, the cluster is classified as fake. CopyCatch assumes that a user can perform a malicious action only once. SynchroTrap uses the source IP addresses and tries to further reduce its computational complexity, making it deployable on a large-scale network.

Conclusion
SynchroTrap is a system that uses clustering analysis to detect large groups of malicious users. It is an incremental processing system, and it unveiled more than two million malicious accounts. It can also uncover large attacks in other online services. It can analyze a large volume of time independent data.

THANK YOU!