Spectrum Based RLA Detection Spectral property : the eigenvector entries for the attacking nodes,, has the normal distribution with mean and variance bounded by: Collaborative Attack & Graph Spectrum Collaborative attacks in matrix form: A n : the adjacency matrix of legitimate nodes; B: b_ij=1 if node i is attacked by attacker j; C: the adjacency matrix of the inner-structure of the attackers. The eigenvalues and eigenvectors are given by: Original:, eigenvalue:, eigenvector: After attacks:, eigenvalue:, eigenvector: Spectral coordinate of node u is its location in the k-dimensional spectral space: Approximation of eigenvector entries for the attacking and regular nodes: Spectrum Based Fraud Detection in Social Networks Xiaowei Ying, Xintao Wu, Daniel Barbará* University of North Carolina at Charlotte, * George Mason University 17th ACM Conference on Computer and Communications Security, Oct. 2010, Chicago, IL. Evaluation Data Set and Setting. Web Spam Challenge 2007 data, million pages in 114,529 hosts in the.UK domain. There are 1,836,228 links among hosts. We add 8 simulating attacking groups in the network. The 8 groups either form an ER graph or a power law degree distribution among themselves. Acknowledgments This work was supported in part by U.S. National Science Foundation IIS and CNS first order second order Introduction Social networks are vulnerable to various attacks such as spam s, viral marketing, etc. It is difficult to detect collaborative attacks based on the topology of a large social network. In our work, we project the topology of the network to the spectral space. Our theoretical study shows that the spectral coordinates of the collaborative attackers are mainly determined by that of the victims, and the inner structure among the attackers has negligible impact. In particular, we focus on Random Link Attacks (RLAs). We present an effective algorithm to detect RLAs using the set of suspects filtered by their spectral characteristics. Experimental results show that our spectrum based detection technique is very effective in detecting those attackers and outperforms topology based techniques. Random Link Attack (RLA) Attackers create some fake nodes and randomly connect to regular nodes; Fake nodes form some inner structure among themselves to evade detection. A Topology Based Approach [1] Mechanism randomly selected victims of RLAs have few links among them, while the neighbors of regular nodes form more triangles. Outline of algorithm 1.Testing step: mark a node as suspect if it satisfies either of the following two properties: a)Clustering Property: the node has few triangles round it; b)Neighborhood Independence Property: neighborhood of the node contains a large independent set. 2.Grouping step (Greedy): examine cliques in the neighborhood of each suspect, repeatedly include a new node or filter out a suspect, and check whether they form RLA groups. Drawbacks 1.Difficult to detect collaborative attacks; 2.May only detect part of the collaborative attacking groups; 3.High complexity. [1] N. Shrivastava, A. Majumder, R. Rastogi. Mining (Social) Network Graphs to Detect Random Link Attacks, ICDE08 Outline of Spectral RLA Detection Algorithm 1.Compute the leading eigenvalues, eigenvectors of the adjacency matrix, and the associated means and standard deviations; 2.Identify suspects in the spectral space; 3.Find dense subgraphs in the graph formed by suspects. These dense subgraphs are very likely formed by the collaborative RLA attackers.