Toward Worm Detection in Online Social Networks Wei Xu, Fangfang Zhang, and Sencun Zhu ACSAC

OUTLINE Introduction Related Work System Design Evaluation Limitation and Discussion Conclusion 2

Introduction - Worm Worm ◦ Scanning ◦ Attack string XSS Worm ◦ XSS Vulnerability OSN(Online Social Networking) Worm ◦ Messages ◦ Url link 3

Twitter XSS Worm var xss = urlencode(' <a '); 4

Introduction – OSN Worm 5

Related Work Worm detection, early warning and response based on local victim information. ACSAC(2004) And many Worm detection approach… ◦ Rely on scanning traffic/detailed infection procedure Fast detection and suppression of instant messaging malware in enterprise-like networks. ACSAC(2007) ◦ HoneyIM 6

Idea OSN ◦ High clustering property ◦ Monitor the “popular” user “Decoy friend” ◦ Idea of honeypot ◦ Add into a normal user’s friends list 7

System Design Like lightweight NIDS 8

System Design Configuration module ◦ Social graph Evidence collecting module ◦ Gathers suspicious worm propagation evidence Worm detection module ◦ Identifies and reports worm Communication module ◦ Just for communicate 9

Evidence collecting module Decoy friend ◦ As a low-interactive honeypot ◦ Receive worm evidence Questions of decoy friend ◦ Information leak ◦ User’s reluctance ◦ How to collect only suspicious worm evidence 10

Configuration module Selecting normal users and assigning decoy friends to these users ◦ Two decoy friends for each user Selecting normal users ◦ Limiting the number of decoy friends ◦ Preserving the detection effectiveness 11

Configuration module Question: A directed graph G = (V,E) user connection between two users Extended dominating set problem ◦ Minimum vertex set ◦ ◦ Or exists a path form to where and the length of this path is at most hops. 12

Configuration module Make it simple ◦ Sets r = 2 Not necessary to cover the entire social graph ◦ Power law distribution ◦ 20% of users have no connections Maximum Coverage Problem ◦ Given a social graph G=(V,E) and a number k, choose a set of vertices with size of at most k such that the number of other vertices that are covered by this set with coverage redius r=2 reaches the maximum 13

Worm detection module Def: suspicious propagation evidence list(SPEL) ◦ {decoy friend ID, receiving time, content} Event: get any SPEL ◦ Keep it for a short period of time ◦ Step1:Local Correlation  Compare two decoy friends(from same user) ◦ Step2:Network Correlation  Compare all saved SPEL 14

Worm detection module Compare SPEL ◦ If a similarity over 90% → Alert Similarity ◦ Edit distance of content in SPEL ◦ 15

Evaluation 16

Evaluation Flickr ◦ 1,846,198 users ◦ 22,613,981 friend links 1.Test Koobface worm and Mikeyy worm 2.Different worm behavior 3.Different size of selected users set(with decoy friends) 17

Evaluation 1 Koobface Different messages All friends Mikeyy Same messages All friends Maximum infection 2420 (0.13%) 18

Evaluation 2 Infection Number versus Different Percentages of Friends lists 19

Evaluation (0.16%) 20

Limitation & Discussion False positive ？ ◦ Outbreak of a large-scale event ◦ A posted link in a suspicious message is pointed to well-known website – OK ◦ Otherwise – rare case, manual checking ？ Time delay ◦ Keep messages longer 21

Conclusion A new problem – OSN worm Monitor a few hundreds of users to detect OSN worm Effectively detect OSN worm (0.13%) 22