
1 You Can Promote, But You Can’t Hide: Large-Scale Abused App Detection in Mobile App Stores
Zhen Xie, Sencun Zhu, Qing Li, Wenjing Wang
Presented by Shamili Ramasubramanian

2 Introduction
With hundreds of thousands of apps in the app market, the competition to attract customers is fiercer than ever. Many sites like BestReviewApp have emerged in recent years whose business focuses on manipulating app ratings and reviews. Paid ratings and reviews are forbidden by app store vendors and the FTC (Federal Trade Commission). Existing detection mechanisms will not work, as review content in app stores is generally short. The reviews highlighted in pink contain the same review content posted by different users.

3 Proposed Technique
Four basic attack signatures, which reflect the effect of attacks (e.g., abnormal change of average ratings) and the collaboration of attackers (e.g., burstiness of biased ratings). Such collusive features can hardly be generated by biased raters, individual attackers, or small groups. A special mutual dependency relationship exists between the suspicious levels of rater groups and the apps they have rated: the more suspicious a rater group, the more suspicious its rated apps, and vice versa. A linear-time search algorithm is used to iteratively enumerate adjacent communities one by one.

4 What is a collusion group?
A group of users who post positive ratings and reviews on an app irrespective of its quality. The different apps and reviewers form a bipartite graph. A temporal maximal biclique is formed by a subgroup of raters. The adjacent subgroups and their rated apps result in overlapping maximal bicliques, which form a biclique community. Similarly, multiple overlapping temporal maximal bicliques (TMBs) form a community, which is called a temporal biclique community (TBC).

5 Challenges
The first challenge is the need for accurate detection under specific conditions and constraints, such as an incomplete bipartite graph. The second challenge is the need for large-scale graph processing.
Insights
Posting bulk biased ratings in a short time would cause a bursty growth of high ratings. Bursty time could indicate the existence of collusive attackers. As many reviewers co-rate many apps, their collaboration would cause the burstiness to exist in other apps they promoted. The basic reviewers tend to post positive reviews, which means that the rate of positive reviews would be much higher during that time frame.

6 Attack Signatures: High Burstiness of Biased Ratings
To make attacks effective, collusion groups often generate lots of biased ratings in a small attack window in order to improve the rating score quickly. This burstiness is observed only once unless another manipulation takes place. It can be seen that the 5-star ratings are concentrated, while the ratings for the other scores are spread out. Each of these occurrences forms a TMB.

7 High Co-rating Frequency
Biased ratings from the same group of users can be observed multiple times. Accounts are reused to manipulate multiple apps. The higher the frequency of co-rating, the more likely the raters are a collusion group. If a group of raters is found to be the cause of multiple occurrences of high burstiness and the number of their co-rated apps is high, they form a TMB.

8 Correlation Coefficient Abnormality
For an app that is not manipulated, the ratings for the same version remain almost equal for weeks. On the other hand, for a manipulated app, the average weekly rating would be higher in the week the collusive attackers rate, and the average rating would decrease in the following week. The correlation coefficient between weekly average ratings and weekly rater numbers for the same version of an app can indicate whether collusive attackers exist. The correlation coefficient abnormality signature is used to measure the abnormality of the relationship between the variations of average ratings and the variations of rater numbers.

9 Rating Score Distribution Abnormality
For ratings within the attack time window, the percentage of positive ratings increases dramatically. This could be an indication that the app has been abused in that week. The signature indicates whether the suspicious group of raters has actually caused the deviation of the rating score distribution. To measure the RSDA of an app, we calculate the ratio of the number of raters giving positive ratings to the number of raters giving negative ratings:

$$r(i) = \frac{\#\text{ of raters giving 4 or 5 stars in the } i\text{th week} + 1}{\#\text{ of raters giving 1 or 2 stars in the } i\text{th week} + 1}$$
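The two per-app signatures from slides 8 and 9, computed over constructed weekly ratings, as an added example that is not code from the paper or the authors' tool. The function names and the sample data are hypothetical, and the use of the Pearson coefficient is an assumption, since the slides only say "correlation coefficient".

```python
from collections import defaultdict
from statistics import mean

def weekly_signatures(ratings):
    """ratings: (week, stars) pairs for one version of one app.
    Returns {week: (rater_count, average_rating, r_i)}."""
    by_week = defaultdict(list)
    for week, stars in ratings:
        by_week[week].append(stars)
    out = {}
    for week in sorted(by_week):
        stars = by_week[week]
        pos = sum(1 for s in stars if s >= 4)   # 4 or 5 stars
        neg = sum(1 for s in stars if s <= 2)   # 1 or 2 stars
        # r(i) as on the slide: +1 on both counts avoids division by zero
        out[week] = (len(stars), mean(stars), (pos + 1) / (neg + 1))
    return out

def pearson(xs, ys):
    """Pearson correlation (assumed variant); 0.0 when either series is constant."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / (vx * vy) ** 0.5

def rating_rater_correlation(ratings):
    """Correlation between weekly average rating and weekly rater count."""
    sig = weekly_signatures(ratings).values()
    return pearson([avg for _, avg, _ in sig], [n for n, _, _ in sig])

# Constructed sample data (not from the paper): four weeks of one app version.
ORGANIC = [5, 4, 3, 2]
CLEAN = [(w, s) for w in range(4) for s in ORGANIC * (2 if w % 2 else 1)]
# Same organic raters, plus a burst of twenty 5-star ratings in week 2.
MANIPULATED = [(w, s) for w in range(4) for s in ORGANIC] + [(2, 5)] * 20

if __name__ == "__main__":
    for name, data in (("clean", CLEAN), ("manipulated", MANIPULATED)):
        r = {w: round(v[2], 2) for w, v in weekly_signatures(data).items()}
        print(name, "r(i):", r, "corr:", round(rating_rater_correlation(data), 3))
```

In the clean series the rater count doubles in alternate weeks while the average stays flat, so the correlation is 0; in the manipulated series the burst week drives both the average and the rater count up together, and r(i) jumps from 1.5 to 11.5.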

10 Calculation of TMB Suspicious Level
Both subgroups and apps in a TMB are assigned suspicious levels. The suspicious level of an app depends on whether there exists a collusive subgroup among its raters. On the other hand, the suspicious level of a subgroup depends on the suspicious status of its commonly rated apps. To calculate the suspicious level of a TMB, we combine the four attack signatures. Initial subgroup suspicious level: the larger the collusive group, the higher the suspicious level of the subgroup. Initial app suspicious level: if the suspicious level of an app has been calculated previously in the context of this TMB, the app retains the suspicion value calculated earlier. The average suspicious level of the n co-rated apps is raised based on the suspicion of the group that rated them.

11 Experimental Analysis
The tool was applied to inspect the Apple App Store of China on July 17, 2013. We only ran our tool for 33 hours and 31 minutes. The tool examined 2,188 apps with 4,841,720 reviews and 1,622,552 reviewers on the fly. It reported 108 abused apps, among which 104 apps were finally confirmed to be abused. The tool reported 57 malicious temporal biclique communities.

12 Suggestions and Improvements
A single attacker can emulate the behavior of multiple users by forging multiple identities. The time period of rating can be increased. The members of the group can be changed for each attack. Apps have not been removed by app stores.

13 Thank you!

