Written by Qiang Cao, Xiaowei Yang, Jieqi Yu and Christopher Palow

Presentation on theme: "Written by Qiang Cao, Xiaowei Yang, Jieqi Yu and Christopher Palow"— Presentation transcript:

1 Uncovering Large Groups of Active Malicious Accounts in Online Social Networks
Written by Qiang Cao, Xiaowei Yang, Jieqi Yu and Christopher Palow. Presented by Manasa Suthram.

2 Overview: Introduction; Examples; System overview; System design; Parallelising user-pair comparison; Implementation; Security analysis; Evaluation; Conclusion

3 Introduction Online social networks (OSNs) are a constant target for attack and exploitation. To counter this, the paper introduces a malicious account detection system called SynchroTrap. SynchroTrap has been deployed in common OSNs such as Facebook and Instagram and has observed precision higher than 99%. The authors analysed the behavioural patterns of social network accounts to differentiate malicious accounts from legitimate ones.

4 Introduction SynchroTrap is an incremental processing system, which makes it practical to deploy at large OSNs. The system overcomes design challenges such as detecting a weak signal in a large amount of noisy data and handling a few terabytes of data on a daily basis.

5 Examples Two real-world attack examples are discussed: Facebook photo uploads and inflating followers on Instagram. A graph plots the photo uploads, with timestamps, from a group of 450 malicious accounts over a week.

6 Examples Malicious users on Instagram follow target users to inflate the number of their followers. The figure on this slide compares user activities between 1000 malicious users and 1000 normal users.

7 Economic constraints of attackers
Cost of computing and operating resources. Revenue from missions with strict requirements: malicious accounts often perform loosely synchronized actions. The missions of attack campaigns constitute the attackers' mission constraints, and the limited infrastructure available to launch attack campaigns constitutes their resource constraints.

8 System Overview High-level system architecture: the main idea of SynchroTrap is clustering analysis. It measures pairwise user behaviour similarity and then uses a hierarchical clustering algorithm to group together users who behave similarly over a period of time.

9 Challenges Scalability: the large volume of user activity leads to a low signal-to-noise ratio. We have to deal with various applications in online social networks, so we need a solution that is generic across application contexts. We also face a system challenge in processing an enormous amount of user data: Facebook has terabytes of daily user data in each application, and we have to examine user activities over a certain period of time.

10 Challenges Accuracy: the goal of the system is to reduce both false positive and false negative rates, which are inversely proportional. To achieve high accuracy, the system is designed based on an understanding of an attacker's economic constraints. Adaptability to new applications.

11 System Design Partitioning activity data by applications: to mitigate the impact of irrelevant actions, the authors categorize actions into subsets according to their applications. Comparing user actions: in this system, user actions are represented as tuples, each of which has an explicit constraint field that expresses both resource and mission constraints. The tuple abstraction is denoted ‹U, T, C›, where U, T and C represent the user ID, the action timestamp and the constraint object.

12 System Design Pairwise user similarity metrics: the system introduces per-constraint similarity to measure the fraction of matched actions on a single constraint object. Jaccard similarity, a widely used metric that measures similarity between two sets, is used. Its value ranges from 0 to 1. Scalable user clustering: clustering users based on their effectiveness and scalability.

13 System Design Making the algorithm suitable for parallel implementation: the maximum similarity is taken over all pairs of users drawn from different clusters. User pair filter function: filtering functions are used to select user pairs with action similarity. The first filtering criterion uncovers malicious user pairs that manifest loosely synchronised behaviour on a set of single constraint objects.
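
The steps on slides 11 to 13, as an added example that is not from the paper or the presentation: actions are ‹U, T, C› tuples, per-constraint Jaccard similarity is computed for users sharing a constraint object, pairs above a threshold are kept, and a single-linkage cut at that threshold reduces to connected components. The window T_SIM, the value of THRESHOLD, the greedy one-to-one matching and the sample data are all assumptions made for illustration.

```python
from collections import defaultdict
from itertools import combinations

T_SIM = 3600      # assumed matching window in seconds (not given on the slides)
THRESHOLD = 0.5   # assumed similarity cut-off used by the pair filter

# Constructed sample actions: (user ID, timestamp, constraint object).
ACTIONS = [
    ("bot1", 1000, "ip:A"), ("bot2", 1300, "ip:A"), ("bot3", 2500, "ip:A"),
    ("bot1", 90000, "ip:A"), ("bot2", 91000, "ip:A"), ("bot3", 90500, "ip:A"),
    ("alice", 50000, "ip:A"), ("bob", 400000, "ip:B"),
]

def per_constraint_similarity(a, b, window=T_SIM):
    """Jaccard on one constraint object: matched actions / union of actions."""
    a, b = sorted(a), sorted(b)
    i = j = m = 0
    while i < len(a) and j < len(b):       # greedy one-to-one time matching
        if abs(a[i] - b[j]) <= window:
            m, i, j = m + 1, i + 1, j + 1
        elif a[i] < b[j]:
            i += 1
        else:
            j += 1
    union = len(a) + len(b) - m
    return m / union if union else 0.0

def cluster(actions, threshold=THRESHOLD, window=T_SIM):
    """Single-linkage clusters at `threshold`, largest cluster first."""
    by_constraint = defaultdict(lambda: defaultdict(list))
    for user, ts, constraint in actions:
        by_constraint[constraint][user].append(ts)
    parent = {user: user for user, _, _ in actions}

    def find(u):                           # union-find with path halving
        while parent[u] != u:
            parent[u] = parent[parent[u]]
            u = parent[u]
        return u

    # Only users that share a constraint object are ever compared.
    for users in by_constraint.values():
        for u, v in combinations(sorted(users), 2):
            if per_constraint_similarity(users[u], users[v], window) >= threshold:
                parent[find(u)] = find(v)
    groups = defaultdict(list)
    for u in sorted(parent):
        groups[find(u)].append(u)
    return sorted(groups.values(), key=lambda g: (-len(g), g))
```

On the constructed data, `cluster(ACTIONS)` groups the three loosely synchronised accounts and leaves `alice` and `bob` as singletons, even though `alice` shares the same constraint object.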

14 System Design Parallelizing user-pair comparison: the large computation of user-pair comparison on bulk data is divided into smaller ones along the time dimension.

15 System Design Daily comparison and Hourly comparison with sliding windows

16 System Design Improving accuracy: malicious attacks vary across OSN applications. SynchroTrap allows OSN operators to tune a set of parameters to achieve the desired trade-offs between false positives and false negatives. Computational cost: cost can be reduced by comparing only the user actions pertaining to the same target object.

17 Implementation SynchroTrap is built on top of the Hadoop MapReduce stack at Facebook. The clustering module is implemented on Giraph, a large graph processing platform based on the Bulk Synchronous Parallel (BSP) model.

18 Security Analysis Spread-spectrum attacks: attackers could attempt to hide the synchronization signal that SynchroTrap detects. SynchroTrap limits the total number of abusive actions on a constraint object irrespective of the number of malicious accounts an attacker controls. It uses Jaccard similarity to evaluate the action sets of two users, and this attack can be evaded by calculating the fraction of matched actions of malicious accounts to be below a certain threshold.

19 Security Analysis Aggressive attacks: they are launched by controlling accounts to perform bulk actions within a short time period. SynchroTrap works together with existing anomaly detection schemes and complements them by targeting stealthier attacks. SynchroTrap limits the total number of abusive actions on a constraint object. SynchroTrap uses the Jaccard similarity to evaluate the action sets of two users.

20 Evaluation: Validation of identified accounts
Validation of identified accounts: SynchroTrap uncovers millions of accounts, and cross-validating the detected accounts is a big task. Precision: SynchroTrap allows Facebook and Instagram to identify and invalidate millions of malicious user actions in each application.

21 Evaluation: Validation of identified accounts
Post-processing to deal with false positives: small user clusters are discarded and only large clusters, which are more likely to result from large attacks, are screened. Scale of campaigns:

22 Evaluation: Validation of identified accounts
How are the malicious accounts taken under control? The Facebook security team classifies the reviewed accounts into categories based on their campaigns.

23 Evaluation: New findings on malicious accounts
Malicious accounts detected by SynchroTrap are compared against those detected by existing approaches inside Facebook. SynchroTrap identifies a large number of previously unknown malicious accounts (almost 70% of them were not identified by existing approaches). Full deployment of SynchroTrap in each application on more OSNs could yield more new findings and achieve higher rates of malicious accounts.

24 Evaluation: Social Connectivity of malicious accounts
Attackers manipulate accounts with varying degrees of social connectivity to legitimate users. Ex: an account caught in photo upload is ranked high because attackers tend to use well-connected accounts to spread spam photos to their friends.

25 Evaluation: Operation Experience
A longitudinal study was performed on the number of users for the first few weeks; the number of detected users decreases after the first month in Facebook like and Instagram user following.

26 Evaluation: System Performance
Daily jobs; aggregation jobs; single-linkage hierarchical clustering

27 Related Work Clickstream and CopyCatch pioneered the work on OSN users, but they have a few drawbacks, which makes SynchroTrap efficient. Clickstream compares pairwise similarity; if the number of fake accounts is larger than a certain threshold, the cluster is classified as fake. CopyCatch assumes that a user can perform a malicious action only once. SynchroTrap uses the source IP addresses and tries to further reduce its computational complexity, making it deployable in large-scale networks.

28 Conclusion SynchroTrap is a system that uses clustering analysis to detect large groups of malicious users. It is an incremental processing system and it unveiled more than two million malicious accounts. It can also uncover large attacks in other online services. It can analyze large volumes of time independent data.

29 THANK YOU!

