Published by Nicholas Stafford. Modified over 8 years ago.

Toward Worm Detection in Online Social Networks
Wei Xu, Fangfang Zhang, and Sencun Zhu
ACSAC 2010

OUTLINE
  ◦ Introduction
  ◦ Related Work
  ◦ System Design
  ◦ Evaluation
  ◦ Limitation and Discussion
  ◦ Conclusion

Introduction - Worm
Worm
  ◦ Scanning
  ◦ Attack string
XSS Worm
  ◦ XSS Vulnerability
OSN (Online Social Networking) Worm
  ◦ Messages
  ◦ URL link

Twitter XSS Worm
var xss = urlencode('http://www.stalkdaily.com"> <a ');

Introduction – OSN Worm

Related Work
Worm detection, early warning and response based on local victim information. ACSAC (2004)
And many worm detection approaches…
  ◦ Rely on scanning traffic/detailed infection procedure
Fast detection and suppression of instant messaging malware in enterprise-like networks. ACSAC (2007)
  ◦ HoneyIM

Idea
OSN
  ◦ High clustering property
  ◦ Monitor the “popular” user
“Decoy friend”
  ◦ Idea of honeypot
  ◦ Add into a normal user’s friends list

System Design
Like a lightweight NIDS

System Design
Configuration module
  ◦ Social graph
Evidence collecting module
  ◦ Gathers suspicious worm propagation evidence
Worm detection module
  ◦ Identifies and reports worm
Communication module
  ◦ Just for communication

Evidence collecting module
Decoy friend
  ◦ Acts as a low-interaction honeypot
  ◦ Receives worm evidence
Questions about decoy friends
  ◦ Information leak
  ◦ User’s reluctance
  ◦ How to collect only suspicious worm evidence

Configuration module
Selecting normal users and assigning decoy friends to these users
  ◦ Two decoy friends for each user
Selecting normal users
  ◦ Limiting the number of decoy friends
  ◦ Preserving the detection effectiveness

Configuration module
Question: A directed graph G = (V,E) user connection between two users
Extended dominating set problem
  ◦ Minimum vertex set
  ◦
  ◦ Or exists a path from to where and the length of this path is at most hops.

Configuration module
Make it simple
  ◦ Set r = 2
Not necessary to cover the entire social graph
  ◦ Power law distribution
  ◦ 20% of users have no connections
Maximum Coverage Problem
  ◦ Given a social graph G=(V,E) and a number k, choose a set of vertices of size at most k such that the number of other vertices covered by this set with coverage radius r=2 is maximized

Worm detection module
Def: suspicious propagation evidence list (SPEL)
  ◦ {decoy friend ID, receiving time, content}
Event: get any SPEL
  ◦ Keep it for a short period of time
  ◦ Step 1: Local Correlation
      Compare two decoy friends (from same user)
  ◦ Step 2: Network Correlation
      Compare all saved SPEL

Worm detection module
Compare SPEL
  ◦ If similarity is over 90% → Alert
Similarity
  ◦ Edit distance of content in SPEL
  ◦

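The two correlation steps above can be sketched as follows. This is an added example, not code from the paper or the slides. The similarity normalisation (1 minus edit distance over the longer length), the 300-second retention window, the skipping of pairs from the same decoy, and all names and sample messages are assumptions made for illustration.

```python
from collections import namedtuple

# One SPEL entry as defined on the slide: {decoy friend ID, receiving time, content}
Evidence = namedtuple("Evidence", "decoy_id recv_time content")

def edit_distance(a, b):
    """Levenshtein distance computed with a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(a, b):
    # Assumed normalisation: the slide's own similarity formula is not on this page.
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - edit_distance(a, b) / longest

def correlate(spel, decoy_owner, window=300, threshold=0.9):
    """Return (kind, decoy_a, decoy_b, score) for every pair scoring above threshold."""
    alerts = []
    for i, a in enumerate(spel):
        for b in spel[i + 1:]:
            if a.decoy_id == b.decoy_id or abs(a.recv_time - b.recv_time) > window:
                continue  # same decoy (assumed skip), or evidence outside the retention window
            score = similarity(a.content, b.content)
            if score > threshold:
                same_user = decoy_owner[a.decoy_id] == decoy_owner[b.decoy_id]
                kind = "local" if same_user else "network"  # Step 1 vs Step 2
                alerts.append((kind, a.decoy_id, b.decoy_id, round(score, 3)))
    return alerts

# Constructed sample data: decoys d1 and d2 watch user alice, d3 watches bob.
DECOY_OWNER = {"d1": "alice", "d2": "alice", "d3": "bob"}
SPEL = [
    Evidence("d1", 100, "Check out this video of you! http://example.test/v?id=1"),
    Evidence("d2", 101, "Check out this video of you! http://example.test/v?id=2"),
    Evidence("d3", 160, "Check out this video of you! http://example.test/v?id=7"),
    Evidence("d3", 900, "Lunch on Friday? Same place as last time."),
]

if __name__ == "__main__":
    for alert in correlate(SPEL, DECOY_OWNER):
        print(alert)
```

Near-identical messages arriving at both decoys of one user raise a local alert; the same message seen at another user's decoy raises a network alert, while the unrelated later message is ignored.
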
Evaluation

Evaluation
Flickr
  ◦ 1,846,198 users
  ◦ 22,613,981 friend links
1. Test Koobface worm and Mikeyy worm
2. Different worm behavior
3. Different size of selected users set (with decoy friends)

Evaluation 1
Koobface
  ◦ Different messages
  ◦ All friends
Mikeyy
  ◦ Same messages
  ◦ All friends
Maximum infection 2420 (0.13%)

Evaluation 2
Infection Number versus Different Percentages of Friends lists

Evaluation 3
2937.85 (0.16%)

Limitation & Discussion
False positive?
  ◦ Outbreak of a large-scale event
  ◦ A posted link in a suspicious message points to a well-known website – OK
  ◦ Otherwise – rare case, manual checking?
Time delay
  ◦ Keep messages longer

Conclusion
  ◦ A new problem – OSN worm
  ◦ Monitor a few hundred users to detect OSN worm
  ◦ Effectively detect OSN worm (0.13%)