
Innovative Malicious Account Detection System for Online Social Networks
"Discover SynchroTrap, a cutting-edge system designed to identify and mitigate malicious accounts on popular online social networks like Facebook and Instagram. Learn how this incremental processing solution overcomes complex challenges to ensure a safer online environment. Explore real-world attack examples and the importance of cost-effective resource management in combating online threats."
Written by Qiang Cao, Xiaowei Yang, Jieqi Yu and Christopher Palow. Presented by Manasa Suthram.
Introduction; Examples; System overview; System Design; Parallelising user-pair comparison; Implementation; Security Analysis; Evaluation; Conclusion
Online social networks (OSNs) are a constant target for attack and exploitation. To counter this, the paper introduces a malicious account detection system called SynchroTrap. SynchroTrap has been deployed on common OSNs such as Facebook and Instagram, with observed precision higher than 99%. The authors analysed the behavioural patterns of social network accounts to differentiate malicious accounts from legitimate ones.
SynchroTrap is an incremental processing system, which makes it practical to deploy at large OSNs. The system overcomes design challenges such as detecting a weak signal in a large amount of noisy data and handling a few terabytes of data on a daily basis.
Two real-world attack examples are discussed: Facebook photo upload and inflating followers on Instagram. A graph plots the photo uploads, with timestamps, from a group of 450 malicious accounts over a week.
Malicious users on Instagram follow target users to inflate the number of their followers. The following figure compares user activities between 1000 malicious users and 1000 normal users.
Cost of computing and operating resources. Revenue from missions with strict requirements: malicious accounts often perform loosely synchronized actions. The missions of attack campaigns constitute the attackers' mission constraints, and the limited infrastructure available to launch attack campaigns constitutes the resource constraints.
High-level system architecture: the main idea of SynchroTrap is clustering analysis. It measures pairwise user behaviour similarity and then uses a hierarchical clustering algorithm to group together users with similar behaviour over a period of time.
Scalability: a large volume of user activity leads to a low signal-to-noise ratio. We have to deal with various applications in online social networks. We need a solution that is generic to different application contexts. We face a system challenge to process an enormous amount of user data. Facebook has terabytes of daily user data in each application, and we have to examine user activities over a certain period of time.
Accuracy: the goal of the system is to reduce both false positive and false negative rates, which are inversely related. To achieve high accuracy, the system is designed based on an understanding of an attacker's economic constraints. Adaptability to new applications.
Partitioning activity data by applications: to mitigate the impact of irrelevant actions, the authors categorize actions into subsets according to their applications. Comparing user actions: in this system, user actions are taken as tuples, each of which has an explicit constraint field that expresses both resource and mission constraints. The tuple abstraction can be denoted as <U, T, C>, where U, T and C represent the user ID, action timestamp and constraint object.
Pairwise user similarity metrics: the system introduces per-constraint similarity to measure the fraction of matched actions on a single constraint object. Jaccard similarity, a widely used metric that measures similarity between two sets, is used. Its value ranges from 0 to 1. Scalable user clustering: clustering users based on their effectiveness and scalability.
Making the algorithm suitable for parallel implementation: the maximum similarity among all pairs of users drawn from different clusters. User pair filter function: filtering functions are used to select user pairs with action similarity. The first filtering criterion uncovers malicious user pairs that manifest loosely synchronised behaviour on a set of single constraint objects.
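Added example (not code from the paper or the presentation): the <U, T, C> tuples, Jaccard similarity and clustering described above, run over constructed data. The 60-second matching window, the 0.5 similarity threshold, the minimum cluster size of 3, the min-of-matches reading of the intersection and all function names are assumptions made for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample actions as (user, timestamp_seconds, constraint) tuples;
# the constraint is a source IP (documentation addresses, not real data).
ACTIONS = [
    ("bot1", 100, "203.0.113.5"), ("bot1", 4000, "203.0.113.9"),
    ("bot2", 130, "203.0.113.5"), ("bot2", 4020, "203.0.113.9"),
    ("bot3", 155, "203.0.113.5"), ("bot3", 4050, "203.0.113.9"),
    ("alice", 120, "203.0.113.5"), ("alice", 9000, "198.51.100.7"),
    ("alice", 20000, "198.51.100.8"), ("bob", 50000, "198.51.100.20"),
]

def matched(a, b, window):
    """Count actions in a with a same-constraint action in b within window seconds."""
    return sum(any(c == c2 and abs(t - t2) <= window for t2, c2 in b) for t, c in a)

def jaccard(a, b, window):
    """Jaccard similarity of two action lists under time-window matching (assumed reading)."""
    inter = min(matched(a, b, window), matched(b, a, window))
    union = len(a) + len(b) - inter
    return inter / union if union else 0.0

def detect(actions, window=60, threshold=0.5, min_cluster=3):
    """Return clusters of users whose actions are loosely synchronized."""
    per_user = defaultdict(list)
    for user, ts, constraint in actions:
        per_user[user].append((ts, constraint))
    # Cutting single-linkage clustering at `threshold` equals taking connected
    # components over edges with similarity >= threshold, so union-find suffices.
    parent = {u: u for u in per_user}
    def find(u):
        while parent[u] != u:
            parent[u] = parent[parent[u]]
            u = parent[u]
        return u
    for u, v in combinations(sorted(per_user), 2):
        if jaccard(per_user[u], per_user[v], window) >= threshold:
            parent[find(u)] = find(v)
    clusters = defaultdict(set)
    for u in per_user:
        clusters[find(u)].add(u)
    # Post-processing: discard small clusters to limit false positives.
    return [sorted(c) for c in clusters.values() if len(c) >= min_cluster]

if __name__ == "__main__":
    print(detect(ACTIONS))
```

The legitimate user who happens to share one IP and time slot with the bots scores 0.25 against each of them and stays out of the cluster.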
Parallelizing user-pair comparison: a large computation of user-pair comparison on bulk data is divided into smaller ones along the time dimension.
Improving accuracy: malicious attacks vary across different OSN applications. SynchroTrap allows OSN operators to tune a set of parameters to achieve the desired trade-offs between false positives and false negatives. Computational cost: cost can be reduced by taking only the user actions pertaining to the same target object.
SynchroTrap is built on top of the Hadoop MapReduce stack at Facebook. The clustering module is done on Giraph, a large-graph processing platform based on the Bulk Synchronous Parallel (BSP) model.
Spread spectrum attacks: attackers could attempt to hide the synchronization signal that SynchroTrap detects. SynchroTrap limits the total number of abusive actions on a constraint object irrespective of the number of malicious accounts an attacker controls. It uses Jaccard similarity to evaluate the action sets of two users, and detection can be evaded by keeping the fraction of matched actions of malicious accounts below a certain threshold.
Aggressive attacks: they are launched by controlling accounts to perform bulk actions within a short time period. SynchroTrap works together with existing anomaly detection schemes and complements them by targeting stealthier attacks. SynchroTrap limits the total number of abusive actions on a constraint object. SynchroTrap uses the Jaccard similarity to evaluate the action sets of two users.
Validation of identified accounts: SynchroTrap uncovers millions of accounts, and cross-validating the detected accounts is a big task. Precision: SynchroTrap allows Facebook and Instagram to identify and invalidate millions of malicious user actions in each application.
Post-processing to deal with false positives: small user clusters are discarded, and only large clusters, which are more likely to result from large attacks, are screened. Scale of campaigns:
How are the malicious accounts taken under control? The Facebook security team classifies the reviewed accounts into categories based on their campaigns.
Malicious accounts detected by SynchroTrap are compared against those detected by existing approaches inside Facebook. SynchroTrap identifies a large number of previously unknown malicious accounts (almost 70% of them were not identified by existing approaches). Full deployment of SynchroTrap in each application on more OSNs could yield more new findings and achieve higher detection rates for malicious accounts.
Attackers manipulate accounts with varying degrees of social connectivity to legitimate users. For example, an account caught in photo upload is ranked high because attackers tend to use well-connected accounts to spread spam photos to their friends.
A longitudinal study was performed on the number of users for the first few weeks; the number of detected users decreases after the first month in Facebook like and Instagram user following.
Daily jobs; Aggregation jobs; Single-linkage hierarchical clustering
Clickstream and CopyCatch pioneered the work on OSN users, but they had a few drawbacks, which is where SynchroTrap is more efficient. Clickstream compares pairwise similarity; if the number of fake accounts is larger than a certain threshold, the cluster is classified as fake. CopyCatch assumes that a user can perform a malicious action only once. SynchroTrap uses the source IP addresses and tries to further reduce its computational complexity, making it deployable in large-scale networks.
SynchroTrap is a system that uses clustering analysis to detect large groups of malicious users. It is an incremental processing system, and it unveiled more than two million malicious accounts. It can also uncover large attacks in other online services. It can analyze a large volume of time-independent data.