Uncovering Social Network Sybils in the Wild

Sybils on OSNs

Large OSNs are attractive targets for…
  • Spam dissemination
  • Theft of personal information

Sybil (sɪbəl), noun: a fake account that attempts to create many friendships with honest users
  • Friendships are a precursor to other malicious activity
  • Does not include benign fakes

Research has identified malicious Sybils on OSNs
  • Twitter [CCS 2010]
  • Facebook [IMC 2010]

Understanding Sybil Behavior

Prior work has focused on spam
  • Content, dynamics, campaigns
  • Includes compromised accounts

Open question: What is the behavior of Sybils in the wild?
  • Important for evaluating Sybil detectors

Partnership with largest OSN in China: Renren
  • Leverage ground-truth data on 560K Sybils
  • Develop measurement-based, real-time Sybil detector
  • Deployed, caught additional 100K Sybils in 6 months

Outline
  • Introduction
  • Sybils on Renren
  • Sybil Analysis
  • Conclusion

Sybils on Renren

Renren is the oldest and largest OSN in China
  • 160M users
  • Facebook’s Chinese twin

Ad-hoc Sybil detectors
  • Threshold-based spam traps
  • Keyword and URL blacklists
  • Crowdsourced account flagging

560K Sybils banned as of August 2010

Sybil Detection 2.0

Developed improved Sybil detector for Renren
  • Analyzed ground-truth data on existing Sybils
  • Identified four reliable Sybil indicators
      1. Friend Request Frequency
      2. Outgoing Friend Requests Accepted
      3. Incoming Friend Requests Accepted
      4. Clustering Coefficient

Evaluated threshold and SVM detectors
  • Similar accuracy for both

Deployed threshold, less CPU intensive, real-time

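A threshold detector over the four indicators listed above, as an added example that is not code from the talk, the paper or Renren. The request log, the cut-off values and the direction of each test are assumptions made for illustration; the slides name the indicators but give no thresholds.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed friend-request log: (sender, receiver, hour_sent, accepted)
REQUESTS = [
    ("a", "b", 0, True), ("a", "c", 5, True), ("b", "c", 9, True),
    ("d", "a", 30, True), ("d", "b", 31, True), ("e", "s", 2, True),
    ("s", "a", 1, True), ("s", "b", 1, False), ("s", "c", 1, False),
    ("s", "d", 1, False), ("s", "f", 1, True), ("s", "g", 1, False),
]

# Hypothetical cut-offs and directions; the slides give neither.
FREQ_MIN = 5           # 1. friend requests sent within one hour
OUT_ACCEPT_MAX = 0.5   # 2. share of outgoing requests accepted
IN_ACCEPT_MIN = 0.9    # 3. share of incoming requests accepted
CLUSTERING_MAX = 0.05  # 4. clustering coefficient

def features(requests):
    per_hour = Counter()
    sent, recv, friends = defaultdict(list), defaultdict(list), defaultdict(set)
    for src, dst, hour, ok in requests:
        per_hour[src, hour] += 1
        sent[src].append(ok)
        recv[dst].append(ok)
        if ok:  # an accepted request becomes a friendship edge
            friends[src].add(dst)
            friends[dst].add(src)
    result = {}
    for user in set(sent) | set(recv):
        out, inc = sent[user], recv[user]
        pairs = list(combinations(sorted(friends[user]), 2))
        linked = sum(1 for x, y in pairs if y in friends[x])
        result[user] = {
            "freq": max((n for (u, _), n in per_hour.items() if u == user), default=0),
            "out_ok": sum(out) / len(out) if out else None,  # None: no data
            "in_ok": sum(inc) / len(inc) if inc else None,
            "cc": linked / len(pairs) if pairs else 0.0,
        }
    return result

def is_sybil(f):
    # Flag only when all indicators agree; a missing incoming ratio is ignored.
    return (f["freq"] >= FREQ_MIN
            and f["out_ok"] is not None and f["out_ok"] < OUT_ACCEPT_MAX
            and (f["in_ok"] is None or f["in_ok"] >= IN_ACCEPT_MIN)
            and f["cc"] < CLUSTERING_MAX)

def detect(requests):
    return sorted(u for u, f in features(requests).items() if is_sybil(f))
```

On the constructed log only account `s` is flagged: it sends six requests in one hour, has a third of them accepted, and its three friends share no friendships with each other.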
Detection Results

Caught 100K Sybils in the first six months
  • Vast majority are spammers
  • Many banned before generating content

Low false positive rate
  • Use customer complaint rate as signal
  • Complaints evaluated by humans
  • 25 real complaints per 3000 bans (<1%)

Community-based Sybil Detectors

Prior work on decentralized OSN Sybil detectors
  • SybilGuard, SybilLimit, SybilInfer, Sumup

Key assumption: Sybils form tight-knit communities

Do Sybils Form Connected Components?
  • Vast majority of Sybils blend completely into the social graph
  • Few communities to detect

Can Sybil Components be Detected?
  • Sybil components are internally sparse
  • Not amenable to community detection

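The measurement behind the two slides above, as an added example that is not code from the talk or the paper. Given a friendship edge list and a labelled Sybil set (both constructed here), it computes the share of Sybils with no Sybil friend and, for each connected component of the Sybil-only subgraph, its internal edges, attack edges (Sybil to non-Sybil) and density.

```python
from collections import defaultdict

# Constructed friendship edges; s1..s6 are the labelled (ground-truth) Sybils.
EDGES = [
    ("s1", "u1"), ("s1", "u2"), ("s1", "u3"), ("s2", "u1"), ("s2", "u4"),
    ("s3", "s4"), ("s4", "s5"), ("s5", "s6"),          # Sybil-to-Sybil
    ("s3", "u2"), ("s3", "u5"), ("s4", "u5"), ("s4", "u6"),
    ("s5", "u3"), ("s6", "u4"), ("s6", "u6"),
    ("u1", "u2"), ("u2", "u3"), ("u4", "u5"),          # honest-to-honest
]
SYBILS = {"s1", "s2", "s3", "s4", "s5", "s6"}

def sybil_components(edges, sybils):
    """Return (share of Sybils with no Sybil friend, stats per component)."""
    sybil_adj = defaultdict(set)  # edges between two Sybils
    attack = defaultdict(int)     # edges from a Sybil to a non-Sybil
    for a, b in edges:
        if a in sybils and b in sybils:
            sybil_adj[a].add(b)
            sybil_adj[b].add(a)
        elif a in sybils or b in sybils:
            attack[a if a in sybils else b] += 1
    isolated = sum(1 for s in sybils if not sybil_adj[s]) / len(sybils)
    seen, comps = set(), []
    for start in sorted(sybils):
        if start in seen or not sybil_adj[start]:
            continue
        stack, members = [start], set()
        while stack:  # depth-first walk of one Sybil-only component
            node = stack.pop()
            if node not in members:
                members.add(node)
                stack.extend(sybil_adj[node] - members)
        seen |= members
        n = len(members)
        internal = sum(len(sybil_adj[m]) for m in members) // 2
        comps.append({
            "members": sorted(members),
            "internal_edges": internal,
            "attack_edges": sum(attack[m] for m in members),
            "density": internal / (n * (n - 1) / 2),  # 1.0 would be a clique
        })
    return isolated, comps
```

In the constructed graph the single Sybil component has 3 internal edges against 7 attack edges, the shape the slide describes: more links out to honest users than links holding the component together.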
Sybil Cluster Analysis

Are edges between Sybils formed intentionally?
  • Temporal analysis indicates random formation

How are random edges between Sybils formed?
  • Surveyed Sybil management tools
  • Biased sampling for friend request targets
  • Likelihood of Sybils inadvertently friending is high

Conclusion

First look at Sybils in the wild
  • Ground-truth from inside a large OSN
  • Deployed detector is still active

Sybils are quite sophisticated
  • Cheap labor → very realistic fakes
  • Created and managed by hand

Need for new, decentralized Sybil detectors
  • Results may not generalize beyond Renren
  • Evaluation on other large OSNs

Questions?
Slides and paper available at http://www.cs.ucsb.edu/~bowlin
Christo Wilson, UC Santa Barbara, bowlin@cs.ucsb.edu
P.S.: I’m on the job market…

Backup Slides
Only use in case of emergency!

Creation of Edges Between Sybils
  • The majority of edges between Sybils form randomly

Friend Target Selection
  • High degree nodes are often Sybils!
  • Sybils unknowingly friend each other

Unveiling the presence of malicious Sybil accounts on large online social networks like Renren, this research delves into understanding Sybil behavior in the wild to enhance detection mechanisms. Leveraging ground-truth data on over 560K Sybils on Renren, a measurement-based real-time Sybil detector was developed, resulting in the identification and banning of 100K additional Sybils in six months. The study highlights the effectiveness of the improved Sybil detector and the low false positive rate achieved in detecting spam accounts.

  • Investigation
  • Social Networks
  • Sybils
  • Online Security
  • Malicious Activity

Uploaded on Oct 04, 2024 | 0 Views



Presentation Transcript


  1. Uncovering Social Network Sybils in the Wild. Zhi Yang (Peking University), Christo Wilson (UC Santa Barbara), Xiao Wang (Peking University), Tingting Gao (Renren Inc.), Ben Y. Zhao (UC Santa Barbara), Yafei Dai (Peking University)

  2. Sybils on OSNs. Large OSNs are attractive targets for: spam dissemination; theft of personal information. Sybil (sɪbəl), noun: a fake account that attempts to create many friendships with honest users. Friendships are a precursor to other malicious activity; does not include benign fakes. Research has identified malicious Sybils on OSNs: Twitter [CCS 2010], Facebook [IMC 2010].

  3. Understanding Sybil Behavior. Prior work has focused on spam: content, dynamics, campaigns; includes compromised accounts. Open question: What is the behavior of Sybils in the wild? Important for evaluating Sybil detectors. Partnership with largest OSN in China: Renren. Leverage ground-truth data on 560K Sybils; develop measurement-based, real-time Sybil detector; deployed, caught additional 100K Sybils in 6 months.

  4. Outline: Introduction; Sybils on Renren; Sybil Analysis; Conclusion.

  5. Sybils on Renren. Renren is the oldest and largest OSN in China: 160M users; Facebook’s Chinese twin. Ad-hoc Sybil detectors: threshold-based spam traps; keyword and URL blacklists; crowdsourced account flagging. 560K Sybils banned as of August 2010.

  6. Sybil Detection 2.0. Developed improved Sybil detector for Renren: analyzed ground-truth data on existing Sybils; identified four reliable Sybil indicators: (1) Friend Request Frequency, (2) Outgoing Friend Requests Accepted, (3) Incoming Friend Requests Accepted, (4) Clustering Coefficient. Evaluated threshold and SVM detectors: similar accuracy for both. [Accuracy table, column headers SVM and Threshold; cells in extraction order: Sybil 98.68%, Sybil 98.99%, Non-Sybil 99.34%, Non-Sybil 99.5%.] Deployed threshold: less CPU intensive, real-time.

  7. Detection Results. Caught 100K Sybils in the first six months: vast majority are spammers; many banned before generating content. Low false positive rate: use customer complaint rate as signal; complaints evaluated by humans; 25 real complaints per 3000 bans (<1%). Spammers attempted to recover banned Sybils by complaining to Renren customer support!

  8. Outline: Introduction; Sybils on Renren; Sybil Analysis; Conclusion.

  9. Community-based Sybil Detectors. Prior work on decentralized OSN Sybil detectors: SybilGuard, SybilLimit, SybilInfer, Sumup. Key assumption: Sybils form tight-knit communities. [Diagram label: Edges Between Sybils]

  10. Do Sybils Form Connected Components? Vast majority of Sybils blend completely into the social graph; few communities to detect. 80% have degree = 0: no edges to other Sybils! [Figure: CDF vs. Degree; series: Sybils, Edges Between Sybils Only; Sybils, All Edges; Normal Users]

  11. Can Sybil Components be Detected? Sybil components are internally sparse; not amenable to community detection. [Figure: Attack Edges vs. Edges Between Sybils]

  12. Sybil Cluster Analysis. Are edges between Sybils formed intentionally? Temporal analysis indicates random formation. How are random edges between Sybils formed? Surveyed Sybil management tools: Renren Marketing Assistant V1.0, Renren Super Node Collector V1.0, Renren Almighty Assistant V5.8. Biased sampling for friend request targets; likelihood of Sybils inadvertently friending is high. [Figure: Edges Between Sybils, Creation Order, by Sybil Accounts]

  13. Outline: Introduction; Sybils on Renren; Sybil Analysis; Conclusion.

  14. Conclusion. First look at Sybils in the wild: ground-truth from inside a large OSN; deployed detector is still active. Sybils are quite sophisticated: cheap labor → very realistic fakes; created and managed by hand. Need for new, decentralized Sybil detectors: results may not generalize beyond Renren; evaluation on other large OSNs.

  15. Questions? Slides and paper available at http://www.cs.ucsb.edu/~bowlin. Christo Wilson, UC Santa Barbara, bowlin@cs.ucsb.edu

  16. Backup Slides. Only use in case of emergency!

  17. Creation of Edges Between Sybils. The majority of edges between Sybils form randomly. [Figure: Edges Between Sybils, Creation Order, by Sybil Accounts]

  18. Friend Target Selection. High degree nodes are often Sybils! Sybils unknowingly friend each other. [Figure: CDF vs. Degree; series: All Users; Sybil Friend Request Targets]
