Uncovering Social Network Sybils in the Wild

Unveiling the presence of malicious Sybil accounts on large online social networks like Renren, this research delves into understanding Sybil behavior in the wild to enhance detection mechanisms. Leveraging ground-truth data on over 560K Sybils on Renren, a measurement-based real-time Sybil detector was developed, resulting in the identification and banning of 100K additional Sybils in six months. The study highlights the effectiveness of the improved Sybil detector and the low false positive rate achieved in detecting spam accounts.

• Investigation
• Social Networks
• Sybils
• Online Security
• Malicious Activity

jand_a Follow

Uploaded on Oct 04, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

Presentation Transcript

1. Uncovering Social Network Sybils in the Wild Zhi Yang Christo Wilson Christo Wilson UC Santa Barbara Xiao Wang Peking University Peking University Tingting Gao Renren Inc. Ben Y. Zhao UC Santa Barbara Yafei Dai Peking University

2. 2 Sybils on OSNs Large OSNs are attractive targets for Spam dissemination Theft of personal information Sybil, s b l, Noun: a fake account that attempts to create many friendships with honest users Friendships are precursor to other malicious activity Does not include benign fakes Research has identified malicious Sybils on OSNs Twitter [CCS 2010] Facebook [IMC 2010]

3. 3 Understanding Sybil Behavior Prior work has focused on spam Content, dynamics, campaigns Includes compromised accounts Open question: What is the behavior of Sybils in the wild? Important for evaluating Sybil detectors Important for evaluating Sybil detectors Partnership with largest OSN in China: Renren Leverage ground-truth data on 560K Sybils Develop measurement-based, real-time Sybil detector Deployed, caught additional 100K Sybils in 6 months

4. 4 Outline Outline Introduction Sybils on Renren Sybil Analysis Conclusion

5. 5 Sybils on Renren Renren is the oldest and largest OSN in China 160M users Facebook s Chinese twin Ad-hoc Sybil detectors Threshold-based spam traps Keyword and URL blacklists Crowdsourced account flagging 560K Sybils banned as of August 2010

6. 6 Sybil Detection 2.0 Developed improved Sybil detector for Renren Analyzed ground-truth data on existing Sybils Identified four reliable Sybil indicators 1. Friend Request Frequency 2. Outgoing Friend Requests Accepted 3. Incoming Friend Requests Accepted 4. Clustering Coefficient Evaluated threshold and SVM detectors Similar accuracy for both SVM SVM Threshold Threshold Sybil 98.68% Sybil 98.99% Non-Sybil 99.34% Non-Sybil 99.5% Deployed threshold, less CPU intensive, real real- -time time

7. 7 Detection Results Caught 100K Sybils in the first six months Vast majority are spammers Many banned before generating content Low false positive rate Use customer complaint rate as signal Complaints evaluated by humans 25 real real complaints per 3000 bans (<1%) Spammers attempted to recover banned Sybils by complaining to Renren customer support!

8. 8 Outline Outline Introduction Sybils on Renren Sybil Analysis Conclusion

9. 9 Community-based Sybil Detectors Prior work on decentralized OSN Sybil detectors SybilGuard, SybilLimit, SybilInfer, Sumup Key assumption: Sybils form tight Sybils form tight- -knit communities knit communities Edges Between Sybils

10. 10 Do Sybils Form Connected Components? 100 100 90 90 80 80 70 70 Vast majority of Sybils blend completely into the social graph Few communities to detect 60 60 CDF CDF 50 50 80% have degree = 0 Sybils, Edges Between Sybils Only 40 40 No edges to other Sybils! 30 30 Sybils, All Edges 20 20 Normal Users 10 10 0 0 0 1 1 10 100 1000 . . Degree Degree

11. 11 Can Sybil Components be Detected? 10000 1000 Attack Edges Attack Edges 100 Sybil components are internally sparse Not amenable to community detection 10 1 1 10 100 1000 10000 Edges Between Sybils Edges Between Sybils

12. 12 Sybil Cluster Analysis Are edges between Sybils formed intentionally? Temporal analysis indicates random formation How are random edges between Sybils formed? Surveyed Sybil management tools Edges Between Sybils Edges Between Sybils Creation Order Creation Order Renren Marketing Assistant V1.0 Renren Super Node Collector V1.0 Renren Almighty Assistant V5.8 Biased sampling for friend request targets Likelihood of Sybils inadvertently friending is high Sybil Accounts Sybil Accounts

13. 13 Outline Outline Introduction Sybils on Renren Sybil Analysis Conclusion

14. 14 Conclusion First look at Sybils in the wild Ground-truth from inside a large OSN Deployed detector is still active Sybils are quite sophisticated Cheap labor very realistic fakes Created and managed by-hand Need for new, decentralized Sybil detectors Results may not generalize beyond Renren Evaluation on other large OSNs

15. 15 Questions? Slides and paper available at http://www.cs.ucsb.edu/~bowlin Christo Wilson UC Santa Barbara bowlin@cs.ucsb.edu

16. 16 Backup Slides Only use in case of emergency!

17. 17 Creation of Edges Between Sybils Edges Between Sybils Edges Between Sybils Creation Order Creation Order The majority of edges between Sybils form randomly Sybil Accounts Sybil Accounts

18. 18 Friend Target Selection 100 90 80 High degree nodes are often Sybils! Sybils unknowingly friend each other 70 60 CDF CDF 50 40 30 All Users 20 10 Sybil Friend Request Targets 0 0 200 400 600 800 1000 Degree Degree