Understanding and Defending Against Malicious Identities in Online Social Networks

Serving more than one billion users around the world, today's online

social networks (OSNs) pervade our everyday life and change the way people

connect and communicate with each other. However, the open nature of

OSNs attracts a constant interest in attacking and exploiting them.

In particular, they are vulnerable to various attacks launched through

malicious accounts, including fake accounts and compromised real user

accounts. In those attacks, malicious accounts are used to send out

spam, spread malware, distort online voting, etc.

In this dissertation, we present practical systems that we have designed

and built to help OSNs effectively throttle malicious accounts. The overarching

contribution of this dissertation is the approaches that leverage the fundamental

weaknesses of attackers to defeat them. We have explored defense schemes along

two dimensions of an attacker's weaknesses: limited social relationships

and strict economic constraints.

The first part of this dissertation focuses on how to leverage social

relationship constraints to detect fake accounts. We present SybilRank, a novel

social-graph-based detection scheme that can scale up to OSNs with billions of

users. SybilRank is based on the observation that the social connections between

fake accounts and real users, called attack edges, are limited. It formulates

the detection as scalable user ranking according to the landing probability of

early-terminated random walks on the social graph. SybilRank generates an informative

user-ranked list with a substantial fraction of fake accounts at the bottom,

and bounds the number of fake accounts that are ranked higher than legitimate

users to O(log n) per attack edge, where n is the total number of users. We have

demonstrated the scalability of SybilRank via a prototype on Hadoop MapReduce,

and its effectiveness in the real world through a live deployment at Tuenti,

the largest OSN in Spain.

The second part of this dissertation focuses on how to exploit an attacker's

economic constraints to uncover malicious accounts. We present SynchroTrap, a system

that uncovers large groups of active malicious accounts, including both fake

accounts and compromised accounts, by detecting their loosely synchronized actions.

The design of SynchroTrap is based on the observation that malicious accounts usually

perform loosely synchronized actions to accomplish an attack mission, due to

limited budgets, specific mission goals, etc. SynchroTrap transforms the detection

into a scalable clustering algorithm. It uncovers large groups of accounts

that act similarly at around the same time for a sustained period of time. To

handle the enormous volume of user action data in large OSNs, we designed SynchroTrap

as an incremental processing system that processes small data chunks on a daily

basis but aggregates the computational results over the continuous data stream.

We implemented SynchroTrap on Hadoop and Giraph, and we deployed it on Facebook

and Instagram. This deployment has resulted in the unveiling of millions of malicious

accounts and thousands of large attack campaigns per month.