Understanding and Defending Against Malicious Identities in Online Social Networks
Serving more than one billion users around the world, today's online
social networks (OSNs) pervade our everyday life and change the way people
connect and communicate with each other. However, the open nature of
OSNs attracts a constant interest in attacking and exploiting them.
In particular, they are vulnerable to various attacks launched through
malicious accounts, including fake accounts and compromised real user
accounts. In those attacks, malicious accounts are used to send out
spam, spread malware, distort online voting, etc.
In this dissertation, we present practical systems that we have designed
and built to help OSNs effectively throttle malicious accounts. The overarching
contribution of this dissertation is the approaches that leverage the fundamental
weaknesses of attackers to defeat them. We have explored defense schemes along
two dimensions of an attacker's weaknesses: limited social relationships
and strict economic constraints.
The first part of this dissertation focuses on how to leverage social
relationship constraints to detect fake accounts. We present SybilRank, a novel
social-graph-based detection scheme that can scale up to OSNs with billions of
users. SybilRank is based on the observation that the social connections between
fake accounts and real users, called attack edges, are limited. It formulates
the detection as scalable user ranking according to the landing probability of
early-terminated random walks on the social graph. SybilRank generates an informative
user-ranked list with a substantial fraction of fake accounts at the bottom,
and bounds the number of fake accounts that are ranked higher than legitimate
users to O(log n) per attack edge, where n is the total number of users. We have
demonstrated the scalability of SybilRank via a prototype on Hadoop MapReduce,
and its effectiveness in the real world through a live deployment at Tuenti,
the largest OSN in Spain.
The second part of this dissertation focuses on how to exploit an attacker's
economic constraints to uncover malicious accounts. We present SynchroTrap, a system
that uncovers large groups of active malicious accounts, including both fake
accounts and compromised accounts, by detecting their loosely synchronized actions.
The design of SynchroTrap is based on the observation that malicious accounts usually
perform loosely synchronized actions to accomplish an attack mission, due to
limited budgets, specific mission goals, etc. SynchroTrap transforms the detection
into a scalable clustering algorithm. It uncovers large groups of accounts
that act similarly at around the same time for a sustained period of time. To
handle the enormous volume of user action data in large OSNs, we designed SynchroTrap
as an incremental processing system that processes small data chunks on a daily
basis but aggregates the computational results over the continuous data stream.
We implemented SynchroTrap on Hadoop and Giraph, and we deployed it on Facebook
and Instagram. This deployment has resulted in the unveiling of millions of malicious
accounts and thousands of large attack campaigns per month.
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Rights for Collection: Duke Dissertations