Junxian Huang, Yinglian Xie, Fang Yu, Qifa Ke, Martin Abadi, Eliot Gillum, and Z. Morley Mao
20 February 2013
In this paper, we present a novel framework, called SocialWatch, to detect online service abuse attacks at a large scale. Such attacks target normal users by sending spam, phishing links, or malware from a large number of attacker-created accounts or hijacked accounts. To accurately and robustly detect such malicious behaviors, we explore a set of social graph properties, ranging from those that describe individual user behaviors, to those that capture the interactions among users and their social affinities. Altogether, these graph features effectively model the overall social activity and connectivity patterns of online users. They are hard to mimic by design and thus robust to attacker counter strategies. In particular, we select features such as shortest-path distance, degree, and PageRank to detect attacker-created accounts and identify hijacked accounts, demonstrating the robustness of some of these features towards attacker counter strategies. We evaluate SocialWatch using a large dataset from a major email provider with more than 682 million users and over 5.75 billion directional relationships. SocialWatch successfully detects 56.85 million attacker-created accounts with a low false detection rate of 0.75% and a low false negative rate of 0.61%. In addition, this work also addresses the challenge of identifying hijacked accounts within the legitimate account set through a Bayesian decision framework. SocialWatch successfully identified 1.95 million hijacked accounts—among which 1.23 million were not detected previously—with a low false detection rate of 2%. Our work demonstrates the effectiveness of using large social graphs at the scale of billions of edges to detect real attacks.
Publisher: Microsoft Technical Report
Copyright (c) 2013 Microsoft Corporation