Junxian Huang, Yinglian Xie, Fang Yu, Qifa Ke, Martin Abadi, Eliot Gillum, and Z. Morley Mao
20 February 2013
In this paper, we present a novel framework, called SocialWatch,
to detect online service abuse attacks at a large scale. Such attacks
target normal users by sending spam, phishing links, or malware
from a large number of attacker-created accounts or hijacked
accounts.
To accurately and robustly detect such malicious behaviors, we
explore a set of social graph properties, ranging from those that
describe individual user behaviors, to those that capture the
interactions among users and their social affinities. Altogether, these
graph features effectively model the overall social activity and
connectivity patterns of online users. They are hard to mimic by design
and thus robust to attacker counter strategies. In particular, we
select features such as shortest-path distance, degree, and PageRank
to detect attacker-created accounts and identify hijacked accounts,
demonstrating the robustness of some of these features towards
attacker counter strategies. We evaluate SocialWatch using a large
dataset from a major email provider with more than 682 million
users and over 5.75 billion directional relationships. SocialWatch
successfully detects 56.85 million attacker-created accounts with a
low false detection rate of 0.75% and a low false negative rate of
0.61%. In addition, this work also addresses the challenge of
identifying hijacked accounts within the legitimate account set through
a Bayesian decision framework. SocialWatch successfully
identified 1.95 million hijacked accounts—among which 1.23 million
were not detected previously—with a low false detection rate of
2%. Our work demonstrates the effectiveness of using large social
graphs at the scale of billions of edges to detect real attacks.
Publisher Microsoft Technical Report
Copyright (c) 2013 Microsoft Corporation
| Type | TechReport |
| Number | MSR-TR-2013-24 |