SocialFilter: Introducing Social Trust to Collaborative Spam Mitigation
Michael Sirivianos, Telefonica Research
Joint work with Kyungbaek Kim (UC Irvine) and Xiaowei Yang (Duke)

Motivation
Spam is becoming increasingly sophisticated: with millions of malicious email senders (bots), it is impossible to filter spam when relying on a small number of spam detectors.

Email reputation systems
To cope, distributed email blacklisting/reputation infrastructures with multiple detectors have been deployed. They rely on the fact that each bot sends spam to multiple receivers: when spammer host S issues a spam SMTP request, spam detector A's email server submits a spammer report ("S is spammer") to a report repository, and other email servers consult the repository to block S.
But these systems have a limited number of spam detectors (a few thousand), partly so that the trustworthiness of their spammer reports can be assessed manually. Most are also proprietary.

Collaborative spam mitigation
Open, large-scale, peer-to-peer systems can use millions of spam-detecting email servers, which share their experiences with email servers that cannot classify spam fast enough, or at all.
SpamWatch/ADOLR and ALPACAS use a DHT repository of spam reports, but do not assess how trustworthy the peers' spammer reports are. Repuscore uses a centralized repository and does compute the reputation of spam reporters, but it assigns low trustworthiness to lying peers only if they themselves send spam.

Collusion
Spammer host S issues spam SMTP requests. Email server A reports "S is spammer" to the repository, but colluding email servers B and C report "S is NOT spammer", diluting the honest report.

Sybil attack
Email server A reports "S is spammer", but an attacker creates many Sybil email servers that each report "S is NOT spammer", outvoting the honest report.

Introducing the Social Network
Admins of email servers join social networks, so we
can associate each SocialFilter node with an OSN identity.

Why Social Trust?
It requires effort to build up social relationships, so the social graph can be used to defeat Sybils. Online Social Networks (OSNs) help users organize and manage their social contacts, and it is easy to augment the OSN UI with features that allow users to declare whom they trust and by how much.

Our Objective
An email server that encounters a host can query SocialFilter (SF) for the belief in the host being a spammer. The spammer belief is a value in [0,1] with a Bayesian interpretation: a host with 0% spammer belief is very unlikely to be a spammer, whereas a host with 100% spammer belief is very likely to be one. It should be difficult for spammers to make their SMTP connections appear legitimate, and equally difficult for them to make legitimate SMTP connections appear to be spamming.

Design Overview
SocialFilter nodes submit spammer reports to the centralized repository; each spammer report includes the host IP and a confidence value. Submitted spammer reports are weighted by the product of two trust values that the repository computes for the reporting SocialFilter nodes: Reporter Trust and Identity Uniqueness.

Reporter Trust (RT)
RT deals with colluders. It uses a trust graph in which the edges reflect the similarity of spammer reports between friend nodes; similarity is initialized with user-defined trust. The repository computes the maximum-trust path from a pre-trusted node to all other nodes.
This computation costs O(|E| log|V|). RT is the belief that a node's reports are trustworthy.

Identity Uniqueness (IU)
IU deals with Sybil colluders. It runs SybilLimit [S&P 08] over the social graph of admins. SybilLimit relies on a special type of random walk (random routes) and the Birthday Paradox, and costs O(|V|√|E| log|V|). IU is the belief that a node is not a Sybil.

How SocialFilter Works
Spammer belief = Σ_i (confidence_i × RT_i × IU_i) / Σ_i (RT_i × IU_i)

Outline
Motivation, Design, Evaluation, Conclusion

Evaluation
How does SocialFilter compare to Ostra [NSDI 08]? Ostra annotates social links with credit balances and bounds; an email can be sent only if the balances on the links of the social path connecting sender and destination do not exceed their bounds. How important is Identity Uniqueness? Does SocialFilter block spam effectively?

Evaluation setup: a 50K-user sample of the real Facebook social graph, where each Facebook user corresponds to an SF email server. Spammers report each other as legitimate. 10% of honest nodes can instantly classify spam. Honest nodes send 3 emails per day; spammers send 500 emails per day to random hosts. If a host has > 50% belief of being a spammer, its emails are blocked.

Does SocialFilter block spam effectively? In SF, a spam-detection event can reach all nodes; in Ostra, it affects only the nodes that receive the spam over the social links of the detector.

Does SocialFilter block legitimate email? SF does not block legitimate email connections, whereas in Ostra spammers and legitimate senders may share blocked social links towards their destinations.

Is Identity Uniqueness needed?
In this experiment, 0.5% of nodes are spammers and 10% of Sybils send spam. Sybils report that spammers are legitimate and report legitimate senders as spammers. Without Identity Uniqueness, Sybils are far more harmful.

Conclusion
We introduced social trust to assess spammer reports in collaborative spam mitigation. This is an alternative use of the social network for spam mitigation: instead of using it to rate-limit spam over social links, we employ it to assign trust values to spam reporters. SocialFilter yields comparable spam-blocking effectiveness, and no false positives in the absence of reports that incriminate legitimate senders.

Thank You!
Source and datasets at: http://www.cs.duke.edu/nds/wiki/socialfilter
Questions?
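Appendix: the spammer-belief aggregation from the "How SocialFilter Works" slide can be sketched in a few lines of Python. This is a minimal illustration of the weighted average; the report structure and function name are my own, not from the SocialFilter implementation.

```python
# Sketch of the SocialFilter spammer-belief aggregation:
#   Spammer belief = sum_i(confidence_i * RT_i * IU_i) / sum_i(RT_i * IU_i)
# Report fields and names are illustrative, not from the actual system.

def spammer_belief(reports):
    """reports: list of (confidence, reporter_trust, identity_uniqueness)
    tuples, each value in [0, 1]. Returns the aggregate belief in [0, 1]."""
    num = sum(c * rt * iu for c, rt, iu in reports)
    den = sum(rt * iu for _, rt, iu in reports)
    return num / den if den > 0 else 0.0

# Example: two trustworthy reporters say "spammer" with high confidence,
# while one low-trust, likely-Sybil reporter says "not spammer".
reports = [(0.9, 0.8, 1.0), (1.0, 0.7, 0.9), (0.0, 0.1, 0.05)]
belief = spammer_belief(reports)  # ~0.94, above the 50% blocking threshold
```

Because each report is weighted by RT × IU, a Sybil reporter with near-zero Identity Uniqueness barely moves the aggregate, which is the intuition behind the "Is Identity Uniqueness needed?" experiment.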
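The Reporter Trust computation (maximum-trust path from a pre-trusted node) can be sketched as a Dijkstra-style search that maximizes the product of edge trust values, matching the O(|E| log|V|) cost stated in the talk. The graph representation and names below are my own assumptions, not the actual SocialFilter code.

```python
import heapq

# Sketch: maximum-trust path from a pre-trusted node over a trust graph
# whose directed edges carry trust values in [0, 1] (edge weights stand
# in for the report-similarity scores described in the talk). Path trust
# is the product of edge trusts; a max-heap variant of Dijkstra finds
# the best path to every node in O(|E| log |V|).

def reporter_trust(graph, pretrusted):
    """graph: {node: {neighbor: edge_trust}}. Returns {node: max path trust}."""
    best = {pretrusted: 1.0}
    heap = [(-1.0, pretrusted)]          # max-heap via negated trust
    while heap:
        neg_t, u = heapq.heappop(heap)
        t = -neg_t
        if t < best.get(u, 0.0):         # stale heap entry, skip
            continue
        for v, edge_trust in graph.get(u, {}).items():
            cand = t * edge_trust
            if cand > best.get(v, 0.0):
                best[v] = cand
                heapq.heappush(heap, (-cand, v))
    return best

g = {"A": {"B": 0.9, "C": 0.5}, "B": {"C": 0.8}, "C": {}}
# The indirect path A->B->C (0.9 * 0.8 = 0.72) beats the direct edge (0.5).
trust = reporter_trust(g, "A")
```

The multiplicative path trust means a single low-similarity (i.e., frequently disagreeing) link caps the trust of everything reachable only through it.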
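For comparison, the evaluation slide's one-sentence description of Ostra (social links annotated with credit balances and bounds; an email may be sent only if no link on the sender-to-destination social path would exceed its bound) can be illustrated with a toy check. This is a deliberate simplification of that one sentence, not Ostra's actual credit scheme.

```python
# Toy illustration of the Ostra-style link-credit check described in the
# talk: each link on the social path carries a (balance, bound) pair, and
# sending charges one credit per link. All names here are illustrative.

def can_send(path_links):
    """path_links: list of (balance, bound) pairs along the social path."""
    return all(balance + 1 <= bound for balance, bound in path_links)

def send_email(path_links):
    """If allowed, charge one credit on every link; else leave unchanged."""
    if not can_send(path_links):
        return False, path_links
    return True, [(balance + 1, bound) for balance, bound in path_links]

links = [(0, 3), (2, 3)]
ok, links = send_email(links)    # allowed: both balances stay within bounds
ok2, links = send_email(links)   # blocked: the second link hit its bound
```

This also illustrates the false-positive problem noted in the talk: once a shared link is saturated by a spammer, legitimate senders whose paths traverse that same link are blocked too.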