Uncovering Social Network Sybils in the Wild

Zhi Yang, Peking University
Christo Wilson, UC Santa Barbara
Xiao Wang, Peking University
Tingting Gao, Renren Inc.
Ben Y. Zhao, UC Santa Barbara
Yafei Dai, Peking University

2 Sybils on OSNs

• Large OSNs are attractive targets for…
  ▫ Spam dissemination
  ▫ Theft of personal information
• Sybil, sɪbəl, Noun: a fake account that attempts to create many friendships with honest users
  ▫ Friendships are precursor to other malicious activity
  ▫ Does not include benign fakes
• Research has identified malicious Sybils on OSNs
  ▫ Twitter [CCS 2010]
  ▫ Facebook [IMC 2010]

3 Understanding Sybil Behavior

• Prior work has focused on spam
  ▫ Content, dynamics, campaigns
  ▫ Includes compromised accounts
• Open question: What is the behavior of Sybils in the wild?
  ▫ Important for evaluating Sybil detectors
• Partnership with largest OSN in China: Renren
  ▫ Leverage ground-truth data on 560K Sybils
  ▫ Develop measurement-based, real-time Sybil detector
  ▫ Deployed, caught additional 100K Sybils in 6 months

4 Outline

• Introduction
• Sybils on Renren
• Sybil Analysis
• Conclusion

5 Sybils on Renren

• Renren is the oldest and largest OSN in China
  ▫ 160M users
  ▫ Facebook’s Chinese twin
• Ad-hoc Sybil detectors
  ▫ Threshold-based spam traps
  ▫ Keyword and URL blacklists
  ▫ Crowdsourced account flagging
• 560K Sybils banned as of August 2010

6 Sybil Detection 2.0

• Developed improved Sybil detector for Renren
  ▫ Analyzed ground-truth data on existing Sybils
  ▫ Identified four reliable Sybil indicators
    1. Friend Request Frequency
    2. Outgoing Friend Requests Accepted
    3. Incoming Friend Requests Accepted
    4. Clustering Coefficient
• Evaluated threshold and SVM detectors
  ▫ Similar accuracy for both

    Detector     Sybil     Non-Sybil
    SVM          98.99%    99.34%
    Threshold    98.68%    99.5%

  ▫ Deployed threshold, less CPU intensive, real-time

7 Detection Results

• Caught 100K Sybils in the first six months
  ▫ Vast majority are spammers
  ▫ Many banned before generating content
• Low false positive rate
  ▫ Use customer complaint rate as signal
  ▫ Complaints evaluated by humans
  ▫ 25 real complaints per 3000 bans (<1%)

Spammers attempted to recover banned Sybils by complaining to Renren customer support!

8 Outline

• Introduction
• Sybils on Renren
• Sybil Analysis
• Conclusion

9 Community-based Sybil Detectors

• Prior work on decentralized OSN Sybil detectors
  ▫ SybilGuard, SybilLimit, SybilInfer, Sumup
  ▫ Key assumption: Sybils form tight-knit communities

[Figure label: Edges Between Sybils]

10 Do Sybils Form Connected Components?

[Figure: CDF vs. Degree. Series: Sybils, Edges Between Sybils Only; Sybils, All Edges; Normal Users]

• 80% have degree = 0
  ▫ No edges to other Sybils!
• Vast majority of Sybils blend completely into the social graph
• Few communities to detect

11 Can Sybil Components be Detected?

[Figure: Attack Edges vs. Edges Between Sybils, log-scale axes]

• Sybil components are internally sparse
• Not amenable to community detection

12 Sybil Cluster Analysis

• Are edges between Sybils formed intentionally?
  ▫ Temporal analysis indicates random formation

[Figure: axes are Edges Between Sybils Creation Order and Sybil Accounts]

• How are random edges between Sybils formed?
  ▫ Surveyed Sybil management tools
    Renren Marketing Assistant V1.0
    Renren Super Node Collector V1.0
    Renren Almighty Assistant V5.8
  ▫ Biased sampling for friend request targets
  ▫ Likelihood of Sybils inadvertently friending is high

13 Outline

• Introduction
• Sybils on Renren
• Sybil Analysis
• Conclusion

14 Conclusion

• First look at Sybils in the wild
  ▫ Ground-truth from inside a large OSN
  ▫ Deployed detector is still active
• Sybils are quite sophisticated
  ▫ Cheap labor, very realistic fakes
  ▫ Created and managed by hand
• Need for new, decentralized Sybil detectors
  ▫ Results may not generalize beyond Renren
  ▫ Evaluation on other large OSNs

15 Questions?

Slides and paper available at http://www.cs.ucsb.edu/~bowlin

Christo Wilson
UC Santa Barbara

16 Backup Slides

Only use in case of emergency!

17 Creation of Edges Between Sybils

[Figure: axes are Edges Between Sybils Creation Order and Sybil Accounts]

• The majority of edges between Sybils form randomly

18 Friend Target Selection

[Figure: CDF vs. Degree. Series: All Users; Sybil Friend Request Targets]

• High degree nodes are often Sybils!
• Sybils unknowingly friend each other
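
The four indicators from the "Sybil Detection 2.0" slide, computed over a friend-request log and combined by thresholds. This is an added example, not Renren's detector or code from the slides; the constructed log, the cut-off values, the direction of each test and the 3-of-4 vote are all assumptions made for illustration.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed friend-request log: (sender, target, hour, accepted).
REQUESTS = [("s1", f"u{i}", 0, i < 2) for i in range(8)] + [
    ("u9", "s1", 1, True),
    ("alice", "bob", 0, True), ("bob", "carol", 5, True),
    ("alice", "carol", 9, True), ("carol", "dave", 12, False),
]

# Assumed cut-offs for this sample only; the slides give no threshold values.
MAX_REQ_PER_HOUR, MIN_OUT_ACCEPT, MAX_IN_ACCEPT, MIN_CLUSTERING = 5, 0.5, 0.9, 0.01
MIN_VOTES = 3  # assumed: indicators that must trip before an account is flagged


def features(requests):
    """Return {account: (req_per_hour, out_accept, in_accept, clustering)}."""
    per_hour, friends = Counter(), defaultdict(set)
    sent, recv = defaultdict(list), defaultdict(list)
    for sender, target, hour, accepted in requests:
        per_hour[sender, hour] += 1
        sent[sender].append(accepted)
        recv[target].append(accepted)
        if accepted:  # an accepted request becomes an undirected friendship edge
            friends[sender].add(target)
            friends[target].add(sender)

    def ratio(flags):  # None when the account has no requests of that kind
        return sum(flags) / len(flags) if flags else None
    out = {}
    for acct in set(sent) | set(recv):
        freq = max((n for (a, _), n in per_hour.items() if a == acct), default=0)
        nbrs = sorted(friends[acct])
        pairs = len(nbrs) * (len(nbrs) - 1) // 2
        linked = sum(1 for a, b in combinations(nbrs, 2) if b in friends[a])
        out[acct] = (freq, ratio(sent[acct]), ratio(recv[acct]),
                     linked / pairs if pairs else 0.0)  # degree < 2 counts as 0
    return out


def flag_sybils(requests):
    """Accounts for which at least MIN_VOTES of the four indicators trip."""
    flagged = []
    for acct, (freq, out_acc, in_acc, cc) in features(requests).items():
        votes = (freq > MAX_REQ_PER_HOUR) + (cc < MIN_CLUSTERING)
        votes += out_acc is not None and out_acc < MIN_OUT_ACCEPT
        votes += in_acc is not None and in_acc > MAX_IN_ACCEPT
        if votes >= MIN_VOTES:
            flagged.append(acct)
    return sorted(flagged)
```

In the constructed log, carol trips two indicators (a rejected outgoing request and every incoming request accepted) but stays below the vote threshold because her friends are connected to each other.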