Enhancing and Identifying Cloning Attacks in Online Social Networks
Zifei Shan, Haowen Cao, Jason Lv, Cong Yan, Annie Liu
Peking University, China


Page 2: Outline

• Motivation
• Background: Cloning Attack
• An enhanced attack pattern
• Experiment: Attacking Renren
• Detecting Cloning Attacks
• Conclusion

Page 3: Motivation

• Online Social Networks
  ◦ Security Problems!
• Cloning Attack

[Figure: Jack; Clone "Jack" (clone profile); friend request; Jack's friends]

Page 4: Cloning Attack

[Figure: Jack; Jack's partial friend list; Attacker; Clone "Jack". Labels: "Peek, get a partial friend list"; "Create"; "Clone profile"; "Friend request: I am another ID of Jack!"; "Cheated, add back"]

Page 5: Enhanced Cloning Attack: Snowball Sampling

[Figure: Jack; Jack's friends; Attacker; Clone "Jack"; other friends in the community. Labels: "Friend request: I am another ID of Jack!"; "Common friends"; "Easier to get cheated"]

Page 6: Enhanced Cloning Attack: Iteration Attack

[Figure: Jack; Jack's friends (Alice, Bob); Attacker; Clone "Jack"; Clone "Alice"; Clone "Bob"; other users in the community. Labels: "Create"; "Clone profile of Jack's friends"; "Friend request"]

Page 7: Experiments: Attacking Renren

• Renren: China's largest online social network
• We conduct a series of experiments to test the threat of traditional sybil attacks, original cloning attacks, and improved cloning attacks.

[Figure: experiment with different attack patterns]

Page 8: Experiment Results

Statistics for: Traditional Sybil Attack, Basic Cloning Attack, Cloning + Snowball Sampling

Profile similarity          N/A      Low      Medium   High     Low
Accepted requests (avg.)    11.3%    26.3%    47.1%    45.8%    52.1%

1. Cloning attack is much more powerful than traditional sybil attacks
2. Snowball sampling makes cloning attack stronger
3. Higher profile similarity leads to more successful attacks

Page 9: CloneSpotter: Real-Time Content-free Detector

• Real-time, server-side, lightweight detector to be deployed into real OSNs.
• Initial Filter (called on friend requests):
  ◦ Same name
  ◦ >5 common friends (requests)
  ◦ High profile similarity (school, city…; tweets, blogs…)
• Judging Condition: Login IP Sequence
  ◦ Login IP sequence of two IDs. Joint: another real account. Disjoint: cloning account.

Page 10: CloneSpotter: Architecture

[Figure: Jack; Jack's friend; another "Jack" sending "Friend request: I am another ID of Jack!". Check: 1. High profile similarity with Jack? 2. Disjoint login IP sequence with Jack? Result: "Ban this ID!". Login IP sequences shown: 83.24.*.*, 167.31.*.*, 162.105.*.* and 90.25.*.*, 87.200.*.*. Profile label (shown twice): "Birthday: 10/20/1990, EECS, Peking University"]

Page 11: Evaluation of CloneSpotter

• Strengths:
  ◦ Real-time: called on friend requests
  ◦ Low cost. Storage: need login IP sequence for users. Time: O(d) for each incoming request, where d is social degree.
• Weaknesses:
  ◦ Vulnerable against IP spoofing
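The CloneSpotter check from the slides above (initial filter, then login IP sequence comparison), written out as an added example; it is not the authors' implementation. The `Account` model, the 0.8 similarity threshold, combining the three filter conditions with AND, the "undecided" verdict, and comparing IPs on their first two octets are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    uid: str
    name: str
    profile: dict                                   # e.g. school, city, birthday
    friends: set = field(default_factory=set)       # uids of accepted friends
    requested: set = field(default_factory=set)     # uids with a pending request from this ID
    login_ips: list = field(default_factory=list)   # login IP sequence

def prefix16(ip):
    # Assumption: compare on the first two octets, like the a.b.*.* masking in the slides.
    return ".".join(ip.split(".")[:2])

def profile_similarity(a, b):
    # Assumption: similarity = share of equal values among fields both profiles fill in.
    keys = a.profile.keys() & b.profile.keys()
    return sum(a.profile[k] == b.profile[k] for k in keys) / len(keys) if keys else 0.0

def initial_filter(sender, friend, min_common=5, min_sim=0.8):
    # Same name, >5 common friends (accepted or requested), high profile similarity.
    contacts = sender.friends | sender.requested
    return (sender.name == friend.name
            and len(contacts & friend.friends) > min_common
            and profile_similarity(sender, friend) >= min_sim)

def check_friend_request(sender, recipient, accounts):
    """Called on each friend request; one pass over the recipient's friends, O(d)."""
    for fid in recipient.friends:
        friend = accounts[fid]
        if fid != sender.uid and initial_filter(sender, friend):
            a = {prefix16(ip) for ip in sender.login_ips}
            b = {prefix16(ip) for ip in friend.login_ips}
            if not a or not b:
                return ("undecided", fid)   # no login history to compare yet
            # Joint sequences: another real account. Disjoint: cloning account.
            return ("second-account" if a & b else "clone", fid)
    return ("no-match", None)

def demo():
    # Constructed sample data (documentation IP ranges), not taken from the slides.
    prof = {"school": "Example University", "city": "Example City", "birthday": "1990-01-01"}
    circle = {f"f{i}" for i in range(7)}
    jack = Account("jack", "Jack", prof, friends=set(circle), login_ips=["192.0.2.10", "198.51.100.7"])
    clone = Account("jack2", "Jack", dict(prof), requested=set(circle), login_ips=["203.0.113.5"])
    alt = Account("jack3", "Jack", dict(prof), requested=set(circle), login_ips=["198.51.100.200"])
    rcpt = Account("f0", "Alice", {}, friends={"jack"})
    return [check_friend_request(s, rcpt, {"jack": jack}) for s in (clone, alt)]
```

A "clone" verdict corresponds to the "Ban this ID!" action in the architecture figure; the weakness listed on the evaluation slide applies here too, since the verdict rests entirely on the recorded login IPs.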

Page 12: Contributions

Previous Work
“All your contacts are belong to us: automated identity theft attacks on social networks”, Leyla Bilge, Thorsten Strufe, Davide Balzarotti, Engin Kirda, in Proceedings of the 18th International Conference on World Wide Web (WWW '09)
• Define the cloning attack pattern
• Test attack feasibility in a real system (Facebook)

Our Contribution
• Enhance the cloning attack pattern by Snowball sampling and Iteration attacks
• Experiments of improved cloning attacks in real OSN (Renren)
• Provide effective defense methods to detect cloning attacks

Page 13: Future work

• Deploy into real systems
• Measure detected users
  ◦ Action patterns
  ◦ Malicious activities
• Further detecting methods
  ◦ Content-free: user action logs, click patterns, action time
  ◦ Content-related: semantics analysis

Page 14: Thanks!

Contact: Zifei Shan, Peking University, [email protected], www.zifeishan.org