Toward Worm Detection in Online Social Networks
Wei Xu, Fangfang Zhang, and Sencun Zhu
ACSAC 2010

Outline
◦ Introduction
◦ Related Work
◦ System Design
◦ Evaluation
◦ Limitation and Discussion
◦ Conclusion

Introduction - Worm
Worm
◦ Scanning
◦ Attack string
XSS Worm
◦ XSS Vulnerability
OSN (Online Social Networking) Worm
◦ Messages
◦ URL link

Twitter XSS Worm
var xss = urlencode('http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><a ');

Related Work
Worm detection, early warning and response based on local victim information. ACSAC (2004)
And many worm detection approaches…
◦ Rely on scanning traffic/detailed infection procedure
Fast detection and suppression of instant messaging malware in enterprise-like networks. ACSAC (2007)
◦ HoneyIM

Idea
OSN
◦ High clustering property
◦ Monitor the “popular” user
“Decoy friend”
◦ Idea of honeypot
◦ Add into a normal user’s friends list

System Design
Configuration module
◦ Social graph
Evidence collecting module
◦ Gathers suspicious worm propagation evidence
Worm detection module
◦ Identifies and reports worm
Communication module
◦ Just for communication

Evidence collecting module
Decoy friend
◦ As a low-interaction honeypot
◦ Receive worm evidence
Questions of decoy friend
◦ Information leak
◦ User’s reluctance
◦ How to collect only suspicious worm evidence

Configuration module
Selecting normal users and assigning decoy friends to these users
◦ Two decoy friends for each user
Selecting normal users
◦ Limiting the number of decoy friends
◦ Preserving the detection effectiveness

Configuration module
Question: A directed graph $G = (V, E)$
◦ $V$: user
◦ $E$: connection between two users
Extended dominating set problem
◦ Minimum vertex set $S$
◦ $\forall v \in V$: $v \in S$
◦ Or there exists a path from $w$ to $v$ where $w \in S$ and the length of this path is at most $r$ hops.

Configuration module
Make it simple
◦ Sets r = 2
Not necessary to cover the entire social graph
◦ Power law distribution
◦ 20% of users have no connections
Maximum Coverage Problem
◦ Given a social graph G = (V, E) and a number k, choose a set of vertices with size of at most k such that the number of other vertices that are covered by this set with coverage radius r = 2 reaches the maximum

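The maximum coverage selection above can be approximated with the classic greedy heuristic. This is an added example, not code from the slides or the paper: the greedy choice, the function names, the constructed sample graph, and the convention that an edge u -> v lets a selected user u cover v are all assumptions.

```python
from collections import deque

# Constructed sample graph (not Flickr data). ASSUMPTION: an edge u -> v means
# a selected user u covers v along u -> v paths. Every user must be a key.
GRAPH = {
    "alice": ["bob", "carol"],
    "bob": ["dave"],
    "carol": ["dave", "erin"],
    "dave": ["frank"],
    "erin": [],
    "frank": ["grace"],
    "grace": [],
    "heidi": [],            # user with no connections
    "ivan": ["alice"],
}

def covered_within(graph, start, r=2):
    """Users reachable from `start` in at most r hops (BFS), excluding start."""
    seen = {start}
    frontier = deque([(start, 0)])
    while frontier:
        node, dist = frontier.popleft()
        if dist == r:
            continue        # coverage radius reached, do not expand further
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, dist + 1))
    seen.discard(start)
    return seen

def select_users(graph, k, r=2):
    """Greedy maximum coverage: pick at most k users, each time the one that
    adds the most not-yet-covered users within radius r."""
    reach = {u: covered_within(graph, u, r) | {u} for u in graph}
    chosen, covered = [], set()
    for _ in range(k):
        # sorted() makes tie-breaking deterministic (alphabetical)
        best = max(sorted(reach), key=lambda u: len(reach[u] - covered))
        if not reach[best] - covered:
            break           # no remaining user adds coverage
        chosen.append(best)
        covered |= reach[best]
    # Report the "other vertices" covered, i.e. excluding the selected users.
    return chosen, covered - set(chosen)

if __name__ == "__main__":
    chosen, others = select_users(GRAPH, k=2)
    print("selected users:", chosen)
    print("covered users:", sorted(others))
```

Users with no connections, such as `heidi` here, are never covered by another user, which matches the slide's point that covering the entire graph is unnecessary.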
Worm detection module
Def: suspicious propagation evidence list (SPEL)
◦ {decoy friend ID, receiving time, content}
Event: get any SPEL
◦ Keep it for a short period of time
◦ Step 1: Local Correlation
  Compare two decoy friends (from same user)
◦ Step 2: Network Correlation
  Compare all saved SPEL

Worm detection module
Compare SPEL
◦ If a similarity over 90% → Alert
Similarity
◦ Edit distance of content in SPEL
◦ $\mathrm{sim}(E_a, E_b) = \dfrac{1}{1 + \mathrm{editDist}(E_a, E_b)}, \quad E_a, E_b \in \mathrm{SPELs}$

Evaluation
Flickr
◦ 1,846,198 users
◦ 22,613,981 friend links
1. Test Koobface worm and Mikeyy worm
2. Different worm behavior
3. Different size of selected users set (with decoy friends)

Evaluation 1
Koobface
◦ Different messages
◦ All friends
Mikeyy
◦ Same messages
◦ All friends
Maximum infection: 2420 (0.13%)

Limitation & Discussion
False positive?
◦ Outbreak of a large-scale event
◦ A posted link in a suspicious message points to a well-known website – OK
◦ Otherwise – rare case, manual checking?
Time delay
◦ Keep messages longer