Enhancing and Identifying Cloning Attacks in Online Social Networks

Zifei Shan, Haowen Cao, Jason Lv, Cong Yan, Annie Liu
Peking University, China


Outline

Motivation
Background: Cloning Attack
An enhanced attack pattern
Experiment: Attacking Renren
Detecting Cloning Attacks
Conclusion

Motivation

Online Social Networks
  ◦ Security Problems!
Cloning Attack

[Diagram labels: Jack; Clone “Jack”; Clone profile; Friend request; Jack’s Friends]

Cloning Attack

[Diagram nodes: Jack; Jack’s partial friend list; Attacker; Clone “Jack”]
Diagram arrow labels:
  Peek, get a partial friend list
  Create
  Clone profile
  Friend request: I am another ID of Jack!
  Cheated, add back

Enhanced Cloning Attack: Snowball Sampling

[Diagram nodes: Jack; Jack’s Friends; Attacker; Clone “Jack”; Other friends in the community]
Diagram labels:
  Friend request: I am another ID of Jack!
  Common friends
  Easier to get cheated

Enhanced Cloning Attack: Iteration Attack

[Diagram nodes: Jack; Jack’s Friends (Alice, Bob); Attacker; Clone “Jack”; Clone “Alice”; Clone “Bob”; Other users in the community]
Diagram labels:
  Create
  Clone profile of Jack’s friends
  Friend request

Experiments: Attacking Renren

Renren: the largest Chinese online social network

We conduct a series of experiments to test the threat of traditional sybil attacks, original cloning attacks, and improved cloning attacks.

[Diagram labels: Experiment; different attack patterns]

Experiment Results

Attack pattern                 Profile similarity   Accepted requests (avg.)
Traditional Sybil Attack       N/A                  11.3%
Basic Cloning Attack           Low                  26.3%
Basic Cloning Attack           Medium               47.1%
Basic Cloning Attack           High                 45.8%
Cloning + Snowball Sampling    Low                  52.1%

1. Cloning attacks are much more powerful than traditional sybil attacks
2. Snowball sampling makes the cloning attack stronger
3. Higher profile similarity leads to more successful attacks

CloneSpotter: Real-Time Content-free Detector

Real-time, server-side, lightweight detector to be deployed into real OSNs.

Initial Filter: (Called on friend requests)
  ◦ Same name
  ◦ >5 common friends (requests)
  ◦ High profile similarity
      school, city…
      tweets, blogs…

Judging Condition: Login IP Sequence
  ◦ Login IP Sequence of two IDs
      Joint: another real account
      Disjoint: cloning account

CloneSpotter: Architecture

[Diagram nodes: Jack; Jack’s Friend; Another “Jack”]
Friend request: I am another ID of Jack!
Check:
  1. High profile similarity with Jack?
  2. Disjoint login IP sequence with Jack?
Ban this ID!

Login IP sequences shown for the two IDs:
  83.24.*.*, 167.31.*.*, 162.105.*.*
  90.25.*.*, 87.200.*.*
Profile shown for both IDs: Birthday: 10/20/1990, EECS, Peking University

Evaluation of CloneSpotter

Strengths:
  ◦ Real-time: called on friend requests
  ◦ Low cost:
      Storage: need login IP sequence for users
      Time: O(d) for each incoming request, d is social degree
Weaknesses:
  ◦ Vulnerable against IP spoofing
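
Added example, not part of the original slides or the authors' code: the CloneSpotter check described above (initial filter, then the login IP sequence test), written in Python. The similarity metric and its 0.8 threshold, the /16 prefix comparison, treating all three filter conditions as required, and all account data are assumptions.

```python
from dataclasses import dataclass, field

MIN_COMMON = 5        # slide: ">5 common friends (requests)"
SIM_THRESHOLD = 0.8   # assumed cut-off for "high profile similarity"

@dataclass
class Account:
    uid: str
    name: str
    profile: dict                                  # school, city, birthday, ...
    friends: set = field(default_factory=set)      # friend uids plus pending requests
    login_ips: list = field(default_factory=list)  # login IP sequence

def prefix16(ip):
    return ".".join(ip.split(".")[:2])  # /16 as drawn on the slide (assumed)

def profile_similarity(a, b):
    # Assumed metric: share of profile fields whose values match exactly.
    keys = set(a.profile) | set(b.profile)
    same = sum(1 for k in keys if k in a.profile and a.profile[k] == b.profile.get(k))
    return same / len(keys) if keys else 0.0

def passes_initial_filter(req, cand):
    # All three slide conditions are treated as required (assumption).
    return (req.name == cand.name
            and len(req.friends & cand.friends) > MIN_COMMON
            and profile_similarity(req, cand) >= SIM_THRESHOLD)

def login_disjoint(a, b):
    # Disjoint login IP sequences -> cloning account; joint -> another real account.
    return not ({prefix16(i) for i in a.login_ips} & {prefix16(i) for i in b.login_ips})

def check_friend_request(req, recipient, accounts):
    # One pass over the recipient's friend list: O(d), d = social degree.
    return [f for f in recipient.friends
            if f != req.uid
            and passes_initial_filter(req, accounts[f])
            and login_disjoint(req, accounts[f])]

def demo():
    # Constructed sample data; IPs are RFC 5737 documentation addresses.
    prof = {"birthday": "10/20/1990", "school": "Peking University", "dept": "EECS"}
    circle = {f"f{i}" for i in range(1, 8)}
    jack = Account("jack", "Jack", prof, circle, ["192.0.2.10", "198.51.100.7"])
    clone = Account("c1", "Jack", dict(prof), circle - {"f7"}, ["203.0.113.5"])
    alt = Account("j2", "Jack", dict(prof), circle - {"f7"}, ["198.51.100.99"])
    friend = Account("f1", "Ann", {}, {"jack"}, ["192.0.2.44"])
    accounts = {a.uid: a for a in (jack, clone, alt, friend)}
    return [check_friend_request(a, friend, accounts) for a in (clone, alt)]
```

An ID that passes the filter but has no recorded logins has an empty sequence and is therefore treated as disjoint.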

Contributions

Previous Work
“All your contacts are belong to us: automated identity theft attacks on social networks”, Leyla Bilge, Thorsten Strufe, Davide Balzarotti, Engin Kirda, in Proceedings of the 18th International Conference on World Wide Web (WWW ’09)
  Define the cloning attack pattern
  Test attack feasibility in a real system (Facebook)

Our Contribution
  Enhance the cloning attack pattern by Snowball sampling and Iteration attacks
  Experiments of improved cloning attacks in real OSN (Renren)
  Provide effective defense methods to detect cloning attacks

Future work

Deploy into real systems
Measure detected users
  ◦ Action patterns
  ◦ Malicious activities
Further detecting methods
  ◦ Content-free: User action logs, Click-patterns, Action Time
  ◦ Content-related: semantics analysis

Thanks!

Contact: Zifei Shan, Peking University
[email protected]
www.zifeishan.org