1 / 22

Toward Worm Detection in Online Social Networks

Toward Worm Detection in Online Social Networks. Wei Xu, Fangfang Zhang, and Sencun Zhu ACSAC 2010. OUTLINE. Introduction Related Work System Design Evaluation Limitation and Discussion Conclusion. Introduction - Worm. Worm Scanning Attack string XSS Worm XSS Vulnerability

Download Presentation

Toward Worm Detection in Online Social Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Toward Worm Detection in Online Social Networks Wei Xu, Fangfang Zhang, and Sencun Zhu ACSAC 2010

  2. OUTLINE • Introduction • Related Work • System Design • Evaluation • Limitation and Discussion • Conclusion

  3. Introduction - Worm • Worm • Scanning • Attack string • XSS Worm • XSS Vulnerability • OSN(Online Social Networking) Worm • Messages • Url link

  4. Twitter XSS Worm • var xss = urlencode('http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><a ');

  5. Introduction – OSN Worm

  6. Related Work • Worm detection, early warning and response based on local victim information. ACSAC(2004) • And many Worm detection approach… • Rely on scanning traffic/detailed infection procedure • Fast detection and suppression of instant messaging malware in enterprise-like networks. ACSAC(2007) • HoneyIM

  7. Idea • OSN • High clustering property • Monitor the “popular” user • “Decoy friend” • Idea of honeypot • Add into a normal user’s friends list

  8. System Design • Like lightweight NIDS

  9. System Design • Configuration module • Social graph • Evidence collecting module • Gathers suspicious worm propagation evidence • Worm detection module • Identifies and reports worm • Communication module • Just for communicate

  10. Evidence collecting module • Decoy friend • As a low-interactive honeypot • Receive worm evidence • Questions of decoy friend • Information leak • User’s reluctance • How to collect only suspicious worm evidence

  11. Configuration module • Selecting normal users and assigning decoy friends to these users • Two decoy friends for each user • Selecting normal users • Limiting the number of decoy friends • Preserving the detection effectiveness

  12. Configuration module • Question: A directed graph G = (V,E) user connection between two users • Extended dominating set problem • Minimum vertex set • Or exists a path form to where and the length of this path is at most hops.

  13. Configuration module • Make it simple • Sets r = 2 • Not necessary to cover the entire social graph • Power law distribution • 20% of users have no connections • Maximum Coverage Problem • Given a social graph G=(V,E) and a number k, choose a set of vertices with size of at most k such that the number of other vertices that are covered by this set with coverage redius r=2 reaches the maximum

  14. Worm detection module • Def: suspicious propagation evidence list(SPEL) • {decoy friend ID, receiving time, content} • Event: get any SPEL • Keep it for a short period of time • Step1:Local Correlation • Compare two decoy friends(from same user) • Step2:Network Correlation • Compare all saved SPEL

  15. Worm detection module • Compare SPEL • If a similarity over 90% → Alert • Similarity • Edit distance of content in SPEL

  16. Evaluation

  17. Evaluation • Flickr • 1,846,198 users • 22,613,981 friend links • 1.Test Koobface worm and Mikeyy worm • 2.Different worm behavior • 3.Different size of selected users set(with decoy friends)

  18. Evaluation1 • Koobface Different messages All friends • Mikeyy Same messages All friends Maximum infection 2420 (0.13%)

  19. Evaluation2 • Infection Number versus Different Percentages of Friends lists

  20. Evaluation3 • 2937.85(0.16%)

  21. Limitation&Discussion • False positive? • Outbreak of a large-scale event • A posted link in a suspicious message is pointed to well-known website – OK • Otherwise – rare case, manual checking? • Time delay • Keep messages longer

  22. Conclusion • A new problem – OSN worm • Monitor a few hundreds of users to detect OSN worm • Effectively detect OSN worm (0.13%)

More Related