370 likes | 485 Views
Andrew G. West , Jian Chang, Krishna Venkatasubramanian, Oleg Sokolsky, and Insup Lee CEAS `11 – September 1, 2011. Link Spamming Wikipedia for Profit. Overview/Outline. How do wikis/Wikipedia prevent link spam? How common is wiki/Wikipedia link spam?
E N D
Andrew G. West,Jian Chang, Krishna Venkatasubramanian, Oleg Sokolsky, and Insup Lee CEAS `11 – September 1, 2011 Link Spamming Wikipedia for Profit
Overview/Outline • How do wikis/Wikipedia prevent link spam? • How common is wiki/Wikipedia link spam? • How “successful” are the attack vectors? • Might there be more effective ones? (yes) • How would one defend against them?
Defining Link Spam • Any violation of external link policy [2] • Commercial • Non-notable sources: fan pages, blogs, etc. • Two dimensions • Destination (URL) • Presentation • HTML nofollow Link spam example
Motivations Spam not uncommon in collaborative/UGC apps (surveyed in [9,12]) • Wikipedia/wikis are unique: • Edit-anywhere (no append-only semantics) • Global editing (not network limited) • Community-driven mitigation • Extremely high traffic (#7 in Alexa) • Potential for traffic/profit (e.g., Amazon [14])
Single-link Mitigation Assume a “clean” account adds a “new” spam link:
Aggregate Mitigation Problematic URLs Malicious Accounts • URL blacklists [3] • Manually maintained • Local + global versions • ≈17k entries in combo. • Warning system [10] • 4 warnings without • consequence • 5th blocks account Malicious Collectives Unauthorized Bots • Either Sybil “sock-puppets” • or actual collectives • Manual signature detection • or IP correlation Bots can be very fast Rate-limits CAPTCHAs [15] Special software
Aggregate Mitigation Problematic URLs Malicious Accounts • URL blacklists [3] • Manually maintained • Local + global versions • ≈17k entries in combo. • Warning system [10] • 4 warnings without • consequence • 5th blocks account Malicious Collectives Unauthorized Bots • Either Sybil “sock-puppets” • or actual collectives • Manual signature detection • or IP correlation Bots can be very fast Rate-limits CAPTCHAs [15] Special software
Aggregate Mitigation Problematic URLs Malicious Accounts • URL blacklists [3] • Manually maintained • Local + global versions • ≈17k entries in combo. • Warning system [10] • 4 warnings without • consequence • 5th blocks account Malicious Collectives Unauthorized Bots • Either Sybil “sock-puppets” • or actual collectives • Manual signature detection • or IP correlation Bots can be very fast Rate-limits CAPTCHAs [15] Special software
Aggregate Mitigation Problematic URLs Malicious Accounts • URL blacklists [3] • Manually maintained • Local + global versions • ≈17k entries in combo. • Warning system [10] • 4 warnings without • consequence • 5th blocks account Malicious Collectives Unauthorized Bots • Either Sybil “sock-puppets” • or actual collectives • Manual signature detection • or IP correlation Bots can be very fast Rate-limits CAPTCHAs [15] Special software
Aggregate Mitigation Problematic URLs Malicious Accounts • URL blacklist • Manually maintained • Local + global versions • ≈17k entries in combo. • Warning system • 4 warnings without • consequence • 5th blocks account • TAKEAWAY: • * Only humans can catch “new” instances • * Aggregate mechanisms must wait for atomic instances to compound before they can take affect • HUMAN LATENCY! Malicious Collectives Unauthorized Bots • Either Sybil “sock-puppets” • or actual collectives • Manual signature detection • or IP correlation Bots can be very fast Rate-limits CAPTCHAs Special software
Corpus Creation • “Spam” edits are those that: • Added exactly one external link • Made no changes outside context of that link • Were “rolled-back” (expedited admin. undo) • Edits meeting: if(1 && 2 && !3) = “Ham” • Edits meeting: if(3) = “Damaging”
Corpus Example (1) Because the link was the ONLY change made. The privileged user’s decision to roll-back that edit speaks DIRECTLY to that link’s inappropriateness.
Spam Genres TAKEAWAY: Spam is: • Categorically diverse • “Subtlety”: Info. adjacent services • Not monetarily-driven? Spam by ODP/DMOZ category
Spam Placement TAKEAWAY: • Conventions followed • Subtlety for persistence?
Bad Domains + Blacklist TAKEAWAYS: • Wiki spammers ≠ email spammers Email Spam URLS Wiki SpamURLs ø • Domain statistics don’t suggest max. utility • Only 2 of 25 worst were blacklisted • Only 14 domains appear 10+ times in {SPAM}
Spam Perpetrators • 57% of spam added by non-registered users • Yet we will show registered accounts beneficial • Worst users map onto worst domains • Dedicated spam accounts; most blocked Geo-locating spammers
Spam Life/Impact Spam lifespan • 19 minutes at median • 85 secs. for damage • Reason for difference Spam page views • Proxy for “link views” • Metric of choice • 6.05 views per spam link
Broadening Search • Maybe our corpus just missed something? • Archives show some abuse (but non-automated) • Deleted revisions; media coverage • SUMMARY: Status quo strategies unsuccessful • ≈ 6 views/link not likely to be profitable • Patrollers un-fooled by subtle strategies which seem to aim for “link persistence” • Cause or effect of unsophisticated strategies?
A NOVEL ATTACK MODEL (inspired by [15])
Attack Summary MODEL: Abandon deception, aggressively exploit latency of human detection process. Attack characterized by 4 vectors: • Target high-traffic pages • Autonomous attainment of privileged accounts; mechanized operation thereof • Prominent link placement/style • Distributed
Popular Pages (1) • Imagine 85 seconds on these pages! • Why not just protect these somehow? • Next: Account-level vulnerabilities
Privileged Accounts • Becoming autoconfirmed • Outsource the CAPTCHA solve [15] • Requires 10 good edits (or warnings/block) • Non-vetted namespaces; helpful bots; thesaurus attacks • Conduct campaigns via API [1] at high-speed • “Anti-bot” software found ineffective
Prominent Placement <p style="font-size:5em;font-weight:bolder"> [http://www.example.com Example link]</p>
Distributed Attack Two notions of “distributed”: • Need IP-agility to avoid IP (range) blocks • What spammer doesn’t? • Use open-proxies, existing botnet, etc. • There are many sites one can target • Wiki language editions; WMF sister-sites • Universal API [1] into MediaWiki installs
User Responses • Administrative response • Expected flow to campaign termination • Very conservative example: • 1 min. account survival = 70 links placed • Top 70 articles @ 1 min. each = 2,100 active views • Reader response • Sources of link exposure • Active views: Link in default version • Inactive views: Version histories and watchlisters • Content scrapers and mashup apps. • Click-through desensitization (email spam? [13])
Economics • Cost of campaigns (about $1 marginal) • Affiliate programs; 50% commissions [13] • CAPTCHA per account; $1 per thousand [15] • Domain names; $1-$2 each • Minimal labor costs (< 100 LOC) • Expected return-on-investment; extrapolate from “male enhancement pharmacy” study [13] • 2100 exposures -> 20 click-through -> $5.20 gross • Affiliate fees: $5.20 -> $2.60 net >> $1 marginal • Why not seen live? Naivety? Scale?
Defense Strategies (1) • Ethical issues; WMF notification • Focus on technical defense (sociological aspects) • Require explicit approval • Prevent from going live until vetted • Controversial “Flagged Revisions” proposal • Privilege configuration • Edit count is a poor metric (see [8]) • No human can do 70 edits/min. – maybe 5 edits/min.? • Tool-expedited users should have separate status
Defense Strategies (2) • Autonomous signature-driven detection [19] • Human latency gone (dwindling workforce [11]) • Machine-learning classifier over: • Wikipedia metadata [5] (URL addition rates, editor permissions) • Landing-site analysis [7] (Commercial intent, SEO) • Third-party data (Alexa web crawler, Google Safe Browsing) • Implemented and operational on English Wikipedia • Offline analysis: 66% status-quo spam catch-rate at 0.5% FP-rate Anti-spam algorithm Wikipedia STiki Client STiki Services Scoring STiki Client IRC #enwiki# Edit Queue Fetch Edit Likely vandalism Likely vandalism Wiki-API Likely vandalism Display ------------------- Likely innocent Maintain Classify Bot Logic if(score) > thresh: REVERT else:
References (1) [01] MediaWiki API. http://en.wikipedia.org/w/api.php [02] Wikipedia: External links. http://en.wikipedia.org/wiki/WP:EL [03] Wikipedia spam blacklists. http://en.wikipedia.org/wiki/WP:BLACKLIST [04] WikiProject spam. http://en.wikipedia.org/wiki/WP:WPSPAM [05] B. Adler, et al. Wikipedia vandalism detection: Combining natural language, metadata, and reputation features. In CICLing 2011. [06] J. Antin and C. Cheshire. Readers are not free-riders: Reading as a form of participation on Wikipedia. In CSCW 2010. [07] H. Dai, et al. Detecting online commercial intention (OCI). In WWW 2006. [08] P. K.-F. Fong and R. P. Biuk-Aghai. What did they do? Deriving high-level edit histories in wikis. In WikiSym 2010. [09] H. Gao, et al. Detecting and characterizing social spam campaigns. In CCS’10. [10] R. S. Geiger and D. Ribes. The work of sustaining order in Wikipedia: The banning of a vandal. In CSCW 2010.
References (2) [11] E. Goldman. Wikipedia’s labor squeeze and its consequences. Journal of Telecomm. and High Tech. Law, 8, 2009. [12] P. Heymann, et al. Fighting spam on social web sites: A survey of approaches and future challenges. IEEE Internet Comp., 11(6):36–45, 2007. [13] C. Kanich, et al. Spamalytics: An empirical market analysis of spam marketing conversion. In CCS 2008. [14] C. McCarthy. Amazon adds Wikipedia to book-shopping. http://news.cnet.com/8301-13577_3-20024297-36.html, 2010. [15] M. Motoyama, et al. Re: CAPTCHAs - Understanding CAPTCHA-solving services in an economic context. In USENIX Security 2010 [16] R. Priedhorsky, et al. Creating, destroying, and restoring value in Wikipedia. In GROUP 2007, the ACM Conference on Supporting Group Group [17] Y. Shin, et al. The nuts and bolts of a forum spam automator. In LEET 2011. [18] B. E. Ur and V. Ganapathy. Evaluating attack amplification in online social networks. In W2SP 2009, Web 2.0 Security and Privacy [19] A. G. West, et al. Autonomous link spam detection in purely collaborative environments. In WikiSym 2011.