Toward Worm Detection in Online Social Networks
Wei Xu, Fangfang Zhang, and Sencun Zhu
ACSAC 2010
Introduction - Worm
Worm
◦ Scanning
◦ Attack string
XSS Worm
◦ XSS Vulnerability
OSN (Online Social Networking) Worm
◦ Messages
◦ URL link
Twitter XSS Worm
var xss = urlencode('http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><a ');
Related Work
Worm detection, early warning and response based on local victim information. ACSAC (2004)
And many worm detection approaches…
◦ Rely on scanning traffic/detailed infection procedure
Fast detection and suppression of instant messaging malware in enterprise-like networks. ACSAC (2007)
◦ HoneyIM
Idea
OSN
◦ High clustering property
◦ Monitor the “popular” user
“Decoy friend”
◦ Idea of honeypot
◦ Add into a normal user’s friends list
System Design
Configuration module
◦ Social graph
Evidence collecting module
◦ Gathers suspicious worm propagation evidence
Worm detection module
◦ Identifies and reports worm
Communication module
◦ Just for communication
Evidence collecting module
Decoy friend
◦ As a low-interaction honeypot
◦ Receives worm evidence
Questions of decoy friend
◦ Information leak
◦ User’s reluctance
◦ How to collect only suspicious worm evidence
Configuration module
Selecting normal users and assigning decoy friends to these users
◦ Two decoy friends for each user
Selecting normal users
◦ Limiting the number of decoy friends
◦ Preserving the detection effectiveness
Configuration module
Question: A directed graph G = (V,E)
◦ V: user
◦ E: connection between two users
Extended dominating set problem
◦ Minimum vertex set $S$
◦ $\forall v \in V$: $v \in S$
◦ Or there exists a path from $v$ to $w$ where $w \in S$ and the length of this path is at most $r$ hops.
Configuration module
Make it simple
◦ Sets r = 2
Not necessary to cover the entire social graph
◦ Power law distribution
◦ 20% of users have no connections
Maximum Coverage Problem
◦ Given a social graph G=(V,E) and a number k, choose a set of vertices with size of at most k such that the number of other vertices that are covered by this set with coverage radius r=2 reaches the maximum
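Added example (not from the slides or the authors' code): a greedy heuristic for the maximum coverage selection stated above, picking at most k users to receive decoy friends. It assumes an edge (u, v) means messages sent by u are delivered to v, and that a selected user w covers v when a path of at most r hops leads from v to w; the greedy strategy, the function names and the sample graph are illustrative choices.

```python
from collections import deque

# Constructed sample graph: edge (u, v) means u's messages reach v (assumption).
EDGES = [("a", "hub1"), ("b", "hub1"), ("c", "a"), ("d", "b"), ("hub1", "e"),
         ("f", "hub2"), ("g", "hub2"), ("h", "g"), ("i", "j")]

def coverage(reverse_adj, w, r=2):
    """Users with a path of at most r hops to w (w itself excluded)."""
    seen, frontier = {w}, deque([(w, 0)])
    while frontier:
        node, dist = frontier.popleft()
        if dist == r:
            continue  # coverage radius reached, do not expand further
        for pred in reverse_adj.get(node, ()):
            if pred not in seen:
                seen.add(pred)
                frontier.append((pred, dist + 1))
    return seen - {w}

def select_monitored_users(edges, k, r=2):
    """Greedily pick at most k users to receive decoy friends.

    Returns (chosen users in pick order, set of other users they cover).
    """
    reverse_adj, users = {}, set()
    for u, v in edges:
        reverse_adj.setdefault(v, set()).add(u)
        users.update((u, v))
    # A chosen user is trivially monitored, so count it in its own reach.
    reach = {w: coverage(reverse_adj, w, r) | {w} for w in users}
    chosen, covered = [], set()
    while len(chosen) < k:
        candidates = sorted(users - set(chosen))  # sorted for stable ties
        if not candidates:
            break
        best = max(candidates, key=lambda w: len(reach[w] - covered))
        if not reach[best] - covered:
            break  # everything reachable is already covered
        chosen.append(best)
        covered |= reach[best]
    return chosen, covered - set(chosen)

if __name__ == "__main__":
    picked, others = select_monitored_users(EDGES, k=2)
    print(picked, sorted(others))
```

Users with no connections never appear in the edge list, so they are neither selected nor counted as covered.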
Worm detection module
Def: suspicious propagation evidence list (SPEL)
◦ {decoy friend ID, receiving time, content}
Event: get any SPEL
◦ Keep it for a short period of time
◦ Step 1: Local Correlation
  Compare two decoy friends (from same user)
◦ Step 2: Network Correlation
  Compare all saved SPEL
Worm detection module
Compare SPEL
◦ If a similarity over 90% → Alert
Similarity
◦ Edit distance of content in SPEL
◦ $sim(E_a, E_b) = \frac{1}{1 + editDist(E_a, E_b)}, \quad E_a, E_b \in SPELs$
Evaluation
Flickr
◦ 1,846,198 users
◦ 22,613,981 friend links
1. Test Koobface worm and Mikeyy worm
2. Different worm behavior
3. Different size of selected users set (with decoy friends)
Evaluation 1
Koobface: different messages, all friends
Mikeyy: same messages, all friends
Maximum infection: 2420 (0.13%)
Limitation & Discussion
False positive?
◦ Outbreak of a large-scale event
◦ A posted link in a suspicious message points to a well-known website – OK
◦ Otherwise – rare case, manual checking?
Time delay
◦ Keep messages longer