Enhancing CAN

8/13/2019 Enhancing CAN

http://slidepdf.com/reader/full/enhancing-can 1/24

Enhancing and Identifying CloningAttacks

in Online Social Networks



Contents• Introduction• Background• Motivation• Objective• Methodology• Results• Limitations•

Possible Improvements• Conclusion• References



Introduction

• Online Social Networks(OSN)• Prosperity in OSNs has given rise to the spread of spam and malicious

content propagated by many attackers.• People want to get rid of these friend requests from spammers and

phishers, but sometimes they cannot distinguish them, as each spammershave their ways to disguise themselves.

• Traditional attacks- Mere manipulation of multiple random accounts andsend quantities of friend requests.

• Aggressive and oriented attack pattern- Cloning attack or social phishing.



Background• Sybil attacks are one of the most prevalent attack patterns in online social

networks. Algorithms as SybilGuard , Sybil-Limit , SybilInfer, SybilDefender andSumUp are used to detect Sybil accounts on social networks.

• These algorithms are mainly based on the assumption that Sybil accountsusually form tight clusters and seldom make friends with normal users.

• Cloning attack is the automated theft theft of existing user profiles andsending of friend requests to the contacts of the cloned victim.

• The procedure of attack is divided into two parts-First, the crawler componentwill crawl some normal users to get their basic information, including name,city, school, even photos and blogs. So the attacker can get this information toestablish a cloning account , or a clone for short, that is a new account

registered with some similarity in profile with the original normal user.• Then, the message sender component will use the cloning accounts to

automatically send friend requests to the people in the friends ’ list. Since thecloning accounts’ basic information are the same to the people they arefamiliar with, it is highly possible for these normal users to accept the request.



• Online Social Networks – Security Problems!

• Cloning Attack

6

Motivation

Jack Clone “Jack”

Cloneprofile Friend request

Jack’s Friends



Objective

• Improve a threatening attack pattern towardsOSNs

• Test its effectiveness in real systems.

• To provide an effective defense method to

detect cloning attacks, which is real-time andlightweight



Methodology• According to the limitations of the original cloning attack pattern , we

make two major improvements to the strategy

• Snowball Sampling : a general iterative sampling technique.

It takes full advantage of the friends who have accepted friend requests sentby cloning accounts. This enhancement is a kind of combination of cloningattack and the traditional attack by typical spammers. After some users agreeto be friends to the cloning accounts, the attackers will send requests topeople who are these people’s friends. Because of the increasing number of

existing common friends and the accordant profile data, the clone will soongain credibility among the community, and acquire a boosting speed ongaining new friends.



9

Enhanced Cloning Attack: SnowballSampling

Jack Jack’s Friends

Attacker

Clone “Jack”

Other FriendsIn the community

Friend request: I amanother ID of Jack!

Commonfriends

Easier to get cheated



Methodology(contd..)• Iteration Attack : Another kind of enhancement is that once a

user accept the request, attackers will have access to moreinformation in detail of this person.

• Therefore the attacker can register a new cloning account using thedetailed profile and even copy photos and blogs to become more“genuine” to others. Consequently, it is difficult for normal peopleto detect this kind of fake friend requests.

• The greatest profit for launching an iteration attack is to inject

multiple Sybil accounts into a community, so that the attack willgain larger influence in this community, and can use multipleaccounts to launch spamming, phishing, advertisements and otheractivities



11

Enhanced Cloning Attack: IterationAttack

Jack Jack’s Friends

Attacker

Clone “Jack”

Create

Other users in the community

Friend request

Clone “Alice” Clone “Bob”

Alice Bob

Cloneprofile of

Jack’sfriends



• Based on the profile similarity between the clones , i.e. cloningaccounts, and the victims , i.e. original accounts, we classifyour clones into three levels:

The first level of clones only share the same name with thevictims.The second level shares the name, birthday and school.

The third level uses more information that can fool others totrust them: we pick a previous profile photo of the originaluser to be the clones’ profile photo.



Statistics TraditionalSybil Attack Basic Cloning Attack Cloning +SnowballSampling

Profilesimilarity

N/A Low Medium High Low

Acceptedrequests(avg.) (%)

11.3% 26.3% 47.1% 45.8% 52.1%

15

Experiment Results

1.Cloning attack is much powerful than traditional sybilattacks2.Snowball sampling makes cloning attack stronger3.Higher profile similarity leads to more successful attacks



Detecting Cloning Attacks• We divide our detecting methods into two major categories.

• The first is Content-free Detecting Approach , which makes judgments according to physical information and actualconnections, but neglecting user-generated content.

• The second is Content-related Detecting Approach . It checkspotential attacker’s user content and compares them with thereal user’s.



CloneSpotter: A Real time ContentFree Detector

• ALGORITHM : Detector Architecture• Input:• U: the set of all users• Friendsi: the friend list of user i (i ∈ U)• IPSi: login IP sequence of user i (i ∈ U)• Pro f ilei: profile data of user i (i ∈ U)• Similarityx,y: the similarity of profile x and y (x, y ∈ Pro f ile)

• Procedure:• 1: for all friend requests from A to B (A,B ∈ U) do• 2: S = φ • 3: for u ∈ FriendsB do• 4: if u.name = A.name then• 5: S = S∪ {u}• 6: end if• 7: end for• 8: for u ∈ S do



• 9: if SimilarityProfileu,ProfileA < λ then • 10: S = S−{u} • 11: end if• 12: if IPSU ∩IPSA = φ then • 13: S = S−{u} • 14: end if• 15: end for• 16: if S = φ then • 17: return A is not a clone.•

18: else• 19: return A is a clone of users in S.• 20: end if• 21: end for



19

CloneSpotter: Architecture

JackJack’s Friend

Another “Jack”

Friend request: I amanother ID of Jack!

Check:

1. High profile similaritywith Jack?

2. Disjoint login IPsequence with Jack?

Ban this ID!

83.24.*.*167.31.*.*162.105.*.*

90.25.*.*

87.200.*.*

Birthday: 10/20/1990,EECS, Peking University

Birthday: 10/20/1990,EECS, Peking University



System Evaluation of CloneSpotter• The first strength of our detector is real-time. Real-time

detectors are more powerful at preventing the maliciousattacks in time, rather than scanning the systems after theSybils have been widely accepted by users in the community.It can shield the system instantly whenever a cloning attack islaunched.

• The second benefit is low cost. In terms of storage overhead,the system database shall maintain a distinct login IP prefix

sequence for each user. Four slots for the sequence is enough,each slot with 16 bits, thus there will be 64 bits data neededfor each user, which is of slight overhead.



Limitations

• The detector based on IP address is vulnerableagainst IP spoofing.

• Another potential drawback of the detector isthat, we cannot guarantee the detected usersto be malicious, in the case that normal users

change their IP address and simultaneouslychange the account, or when normal userschange IP suffixes every time.



Possible Improvements• To tackle IP spoofing, In this case, we can dig

more into the Content-free information on theserver.

•

Compare the action time pattern of thesuspected clone and its target. If they are thesame person, they are likely to be active in similartime periods.

• Compare their click pattern in the users’ actionlog. If they are the same person, they are likely tohave similar patterns in visiting the OSNs.



References• P. Biernacki and D. Waldorf. Snowball sampling:

Problems,techniques and chain-referral sampling.Sociological Methods And Research

• J. Douceur. The sybil attack. In P. Druschel, F. Kaashoek,and A. Rowstron, editors, Peer-to-Peer Systems , volume2429 of Lecture Notes in Computer Science , pages 251 –260. Springer Berlin / Heidelberg

• M. Huber, M. Mulazzani, E. Weippl, G. Kitzler, and S.Goluch. Friend-in-the-middle attacks: Exploiting socialnetworking sites for spam. Internet Computing, IEEE

• http://www.webopedia.com/TERM/I/IP_spoofing.html



THANK YOU !

Enhancing CAN

Documents

Transcript of Enhancing CAN