February 2019
Forecasting Suspicious Account Activity at Large-Scale Online Service Providers
Hassan Halawa (1), Konstantin Beznosov (1), Baris Coskun (2), Meizhu Liu (3), Matei Ripeanu (1)
(1) University of British Columbia, (2) Amazon Web Services, (3) Yahoo! Research
Automated attacks operating on a large scale, exploiting unsafe decisions made by individual users
■ Phishing
■ Phishing □ Online Services
■ Phishing ■ Overview □ Current vs. Proposed
Current Defenses
Proposed
Reactive
Signatures
Proactive
Anomalies
Evolving Attacks
False Positives
Forecasting
Early Warning
identifying attack/attacker patterns
mining behavioral/usage patterns
■ Phishing ■ Overview □ Current vs. Proposed □ Highlights
■ Experiment at a Large-Scale Online Service Provider (4 months production data / 100+ million users / 100+ billion login events)
■ Promising Performance as an Early Warning System (AUROC ~ 0.92 / FPR ~ 0.5% / ACC ~ 99.5% / REC ~ 50.6% / PRE ~ 18.3% using only a 1 week historical trace and predicting 1 month in advance)
■ Supervised ML Pipeline for Forecasting (predict future suspicious account activity from historical traces)
“Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.”
■ Discussion □ Social Engineering
■ Cost of attack
■ Multi-Stage Attacks
■ Similar dynamics to epidemics
■ Discussion □ Focusing on the Vulnerable Population as a key defense Element
■ Targeted
■ Efficient
■ Proactive
■ Robust
■ Discussion □ Advantages of Proposed Paradigm
■ Discussion □ Robustness
■ Current defenses are attack/attacker centric
■ Based on attacker-controlled behavior/features
■ Attackers can employ adversarial strategies
■ Discussion □ Reactive Defenses
Focus on identifying attacks/attackers
[SNS’11] Tao Stein, Erdong Chen, and Karan Mangla. 2011. Facebook immune system. In Proceedings of the 4th Workshop on Social Network Systems (SNS'11). ACM, pp. 8, New York, NY, USA.
[Figure: attack/defense cycle. Phase labels: Begin Attack, Initial Detection, Defender Responds, Attacker Detects. Stage labels: Attack, Mutate, Detect, Defense. Legend: Attacker Controls, Defender Controls.]
■ Discussion □ User Education
■ First line of defense
■ Direct cost (attack) vs. Indirect cost (effort)
■ Distribute cost proportional to user vulnerability
■ Paternalism
■ Fairness (Service Discrimination)
■ Discussion □ Legal/Ethical Considerations
■ Feasibility to develop a vulnerability classifier
■ Inaccuracies in predicting the vulnerable population
■ Some defense mechanisms may violate user expectations
■ Targeted protection may be confusing / complex
■ Discussion □ Adoption Challenges
■ Offline Worlds
■ Online Worlds
■ Our Experience
■ Discussion □ Related Work
■ Large-scale social-bot infiltration feasible
■ Defense system leveraging the proposed paradigm
■ Deployed at Telefonica’s OSN Tuenti (50+ million users)
■ Discussion □ Our Experience (Integro)
■ Discussion □ Integro
[ECS’16] Boshmaf, Y., Logothetis, D., Siganos, G., Lería, J., Lorenzo, J., Ripeanu, M., Beznosov, K., and Halawa, H. (2016). Íntegro: Leveraging Victim Prediction for Robust Fake Account Detection in Large Scale OSNs. Elsevier Computers & Security. 61: 142-168.