Toward Worm Detection in Online Social Networks

Description: Toward Worm Detection in Online Social Networks. Wei Xu, Fangfang Zhang, and Sencun Zhu, ACSAC 2010. Outline: Introduction, Related Work, System Design, Evaluation, Limitation and Discussion, Conclusion.

Transcript of Toward Worm Detection in Online Social Networks

Slide 1: Toward Worm Detection in Online Social Networks

Wei Xu, Fangfang Zhang, and Sencun Zhu
ACSAC 2010

Slide 2: Outline

Introduction
Related Work
System Design
Evaluation
Limitation and Discussion
Conclusion

Slide 3: Introduction - Worm

Worm
◦ Scanning
◦ Attack string
XSS Worm
◦ XSS vulnerability
OSN (Online Social Networking) Worm
◦ Messages
◦ URL link

Slide 4: Twitter XSS Worm

var xss = urlencode('http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><a ');

Slide 5: Introduction – OSN Worm

Slide 6: Related Work

Worm detection, early warning and response based on local victim information. ACSAC (2004)
And many other worm detection approaches…
◦ Rely on scanning traffic or a detailed infection procedure
Fast detection and suppression of instant messaging malware in enterprise-like networks. ACSAC (2007)
◦ HoneyIM

Slide 7: Idea

OSN
◦ High clustering property
◦ Monitor the “popular” users
“Decoy friend”
◦ Idea of a honeypot
◦ Added into a normal user’s friends list

Slide 8: System Design

Like a lightweight NIDS

Slide 9: System Design

Configuration module
◦ Social graph
Evidence collecting module
◦ Gathers suspicious worm propagation evidence
Worm detection module
◦ Identifies and reports worms
Communication module
◦ Just for communication

Slide 10: Evidence collecting module

Decoy friend
◦ Acts as a low-interaction honeypot
◦ Receives worm evidence
Questions about decoy friends
◦ Information leak
◦ User’s reluctance
◦ How to collect only suspicious worm evidence

Slide 11: Configuration module

Selecting normal users and assigning decoy friends to these users
◦ Two decoy friends for each user
Selecting normal users
◦ Limiting the number of decoy friends
◦ Preserving the detection effectiveness

Slide 12: Configuration module

Question: a directed graph $G = (V, E)$, where $V$ is the set of users and $E$ the set of connections between two users
Extended dominating set problem
◦ Find a minimum vertex set $S \subseteq V$ such that
◦ for every $v \in V$, either $v \in S$,
◦ or there exists a path from $v$ to $w$ where $w \in S$, and the length of this path is at most $r$ hops.

Slide 13: Configuration module

Make it simple
◦ Set r = 2
Not necessary to cover the entire social graph
◦ Power law distribution
◦ 20% of users have no connections
Maximum Coverage Problem
◦ Given a social graph G = (V, E) and a number k, choose a set of vertices of size at most k such that the number of other vertices covered by this set with coverage radius r = 2 is maximized
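As an added illustration, not code from the paper or the slides, the following implements the greedy approximation usually used for the maximum coverage problem described above, with coverage radius r = 2 as on the slide. The small directed graph, the user names, and the assumption that an edge u -> v means messages from u reach v (so a decoy friend attached to v observes a worm that infects u within r hops) are constructed for this example.

```python
from collections import deque

# Constructed example graph: edge u -> v means messages from u reach v.
# "heidi" has no connections and therefore cannot be covered by anyone.
SOCIAL_GRAPH = {
    "alice": ["bob", "carol"],
    "bob": ["dave"],
    "carol": ["dave", "erin"],
    "dave": ["frank"],
    "erin": ["frank"],
    "frank": [],
    "grace": ["alice"],
    "heidi": [],
}

def reverse_graph(graph):
    """Reverse every edge so we can walk from a candidate back to its sources."""
    rev = {v: [] for v in graph}
    for u, outs in graph.items():
        for v in outs:
            rev.setdefault(v, []).append(u)
    return rev

def covered_by(rev, w, r):
    """Vertices v with a path v -> ... -> w of at most r hops, plus w itself."""
    seen = {w}
    frontier = deque([(w, 0)])
    while frontier:
        node, depth = frontier.popleft()
        if depth == r:
            continue
        for pred in rev.get(node, []):
            if pred not in seen:
                seen.add(pred)
                frontier.append((pred, depth + 1))
    return seen

def select_decoy_hosts(graph, k, r=2):
    """Greedy maximum coverage: pick at most k users to receive decoy friends.
    Each round takes the user whose r-hop cover adds the most uncovered users;
    stops early when no candidate adds anything (e.g. only isolated users remain)."""
    rev = reverse_graph(graph)
    cover = {w: covered_by(rev, w, r) for w in graph}
    chosen, covered = [], set()
    for _ in range(k):
        best = max(graph, key=lambda w: len(cover[w] - covered))
        gain = cover[best] - covered
        if not gain:
            break
        chosen.append(best)
        covered |= gain
    return chosen, covered
```

With k = 2 the greedy pass picks "frank" (covering dave, erin, bob and carol within two hops) and then "alice", leaving only the isolated "heidi" uncovered, which mirrors the slide's point that the whole graph need not be covered.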

Slide 14: Worm detection module

Def: suspicious propagation evidence list (SPEL)
◦ {decoy friend ID, receiving time, content}
Event: receipt of any SPEL
◦ Keep it for a short period of time
◦ Step 1: Local Correlation: compare the two decoy friends (of the same user)
◦ Step 2: Network Correlation: compare all saved SPELs

Slide 15: Worm detection module

Compare SPELs
◦ If the similarity is over 90% → Alert
Similarity
◦ Edit distance of the content in the SPELs
◦ $\mathrm{sim}(E_a, E_b)$, derived from $\mathrm{editDist}(E_a, E_b)$, where $E_a$ and $E_b$ are SPELs

Slide 16: Evaluation

Slide 17: Evaluation

Flickr
◦ 1,846,198 users
◦ 22,613,981 friend links
1. Test the Koobface worm and the Mikeyy worm
2. Different worm behavior
3. Different sizes of the selected user set (with decoy friends)

Slide 18: Evaluation 1

Worm       Messages            Recipients
Koobface   Different messages  All friends
Mikeyy     Same messages       All friends

Maximum infection: 2420 (0.13%)

Slide 19: Evaluation 2

Infection number versus different percentages of friends lists

Slide 20: Evaluation 3

2937.85 (0.16%)

Slide 21: Limitation & Discussion

False positives?
◦ Outbreak of a large-scale event
◦ A posted link in a suspicious message points to a well-known website: OK
◦ Otherwise: rare case, manual checking?
Time delay
◦ Keep messages longer

Slide 22: Conclusion

A new problem: the OSN worm
Monitor a few hundred users to detect OSN worms
Effectively detects OSN worms (0.13%)