FRAppE: Detecting Malicious Facebook Applications

Presentation transcript:

FRAppE: Detecting Malicious Facebook Applications. Md Sazzadur Rahman, Ting-Kai Huang, Harsha Madhyastha, Michalis Faloutsos, University of California, Riverside. In this presentation, we show that malicious Facebook apps are rampant and that some machine learning techniques with appropriate features are very effective at identifying malicious apps.

Problem Statement: Social malware is rampant on Facebook. The motivation for our work stems from the fact that social malware is rampant.

Problem Statement: MyPageKeeper can detect social malware*. It is a Facebook app, launched in June 2011, installed by 20,000 users, and it monitors 3M walls. It crawls users' wall posts and news feeds continuously, identifies malicious posts, and notifies infected users. Major enabling factor: malicious Facebook apps. *Appeared in USENIX Security, 2012.

Problem Statement: [Diagram: a post goes into MyPageKeeper and is labelled malicious or benign; an app ID goes into an unknown classifier ("?") and should be labelled malicious or benign.] How to identify malicious Facebook apps given an app ID? No commercial service or tool is available to identify malicious apps.

How malicious Facebook apps operate: Malicious hackers make posts on a compromised user's wall. Her friends see the post and click the link, which leads to the malicious app's installation page. Once installed, the app redirects users to different pages to collect the victim's personal information and to make her complete surveys so that the hackers can earn money. Once the app is installed, the hackers also get permission to post at any time on the victim's wall. So they make the same post, which appears in the news feeds of the victim's friends; thus the cycle repeats and the app spreads on Facebook.

Motivation: Malicious Facebook apps affect a large number of users. 40% of malicious apps have a median of at least 1K MAU! 60% of malicious apps get at least 100K clicks on the posted URLs! 3,800 malicious apps posted 5,700 bit.ly URLs. We query bit.ly through its API for the click-through counts of these URLs.

Contributions: Malicious Facebook apps are prevalent: 13% of the observed apps are malicious. Highlight differences between malicious and benign apps: malicious apps require fewer permissions than benign ones. Developed FRAppE to detect malicious apps: it achieves 99% accuracy with low FP and FN rates. Identify the emergence of AppNets: malicious apps collude at massive scale.

Roadmap: Profiling malicious and benign apps; FRAppE: Detecting malicious apps; Emergence of AppNets; Conclusion.

Data Collection: Data collected from MyPageKeeper, from June 2011 to March 2012. Apps with known ground truth: 6,273 malicious apps and 6,273 benign apps. Collected different stats: app summary, app permissions, posts in app profile. We collect data from MyPageKeeper, a security app for Facebook that we developed and deployed in 2011. MyPageKeeper primarily detects malicious posts on Facebook and notifies victims. Our dataset contains 111K Facebook apps. The D-Sample dataset contains apps for which we know the ground truth, that is, whether they are malicious or not. To collect sample malicious apps, we use a heuristic: if a post made by an app is flagged by MyPageKeeper as malicious, then the app is malicious. We collect the same number of benign apps to make the comparison fair. Benign apps are those that are not among the malicious apps and are also vetted by socialbaker.com, a website that collects app statistics. The D-Summary dataset contains the summaries of apps, which we collect using the Graph API; a summary includes the app description, company name, category, etc. The D-Inst dataset contains the permission set required by each app. The D-ProfiledFeed dataset contains the number of posts in each app's timeline on Facebook.

Malicious apps have incomplete summary: A popular app, FarmVille, contains information such as category, description, company, etc. A malicious app, “Profile_viewer”, contains no such information.

Malicious apps require fewer permissions: 97% of malicious apps require only one permission from users.
https://www.facebook.com/dialog/oauth?client_id=242780702516269&redirect_uri=http://apps.facebook.com/gfhyfte/&scope=publish_stream,offline_access
The app installation URL contains the list of permissions the app requires. For example, the malicious app “Profile viewez” requests two permissions: “publish stream”, which is the ability to post at any time on the user's wall, and “offline access”, which gives the ability to access the user's data at any time.
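The permission count and the redirect host can be read straight off an installation URL like the one above. The following is an added example, not code from the FRAppE authors; the FACEBOOK_DOMAINS list, the function name and the second URL are assumptions made for illustration, and the redirect host is only the input to a reputation lookup that the slides do not specify.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: domains treated as Facebook-hosted for the redirect check.
FACEBOOK_DOMAINS = ("facebook.com",)

# Install URL shown on the slide.
SLIDE_URL = ("https://www.facebook.com/dialog/oauth?client_id=242780702516269"
             "&redirect_uri=http://apps.facebook.com/gfhyfte/"
             "&scope=publish_stream,offline_access")
# Constructed URL: percent-encoded redirect to a look-alike host, no scope.
CONSTRUCTED_URL = ("https://www.facebook.com/dialog/oauth?client_id=1"
                   "&redirect_uri=http%3A%2F%2Ffacebook.com.example%2Fapp")


def install_url_features(url):
    """Return the per-app features that can be read from an install URL."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # scope is a comma-separated permission list; it may be absent or repeated.
    raw_scope = ",".join(query.get("scope", []))
    permissions = sorted({p.strip().lower()
                          for p in raw_scope.split(",") if p.strip()})
    redirect = query.get("redirect_uri", [""])[0]
    host = (urlsplit(redirect).hostname or "").lower()
    # Exact or dot-anchored suffix match, so facebook.com.example is external.
    on_facebook = any(host == d or host.endswith("." + d)
                      for d in FACEBOOK_DOMAINS)
    return {
        "app_id": query.get("client_id", [None])[0],
        "permissions": permissions,
        "permission_count": len(permissions),
        "redirect_host": host,
        "redirect_on_facebook": on_facebook,
    }


if __name__ == "__main__":
    for u in (SLIDE_URL, CONSTRUCTED_URL):
        print(install_url_features(u))
```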

Malicious apps often share app names: 6,273 malicious apps have 1,019 unique names. 627 app IDs have the name ‘The App’. 470 app IDs have the name ‘Pr0file Watcher’. 6,273 benign apps have 6,019 unique names. We computed the similarity threshold using the normalized Damerau-Levenshtein edit distance.

Malicious apps post external links often: 80% of benign apps do not post any external link. 40% of malicious apps have one external link per post. Some posts may contain multiple URLs, which is why the ratio is > 1 in some cases.

FRAppE – Facebook’s Rigorous App Evaluator.
FRAppE Lite: Based on a Support Vector Machine. Uses features crawled on demand: number of permissions required by an app; domain reputation of the redirect URI. Can be used on the user side.
FRAppE: Adds two aggregation-based features: similarity of app names; whether posted links are external. Can be used only on the OSN side.
[Diagram: FRAppE Lite and FRAppE each take an app ID and output malicious or benign.]
Features are obtained from either the Open Graph API or an instrumented browser.

FRAppE Lite and FRAppE are accurate: Used cross-validation on the known ground-truth dataset.
FRAppE Lite: accuracy 99%, false positives 0.1%, false negatives 4.4%
FRAppE: accuracy 99.5%, false positives 0%, false negatives 4.1%

Detecting more malicious apps with FRAppE: 100K more apps for which we lack ground truth. Train FRAppE with 12K apps and test on 100K apps. 8,144 apps flagged by FRAppE. 98.5% validated using complementary techniques.
Criteria: # of apps validated (cumulative, where given)
Deleted from Facebook graph: 81%
App name similarity: 74% (cumulative 97%)
Post similarity: 20%
Typo squatting of popular apps: 0.1%
Manual validation: 1.8% (cumulative 98.5%)
We applied FRAppE on 100K apps for which we don’t know the ground truth.

FRAppE is Robust: Some features are not robust: app summary (description, category, company, etc.); number of posts in profile. Robust features: number of permissions required by the app; reputation of the domain the app redirects to. FRAppE is accurate even with only robust features: 98.2% accuracy with 0.4% FP and 3.2% FN.

Cross promotion is rampant for malicious apps: Direct cross promotion. App cross-promotion is forbidden according to Facebook platform policy; however, it is rampant among malicious apps. The malicious app “Which cartoon character are you” posts links on victims' walls; when a link is clicked, it redirects to the installation page of another malicious app.

Highly sophisticated fast-flux-like cross promotion: External website with a redirector JavaScript. We identified 103 URLs pointing to such redirectors. When the malicious URL in the post is clicked, it redirects the user to a JavaScript redirector controlled by the malicious hacker, which randomly takes users to different malicious app installation pages.

AppNets form large and dense groups: [Figure: collaborative graph of promoter and promotee apps; real snapshot of 770 highly collaborating apps.] High connectivity: 70% of apps collude with more than 10 other apps. High density: 25% of apps have a local clustering coefficient of more than 0.74. 44 connected components; the size of the largest connected component is 3,484. We call the collaborative graph an AppNet. It shows high collusion and high density.

App Piggybacking: Popular apps abused for spreading malicious posts.
Popular app: malicious post by the app; malicious link in the post
Farm Ville: WOW I just got 5000 Facebook Credits for Free; http://offers5000credit.blogspot.com
Facebook for iPhone: NFL Playoffs Are Coming! Show Your Team Support!; http://SportsJerseyFever.com/NFL
Mobile: WOW! I Just Got a Recharge of Rs 500.; http://ffreerechargeindia.blogspot.com/
In our dataset, we found that popular apps have posted malicious links. How?

Facebook API Exploitation:
https://www.facebook.com/dialog/feed?app_id=175473612514557&link=https://developers.facebook.com/docs/reference/dialogs/&picture=http://fbrell.com/f8.jpg&name=Facebook%20Dialogs&caption=Reference%20Documentation&description=Using%20Dialogs%20to%20interact%20with%20users.&redirect_uri=http://www.example.com/response
The Facebook Dialog API is being exploited: when the user clicks share, the post appears as if it were posted by the app “Mobile”. So, if Facebook maintains a whitelist of apps (any post made by these apps is benign), this malicious post will evade their system.

Conclusion: Malicious Facebook apps are rampant: 40% of malicious apps have a median of at least 1000 MAU. Highlight differences between malicious and benign apps: malicious apps require fewer permissions than benign ones. FRAppE can detect malicious apps accurately: 99% accuracy with low FP and FN. AppNets form large and densely connected groups: 70% of apps collude with more than 10 other apps.

Thank you! Questions? http://mypagekeeper.org