1. Meng-Jia Yan Itus: A Generic Feature-based Detection for Facebook Spamming Groups Meng-Jia Yan Presenter: Fu-Hau Hsu National Central University R.O.C. (Taiwan)

2. Outline Introduction Background Design of Itus Implementation Experimental Result Related Work Conclusion 2

3. Introduction 3

4. Spam Floods Facebook Facebook is the largest online social network, and its total number of daily active users is more than 802 million in March 2014. [1] Unfortunately, attackers are also expanding their territory to Facebook to propagate spam. Groups – One of the popular ways to propagate spam on Facebook is using Groups. 4 [1] Facebook Newsroom. Company Info. http://newsroom.fb.com/company-info/http://newsroom.fb.com/company-info/

5. Facebook Terminology The Group’s Wall – allows members to post content such as links, media, events, and comments on these items. When someone produced a new post on the wall, all members in Groups will receive the notifications by default. Post – represents the basic unit of information shared by a poster on Facebook. A member can leave a literal or image message on the Group’s wall if he obtains the permission. 5

6. 6 Spamming Group Wall Example A post on the wall

7. Facebook Terminology Like button – is a social networking feature on Facebook, allowing users to express their appreciation of content such as status updates, comments, and photos. If a post is interesting, the post will get a lot of “like” from members. Invitation Mechanism of Group – volunteers – invitees 7

8. 8 Spamming Group Post Example Poster ← Liker ← Image post ←

9. Abuse of Invitation Mechanism Group members can share content (e.g., literal message, links, and image) on Group’s Wall, and invite their friends to join the Group without invitees’ permission. Using fake or compromised accounts, attackers can spread invitation to all friends – Not only the compromised account, but also all his friends become the victims. 9

10. User Experience on Facebook The questionnaire analysis [2] shows that the rate of people who joined Group, invited by their friends is around 98.6%. – Around 77.8% of users believe their friends were hacked when their friends invited them to a spamming Group. – One-third of them would lose the confidence on their friends, even deleted these friends from their friend lists. 10 [2] Ya-Shan You. A Study on Facebook for Spamming Group Detection. August, 2013 10

11. User Experience on Facebook 11 [2] Ya-Shan You. A Study on Facebook for Spamming Group Detection. August, 2013 11

12. Motivation The victims receive notifications by default when any member posts messages on the Groups’ wall, even though they have not visited these Groups. The number of Groups which a Facebook user can join is limited to 6,000. 12

13. Motivation These posts from spamming Groups are not only annoying, but also possibly damaging. – Using social engineering techniques, the malicious posts attempt to sell clothes, electronics, animals, and illegal pharmaceuticals at discounted prices [3]. – ROC’s Criminal Investigation Bureau received 112 fraud cases on Facebook Group from Jan. to Feb. in 2014, and the highest payment is about $1,200 [4]. 13 [3] CIB. Fraud uncovered on Facebook Group. http://goo.gl/fTLE9Hhttp://goo.gl/fTLE9H [4] CIB. Fraud on Facebook Group increased. http://goo.gl/cBiUfXhttp://goo.gl/cBiUfX

14. Facebook Report Mechanism The Facebook report mechanism cannot effectively detect spamming Groups – It still relies on users to report abnormal Groups when they encounter some harassed spam [5]. – Many active spamming Groups (332/346) still survived for five months (2013/12 ~ 2014/4) at least. 14 [5] Facebook. What is Facebook doing to protect me from spam? http://goo.gl/SZshWPhttp://goo.gl/SZshWP

15. Email Spam vs. Facebook Spam Defenses against email spam are insufficient for identifying Facebook spam. – A low overlap (10%) between the keywords associated with email spam and those they found on Facebook. [7] 15 [7] Md Sazzadur Rahman, Ting-Kai Huang, Harsha V. Madhyastha, Michalis Faloutsos. Efficient and Scalable Socware Detection in Online Social Networks. USENIX Security Symposium, 2012.

16. Background 16

17. Observed Characteristics of Spamming Groups Each Spamming Group has a large number of members. Members’ posting permissions are limited. Posts on spamming Groups are usually accompanied with an image. Normal users seldom volunteer to join the spamming Groups. Only few members actually participate in Groups activities. 17

18. 18 OAuth 2. 0 Protocol Third-party Application Third-party Application Facebook User (Resource Owner) Facebook User (Resource Owner) Authorization Server Facebook (Resource Server) Facebook (Resource Server) 1.Go to the app 2.Authorization request 3. Authorization grant 4.Grant & app secret Key 5.Access token 6.Access token 7.Protected resource

19. 19 Flow Chart of Itus

20. 20 Feature Description The number of members The number of image posts The number of distinct posters The number of distinct likers The number of invitees Member score - Accumulated score of all members Liker score - Accumulated score of all likers Feature Set 2 (FS 2 ) Feature Set 1 (FS 1 )

21. 21 Feature Description The number of members

22. 22 Feature Description The number of image posts The number of distinct posters The number of distinct likers The number of invitees Member score - Accumulated score of all members Liker score - Accumulated score of all likers

23. 23 Feature Description The number of distinct posters Poster: Alice Liker: Alice, Bob Post 1 Poster: Jessica Liker: Bob Post 2 Poster: Jessica Liker: Bob Post 3 Distinct posters: Alice and Jessica

24. 24 Feature Description The number of distinct likers Poster: Alice Liker: Alice, Bob Post 1 Poster: Jessica Liker: Bob Post 2 Poster: Jessica Liker: Bob Post 3 Distinct likers: Alice and Bob

25. 25 Feature Description The number of members The number of image posts The number of distinct posters The number of distinct likers The number of invitees Member score - Accumulated score of all members Liker score - Accumulated score of all likers Feature Set 2 (FS 2 ) Feature Set 1 (FS 1 )

26. 26 Find Genealogical Chart 1. Admin: Alice 2. Bob added by Alice. 3. Jessica added by Alice. 4. John joined. Invitation Record Bob Jessica John Alice Group Genealogical Chart

27. 27 Group Genealogical Chart

28. 28 Auxiliary Crawling Program (ACP) ٥The features (i.e, abuse of invitation, member score, and liker score) which Facebook does not provide due to the privacy concern need to be extracted manually. ٥We wrote a program called ACP to collect the above features from a Group member list document.

29. 29 Functionality of ACP ٥A Google Chrome Extension ٥For each Group ٥analyze the document (i.e., Group member list page) ٥collect the list of members in the Group ٥find each member’s level in a genealogical chart

30. 30 Results of ACP

31. 31 Classifier ٥Use a support vector machine (SVM) ٥ LibSVM [15] is an efficient solver for SVM classification. ٥Given labeled training data (supervised learning), when new data come, the algorithm can predict which set they should belong to. [15] LibSVM http://www.csie.ntu.edu.tw/~cjlin/libsvm/http://www.csie.ntu.edu.tw/~cjlin/libsvm/

32. Labeled Group Samples Training SVM model 32 SpammingNormal Unlabeled Group samples Classifier SVM model normal spamming

33. Experimental Results Dataset –The Spamming Groups are collected from National Central University students (about 100 students) over a three-month period from December, 2013 to February, 2014. DatasetModel EvaluationSystem EvaluationTotal Normal 100104204 Spamming100232346-14(dead) 33

34. Performance Real-time detection The average time –API response time: 100~200ms [16] –Training phase: 691ns –Extracting features of a Group: 0.186s CPUIntel(R) core(TM) i5-4430 @ 3.00GHz RAM8G OSWindows 7 x64 34 [16] Facebook. Platform Status. https://developers.facebook.com/status/https://developers.facebook.com/status/

35. Accuracy 35

36. Accuracy 36 The total error rate of FS 2 is less than FS 1

37. False Negative Analysis The spamming Groups classified into normal Groups usually have a good reputation. –Few members (2/7) –Open advertising (3/7) –Physical store (2/7) 37

38. False Positive Analysis Our mechanism misjudges four normal Groups because: –Most posts of the normal Group were image type and the number of posts is too few to be properly effective for detection. (1/4) –The normal Groups have a large number of members but low social activity. (3/4) 38

39. Related Work [6] TonyQ. Facebook Advertisement Checker. http://spamGroup.tonyq.org/ http://spamGroup.tonyq.org/ 39

40. Related Work Text filtering mechanism –Group’s name, description and posts 40

41. Related Work Image recognization –Google Images Search 41

42. Related Work Image recognization Spamming post example 42

43. Limitations and Future work Cooperate with Facebook, accessing these sensitive data which had become anonymous Explore other useful features Integrate the information about members of every Group to find whether a member had been hacked and used to invite friend to join spamming Groups. 43

44. Conclusion Facebook Groups have been abused by spammers. Experimental results showed that Itus could effectively detect spamming Groups with a low error rate 3.27% At last, we will report these spamming Groups to Facebook to prevent more users from being harassed by these Groups. 44