1. Itus: Behavior-based Spamming Groups.Detection on g
Meng-Jia Yan
Meng-Jia Yan

2. Outline Introduction Background Design of Itus Implementation
Experimental Result
Related Work
Conclusion 2

3. Introduction 3

4. Spam Floods Facebook
Facebook is the largest online social network, and its total number of daily active users is more than 802 million in March [1]
Unfortunately, attackers are also expanding their territory to Facebook to propagate spam.
One of the popular ways to propagate spam on Facebook is using Groups.
[1] Facebook Newsroom. Company Info. 4

5. Facebook Terminology The Group’s Wall Post
allows members to post content such as links, media, events, and comments on these items. When someone produced a new post on the wall, all members in Groups will receive the notifications by default.
Post
represents the basic unit of information shared by a poster on Facebook. A member can leave a literal or image message on the Group’s wall if he obtains the permission. 5

6. Spamming Group Wall Example
A post on the wall
購物社團有6千多個成員
貼文是圖片型式
按讚的人非常的少 6

7. Facebook Terminology Like button Invitation Mechanism of Group
is a social networking feature on Facebook, allowing users to express their appreciation of content such as status updates, comments, and photos. If a post is interesting, the post will get a lot of “like” from members.
Invitation Mechanism of Group
volunteers
invitees 7

8. Spamming Group Post Example
Poster ←
Image post ←
Liker ← 8

9. Abuse of Invitation Mechanism
Group members can share content (e.g., literal message, links, and image) on Group’s Wall, and invite their friends to join the Group without invitees’ permission.
Using fake or compromised accounts, attackers can spread invitation to all friends
Not only the compromised account, but also all his friends become the victims. 9

10. User Experience on Facebook
The questionnaire analysis [2] shows that the rate of people who joined Group, invited by their friends is around 98.6%.
Around 77.8% of users believe their friends were hacked when their friends invited them to a spamming Group.
One-third of them would lose the confidence on their friends, even deleted these friends from their friend lists.
[2] Ya-Shan You. A Study on Facebook for Spamming Group Detection. August, 2013 10

11. User Experience on Facebook
[2] Ya-Shan You. A Study on Facebook for Spamming Group Detection. August, 2013 11

12. Motivation
The victims receive notifications by default when any member posts messages on the Groups’ wall, even though they have not visited these Groups.
The number of Groups which a Facebook user can join is limited to 6,000. 12

13. Motivation
These posts from spamming Groups are not only annoying, but also possibly damaging.
Using social engineering techniques, the malicious posts attempt to sell clothes, electronics, animals, and illegal pharmaceuticals at discounted prices [3].
ROC’s Criminal Investigation Bureau received 112 fraud cases on Facebook Group from Jan. to Feb. in 2014, and the highest payment is about $1,200 [4].
[3] CIB. Fraud uncovered on Facebook Group.
[4] CIB. Fraud on Facebook Group increased. 13

14. Facebook Report Mechanism
The Facebook report mechanism cannot effectively detect spamming Groups
It still relies on users to report abnormal Groups when they encounter some harassed spam [5].
Many active spamming Groups (332/346) still survived for five months (2013/12~2014/4) at least.
大多數的購物社團存活超過五個月以上，
P.S 蒐集的346個惡意的社團中有14個是掛掉的（在蒐集的過程中，我們有要求那些人不要向Facebook回報）
[5] Facebook. What is Facebook doing to protect me from spam? 14

15. Email Spam vs. Facebook Spam
Defenses against spam are insufficient for identifying Facebook spam.
A low overlap (10%) between the keywords associated with spam and those they found on Facebook. [7]
[7] Md Sazzadur Rahman, Ting-Kai Huang, Harsha V. Madhyastha, Michalis Faloutsos. Efficient and Scalable Socware Detection in Online Social Networks. USENIX Security Symposium, 2012. 15

16. Background 16

17. Observed Characteristics of Spamming Groups
Each Spamming Group has a large number of members.
Members’ posting permissions are limited.
Posts on spamming Groups are usually accompanied with an image.
Normal users seldom volunteer to join the spamming Groups.
Only few members actually participate in Groups activities. 17

18. OAuth 2.0 Protocol Go to the app Authorization request Facebook User
Authorization grant
Grant & app secret Key
Access token
Protected resource
Third-party
Application
Facebook User
(Resource Owner)
Authorization Server
Facebook
(Resource Server) 18

19. Flow Chart of Itus

20. Feature Description The number of members The number of image posts
The number of distinct posters
The number of distinct likers
The number of invitees
Member score - Accumulated score of all members
Liker score - Accumulated score of all likers
Feature Set 1
(FS1)
Feature Set 2
(FS2)

21. Feature Description
The number of members

22. Feature Description The number of image posts
The number of distinct posters
The number of distinct likers
The number of invitees
Member score - Accumulated score of all members
Liker score - Accumulated score of all likers

23. Feature Description Distinct posters: Alice and Jessica Post 1
The number of distinct posters
Post 1
Distinct posters: Alice and Jessica
Poster: Alice
Liker: Alice, Bob
Post 2
Poster: Jessica
Liker: Bob
Post 3
Poster: Jessica
Liker: Bob

24. Feature Description Distinct likers: Alice and Bob Post 1
The number of distinct likers
Post 1
Distinct likers: Alice and Bob
Poster: Alice
Liker: Alice, Bob
Post 2
Poster: Jessica
Liker: Bob
Post 3
Poster: Jessica
Liker: Bob

25. Feature Description The number of members The number of image posts
The number of distinct posters
The number of distinct likers
The number of invitees
Member score - Accumulated score of all members
Liker score - Accumulated score of all likers
Feature Set 1
(FS1)
Feature Set 2
(FS2)
set 2最下面這幾個feature必須額外取得社團成員的族譜才能計算

26. Find Genealogical Chart
Invitation Record
Alice
Group Genealogical Chart
1. Admin: Alice
2. Bob added by Alice.
3. Jessica added by Alice.
4. John joined.
Bob
Jessica
John
根據社團成員的邀請紀錄，可以分析出社團的族譜
從邀請紀錄中，可以知道是Alice是管理員，
他分別邀請了Bob和Jessica加入社團，而John是自己自願加入社團

27. Group Genealogical Chart
這邊是一個比較複雜的族譜，
下面那一類是自願加入的Volunteers
那我們由最上層開始看，管理員是根節點，管理員邀請了底下的成員 A,B,C,D, 而A又邀請了兩位成員 E,F, E又邀請了三位成員 I,J,K
根據邀請的關係 我們將這些人放在不同的level，而在不同level下的成員也會有不同的weight
Volunteers是最傾向於normal user的人，在這個case中，會被歸類在leverl 5的位置
For all levels, n, the weight of each level is wi and the number of members is mi, where 1≤𝑖 ≤𝑛. The member score is 𝑛 𝑖=1 𝑚 𝑖 × 𝑤 𝑖 𝑛 𝑖=1 𝑚 𝑖 .

28. Implementation Environment Setup
Register a Facebook App to get ID and Secret used for developer authentication.
Request user_Groups permission to support our works
Query
Response
/{user-id}/groups
The Facebook Groups that a person is a member of.
/{group-id}
The information of this Group, such as id, name and description.
{group-id}/feed
The feed of posts (including status updates) and links published to this Group.

29. Request user_Groups from a User
<script>
FB.getLoginStatus(function(response) {
if (response.status == 'connected') {
console.log('Logged in.'); }
else {
FB.login();
});
FB.login(function(){}, {scope: 'user_Groups'});
</script>

30. Collect Group Information of a User
<script>
FB.api(
"/me/groups",
function (response) {
if (response && !response.error) {
/* handle the result */ } );
</script>

31. Group Member List Document (Web Page)
URL: id}&edge=groups%3Amembers, which {group-id} can be replaced by any Group’s ID
Content:

32. Auxiliary Crawling Program (ACP)
The features (i.e, abuse of invitation, member score, and liker score) which Facebook does not provide due to the privacy concern need to be extracted manually.
We wrote a program called ACP to collect the above features from a Group member list document.

33. Functionality of ACP A Google Chrome Extension For each Group
analyze the document (i.e., Group member list page)
collect the list of members in the Group
find each member’s level in a genealogical chart

34. Results of ACP

35. Classifier Use a support vector machine (SVM)
LibSVM [15]　is an efficient solver for SVM classification.
Given labeled training data (supervised learning), when new data come, the algorithm can predict which set they should belong to.
[15] LibSVM

36. Classifier Unlabeled Group samples SVM model normal spamming
Training
spamming
SVM是將有一群已知的Group samples，一部分是正常的社團，一部分是惡意的社團，
(click)經過Training後歸類成SVM model
(click)現在如果把未知的Group sample
(click)放進Model中，
(click)就能預測出這些Group的特徵分類為Spamming或是normal group
Spamming
Normal
Labeled Group Samples
SVM model

37. Experimental Results Dataset
The Spamming Groups are collected from National Central University students (about 100 students) over a three-month period from December, 2013 to February, 2014.
Dataset
Model Evaluation
System Evaluation
Total
Normal
100
104
204
Spamming
232
346-14(dead)

38. Performance Real-time detection The average time
API response time: 100~200ms [16]
Training phase: 691ns
Extracting features of a Group: 0.186s
CPU
Intel(R) core(TM) 3.00GHz
RAM 8G OS
Windows 7 x64
在效能的部分，如果一個user擁有100個group，大概需要20秒的時間
[16] Facebook. Platform Status.

39. Accuracy False positive rate False negative rate
the number of instances incorrectly classified as spamming Groups the total number of normal instances
False negative rate
the number of instances incorrectly classified as normal Groups the total number of spamming instances

40. The total error rate of FS2 is less than FS1
Accuracy
The total error rate of FS2 is less than FS1
set 2的準確率較高，多加的那三個必須另外取得的feature確實能幫助我們偵測購物社團

41. False Negative Analysis
The spamming Groups classified into normal Groups usually have a good reputation.
Few members (2/7)
Open advertising (3/7)
Physical store (2/7)

42. False Positive Analysis
Our mechanism misjudges four normal Groups because:
Most posts of the normal Group were image type and the number of posts is too few to be properly effective for detection. (1/4)
The normal Groups have a large number of members but low social activity. (3/4)

43. Related Work
[6] TonyQ. Facebook Advertisement Checker.

44. Related Work Text filtering mechanism
Group’s name, description and posts

45. Related Work
Image recognization
Google Images Search

46. Related Work
Image recognization
Spamming post example

47. Limitations and Future work
Cooperate with Facebook, accessing these sensitive data which had become anonymous
Explore other useful features
Integrate the information about members of every Group to find whether a member had been hacked and used to invite friend to join spamming Groups.

48. Conclusion Facebook Groups have been abused by spammers.
Experimental results showed that Itus could effectively detect spamming Groups with a low error rate 3.27%
At last, we will report these spamming Groups to Facebook to prevent more users from being harassed by these Groups.

49. Demo