
Profiling Online Social Behaviors for Compromised Account Detection
Abstract
Introduction
Compromised accounts in Online Social Networks (OSNs) are more favorable than sybil accounts to spammers and other malicious OSN attackers. Malicious parties exploit the well-established connections and trust relationships between the legitimate account owners and their friends to efficiently distribute spam ads, phishing links, or malware while avoiding being blocked by the service providers. Offline analyses of tweets and Facebook posts [10], [12] reveal that most spam is distributed via compromised accounts rather than dedicated spam accounts.
Recent large-scale account hacking incidents [1], [2] in popular OSNs provide further evidence of this trend. Unlike dedicated spam or sybil accounts, which are created solely to serve malicious purposes, compromised accounts originally belong to benign users. While dedicated malicious accounts can simply be banned or removed upon detection, compromised accounts cannot be handled likewise because of the potential negative impact on normal user experience (e.g., those accounts may still be actively used by their legitimate benign owners). Major OSNs today employ IP geolocation logging to battle against account compromise.
However, this approach is known to suffer from low detection granularity and a high false positive rate. Previous research on spamming account detection mostly cannot distinguish compromised accounts from sybil accounts; only one recent study, by Egele et al., addresses compromised account detection. Existing approaches involve account profile analysis and message content analysis (e.g., embedded URL analysis and message clustering). However, account profile analysis is hardly applicable to detecting compromised accounts, because their profiles contain the original users’ information, which spammers are likely to leave intact. URL blacklisting faces the challenge of timely maintenance and updates, and message clustering introduces significant overhead when subjected to a large number of real-time messages. Instead of analyzing user profile contents or message contents, we seek to uncover the behavioral anomalies of compromised accounts by using their legitimate owners’ historical social activity patterns, which can be observed in a lightweight manner.
To better serve users’ various social communication needs, OSNs provide a great variety of online features for their users to engage in, such as building connections, sending messages, uploading photos, and browsing friends’ latest updates. However, how a user engages in each activity is driven entirely by personal interests and social habits. As a result, the interaction patterns with a number of OSN activities tend to diverge across a large set of users. While a user tends to conform to his or her own social patterns, a hacker of the user’s account who knows little about the user’s behavioral habits is likely to diverge from those patterns. Therefore, as long as an authentic user’s social patterns are recorded, checking the compliance of the account’s subsequent behaviors with the authentic patterns can detect account compromise. Even if a user’s credentials are hacked, a malicious party cannot easily obtain the user’s social behavior patterns without control of the physical machines or the clickstreams. Moreover, a spammer has very different social interests from those of regular users (e.g., mass spam distribution vs. entertaining with friends), so it is very costly for the spammer to mimic each individual user’s social interaction patterns, as doing so would significantly reduce spamming efficiency.
In light of the above intuition and reasoning, we first conduct a study of online user social behaviors by collecting and analyzing user clickstreams of a well-known OSN website. Based on our observations of user interaction with different OSN services, we propose several new behavioral features that can effectively quantify user differences in online social activities. For each behavioral feature, we derive a behavioral metric by obtaining a statistical distribution of the value ranges observed in each user’s clickstreams. Moreover, we combine the respective behavioral metrics of each user into a social behavioral profile, which represents that user’s social behavior patterns. To validate the effectiveness of the social behavioral profile in detecting account activity anomalies, we apply the social behavioral profile of each user to differentiate the clickstreams of that user from those of all other users. We conduct multiple cross-validation experiments, each with a varying amount of input data for building social behavioral profiles. Our evaluation results show that the social behavioral profile can effectively differentiate individual OSN users with accuracy up to 98.6%, and that the more active a user is, the more accurate the detection.
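
A minimal sketch of the profiling pipeline described above, added here as an illustration and not the authors' implementation. The three features, the duration buckets, the Euclidean distance, and the 0.5 threshold are assumptions, and the clickstream sessions are constructed sample data.

```python
import math
from collections import Counter

def duration_bucket(seconds):
    # Assumed value ranges for a hypothetical visit-duration feature.
    for limit, label in ((60, "<1m"), (600, "1-10m"), (3600, "10-60m")):
        if seconds < limit:
            return label
    return ">=60m"

# Hypothetical features: each maps one session to the values it contributes.
FEATURES = {
    "activity": lambda s: s["actions"],
    "first_action": lambda s: s["actions"][:1],
    "duration": lambda s: [duration_bucket(s["seconds"])],
}

def metric(sessions, extract):
    """Behavioral metric: normalized distribution of a feature's observed values."""
    counts = Counter(v for s in sessions for v in extract(s))
    total = sum(counts.values())
    return {k: c / total for k, c in counts.items()} if total else {}

def build_profile(sessions):
    """Social behavioral profile: one behavioral metric per feature."""
    return {name: metric(sessions, fn) for name, fn in FEATURES.items()}

def distance(p, q):
    """Euclidean distance between two distributions (assumed measure)."""
    return math.sqrt(sum((p.get(k, 0.0) - q.get(k, 0.0)) ** 2 for k in set(p) | set(q)))

def profile_distance(a, b):
    """Mean per-feature distance; 0 means identical observed behavior."""
    return sum(distance(a[f], b[f]) for f in FEATURES) / len(FEATURES)

def is_anomalous(profile, new_sessions, threshold=0.5):
    # threshold is an assumed value; in practice it is tuned per deployment.
    return profile_distance(profile, build_profile(new_sessions)) > threshold

# Constructed sample clickstreams (not real data).
OWNER_HISTORY = [
    {"actions": ["browse_feed", "view_photo", "comment"], "seconds": 420},
    {"actions": ["browse_feed", "view_photo", "view_photo", "like"], "seconds": 900},
    {"actions": ["browse_feed", "comment", "view_photo"], "seconds": 300},
]
OWNER_NEW = [{"actions": ["browse_feed", "view_photo", "like", "comment"], "seconds": 500}]
SUSPECT_NEW = [{"actions": ["send_message"] * 12 + ["post_link"] * 8, "seconds": 45}]
```

With the sample data, the owner's new session stays within the threshold of the stored profile, while the burst of messaging and link posting in a sub-minute session exceeds it on every feature.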