Compromised accounts in Online Social Networks (OSNs) are more favorable than sybil accounts to spammers and other malicious OSN attackers. Malicious parties exploit the wellestablished connections and trust relationships between the legitimate account owners and their friends, and efficiently distribute spam ads, phishing links, or malware, while avoiding being blocked by the service providers. Unlike dedicated spam or sybil accounts, which are created solely to serve malicious purposes, compromised accounts are originally possessed by benign users, While dedicated malicious accounts can be simply banned or removed upon detection, compromised accounts cannot be handled likewise due to potential negative impact to normal user experience (e.g., those accounts may still be actively used by their legitimate benign owners). We propose to use spam campaigns, instead of individual spam messages, as the objects for spam classification. We solve the challenge of reconstructing campaigns in real-time by adopting incremental clustering and parallelization. We identify six features that distinguish spam campaigns from legitimate message clusters in OSNs. We develop and evaluate an accurate and efficient system that can be easily deployed at the OSN server side to provide online spam filtering.
In the first module, we develop the Online Social Networking (OSN) system module. We build up the system with the feature of Online Social Networking. Where, this module is used for new user registrations and after registrations the users can login with their authentication.
Where after the existing users can send messages to privately and publicly, options are built. Users can also share post with others. The user can able to search the other user profiles and public posts. In this module users can also accept and send friend requests.
With all the basic feature of Online Social Networking System modules is build up in the initial module, to prove and evaluate our system features.
In this module, we develop the system by building social behavior features module. We categorize user social behaviors on an OSN into two classes, extroversive behaviors and introversive behaviors.
Extroversive behaviors, such as uploading photos and sending messages, result in visible imprints to one or more peer users; introversive behaviors, such as browsing other users’ profiles and searching in message inbox, however, do not produce observable effects to other users. Extroversive Behaviors directly reflect how a user interacts with its friends online, and thus they are important for characterizing a user’s social behaviors.
Although invisible to peer users, introversive behaviors make up the majority of a user’s OSN activity; as studied in previous work the dominant (i.e., over 90%) user behavior on an OSN is browsing. Through introversive activities users gather and consume social information, which helps them to form ideas and opinions, and eventually, establish social connections and initiate future social communications. Hence, introversive behavior patterns make up an essential part of a user’s online social behavioral characteristics.
In this module we develop the data collection process using the Click Streams. The clickstreams in our dataset are organized in units of “sessions”. We denote the start of a session when a user starts to visit our OSN in any window or tab of a browser; the end of a session is denoted when the user closes all windows or tabs that visit our OSN, or navigates away from our OSN in all windows or tabs of the browser. Clickstreams from concurrently opened tabs/windows are grouped into a single session, but are recorded individually (i.e., events from one window/tab are not merged with those from another window/tab).
We further process each clickstream before performing detailed measurement analysis. We detect and remove clickstreams in the “idle” periods—significantly long time intervals in which no user activity is observed, by analyzing the request timestamp and URLs. For example, users may go away from their computers while leaving their browsers running. With idle periods removed, we plot the “effective” cumulative clickstream lengths for each participating user.
We observe that the clickstream lengths follow exponential distribution. During a three-week period, the least active user only accumulates half an hour of activities. We also plot the Cumulative Distribution Function (CDF) of single session lengths across all users. It is evident that the distribution of single session length is heavy-tailed.
In this module, we first detail the formation of a user social behavioral profile using our proposed behavioral features.
Based on our OSN measurement study, we quantify OSN user behavior patterns into a set of three metrics that correspond to the social behavioral features.
The social behavior profile of an individual user can thus be built by combining the respective social behavioral metrics. Then, we describe the application of social behavior profiles in differentiating users and detecting compromised accounts.
The social behavioral profile depicts various aspects of a user’s online social behavior patterns, and it enables us to quantitatively describe the differences in distinct user social behaviors. In this module, we first describe how to compare social behavioral profiles by calculating their difference. Then, we discuss the application of social behavioral profile comparison to distinguishing different users and detecting compromised accounts. Together with the self variance, we can apply profile comparison to distinguish different users and detect compromised accounts.
Previous research on spamming account detection mostly cannot distinguish compromised accounts from sybil accounts, features compromised accounts detection. Existing approaches involve account profile analysis and message content (e.g. embedded URL analysis and message clustering. However, account profile analysis is hardly applicable for detecting compromised accounts, because their profiles are the original common users’ information which is likely to remain intact by spammers. URL blacklisting has the challenge of timely maintenance and update, and message clustering introduces significant overhead when subjected to a large number of real-time messages.
We propose to use spam campaigns, instead of individual spam messages, as the objects for spam classification.
We solve the challenge of reconstructing campaigns in real-time by adopting incremental clustering and parallelization.
We identify six features that distinguish spam campaigns from legitimate message clusters in OSNs.
We develop and evaluate an accurate and efficient system that can be easily deployed at the OSN server side to provide online spam filtering.
we first propose several social behavior features on OSNs, and describe in detail how they can reflect user social interaction differences. Then, we present a measurement study on user behavior diversity by analyzing real user clickstreams of a well known OSN, Facebook, with respect to our proposed features.
In this paper, we propose to build a social behavior profile for individual OSN users to characterize their behavioral patterns. Our approach takes into account both extroversive and introversive behaviors. Based on the characterized social behavioral profiles, we are able to distinguish a users from others, which can be easily employed for compromised account detection. Specifically, we introduce eight behavioral features to portray a user’s social behaviors, which include both its extroversive posting and introversive browsing activities.
A user’s statistical distributions of those feature values comprise its behavioral profile. While users’ behavior profiles diverge, individual user’s activities are highly likely to conform to its behavioral profile. This fact is thus employed to detect a compromised account, since impostors’ social behaviors can hardly conform to the authentic user’s behavioral profile. Our evaluation on sample Facebook users indicates that we can achieve high detection accuracy when behavioral profiles are built in a complete and accurate fashion.