SocialFilter:Introducing Social Trust to

Collaborative Spam Mitigation

Michael Sirivianos Telefonica Research

Joint work withKyungbaek Kim (UC Irvine) and Xiaowei Yang (Duke)

Motivation

Spam is becoming increasingly sophisticated Millions of malicious email senders (bots)

Impossible to filter when relying on a small number

of spam detectors

Email reputation systems

To cope, we deployed distributed email blacklisting/

reputation infrastructures with multiple detectors They rely on the fact that each bot sends spam

to multiple receivers

Blocked

Email reputation systems

Spam detector A

Spammer report :

S is spammer

Spam SMTP request

Spammer host S

Report repository

Email server

Spammer report :

S is spammer

Spam SMTP request

Email reputation systems

But they have a limited number of spam detectors A few thousand Partly so they can manually assess the

trustworthiness of their spammer reports

And most are proprietary

Collaborative spam mitigation

Open, large scale, peer-to-peer systems

Can use millions of spam detecting email servers

who share their experiences with email servers that

cannot classify spam fast enough, or at all

Collaborative spam mitigation

SpamWatch/ADOLR & ALPACAS use a DHT

repository of spam reports do not assess how trustworthy the spammer

reports of peers are

Repuscore uses a centralized repository It does compute the reputation of spam

reporters, but assigns low trustworthiness to

lying peers only if they themselves send spam

Collusion

Email server A

Spammer report :

S is spammer

Spammer host S

Report repository

Email server B

Spammer report :S is NOT spammer

Spam SMTP request

Spammer report :S is NOT spammer

Email server C

Sybil attack

Email server A

Spammer report :

S is spammer

Spammer host S

Report repository

Email server

Spammer report :S is NOT spammer

Spam SMTP request

Sybil email serverSybil email serverSybil email serverSybil email server

Sybil email serverSybil email server

Spammer report :S is NOT spammer

Introducing the Social Network

Admins of email servers join social networks we can associate a SocialFilter node with an OSN

identity

Why Social Trust?

It requires effort to built up social relationships The social graph can be used to defeat Sybils

Online Social Networks (OSN) help users to

organize and manage their social contacts Easy to augment the OSN UI, with features

that allow users to declare who they trust and

and by how much

Our Objective

An email server that encounters a host can query

SocialFilter (SF) for the belief in the host

being spammer

It should be difficult for spammers to make

their SMTP connections appear legitimate

It should be difficult for spammers to make

legitimate SMTP connections appear spamming

Spammer belief is a value in [0,1] and it has a

Bayesian interpretation: a host with 0% spammer belief is very unlikely to be a spammer, whereas a host with 100% spammer belief is very likely to be one.

Design Overview

SocialFilter nodes submit spammer reports to

the centralized repository spammer reports include host IP and confidence

Submitted spammer reports are weighted by

the product of two trust values computed by the

repository and concerning the SocialFilter nodes Reporter Trust Identity Uniqueness

Reporter Trust (RT)

To deal with colluders Trust graph in which the edges reflect

similarity of spammer reports between

friend nodes

Similarity initialized with user-defined trust

Maximum trust path from a pre-trusted node

to all other nodes. Costs O(|E| log | V |)

Belief in a node’s reports being trustworthy

Identity Uniqueness (IU)

To deal with Sybil colluders SybilLimit [S&P 09] over the social graph of

admins

SybilLimit relies on a special type of random

walks (random routes) and the Birthday Paradox

Costs O(|V|√|E| log|V|)

Belief in a node not being Sybil

How SocialFilter works

How SocialFilter works

How SocialFilter works

How SocialFilter works

How SocialFilter Works

i confidencei RTi IUi

Spammer belief =

i RTi IUi

How SocialFilter Works

Outline

Motivation

Design

Evaluation

Conclusion

Evaluation

How does SocialFilter compare to Ostra [NSDI 08]?

Ostra annotates social links with credit-balances

and bounds

An email can be sent if the balance in the links

of the social path connecting sender and

destination does not exceed the bounds

How important is Identity Uniqueness?

Does SocialFilter block spam effectively?

In SF, a spam detection event can reach all nodes In Ostra it affects only nodes that receive the spam

over the social link of the detector

50K-user real Facebook social graph sample

Each FB user corresponds to a SF email server

Honest nodes send 3 emails per day

Spammers send 500 emails per day to random hosts

Spammers report each other as legitimate

10% of honest nodes can instantly classify spam

If a host has > 50% belief of being spammer,

his emails are blocked

Does SocialFilter block legitimate email?

SF does not block legitimate email connections In Ostra, spammer and legitimate senders may

share blocked social links towards the destinations

Is Identity Uniqueness needed?

w/o Identity Uniqueness Sybils are a lot more harmful

0.5% spammers 10% of Sybils sends spam Sybils report that spammers are legitimate Sybils report legitimate as spammers

Conclusion

Introduced social trust to assess spammer reports

in collaborative spam mitigation An alternative use of the social network for

spam mitigation

Instead of using it for rate-limiting spam

over social links, employ it to assign trust

values to spam reporters

Yields comparable spam blocking effectiveness

Yields no false positives in the absence of reports

that incriminate legitimate senders

Thank You!

Source and datasets at:http://www.cs.duke.edu/nds/wiki/socialfilter

Questions?Questions?