socialfilter: introducing social trust to collaborative spam mitigation michael sirivianos...
TRANSCRIPT
SocialFilter:Introducing Social Trust to
Collaborative Spam Mitigation
Michael Sirivianos Telefonica Research
Joint work withKyungbaek Kim (UC Irvine) and Xiaowei Yang (Duke)
Motivation
Spam is becoming increasingly sophisticated Millions of malicious email senders (bots)
Impossible to filter when relying on a small number
of spam detectors
Email reputation systems
To cope, we deployed distributed email blacklisting/
reputation infrastructures with multiple detectors They rely on the fact that each bot sends spam
to multiple receivers
Blocked
Email reputation systems
Spam detector A
Spammer report :
S is spammer
Spam SMTP request
Spammer host S
Report repository
Email server
Spammer report :
S is spammer
Spam SMTP request
Email reputation systems
But they have a limited number of spam detectors A few thousand Partly so they can manually assess the
trustworthiness of their spammer reports
And most are proprietary
Collaborative spam mitigation
Open, large scale, peer-to-peer systems
Can use millions of spam detecting email servers
who share their experiences with email servers that
cannot classify spam fast enough, or at all
Collaborative spam mitigation
SpamWatch/ADOLR & ALPACAS use a DHT
repository of spam reports do not assess how trustworthy the spammer
reports of peers are
Repuscore uses a centralized repository It does compute the reputation of spam
reporters, but assigns low trustworthiness to
lying peers only if they themselves send spam
Collusion
Email server A
Spammer report :
S is spammer
Spammer host S
Report repository
Email server B
Spammer report :S is NOT spammer
Spam SMTP request
Spammer report :S is NOT spammer
Email server C
Sybil attack
Email server A
Spammer report :
S is spammer
Spammer host S
Report repository
Email server
Spammer report :S is NOT spammer
Spam SMTP request
Sybil email serverSybil email serverSybil email serverSybil email server
Sybil email serverSybil email server
Spammer report :S is NOT spammer
Introducing the Social Network
Admins of email servers join social networks we can associate a SocialFilter node with an OSN
identity
Why Social Trust?
It requires effort to built up social relationships The social graph can be used to defeat Sybils
Online Social Networks (OSN) help users to
organize and manage their social contacts Easy to augment the OSN UI, with features
that allow users to declare who they trust and
and by how much
Our Objective
An email server that encounters a host can query
SocialFilter (SF) for the belief in the host
being spammer
It should be difficult for spammers to make
their SMTP connections appear legitimate
It should be difficult for spammers to make
legitimate SMTP connections appear spamming
Spammer belief is a value in [0,1] and it has a
Bayesian interpretation: a host with 0% spammer belief is very unlikely to be a spammer, whereas a host with 100% spammer belief is very likely to be one.
Design Overview
SocialFilter nodes submit spammer reports to
the centralized repository spammer reports include host IP and confidence
Submitted spammer reports are weighted by
the product of two trust values computed by the
repository and concerning the SocialFilter nodes Reporter Trust Identity Uniqueness
Reporter Trust (RT)
To deal with colluders Trust graph in which the edges reflect
similarity of spammer reports between
friend nodes
Similarity initialized with user-defined trust
Maximum trust path from a pre-trusted node
to all other nodes. Costs O(|E| log | V |)
Belief in a node’s reports being trustworthy
Identity Uniqueness (IU)
To deal with Sybil colluders SybilLimit [S&P 09] over the social graph of
admins
SybilLimit relies on a special type of random
walks (random routes) and the Birthday Paradox
Costs O(|V|√|E| log|V|)
Belief in a node not being Sybil
Evaluation
How does SocialFilter compare to Ostra [NSDI 08]?
Ostra annotates social links with credit-balances
and bounds
An email can be sent if the balance in the links
of the social path connecting sender and
destination does not exceed the bounds
How important is Identity Uniqueness?
Does SocialFilter block spam effectively?
In SF, a spam detection event can reach all nodes In Ostra it affects only nodes that receive the spam
over the social link of the detector
50K-user real Facebook social graph sample
Each FB user corresponds to a SF email server
Honest nodes send 3 emails per day
Spammers send 500 emails per day to random hosts
Spammers report each other as legitimate
10% of honest nodes can instantly classify spam
If a host has > 50% belief of being spammer,
his emails are blocked
Does SocialFilter block legitimate email?
SF does not block legitimate email connections In Ostra, spammer and legitimate senders may
share blocked social links towards the destinations
Is Identity Uniqueness needed?
w/o Identity Uniqueness Sybils are a lot more harmful
0.5% spammers 10% of Sybils sends spam Sybils report that spammers are legitimate Sybils report legitimate as spammers
Conclusion
Introduced social trust to assess spammer reports
in collaborative spam mitigation An alternative use of the social network for
spam mitigation
Instead of using it for rate-limiting spam
over social links, employ it to assign trust
values to spam reporters
Yields comparable spam blocking effectiveness
Yields no false positives in the absence of reports
that incriminate legitimate senders