Understanding and Defending Against Malicious Identities in Online Social Networks

Serving more than one billion users around the world, today's online social networks (OSNs) pervade our everyday life and change the way people connect and communicate with each other. However, the open nature of OSNs attracts a constant interest in attacking and exploiting them. In particular, they are vulnerable to various attacks launched through malicious accounts, including fake accounts and compromised real user accounts. In those attacks, malicious accounts are used to send out spam, spread malware, distort online voting, etc.;In this dissertation, we present practical systems that we have designed and built to help OSNs effectively throttle malicious accounts. The overarching contribution of this dissertation is the approaches that leverage the fundamental weaknesses of attackers to defeat them. We have explored defense schemes along two dimensions of an attacker's weaknesses: limited social relationships and strict economic constraints.;The first part of this dissertation focuses on how to leverage social relationship constraints to detect fake accounts. We present SybilRank, a novel social-graph-based detection scheme that can scale up to OSNs with billions of users. SybilRank is based on the observation that the social connections between fake accounts and real users, called attack edges, are limited. It formulates the detection as scalable user ranking according to the landing probability of early-terminated random walks on the social graph. SybilRank generates an informative user-ranked list with a substantial fraction of fake accounts at the bottom, and bounds the number of fake accounts that are ranked higher than legitimate users to O(log n) per attack edge, where n is the total number of users. We have demonstrated the scalability of SybilRank via a prototype on Hadoop MapReduce, and its effectiveness in the real world through a live deployment at Tuenti, the largest OSN in Spain.;The second part of this dissertation focuses on how to exploit an attacker's economic constraints to uncover malicious accounts. We present SynchroTrap, a system that uncovers large groups of active malicious accounts, including both fake accounts and compromised accounts, by detecting their loosely synchronized actions. The design of SynchroTrap is based on the observation that malicious accounts usually perform loosely synchronized actions to accomplish an attack mission, due to limited budgets, specific mission goals, etc. SynchroTrap transforms the detection into a scalable clustering algorithm. It uncovers large groups of accounts that act similarly at around the same time for a sustained period of time. To handle the enormous volume of user action data in large OSNs, we designed SynchroTrap as an incremental processing system that processes small data chunks on a daily basis but aggregates the computational results over the continuous data stream. We implemented SynchroTrap on Hadoop and Giraph, and we deployed it on Facebook and Instagram. This deployment has resulted in the unveiling of millions of malicious accounts and thousands of large attack campaigns per month.