Fighting Fire With Fire:
Crowdsourcing Security Solutions
on the Social Web
Christo Wilson
Northeastern University
cbw@ccs.neu.edu
High Quality Sybils and Spam
2
We tend to think of spam as “low quality”
Christo Wilson
Stock
MaxGentleman is the bestest male enhancement system
Photographs
avalable. http://cid-ce6ec5.space.live.com/
What about high quality spam and Sybils?
3
Black Market Crowdsourcing
4
Large and profitable
Growing
exponentially in size and revenue in China
$1 million per month on just one site
Cost effective: $0.21 per click
Starting to grow in US and other countries
Mechanical
Turk, Freelancer
Twitter Follower Markets
Huge problem for existing security systems
Little
to no automation to detect
Turing tests fail
Crowdsourcing Sybil Defense
5
Defenders are losing the battle against OSN Sybils
Idea: build a crowdsourced Sybil detector
Leverage human intelligence
Scalable
Open Questions
How accurate are users?
What factors affect detection accuracy?
Is crowdsourced Sybil detection cost effective?
User Study
6
Two groups of users
Also used by
spammers
Experts – CS professors, masters, and PhD students
Turkers – crowdworkers from Mechanical Turk and Zhubajie
Three ground-truth datasets of full user profiles
Renren – given to us by Renren Inc.
Stock
Facebook US and India
Picture
Crawled
Legitimate profiles – 2-hops from our profiles
Suspicious profiles – stock profile images
Banned suspicious profiles = Sybils
Testers may skip around
and revisit profiles
Real or fake?
Navigation Buttons
Why?
Progress
Classifying
Profiles
Browsing
Profiles
Screenshot of Profile
(Links Cannot be Clicked)
7
Experiment Overview
Data from Renren Fewer Experts
8
Dataset
# of Profiles
Sybil
Renren
Facebook
US
Facebook
India
100
32
50
Test Group
# of
Testers
Profile per
Tester
Chinese Expert
24
100
Chinese Turker
418
10
US Expert
40
50
US Turker
299
12
India Expert
20
100
India Turker
342
12
Legit.
100
50
49
Crawled Data
More Profiles for Experts
Individual Tester Accuracy
9
100
Chinese Turker
US Turker
US Expert
Chinese Expert
80
60
Not so
good :(
CDF (%)
• Experts prove that humans can be accurate
Awesome!
• Turkers
need extra help…
40
80% of experts have
>90% accuracy!
20
0
0
10
20
30
40
50
60
70
Accuracy per Tester (%)
80
90
100
Accuracy of the Crowd
10
Treat each classification by each tester as a vote
Majority makes final decision
Almost Zero False
Experts
False
False
Positives
Dataset
Test Group
Negatives
PerformPositives
Okay
Chinese Expert
0%
Renren
Chinese
0%
Miss
• False positive
ratesTurker
areTurkers
excellent
US Expert Lots of Sybils
0%
Facebook
• Turkers need extra help against false
US
US Turker
2%
3%
63%
10%
India Expert
India Turker
16%
50%
negatives
19%
• What can be done to improve accuracy?
Facebook
India
0%
0%
How Many Classifications Do You Need?
11
100
Error Rate (%)
• Only need a 4-5 classifications
to converge
False Negatives
80
• Few classifications = less cost
China
India
60
40
False Positives
20
US
0
2
4
6
8 10 12 14 16 18 20 22 24
Classifications per Profile
Eliminating Inaccurate Turkers
12
Most workers are
>40% accurate
False Negative Rate (%)
100
80
China
Dramatic
India
Improvement
From 60% to 10%
US
False Negatives
• Only
60 a subset of workers are removed (<50%)
• Getting rid of inaccurate turkers is a no-brainer
40
20
0
0
10
20
30
40
50
Turker Accuracy Threshold (%)
60
70
How to turn our results into a system?
13
1.
Scalability
OSNs
2.
with millions of users
Performance
Improve
turker accuracy
Reduce costs
3.
Privacy
Preserve
user privacy when giving data to turkers
Filter OutArchitecture
Inaccurate
System
14
Turkers
Maximize Usefulness of
High Accuracy Turkers
Crowdsourcing Layer
Rejected!
Experts
Turker
Selection
Very Accurate
Turkers
Accurate Turkers
Sybils
• Leverage Existing Techniques
All Turkers
• Help the System Scale
• Continuous Quality Control
• Locate Malicious Workers
Social Network
Heuristics
User Reports
?
Suspicious Profiles
Filtering Layer
Trace Driven Simulations
15
Classifications
2
Very Accurate
Turkers
Accurate Turkers
Simulate
2000 profiles
Error rates drawn from survey data
Vary 4 parameters
20-50%
Controversial Range
Results++
Results
• Average 6
8 classifications per profile
90%
Threshold
• <1%
<0.1%false
falsepositives
positives
• <1%
<0.1%false
falsenegatives
negatives
Classifications
5
Estimating Cost
16
Estimated cost in a real-world social networks: Tuenti
12,000 profiles to verify daily
14 full-time employees
Minimum wage ($8 per hour) $890 per day
Crowdsourced Sybil Detection
20sec/profile, 8 hour day 50 turkers
Facebook wage ($1 per hour) $400 per day
Cost with malicious turkers
Estimate that 25% of turkers are malicious
63 turkers
$1 per hour $504 per day
Takeaways
17
Humans can differentiate between real and fake profiles
Crowdsourced Sybil detection is feasible
Designed a crowdsourced Sybil detection system
False
positives and negatives <1%
Resistant to infiltration by malicious workers
Sensitive to user privacy
Low cost
Augments existing security systems
18
Questions?
Survey Fatigue
19
100
80
80
80
80
60
60
60
60
40
40
40
40
20
20
20
20
0
0
0
0
0
10
20 30 40
Profile Order
Time per Profile (s)
100
Accuracy (%)
Time per Profile (s)
100
US Turkers
Accuracy
Time
0
2
4 6 8 10
Profile Order
All testers speed up over
time matters
No fatigue
Fatigue
100
Accuracy (%)
US Experts
Sybil Profile Difficulty
Experts perform well on
most difficult Sybils
20
Average Accuracy per Sybil (%)
100
90
80
70
60
• Some Sybils are more stealthy
50
• Experts
catch more tough Sybils than turkers
40
30
Really difficult
profiles
20
10
0
0
5
10
15
20
25
30
Sybil Profiles Ordered By Turker Accuracy
35
Turker
Expert
Preserving User Privacy
21
Showing profiles to crowdworkers raises privacy issues
Solution: reveal profile information in context
Crowdsourced
Evaluation
Friends
Crowdsourced
Evaluation
Friend-Only
Public Profile
Profile
Information
Information
0
