SybilBlind: Detecting Fake Users in Online Social Networks Without Manual Labels

Abstract

Detecting fake users (also called Sybils) in online social networks is a basic security research problem. State-of-the-art approaches rely on a large amount of manually labeled users as a training set. These approaches suffer from three key limitations: (1) it is time-consuming and costly to manually label a large training set, (2) they cannot detect new Sybils in a timely fashion, and (3) they are vulnerable to Sybil attacks that leverage information of the training set. In this work, we propose SybilBlind, a structure-based Sybil detection framework that does not rely on a manually labeled training set. SybilBlind works under the same threat model as state-of-the-art structure-based methods. We demonstrate the effectiveness of SybilBlind using (1) a social network with synthetic Sybils and (2) two Twitter datasets with real Sybils. For instance, SybilBlind achieves an AUC of 0.98 on a Twitter dataset.

B. Wang and L. Zhang—Authors contributed equally to this work.

Appendices

A Performance of the Average Aggregator

Theorem 2

When SybilBlind uses the average aggregator, the expected aggregated probability is 0.5 for every node.

Proof

Suppose in some sampling trial, the sampled subsets are B and S, and SybilSCAR halts after T iterations. We denote by \(q_u\) the prior probability and by \({p_u}^{(t)}\) the probability in the tth iteration for u, respectively. Note that the subsets \(B'=S\) and \(S'=B\) are sampled by the sampler with the same probability. We denote by \(q_u'\) the prior probability and by \({p_u}^{(t)'}\) the probability in the tth iteration for u, respectively, when SybilSCAR uses the subsets \(B'\) and \(S'\). We prove that \({q}_u'=1 -{q}_u\) and \({p}_u^{(t)'} = 1-{p}_u^{(t)}\) for every node u and iteration t. First, we have:

$$\begin{aligned} {q}_u' = {\left\{ \begin{array}{ll} 0.5 - \theta &{}= 1-{q}_u \,\,\text { if } u \in S \\ 0.5 + \theta &{}= 1-{q}_u \,\, \text { if } u \in B \\ 0.5 &{}= 1-{q}_u \,\,\text { otherwise,} \end{array}\right. } \end{aligned}$$

which means that \({{q}_u}'=1-{q}_u\) for every node.

We have \({p_u}^{(0)'} = {q_u}'\) and \({p_u}^{(0)} = {q_u}\). Therefore, \({p}_u^{(0)'} =1 -{p}_u^{(0)}\) holds for every node in the 0th iteration. We can also show that \({p}_u^{(t)'} = 1-{p}_u^{(t)}\) holds for every node in the tth iteration if \({p}_u^{(t-1)'} = 1-{p}_u^{(t-1)}\) holds for every node. Therefore, \({p}_u^{(t)'} = 1-{p}_u^{(t)}\) holds for every node u and iteration t. As a result, with the sampled subsets \(B'\) and \(S'\), SybilSCAR also halts after T iterations. Moreover, the average probability in the two sampling trials (i.e., the sampled subsets are B and S, and \(B'=S\) and \(S'=B\)) is 0.5 for every node. For each pair of sampled subsets B and S, there is a pair of subsets \(B'=S\) and \(S'=B\) that are sampled by our sampler with the same probability. Therefore, the expected aggregated probability is 0.5 for every node.

B Proof of Theorem 1

Lower Bound: We have:

$$\begin{aligned} \text {Pr}(\alpha _b \le \tau , \alpha _s \le \tau )&\ge \text {Pr}(\alpha _b=\alpha _s = 0) =(1-r)^n r^n. \end{aligned}$$

(4)

We note that this lower bound is very loose because we simply ignore the cases where \(\text {Pr}(0<\alpha _b \le \tau , 0<\alpha _s \le \tau )\). However, this lower bound is sufficient to give us qualitative understanding.

Upper Bound: We observe that the probability that label noise in both the benign region and the Sybil region are no bigger than \(\tau \) is bounded by the probability that label noise in the benign region or the Sybil region is no bigger than \(\tau \). Formally, we have:

$$\begin{aligned} \text {Pr}(\alpha _b \le \tau , \alpha _s \le \tau ) \le \min \{\text {Pr}(\alpha _b \le \tau ), \text {Pr}( \alpha _s \le \tau ) \} \end{aligned}$$

(5)

Next, we will bound the probabilities \(\text {Pr}(\alpha _b \le \tau )\) and \(\text {Pr}( \alpha _s \le \tau )\) separately. We will take \(\text {Pr}(\alpha _b \le \tau )\) as an example to show the derivations, and similar derivations can be used to bound \(\text {Pr}( \alpha _s \le \tau )\).

We observe the following equivalent equations:

$$\begin{aligned} \text {Pr}(\alpha _b \le \tau )&=\text {Pr}(\frac{n_{sb}}{n_{sb} + n_{bb} } \le \tau ) =\text {Pr}(\tau n_{bb} + (\tau - 1) n_{sb} \ge 0) \end{aligned}$$

(6)

We define n random variables \(X_1, X_2, \cdots , X_n\) and n random variables \(Y_1, Y_2, \cdots , Y_n\) as follows:

$$\begin{aligned}&X_i = {\left\{ \begin{array}{ll} \tau &{}\, \, \, \, \,\,\, \text { if the } i \text {th node in B is benign} \\ 0 &{}\, \, \, \, \,\,\, \text { otherwise} \\ \end{array}\right. } \\&Y_i = {\left\{ \begin{array}{ll} \tau -1 &{}\text { if the } i \text {th node in S is benign} \\ 0 &{}\text { otherwise,} \end{array}\right. } \end{aligned}$$

where \(i=1,2,\cdots , n\). According to our definitions, we have \(\text {Pr}(X_i=\tau )=1 - r\) and \(\text {Pr}(Y_i=\tau - 1)=1 - r\), where \(i=1,2,\cdots , n\). Moreover, we denote S as the sum of these random variables, i.e., \(S=\sum _{i=1}^n X_i + \sum _{i=1}^n Y_i\). Then, the expected value of S is \(E(S)=-(1-2\tau )(1-r)n\). With the variables S and E(S), we can further rewrite Eq. 6 as follows:

$$\begin{aligned} \text {Pr}(\alpha _b \le \tau )= \text {Pr}( S -E(S) \ge -E(S)) \end{aligned}$$

According to Hoeffding’s inequality [17], we have

$$\begin{aligned} \text {Pr}( S -E(S) \ge -E(S))&\le \text {exp}\Big (-\frac{2E^2(s)}{(\tau ^2 + (1-\tau )^2)n}\Big ) =\text {exp}\Big (-\frac{2(1-2\tau )^2(1-r)^2n}{\tau ^2 + (1-\tau )^2}\Big ) \end{aligned}$$

Similarly, we can derive an upper bound of \(Pr( \alpha _s \le \tau )\) as follows:

$$\begin{aligned} \text {Pr}( \alpha _s \le \tau )&\le \text {exp}\Big (-\frac{2(1-2\tau )^2 r^2 n}{\tau ^2 + (1-\tau )^2}\Big ) \end{aligned}$$

(7)

Since we consider \(r<0.5\) in this work, we have:

$$\begin{aligned} \min \{\text {Pr}(\alpha _b \le \tau ), \text {Pr}( \alpha _s \le \tau ) \} = \text {exp}\Big (-\frac{2(1-2\tau )^2(1-r)^2n}{\tau ^2 + (1-\tau )^2}\Big ) \end{aligned}$$

(8)

By combining Eqs. 5 and 8, we obtain Eq. 3.