FaceTrust: Assessing the Credibility of Online Personas via Social Networks
Michael Sirivianos, Kyungbaek Kim and Xiaowei Yang
in collaboration with J.W. Gan, C. Carlon and D. Jiang
Duke University and UC Irvine
Aug 11 @ HotSec 2009
Motivation
Online world without identity credentials:
o Makes determining who and what to believe difficult
Outline
Why do we need a stronger online identity?
Design
Social Tagging
Assessing Credibility
OSN-issued Credentials
Evaluation
Conclusions and work in progress
How can Identity Credentials help?
Trustworthy online communication:
o Dating websites, Craigslist, Amazon reviews, eBay transactions, first contact in OSNs
o “I work in ...”, “I am a good seller”, “My name is ...”
Access control
o Age-restricted sites
o “I am over 18 years old”
Malware defence
o “I am a reputable software author”
Our Solution
Relaxed (not absolutely verified) credentials
o bind an online statement (assertion) to the probability this assertion is true
o for not very critical applications, but they can help users or apps make informed decisions
Online social network users verify their friends’ verifiable identity assertions
OSN providers issue credentials on a user’s assertions using his friends’ feedback
Design: Social Tagging
Users post facts/assertions on their OSN profiles:
o “Am I really over 18 years old?”
Friends tag those facts as TRUE or FALSE
o OSN-based crowd-vetting
Challenges:
o Friends can collude and lie for each other
o Dishonest users may create many fake OSN accounts, aka Sybil attack
Our approach: assess the credibility of taggers using a trust metric
Design: Assessing Credibility (1)
Advogato Trust Metric:
Attack-resistant [Levien et al., Security ’98]
Input: Graph with trust edges that indicate a trust level X between nodes.
Output: The nodes that can be trusted by at least X.
[Figure: example trust graph with trust levels 100%, 75%, 25%, 50% and 75%; labels: “100% trusted node”, “75% trusted node”]
Design: Assessing Credibility (2)
Trust edges annotated with tagging similarity between friends
o #same-tags / #common-tags
o e.g., if two friends have tagged 2 common facts of the same user and agree on only one tag, they have similarity 50%
Design: Assessing Credibility (3)
Use Advogato to compute the tagging credibility (or weight) in [0, 1] of tags made by each user $i$: $w_i$
Use weighted average of tags by friends $i$ of $j$ on $j$’s assertion ($d_{ij} = +1$ if TRUE, $-1$ if FALSE) to compute credibility of $j$’s assertion:
$\max\left(\frac{\sum_i w_i \, d_{ij}}{\sum_i w_i},\ 0\right)$
Design: OSN-issued Credentials
Relaxed credentials issued by the OSN provider:
o {assertion type, assertion, credibility}
idemix [Camenisch et al. EuroCrypt 01, CCS 02]
o Obtain cryptographic credential from credential authority
o Prove possession of credential to verifying authority without revealing identity
o Verifying authorities cannot link credential showings
o Firefox plugin based on idemix Java code
If unlinkability (surveillance-resistance) not required or if required but the user does not mind creating multiple credentials for the same assertion:
o use simple web based credential, e.g.,
An Age Example
[Figure: Facebook user u, friends x, y and z, the OSN and the Verifier]
User u [age=21]
User x ($w_x = 1.0$): TRUE ($d_{xu} = 1$)
User y ($w_y = 1.0$): TRUE ($d_{yu} = 1$)
User z ($w_z = 0.5$): FALSE ($d_{zu} = -1$)
Credential Request: [u, age, > 18]
Credential: [u, age, > 18, 0.6]
Credential: [age, > 18, 0.6]
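The tagging similarity and credibility formula from the Assessing Credibility slides, run on the age example above, as an added example (not code from the talk or from the FaceTrust implementation). The function names, the weight-0 default for taggers without a weight, and the Sybil scenario with its weights are assumptions; in FaceTrust the weights $w_i$ come from the Advogato trust metric, which is taken as given here.

```python
def tagging_similarity(tags_a, tags_b):
    """#same-tags / #common-tags over facts both friends tagged.

    Each argument maps (user, assertion) -> True/False.
    Returns None when the two friends have no tagged fact in common.
    """
    common = tags_a.keys() & tags_b.keys()
    if not common:
        return None
    return sum(tags_a[f] == tags_b[f] for f in common) / len(common)


def assertion_credibility(tags, weights):
    """max(sum_i w_i*d_ij / sum_i w_i, 0), d_ij = +1 for TRUE, -1 for FALSE."""
    num = den = 0.0
    for tagger, is_true in tags.items():
        # Assumption: a tagger with no computed weight contributes nothing.
        w = weights.get(tagger, 0.0)
        if not 0.0 <= w <= 1.0:
            raise ValueError(f"weight for {tagger!r} outside [0, 1]: {w}")
        num += w * (1 if is_true else -1)
        den += w
    return max(num / den, 0.0) if den > 0 else 0.0


def unweighted_credibility(tags):
    """Baseline for comparison: plain vote average, every tagger has weight 1."""
    return assertion_credibility(tags, {t: 1.0 for t in tags})


# Values from the slides: friends x, y, z tag u's "age > 18" assertion.
AGE_TAGS = {"x": True, "y": True, "z": False}
AGE_WEIGHTS = {"x": 1.0, "y": 1.0, "z": 0.5}

# Constructed scenario (not from the talk): one honest friend tags a false
# assertion FALSE while ten low-weight Sybil accounts tag it TRUE.
SYBIL_TAGS = {"honest": False, **{f"sybil{n}": True for n in range(10)}}
SYBIL_WEIGHTS = {"honest": 1.0, **{f"sybil{n}": 0.05 for n in range(10)}}

# Constructed tag maps: two friends tag the same two facts, agree on one.
FRIEND_A = {("u", "age > 18"): True, ("u", "employer"): True}
FRIEND_B = {("u", "age > 18"): True, ("u", "employer"): False}

if __name__ == "__main__":
    print("age example:", assertion_credibility(AGE_TAGS, AGE_WEIGHTS))
    print("Sybil, weighted:", assertion_credibility(SYBIL_TAGS, SYBIL_WEIGHTS))
    print("Sybil, unweighted:", round(unweighted_credibility(SYBIL_TAGS), 3))
    print("similarity:", tagging_similarity(FRIEND_A, FRIEND_B))
```

With per-tagger weights the ten Sybil tags cannot outvote one fully trusted friend, whereas a plain vote count would give the false assertion a high score.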
Evaluation
How well do credibility scores correlate with truth?
Can the design withstand dishonest user tagging and Sybil attacks?
Experimental Setting:
Honest and dishonest users make one assertion each
Dishonest users tag both dishonest and honest assertions as TRUE
Obtain average credibility of honest and dishonest assertions
The #tags per user matters
10% dishonest
As #tags increase, honest users have more credibility
Dishonest users always have low credibility
Sybils have slightly more credibility than dishonest
Credibility is robust as %dishonest increases
at most 20 tags per user
Honest users always have high credibility
Dishonest user credibility not high even when 50%
Sybils have slightly more credibility than dishonest
Conclusions
FaceTrust is:
An OSN-based approach to identity verification:
o crowd-vetting through social tagging
o relaxed and lightweight credentials
Employs robust trust metric for attack resistance
Employs anonymous credentials to preserve privacy
Work in Progress
Need to validate our hypotheses:
That users are willing to tag
o do they find tagging fun and useful?
That users mostly tag accurately
o are there many honest taggers?
Facebook application up and running
o we are collecting usage data, tags and social graph
Exploring other trust metrics: TrustRank [Gyongyi et al. VLDB 04]