Abstract
User tracking has become a ubiquitous practice on the Web, allowing services to recommend behaviorally targeted content to users. In this article, we design Alibi, a system that utilizes such readily available personalized content, generated by recommendation engines in real time, as a means to tame Sybil attacks. In particular, by using ads and other tracker-generated recommendations as implicit user “certificates,” Alibi is capable of creating meta-profiles that allow for rapid and inexpensive validation of users’ uniqueness, thereby enabling an Internet-wide Sybil defense service.
We demonstrate the feasibility of such a system, exploring the aggregate behavior of recommendation engines on the Web and demonstrating the richness of the meta-profile space defined by such inputs. We further explore the fundamental properties of such meta-profiles, i.e., their construction, uniqueness, persistence, and resilience to attacks. By conducting a user study, we show that the user meta-profiles are robust and show important scaling effects. We demonstrate that utilizing even a moderate number of popular Web sites empowers Alibi to tame large-scale Sybil attacks.
Index Terms
Utilizing Web Trackers for Sybil Defense