Understanding and defending vulnerabilities of web-based information systems
Date
2020
Publisher
University of Delaware
Abstract
Web-based information systems support the gathering, representation, processing, and dissemination of information on the web, and can provide value-added functions such as recommender systems and online review systems. These systems share a high degree of community formation, user-level content generation, and other features, which can have large potential benefit to web users. However, they could also raise serious security issues.

Recommendation systems are introduced for decision making and are designed to discover users' preferences and foresee their needs. Recommender systems have been increasingly used in a variety of web services, providing a list of recommended items in which a user may be interested. While important, recommender systems are vulnerable to various malicious attacks. In this dissertation, we study a new security vulnerability in recommender systems caused by web injection, through which malicious actors stealthily tamper with any unprotected in-transit HTTP webpage content and force victims to visit specific items in some web services (even those running HTTPS), e.g., YouTube. By doing so, malicious actors can promote their targeted items in those web services. To obtain a deeper understanding of the recommender systems of interest (including YouTube, Yelp, Taobao, and 360 App market), we first conduct a measurement-based analysis on several real-world recommender systems by leveraging machine learning algorithms. Then, web injection is implemented in three different types of devices (i.e., computer, router, and proxy server) to investigate the scenarios where web injection could occur. Based on the implementation of web injection, we demonstrate that it is feasible and sometimes effective to manipulate the real-world recommender systems through web injection. We also present several countermeasures against such manipulations.

Online reviews play a crucial role in the ecosystem of business today (especially e-commerce platforms), and have become the primary source of consumer opinions. To manipulate consumers' opinions, some sellers on e-commerce platforms outsource opinion spamming with incentives (e.g., free products) in exchange for incentivized reviews. Incentives, by nature, are likely to drive more biased reviews or even fake reviews. Despite e-commerce platforms such as Amazon having taken initiatives to squash the incentivized review practice, sellers turn to various social networking platforms (e.g., Facebook) to outsource the incentivized reviews. The aggregation of sellers who request incentivized reviews and reviewers who seek incentives forms incentivized review groups. In this dissertation, we additionally focus on the incentivized review groups in e-commerce platforms. We collect data from various social networking platforms, including Facebook, WeChat, and Douban. A measurement study of incentivized review groups is conducted with regard to group members, group activities, and products. To identify the incentivized review groups, we propose a new detection approach based on co-review graphs. Specifically, we employ the community detection method to find the suspicious communities from co-review graphs. We also build a "gold standard" dataset from the data we collected, which contains the information of reviewers who belong to incentivized review groups. We utilize the "gold standard" dataset to evaluate the effectiveness of our detection approach.

Due to the importance of online reviews, professional review writing services are employed for paid reviews and are even exploited to conduct opinion spam. Posting deceptive reviews could mislead customers, yield significant benefits or losses to service vendors, and erode confidence in the entire online purchasing ecosystem. In this dissertation, we ferret out deceptive reviews originating from professional review writing services. We do so even when reviewers leverage a number of pseudonymous identities to avoid detection. To unveil the pseudonymous identities associated with deceptive reviewers, we leverage the multiview clustering method. This enables us to characterize the writing style of reviewers (deceptive vs. normal) and cluster the reviewers based on their writing style. Furthermore, we explore different neural network models to model the writing style of deceptive reviews. We select the best performing neural network to generate the representation of reviews. We validate the effectiveness of the multiview clustering framework using real-world Amazon review data under different experimental scenarios. Our results show that our approach is at least 10% better than previous clustering methods in terms of accuracy. We also conduct a large-scale case study based on publicly available Amazon datasets.
Keywords
Web-based information systems, Online review systems, User-level content generation, HTTP webpage, YouTube, Cybersecurity, Yelp, App market, Consumer opinions, E-commerce platforms, Facebook, WeChat, Amazon