Improving abuse detection @ Membership
Projects related to Haoyang Yuan
Can we leverage external threat intelligence to prepare for traffic behaviors we haven’t seen?
RAPTOR
31 sources of hourly threat intelligence
27,522 suspicious registrations that Yahoo did not classify as suspicious
351 suspicious registrations that were classified as suspicious by Yahoo as well
Cross-referencing new signals with past logins and registration logs
(24 Hours of Data, 10% of Raptor’s data sources)
37,580 suspicious logins that Yahoo did not classify as suspicious
119,311 suspicious logins that were classified as suspicious by Yahoo as well
How to get login context?
If data is delayed → no sense of previous login behavior! Can’t respond quickly!
[Diagram labels: Login Server; HDFS, 15 minutes; Baltar alarm!; Data Rainbow Highway; ?]
How to get login context?
Real-time login context to help classification
(e.g. unique user count by IP in last minute)
[Diagram labels: Login Server; HDFS, 15 minutes; Storm Topology, 10 ms; 1 million/minute; More time]
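The "unique user count by IP in last minute" signal named above, as an added example that is not part of the original deck: a sliding-window counter an in-stream classifier could query on each login. It is an in-memory Python sketch rather than a Storm topology; the class name, the threshold of 3, the in-order timestamp assumption and the sample events (documentation-range IPs) are all assumptions made here.

```python
from collections import defaultdict, deque
# Constructed sample login attempts: (unix_seconds, source_ip, user_id).
SAMPLE_LOGINS = [
    (0, "203.0.113.7", "u1"),
    (5, "203.0.113.7", "u2"),
    (10, "198.51.100.20", "alice"),
    (20, "203.0.113.7", "u3"),
    (30, "198.51.100.20", "alice"),
    (50, "203.0.113.7", "u1"),
    (70, "203.0.113.7", "u4"),
]

class UniqueUsersByIP:
    """Distinct users per source IP over a sliding window (hypothetical helper).
    Assumes events for an IP arrive in non-decreasing timestamp order."""

    def __init__(self, window_seconds=60):
        self.window = window_seconds
        self.events = defaultdict(deque)                      # ip -> (ts, user)
        self.counts = defaultdict(lambda: defaultdict(int))   # ip -> user -> hits

    def _expire(self, ip, now):
        if ip not in self.events:
            return
        q, c = self.events[ip], self.counts[ip]
        while q and q[0][0] <= now - self.window:
            _, user = q.popleft()
            c[user] -= 1
            if c[user] == 0:
                del c[user]          # user no longer seen inside the window
        if not q:                    # drop idle IPs so state stays bounded
            del self.events[ip], self.counts[ip]

    def observe(self, ts, ip, user):
        """Record one login attempt; return distinct users for ip in the window."""
        self._expire(ip, ts)
        self.events[ip].append((ts, user))
        self.counts[ip][user] += 1
        return len(self.counts[ip])

    def distinct_users(self, ip, now):
        self._expire(ip, now)
        return len(self.counts.get(ip, ()))

def flag_ips(logins, threshold=3, window_seconds=60):
    """Return (ts, ip, count) for each attempt at or above the threshold."""
    tracker = UniqueUsersByIP(window_seconds)
    hits = ((ts, ip, tracker.observe(ts, ip, u)) for ts, ip, u in logins)
    return [h for h in hits if h[2] >= threshold]
```

Repeated attempts by the same user do not raise the count, and an IP's state is dropped once its last event ages out of the window.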
Thanks
youngsam
kevin
francis the great