
Membership DataSciX Presentation


Page 1: Membership DataSciX Presentation

Improving abuse detection @ Membership

Projects related to Haoyang Yuan

Page 2: Membership DataSciX Presentation

Can we leverage external threat intelligence to prepare for traffic behaviors we haven’t seen?

RAPTOR

31 sources of hourly threat intelligence

Page 3: Membership DataSciX Presentation

27,522 suspicious registrations that Yahoo did not classify as suspicious

351 suspicious registrations that were classified as suspicious by Yahoo as well

Cross-referencing new signals with past logins and registration logs (24 Hours of Data, 10% of Raptor’s data sources)

37,580 suspicious logins that Yahoo did not classify as suspicious

119,311 suspicious logins that were classified as suspicious by Yahoo as well

Page 4: Membership DataSciX Presentation

How to get login context?

If data is delayed → no sense of previous login behavior! Can’t respond quickly!

[Diagram labels: Login Server; Data Rainbow Highway; HDFS; 15 minutes; Baltar alarm!; ?]

Page 5: Membership DataSciX Presentation

How to get login context?

Real-time login context to help classification (e.g. unique user count by IP in last minute)

[Diagram labels: Login Server; Storm Topology; 10 ms; 1 million/minute; HDFS; 15 minutes; More time]
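
An added example, not from the presentation: the "unique user count by IP in last minute" feature computed as a single-process sliding window in Python rather than in a Storm topology. The class and function names, the threshold of 4 and the sample events are assumptions made for illustration, and events are assumed to arrive in timestamp order.

```python
from collections import defaultdict, deque


class LoginContext:
    """Sliding-window count of distinct users seen per source IP."""

    def __init__(self, window=60):           # 60 s = "last minute" on the slide
        self.window = window
        self.events = deque()                # (ts, ip, user), oldest first
        self.per_ip = defaultdict(dict)      # ip -> {user: attempts in window}

    def _evict(self, now):
        # Drop events older than the window and decrement their counters,
        # so memory stays proportional to one window of traffic.
        while self.events and self.events[0][0] <= now - self.window:
            _, ip, user = self.events.popleft()
            users = self.per_ip[ip]
            users[user] -= 1
            if users[user] == 0:
                del users[user]
            if not users:
                del self.per_ip[ip]

    def observe(self, ts, ip, user):
        """Record one login attempt; return distinct users for this IP in the window."""
        self._evict(ts)
        self.events.append((ts, ip, user))
        users = self.per_ip[ip]
        users[user] = users.get(user, 0) + 1
        return len(users)


def flag_logins(events, threshold):
    """Return (ts, ip, user, unique_users) for attempts at or above the threshold."""
    ctx = LoginContext()
    flagged = []
    for ts, ip, user in events:
        n = ctx.observe(ts, ip, user)
        if n >= threshold:
            flagged.append((ts, ip, user, n))
    return flagged


# Constructed sample: seconds since start, documentation-range IPs, made-up users.
SAMPLE = [
    (0, "198.51.100.7", "alice"), (5, "203.0.113.9", "u1"),
    (10, "203.0.113.9", "u2"), (12, "203.0.113.9", "u3"),
    (20, "198.51.100.7", "alice"), (30, "203.0.113.9", "u4"),
    (70, "203.0.113.9", "u5"), (200, "203.0.113.9", "u6"),
]
```

The returned count is the kind of context value a classifier can consume at login time; a repeated login by the same user from one IP does not raise it.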

Page 6: Membership DataSciX Presentation

Thanks

youngsam

kevin

francis the great