David Freeman (LinkedIn): Securing the perimeter at LinkedIn: Statistical approaches to registration and login defense.

May 8, 2015 at 12:00 PM in 380 Soda Hall

Abstract:

As the world's largest professional network, LinkedIn is subject to a barrage of fraudulent and/or abusive activity aimed at its member-facing products. LinkedIn's Security Data Science team is tasked with detecting bad activity and building proactive solutions to keep it from happening in the first place. In this talk we'll explore various types of abuse we see at LinkedIn and discuss some of the solutions we've built to defend against them. We'll focus on perimeter defense: keeping bad guys from creating fake accounts at registration or from taking over real members' accounts at login. Registration defense presents a challenge because we have very little information at registration time when we are asked to make a decision. In the first part of the talk we will show how we can leverage "asset reputation systems" to score registrations accurately under these constraints. Login defense presents a challenge because passwords are known to have many weaknesses, but no alternative authentication mechanism has been successfully rolled out at scale. In the second part of the talk we will present a statistical login-scoring model we have developed that strengthens password- based authentication without changing the user experience. We will present results of our prototype implementation validated on real-life login data from LinkedIn, showing that a large majority of attacks can be prevented by imposing additional verification steps on only a small fraction of users. The login system is joint work with Markus Dürmuth (Ruhr Universität Bochum), Sakshi Jain (LinkedIn), and Battista Biggio and Giorgio Giacinto (Università di Cagliari).

Bio:

David Freeman is head of Security Data Science at LinkedIn, where he leads a team charged with detecting and preventing fraud and abuse across the LinkedIn site and ecosystem. He has a Ph.D. in mathematics from UC Berkeley and did postdoctoral research in cryptography and security at CWI and Stanford University.
Security Lab