PassREfinder-FL: Privacy-Preserving Credential Stuffing Risk Prediction via Graph-Based Federated Learning for Representing Password Reuse between Websites
- URL: http://arxiv.org/abs/2510.16083v1
- Date: Fri, 17 Oct 2025 14:59:24 GMT
- Title: PassREfinder-FL: Privacy-Preserving Credential Stuffing Risk Prediction via Graph-Based Federated Learning for Representing Password Reuse between Websites
- Authors: Jaehan Kim, Minkyoo Song, Minjae Seo, Youngjin Jin, Seungwon Shin, Jinwoo Kim,
- Abstract summary: Credential stuffing attacks have caused significant harm to online users who frequently reuse passwords across multiple websites.<n>We propose PassREfinder-FL, a novel framework that predicts credential stuffing risks across websites.<n>We evaluate PassREfinder-FL on a real-world dataset of 360 million breached accounts from 22,378 websites.
- Score: 17.611849684913505
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Credential stuffing attacks have caused significant harm to online users who frequently reuse passwords across multiple websites. While prior research has attempted to detect users with reused passwords or identify malicious login attempts, existing methods often compromise usability by restricting password creation or website access, and their reliance on complex account-sharing mechanisms hinders real-world deployment. To address these limitations, we propose PassREfinder-FL, a novel framework that predicts credential stuffing risks across websites. We introduce the concept of password reuse relations -- defined as the likelihood of users reusing passwords between websites -- and represent them as edges in a website graph. Using graph neural networks (GNNs), we perform a link prediction task to assess credential reuse risk between sites. Our approach scales to a large number of arbitrary websites by incorporating public website information and linking newly observed websites as nodes in the graph. To preserve user privacy, we extend PassREfinder-FL with a federated learning (FL) approach that eliminates the need to share user sensitive information across administrators. Evaluation on a real-world dataset of 360 million breached accounts from 22,378 websites shows that PassREfinder-FL achieves an F1-score of 0.9153 in the FL setting. We further validate that our FL-based GNN achieves a 4-11% performance improvement over other state-of-the-art GNN models through an ablation study. Finally, we demonstrate that the predicted results can be used to quantify password reuse likelihood as actionable risk scores.
Related papers
- Enhancing Password Security Through a High-Accuracy Scoring Framework Using Random Forests [0.5097809301149341]
We implement and evaluate a password strength scoring system by comparing four machine learning models.<n>Our primary contribution is a novel hybrid feature engineering approach that captures nuanced vulnerabilities missed by standard metrics.
arXiv Detail & Related papers (2025-11-12T17:05:27Z) - Incentivizing Collaborative Breach Detection [10.05815981578555]
We propose and evaluate an algorithm by which sites can exchange monitoring favors.<n>We show that using our algorithm, a site improves its ability to detect its own breach when it increases the monitoring effort it expends for other sites.
arXiv Detail & Related papers (2025-06-05T05:12:32Z) - On the Account Security Risks Posed by Password Strength Meters [19.190972978013736]
Password strength meters (PSMs) have been widely used by websites to gauge password strength, encouraging users to create stronger passwords.<n>We analyze 11 PSMs and find that 5 data-driven meters are vulnerable to membership inference attacks that expose their trained passwords.<n>We develop novel meter-aware attacks when a clever attacker can filter the used passwords during compromising accounts on websites using the meter.
arXiv Detail & Related papers (2025-05-13T07:15:17Z) - PriRoAgg: Achieving Robust Model Aggregation with Minimum Privacy Leakage for Federated Learning [49.916365792036636]
Federated learning (FL) has recently gained significant momentum due to its potential to leverage large-scale distributed user data.<n>The transmitted model updates can potentially leak sensitive user information, and the lack of central control of the local training process leaves the global model susceptible to malicious manipulations on model updates.<n>We develop a general framework PriRoAgg, utilizing Lagrange coded computing and distributed zero-knowledge proof, to execute a wide range of robust aggregation algorithms while satisfying aggregated privacy.
arXiv Detail & Related papers (2024-07-12T03:18:08Z) - Ungeneralizable Examples [70.76487163068109]
Current approaches to creating unlearnable data involve incorporating small, specially designed noises.
We extend the concept of unlearnable data to conditional data learnability and introduce textbfUntextbfGeneralizable textbfExamples (UGEs)
UGEs exhibit learnability for authorized users while maintaining unlearnability for potential hackers.
arXiv Detail & Related papers (2024-04-22T09:29:14Z) - The Key to Deobfuscation is Pattern of Life, not Overcoming Encryption [0.7124736158080939]
We present a novel methodology that is effective at deobfuscating sources by synthesizing measurements from key locations along protocol transaction paths.
Our approach links online personas with their origin IP addresses based on a Pattern of Life (PoL) analysis.
We show that, when monitoring in the correct places on the Internet, DNS over HTTPS (DoH) and DNS over TLS (DoT) can be deobfuscated with up to 100% accuracy.
arXiv Detail & Related papers (2023-10-04T02:34:29Z) - FheFL: Fully Homomorphic Encryption Friendly Privacy-Preserving Federated Learning with Byzantine Users [19.209830150036254]
federated learning (FL) technique was developed to mitigate data privacy issues in the traditional machine learning paradigm.
Next-generation FL architectures proposed encryption and anonymization techniques to protect the model updates from the server.
This paper proposes a novel FL algorithm based on a fully homomorphic encryption (FHE) scheme.
arXiv Detail & Related papers (2023-06-08T11:20:00Z) - FedGRec: Federated Graph Recommender System with Lazy Update of Latent
Embeddings [108.77460689459247]
We propose a Federated Graph Recommender System (FedGRec) to mitigate privacy concerns.
In our system, users and the server explicitly store latent embeddings for users and items, where the latent embeddings summarize different orders of indirect user-item interactions.
We perform extensive empirical evaluations to verify the efficacy of using latent embeddings as a proxy of missing interaction graph.
arXiv Detail & Related papers (2022-10-25T01:08:20Z) - CrowdGuard: Federated Backdoor Detection in Federated Learning [39.58317527488534]
This paper presents a novel defense mechanism, CrowdGuard, that effectively mitigates backdoor attacks in Federated Learning.
CrowdGuard employs a server-located stacked clustering scheme to enhance its resilience to rogue client feedback.
The evaluation results demonstrate that CrowdGuard achieves a 100% True-Positive-Rate and True-Negative-Rate across various scenarios.
arXiv Detail & Related papers (2022-10-14T11:27:49Z) - Cross-Network Social User Embedding with Hybrid Differential Privacy
Guarantees [81.6471440778355]
We propose a Cross-network Social User Embedding framework, namely DP-CroSUE, to learn the comprehensive representations of users in a privacy-preserving way.
In particular, for each heterogeneous social network, we first introduce a hybrid differential privacy notion to capture the variation of privacy expectations for heterogeneous data types.
To further enhance user embeddings, a novel cross-network GCN embedding model is designed to transfer knowledge across networks through those aligned users.
arXiv Detail & Related papers (2022-09-04T06:22:37Z) - Federated Social Recommendation with Graph Neural Network [69.36135187771929]
We propose fusing social information with user-item interactions to alleviate it, which is the social recommendation problem.
We devise a novel framework textbfFedrated textbfSocial recommendation with textbfGraph neural network (FeSoG)
arXiv Detail & Related papers (2021-11-21T09:41:39Z) - RoFL: Attestable Robustness for Secure Federated Learning [59.63865074749391]
Federated Learning allows a large number of clients to train a joint model without the need to share their private data.
To ensure the confidentiality of the client updates, Federated Learning systems employ secure aggregation.
We present RoFL, a secure Federated Learning system that improves robustness against malicious clients.
arXiv Detail & Related papers (2021-07-07T15:42:49Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.