1 / 27

ISPs and Ad Networks Against Botnet Ad Fraud

This article explores the economic incentives and initiatives for ISPs and Ad Networks to work together in fighting botnet ad fraud, which negatively affects the revenue of ad networks, advertisers, and websites.

mcouture
Download Presentation

ISPs and Ad Networks Against Botnet Ad Fraud

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. ISPs and Ad Networks Against Botnet Ad Fraud NevenaVratonjic, Mohammad HosseinManshaei, Maxim Raya and Jean-Pierre Hubaux • November 2010, GameSec’10

  2. Online Ad Fraud • Online advertising is the major source of revenue on the Web ($22.4 billion in the US in 2009) • Exploits of the online advertising systems • Click fraud (DormRing1 [1]) • On-the-fly modification of ads (Bahama [2], Gumblar [3]) • Botnet ad fraud! • Ad fraud negatively affects the revenue of ad networks (ANs), advertisers and websites • Economic incentive to fight botnet ad fraud • [1] Multi-million dollar Chinese click fraud ring broken, Anchor, 2009. • [2] Botnet caught red handed stealing from Google, The Register, 2009. • [3] Viral Web infection siphons ad dollars from Google, The Register, 2009.

  3. ISPs Against Botnets • ISPs are in the best position to detect and fight botnets • Initiatives by IETF[1] and IIA[2] propose ISPs should: • Detectbotnets • Remediate infected devices • Yet, the revenue of ISPs is not (directly) affected by the botnets • Incentive for ISPs to fight botnets? • [1] M. O’Reirdan et al., Recommendations for the Remediation of Bots in ISP Networks, IETF, September 2009. • [2] M. O’Reirdan et al., ISP Voluntary Code of Practice for Industry Self-regulation in the Area of e-security, Internet Industry Association (IIA), September2009.

  4. ISPs and Ad Networks Against Botnet Ad Fraud? • Economic incentive for ANs to fight botnet ad fraud • ANs would benefit if ISPs fight botnets • Economic incentive for ISPs to fight botnets? • If it is at least cost neutral, or cost positive Are ANs willing to subsidize ISPs to fight botnets? Are ANs willing to fight botnet ad fraud themselves?

  5. Related Work • Online advertising fraud • The best strategy for ad networks is to fight click fraud [1] • Incentives to increase the security of the Web • Users’ choice: Investment in security or insurance mechanisms [2] • Our model introduces a new strategic player – the ISP • [1] B. Mungamuru et al., Should Ad Networks Bother Fighting Click Fraud? (Yes, they should.), Stanford InfoLab, Technical Report, July 2008. • [2] J. Grossklags et al., Secure or insure?: a game-theoretic analysis of information security games, WWW 2008.

  6. Outline • Strategic behavior of ISPs and ANs • Threats and Countermeasures • Botnet Ad Fraud: A Case Study • Game-theoretic Model • Numerical Analysis

  7. Botnet User (U) Ad Servers (AS) Websites (WS) ISP System Model Ad Network (AN) Embedding ads Placing ads Web page Advertisers (AV) Ads • Online advertising system • ISP • Bots participating in ad fraud

  8. Role of ISPs • Traditional role: • Provide Internet access to end users • Forward the communication in compliance with Network Neutrality Policy • New requirements • Data retention legislations • IETF and IIA initiatives for ISPs to detect bots and remediate infected devices • 90% of Australian ISP subscribers are covered by this initiative • A similar program is ready to be launched in Germany in 2010 • How to fund the initiatives? • Governments?

  9. Botnets 1. Spreading the Malware: via SPAM, Web, Worms,… Botnet – A collection of software robots (bots) that run autonomously and automatically Command and Control (C&C) Malware Covert Channel (e.g., IRC ) End Host Bot (Zombie) Bot Master: controls the bots remotely 3. Hidden Communication with C&C: Instructions for the attacks (e.g., DDoS, SPAM, Adware, Spyware, Ad Fraud) 2. Local Infection: Malware infects the system and hides using Rootkit techniques

  10. Threat: Botnet Ad Fraud • More and more botnets committing ad fraud [1] • Focus on botnets where: • Malware causes infected devices to return altered ads • Users’ clicks on altered ads generate ad revenue for botnet masters instead of ANs • Consequence: Bots divert a fraction of ad revenue from ANs • [1] Biggest, BaddestBotnets: Wanted Dead or Alive, PC World, 2009.

  11. Countermeasures • ANs can protect their ad revenue by: • Improving security of online advertising systems • More difficult for an adversary to successfully exploit those systems • Funding ISPs to fight botnets involved in ad frauds • Eliminate the major cause of the revenue loss – botnets

  12. Outline • Strategic behavior of ISPs and ANs • Threats and Countermeasures • Botnet Ad Fraud: A Case Study • Game-theoretic Model • Numerical Analysis

  13. Popularity of Websites • Infer number of generated clicks on ads for the top 1000 most popular websites in June 2009 • based on the data of page views [Compete.com] • Distribution of clicks follows the power law • Q(n) – the number of clicks on ads per year at n-th ranked website • Extrapolate Q(n) for the entire Web • Estimated ad revenue generated by the top x websites : • k – revenue each click generates for the AN • P=$22.4 billions – total annual ad revenue

  14. Securing Websites • Provide valid certificates for websites • Deploy HTTPS between users, websites and ad servers • Cost for AN to secure NS websites = cSNS • If bots divert a fraction λ of the ad revenue P, the optimal NS is: • Proof: utility of the AN: secure insecure x

  15. ISP and AN Cooperation • ISP: • Deploys a detection system (at a cost cD) • Successfully detects a fraction PD of NB bots in the network • Online help desk to help subscribers remediate infected devices (at a cost cRper device) • AN: • Provides a reward R to the ISP per each remediated device • Cooperation outcome: remediation of NR infected devices • Optimal NR is: • Proof:

  16. Outline • Strategic behavior of ISPs and ANs • Threats and Countermeasures • Botnet Ad Fraud: A Case Study • Game-theoretic Model • Numerical Analysis

  17. Game-theoretic Model • Behavior of the ISP: • Abstain (A) – forwards users’ communication • Cooperate (C) – detects bots and remediates NR = PDNB infected devices • Behavior of the AN: • Abstain (A) – does not take any countermeasure • Cooperate (C) – subsidizes the ISP to fight botnet ad fraud by providing a reward R per each remediated device • Secure (S) – secures NS websites • Cooperate & Secure (C+S) – deploy both countermeasures

  18. The Game • Dynamic, single-stage game G={P,SA,U} • Set of players: P={ISP, AN} • Set of actions: SA • Set of utility functions: U • Complete and perfect information • Identify Nash Equilibrium (NE)

  19. Game in the Normal Form • Payoffs = (UISP,UAN) A C A C S+C S • λ – fraction of diverted ad revenue by the bots • When playing S+C, the number of secured websites is:

  20. Solving the Game • Payoffs = (UISP,UAN) A C A C S+C S • If R<cD/NR+cR and , NE: (A,A) • If R<cD/NR+cR and , NE: (A,S) • If R≥cD/NR+cR and , NE:(C,S+C) 20

  21. Game Results • If R<cD/NR+cR and , NE: (A,A) • If R<cD/NR+cR and , NE: (A,S) • If R≥cD/NR+cR and , NE:(C,S+C) 0 1 λ (Cooperate,Secure+Cooperate) (Abstain,Abstain) (Abstain,Secure)

  22. Outline • Strategic behavior of ISPs and Ans • Threats and Countermeasures • Botnet Ad Fraud: A Case Study • Game-theoretic Model • Numerical Analysis

  23. Evaluations on a real data set • Top 1000 most popular websites [Compete.com] • Extrapolated with the power law • Parameters: • Fraction of ad revenue diverted by bots (λ) • Number of bots in the network (NB) • Assumptions: • cS = $400 – the estimated cost of deploying a X.509 certificate and HTTPS at the web server • cR = $100– the estimated cost of remediating an infected device • cD= $100k – the estimated cost of the detection system

  24. Game Results • NB=104 • λ<2· 10-6 • λ<2· 10-6 • λ=6· 10-5 • λ=6· 10-5 • (A,S) • (A,S) • (C,C+S) • (C,C+S) • (A,A) • (A,A) • (Abstain,Abstain): NS=0 & NR=0 • (Abstain,Secure): NS≠0 & NR=0 • (Cooperate,Cooperate+Secure):NS ≠ 0 & NR ≠ 0

  25. Game Results contd. • NB=107 • λ<2· 10-6 • λ<2· 10-6 • λ=0.072 • λ=0.072 • (A,S) • (A,S) • (C,C+S) • (C,C+S) • (A,A) • (A,A) • (Abstain,Abstain): NS=0 & NR=0 • (Abstain,Secure): NS≠0 & NR=0 • (Cooperate,Cooperate+Secure):NS ≠ 0 & NR ≠ 0

  26. Effect of number of bots (NB) • In a system with a given PD, when NB is high, the AN is cooperative only when the revenue loss is very high

  27. Conclusion • Novel problem of ISPs and ANs as strategic participants in efforts to fight botnets • Studied the behavior and interactions of the ISPs and ANs • Applied game-theoretic model to the real data • Cooperation between ISPs and ANs: • Reduces online crime in general • Users benefit from ISPs’ help in maintaining the security of users’ devices • ISPs and ANs earn more • ANs securing websites: • Improved Web security • The most important websites secured first

More Related