ISPs and Ad Networks Against Botnet Ad Fraud
Nevena Vratonjic, Mohammad Hossein Manshaei, Maxim Raya and Jean-Pierre Hubaux
November 2010, GameSec’10

Online Ad Fraud
• Online advertising is the major source of revenue on the Web ($22.4 billion in the US in 2009)
• Exploits of the online advertising systems
  • Click fraud (DormRing1 [1])
  • On-the-fly modification of ads (Bahama [2], Gumblar [3])
  • Botnet ad fraud!
• Ad fraud negatively affects the revenue of ad networks (ANs), advertisers and websites
• Economic incentive to fight botnet ad fraud
[1] Multi-million dollar Chinese click fraud ring broken, Anchor, 2009.
[2] Botnet caught red handed stealing from Google, The Register, 2009.
[3] Viral Web infection siphons ad dollars from Google, The Register, 2009.

ISPs Against Botnets
• ISPs are in the best position to detect and fight botnets
• Initiatives by IETF [1] and IIA [2] propose ISPs should:
  • Detect botnets
  • Remediate infected devices
• Yet, the revenue of ISPs is not (directly) affected by the botnets
• Incentive for ISPs to fight botnets?
[1] M. O’Reirdan et al., Recommendations for the Remediation of Bots in ISP Networks, IETF, September 2009.
[2] M. O’Reirdan et al., ISP Voluntary Code of Practice for Industry Self-regulation in the Area of e-security, Internet Industry Association (IIA), September 2009.

ISPs and Ad Networks Against Botnet Ad Fraud?
• Economic incentive for ANs to fight botnet ad fraud
  • ANs would benefit if ISPs fight botnets
• Economic incentive for ISPs to fight botnets?
  • If it is at least cost neutral, or cost positive
Are ANs willing to subsidize ISPs to fight botnets?
Are ANs willing to fight botnet ad fraud themselves?

Related Work
• Online advertising fraud
  • The best strategy for ad networks is to fight click fraud [1]
• Incentives to increase the security of the Web
  • Users’ choice: Investment in security or insurance mechanisms [2]
• Our model introduces a new strategic player – the ISP
[1] B. Mungamuru et al., Should Ad Networks Bother Fighting Click Fraud? (Yes, they should.), Stanford InfoLab, Technical Report, July 2008.
[2] J. Grossklags et al., Secure or insure?: a game-theoretic analysis of information security games, WWW 2008.

Outline
• Strategic behavior of ISPs and ANs
• Threats and Countermeasures
• Botnet Ad Fraud: A Case Study
• Game-theoretic Model
• Numerical Analysis

System Model
[Figure: Botnet, User (U), ISP, Websites (WS), Ad Servers (AS), Ad Network (AN) and Advertisers (AV); arrows labelled "Placing ads", "Embedding ads", "Web page" and "Ads"]
• Online advertising system
• ISP
• Bots participating in ad fraud

Role of ISPs
• Traditional role:
  • Provide Internet access to end users
  • Forward the communication in compliance with Network Neutrality Policy
• New requirements
  • Data retention legislation
  • IETF and IIA initiatives for ISPs to detect bots and remediate infected devices
    • 90% of Australian ISP subscribers are covered by this initiative
    • A similar program is ready to be launched in Germany in 2010
• How to fund the initiatives?
  • Governments?

Botnets
Botnet – A collection of software robots (bots) that run autonomously and automatically
1. Spreading the Malware: via SPAM, Web, Worms,…
2. Local Infection: Malware infects the system and hides using Rootkit techniques
3. Hidden Communication with C&C: Instructions for the attacks (e.g., DDoS, SPAM, Adware, Spyware, Ad Fraud)
Bot Master: controls the bots remotely
[Figure: Bot Master, Command and Control (C&C), Covert Channel (e.g., IRC), Malware, End Host, Bot (Zombie)]

Threat: Botnet Ad Fraud
• More and more botnets committing ad fraud [1]
• Focus on botnets where:
  • Malware causes infected devices to return altered ads
  • Users’ clicks on altered ads generate ad revenue for botnet masters instead of ANs
• Consequence: Bots divert a fraction of ad revenue from ANs
[1] Biggest, Baddest Botnets: Wanted Dead or Alive, PC World, 2009.

Countermeasures
• ANs can protect their ad revenue by:
  • Improving security of online advertising systems
    • More difficult for an adversary to successfully exploit those systems
  • Funding ISPs to fight botnets involved in ad frauds
    • Eliminate the major cause of the revenue loss – botnets

Popularity of Websites
• Infer number of generated clicks on ads for the top 1000 most popular websites in June 2009
  • based on the data of page views [Compete.com]
• Distribution of clicks follows the power law
  • Q(n) – the number of clicks on ads per year at n-th ranked website
  • Extrapolate Q(n) for the entire Web
• Estimated ad revenue generated by the top x websites:
  • k – revenue each click generates for the AN
  • P = $22.4 billion – total annual ad revenue

Securing Websites
• Provide valid certificates for websites
• Deploy HTTPS between users, websites and ad servers
• Cost for AN to secure N_S websites = c_S · N_S
• If bots divert a fraction λ of the ad revenue P, the optimal N_S is:
• Proof: utility of the AN:
[Figure labels: secure, insecure, x]

ISP and AN Cooperation
• ISP:
  • Deploys a detection system (at a cost c_D)
  • Successfully detects a fraction P_D of N_B bots in the network
  • Online help desk to help subscribers remediate infected devices (at a cost c_R per device)
• AN:
  • Provides a reward R to the ISP per each remediated device
• Cooperation outcome: remediation of N_R infected devices
• Optimal N_R is:
• Proof:

Game-theoretic Model
• Behavior of the ISP:
  • Abstain (A) – forwards users’ communication
  • Cooperate (C) – detects bots and remediates N_R = P_D · N_B infected devices
• Behavior of the AN:
  • Abstain (A) – does not take any countermeasure
  • Cooperate (C) – subsidizes the ISP to fight botnet ad fraud by providing a reward R per each remediated device
  • Secure (S) – secures N_S websites
  • Cooperate & Secure (C+S) – deploy both countermeasures

The Game
• Dynamic, single-stage game G={P,SA,U}
  • Set of players: P={ISP, AN}
  • Set of actions: SA
  • Set of utility functions: U
• Complete and perfect information
• Identify Nash Equilibrium (NE)

Game in the Normal Form
• Payoffs = (U_ISP, U_AN)
[Table: payoff matrix, ISP actions {A, C} against AN actions {A, C, S+C, S}]
• λ – fraction of diverted ad revenue by the bots
• When playing S+C, the number of secured websites is:

Solving the Game
• Payoffs = (U_ISP, U_AN)
[Table: payoff matrix, ISP actions {A, C} against AN actions {A, C, S+C, S}]
• If R < c_D/N_R + c_R and , NE: (A,A)
• If R < c_D/N_R + c_R and , NE: (A,S)
• If R ≥ c_D/N_R + c_R and , NE: (C,S+C)

Game Results
• If R < c_D/N_R + c_R and , NE: (A,A)
• If R < c_D/N_R + c_R and , NE: (A,S)
• If R ≥ c_D/N_R + c_R and , NE: (C,S+C)
[Figure: λ axis from 0 to 1 with regions labelled (Cooperate,Secure+Cooperate), (Abstain,Abstain) and (Abstain,Secure)]

Evaluations on a real data set
• Top 1000 most popular websites [Compete.com]
  • Extrapolated with the power law
• Parameters:
  • Fraction of ad revenue diverted by bots (λ)
  • Number of bots in the network (N_B)
• Assumptions:
  • c_S = $400 – the estimated cost of deploying an X.509 certificate and HTTPS at the web server
  • c_R = $100 – the estimated cost of remediating an infected device
  • c_D = $100k – the estimated cost of the detection system

Game Results
• N_B = 10^4
[Figure: equilibrium regions (A,A), (A,S) and (C,C+S), with marked values λ < 2·10^-6 and λ = 6·10^-5]
• (Abstain,Abstain): N_S = 0 & N_R = 0
• (Abstain,Secure): N_S ≠ 0 & N_R = 0
• (Cooperate,Cooperate+Secure): N_S ≠ 0 & N_R ≠ 0

Game Results contd.
• N_B = 10^7
[Figure: equilibrium regions (A,A), (A,S) and (C,C+S), with marked values λ < 2·10^-6 and λ = 0.072]
• (Abstain,Abstain): N_S = 0 & N_R = 0
• (Abstain,Secure): N_S ≠ 0 & N_R = 0
• (Cooperate,Cooperate+Secure): N_S ≠ 0 & N_R ≠ 0

Effect of number of bots (N_B)
• In a system with a given P_D, when N_B is high, the AN is cooperative only when the revenue loss is very high

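The ISP's participation condition R ≥ c_D/N_R + c_R, evaluated for the two bot populations with the cost assumptions listed earlier; this is an added example, not part of the original presentation. The detection rate P_D = 0.5 is an assumed value (the slides give none) and the function names are illustrative.

```python
# Added example: ISP side of the equilibrium condition R >= c_D/N_R + c_R.
C_D = 100_000        # detection system cost c_D, from the slides ($100k)
C_R = 100            # remediation cost per device c_R, from the slides ($100)
P_TOTAL = 22.4e9     # total annual ad revenue P, from the slides
P_D_ASSUMED = 0.5    # detection rate P_D: ASSUMPTION, no value in the slides


def remediated(n_bots, p_d=P_D_ASSUMED):
    """N_R = P_D * N_B, the number of devices the ISP remediates."""
    if not 0.0 <= p_d <= 1.0:
        raise ValueError("P_D must be a probability")
    return p_d * n_bots


def min_reward(n_bots, p_d=P_D_ASSUMED):
    """Smallest per-device reward R meeting R >= c_D/N_R + c_R.

    Returns None when N_R == 0: no per-device reward can repay c_D.
    """
    n_r = remediated(n_bots, p_d)
    return None if n_r == 0 else C_D / n_r + C_R


def isp_action(reward, n_bots, p_d=P_D_ASSUMED):
    """'C' (cooperate) when the threshold is met, otherwise 'A' (abstain)."""
    r_min = min_reward(n_bots, p_d)
    return "C" if r_min is not None and reward >= r_min else "A"


def min_subsidy_fraction(n_bots, p_d=P_D_ASSUMED):
    """Least total payment R*N_R = c_D + c_R*N_R, as a fraction of P."""
    n_r = remediated(n_bots, p_d)
    return None if n_r == 0 else (C_D + C_R * n_r) / P_TOTAL


if __name__ == "__main__":
    for n_b in (10**4, 10**7):   # the two N_B values used in the slides
        print(f"N_B={n_b:.0e}  R_min=${min_reward(n_b):.2f}  "
              f"ISP at R=$110: {isp_action(110, n_b)}  "
              f"min subsidy / P = {min_subsidy_fraction(n_b):.2e}")
```

The per-device reward needed falls toward c_R as N_B grows, while the total the AN must pay grows roughly in proportion to N_B.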
Conclusion
• Novel problem of ISPs and ANs as strategic participants in efforts to fight botnets
• Studied the behavior and interactions of the ISPs and ANs
• Applied game-theoretic model to the real data
• Cooperation between ISPs and ANs:
  • Reduces online crime in general
  • Users benefit from ISPs’ help in maintaining the security of users’ devices
  • ISPs and ANs earn more
• ANs securing websites:
  • Improved Web security
  • The most important websites secured first