ISPs and Ad Networks Against Botnet Ad Fraud. Nevena Vratonjic, Mohammad Hossein Manshaei, Maxim Raya and Jean-Pierre Hubaux. November 2010, GameSec’10. Online Ad Fraud. Online advertising is the major source of revenue on the Web ($22.4 billion in the US in 2009)

ISPs and Ad Networks Against Botnet Ad Fraud
Nevena Vratonjic, Mohammad Hossein Manshaei, Maxim Raya and Jean-Pierre Hubaux
November 2010, GameSec’10

Online Ad Fraud
- Online advertising is the major source of revenue on the Web ($22.4 billion in the US in 2009)
- Exploits of the online advertising systems
  - Click fraud (DormRing1 [1])
  - On-the-fly modification of ads (Bahama [2], Gumblar [3])
  - Botnet ad fraud!
- Ad fraud negatively affects the revenue of ad networks (ANs), advertisers and websites
- Economic incentive to fight botnet ad fraud

[1] Multi-million dollar Chinese click fraud ring broken, Anchor, 2009.
[2] Botnet caught red handed stealing from Google, The Register, 2009.
[3] Viral Web infection siphons ad dollars from Google, The Register, 2009.

ISPs Against Botnets
- ISPs are in the best position to detect and fight botnets
- Initiatives by IETF [1] and IIA [2] propose ISPs should:
  - Detect botnets
  - Remediate infected devices
- Yet, the revenue of ISPs is not (directly) affected by the botnets
- Incentive for ISPs to fight botnets?

[1] M. O’Reirdan et al., Recommendations for the Remediation of Bots in ISP Networks, IETF, September 2009.
[2] M. O’Reirdan et al., ISP Voluntary Code of Practice for Industry Self-regulation in the Area of e-security, Internet Industry Association (IIA), September 2009.

ISPs and Ad Networks Against Botnet Ad Fraud?
- Economic incentive for ANs to fight botnet ad fraud
- ANs would benefit if ISPs fight botnets
- Economic incentive for ISPs to fight botnets?
  - If it is at least cost neutral, or cost positive
- Are ANs willing to subsidize ISPs to fight botnets?
- Are ANs willing to fight botnet ad fraud themselves?

Related Work
- Online advertising fraud
  - The best strategy for ad networks is to fight click fraud [1]
- Incentives to increase the security of the Web
  - Users’ choice: Investment in security or insurance mechanisms [2]
- Our model introduces a new strategic player – the ISP

[1] B. Mungamuru et al., Should Ad Networks Bother Fighting Click Fraud? (Yes, they should.), Stanford InfoLab, Technical Report, July 2008.
[2] J. Grossklags et al., Secure or insure?: a game-theoretic analysis of information security games, WWW 2008.

Outline
I. Strategic behavior of ISPs and ANs
II. Threats and Countermeasures
III. Botnet Ad Fraud: A Case Study
IV. Game-theoretic Model
V. Numerical Analysis

System Model
[Figure: the online advertising system. Labels: User (U), ISP, Websites (WS), Ad Servers (AS), Advertisers (AV), Ad Network (AN), "Placing ads", "Embedding ads", "Web page", "Ads", Botnet (bots participating in ad fraud).]

Role of ISPs
- Traditional role:
  - Provide Internet access to end users
  - Forward the communication in compliance with Network Neutrality Policy
- New requirements:
  - Data retention legislations
  - IETF and IIA initiatives for ISPs to detect bots and remediate infected devices
    - 90% of Australian ISP subscribers are covered by this initiative
    - A similar program is ready to be launched in Germany in 2010
- How to fund the initiatives? Governments?

Botnets
Botnet – A collection of software robots (bots) that run autonomously and automatically
[Figure labels: Bot Master (controls the bots remotely), Command and Control (C&C), Malware, Covert Channel (e.g., IRC), End Host, Bot (Zombie)]
1. Spreading the Malware: via SPAM, Web, Worms, …
2. Local Infection: Malware infects the system and hides using Rootkit techniques
3. Hidden Communication with C&C: Instructions for the attacks (e.g., DDoS, SPAM, Adware, Spyware, Ad Fraud)

Threat: Botnet Ad Fraud
- More and more botnets committing ad fraud [1]
- Focus on botnets where:
  - Malware causes infected devices to return altered ads
  - Users’ clicks on altered ads generate ad revenue for botnet masters instead of ANs
- Consequence:
  - Bots divert a fraction of ad revenue from ANs

[1] Biggest, Baddest Botnets: Wanted Dead or Alive, PC World, 2009.

Countermeasures
ANs can protect their ad revenue by:
1. Improving security of online advertising systems
   - More difficult for an adversary to successfully exploit those systems
2. Funding ISPs to fight botnets involved in ad fraud
   - Eliminate the major cause of the revenue loss – botnets

Popularity of Websites
- Infer number of generated clicks on ads for the top 1000 most popular websites in June 2009, based on the data of page views [Compete.com]
- Distribution of clicks follows the power law
  - Q(n) – the number of clicks on ads per year at the n-th ranked website
- Extrapolate Q(n) for the entire Web
- Estimated ad revenue generated by the top x websites:
  - k – revenue each click generates for the AN
  - P = $22.4 billion – total annual ad revenue
nnQ )(
x
xkdnnk1
1 )1()1(

Securing Websites
1. Provide valid certificates for websites
2. Deploy HTTPS between users, websites and ad servers
- Cost for AN to secure NS websites = cS NS
- If bots divert a fraction λ of the ad revenue P, the optimal NS is:
- Proof: utility of the AN:
1
)1(
SS c
PN
xcdnndnnk Sx
x
)1(1
secure insecure
x

ISP and AN Cooperation
- ISP:
  - Deploys a detection system (at a cost cD)
  - Successfully detects a fraction PD of NB bots in the network
  - Online help desk to help subscribers remediate infected devices (at a cost cR per device)
- AN:
  - Provides a reward R to the ISP per each remediated device
- Cooperation outcome: remediation of NR infected devices
- Optimal NR is:
  \( N_R = P_D N_B \)
- Proof:
  \( u_{ISP} = N_R (R - c_R) - c_D \)
  \( u_{AN} = P\left(1 - \lambda\left(1 - \frac{N_R}{N_B}\right)\right) - N_R R \)

Game-theoretic Model
- Behavior of the ISP:
  - Abstain (A) – forwards users’ communication
  - Cooperate (C) – detects bots and remediates NR = PDNB infected devices
- Behavior of the AN:
  - Abstain (A) – does not take any countermeasure
  - Cooperate (C) – subsidizes the ISP to fight botnet ad fraud by providing a reward R per each remediated device
  - Secure (S) – secures NS websites
  - Cooperate & Secure (C+S) – deploy both countermeasures

The Game
- Dynamic, single-stage game G={P,SA,U}
  - Set of players: P={ISP, AN}
  - Set of actions: SA
  - Set of utility functions: U
- Complete and perfect information
- Identify Nash Equilibrium (NE)

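Game in the Normal Form
[Payoff matrix: ISP strategies A, C; AN strategies A, C, S, S+C; cell entries not preserved in the transcript]
- λ – fraction of diverted ad revenue by the bots
- When playing S+C, the number of secured websites is: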
SB
R
SSC N
NN
cPN
1
)1)(1(
Payoffs = (UISP,UAN)

Solving the Game
[Payoff matrix: ISP strategies A, C; AN strategies A, C, S, S+C; cell entries not preserved in the transcript]
Payoffs = (UISP,UAN)
If R<cD/NR+cR and , NE: (A,A)
If R<cD/NR+cR and , NE: (A,S)
If R≥cD/NR+cR and , NE:
(C,S+C)
)1( 1
S
SS
NPcN
)1( 1
S
SS
NPcN
1
1 )1(1,B
R
S
SSR
NNG
GPNGcNRN

Game Results
[Figure: λ axis from 0 to 1, divided by the threshold expressions of the previous slide into regions labelled (Abstain,Abstain), (Abstain,Secure) and (Cooperate,Secure+Cooperate)]

Evaluations on a real data set
- Top 1000 most popular websites [Compete.com]
- Extrapolated with the power law:
  \( Q(n) = 3.18 \cdot 10^{9} \, n^{-1.044} \)
- Parameters:
  - Fraction of ad revenue diverted by bots (λ)
  - Number of bots in the network (NB)
- Assumptions:
  - cS = $400 – the estimated cost of deploying an X.509 certificate and HTTPS at the web server
  - cR = $100 – the estimated cost of remediating an infected device
  - cD = $100k – the estimated cost of the detection system

Game Results, NB=10^4
- (Abstain,Abstain): NS=0 & NR=0
- (Abstain,Secure): NS≠0 & NR=0
- (Cooperate,Cooperate+Secure): NS≠0 & NR≠0
[Figure: two plots with regions labelled (A,A), (A,S) and (C,C+S) and markers λ<2·10^-6 and λ=6·10^-5]

Game Results contd., NB=10^7
- (Abstain,Abstain): NS=0 & NR=0
- (Abstain,Secure): NS≠0 & NR=0
- (Cooperate,Cooperate+Secure): NS≠0 & NR≠0
[Figure: two plots with regions labelled (A,A), (A,S) and (C,C+S) and markers λ<2·10^-6 and λ=0.072]

Effect of number of bots (NB)
In a system with a given PD, when NB is high, the AN is cooperative only when the revenue loss is very high
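
An added example (not from the slides or the paper) showing why a larger NB pushes the AN's cooperation point to a higher λ. It uses the ISP condition R ≥ cD/NR + cR and the slide values of P, cD and cR; PD = 0.5 and the linear recovery of revenue are assumptions, and the Secure action is left out, so the numbers are not the slides' thresholds.

```python
# Added example: ISP/AN cooperation feasibility from the slide parameters.
P = 22.4e9      # total annual ad revenue ($), from the slides
C_D = 100_000   # detection system cost ($), from the slides
C_R = 100       # remediation cost per device ($), from the slides
P_D = 0.5       # detection rate: ASSUMED, the slides give no value


def min_reward(n_b, p_d=P_D):
    """Smallest per-device reward R at which the ISP breaks even:
    R >= cD/NR + cR, with NR = PD * NB remediated devices."""
    n_r = p_d * n_b
    return C_D / n_r + C_R


def max_reward(lam, n_b):
    """Largest R the AN can pay without losing money versus abstaining.
    ASSUMPTION: the diverted fraction shrinks linearly with remediated
    bots, so remediating NR of NB bots recovers lam * P * NR / NB."""
    return lam * P / n_b


def cooperation_feasible(lam, n_b, p_d=P_D):
    """True when some R satisfies both the ISP and the AN."""
    return max_reward(lam, n_b) >= min_reward(n_b, p_d)


def lambda_threshold(n_b, p_d=P_D):
    """Smallest diverted fraction lam for which cooperation is feasible,
    obtained by equating max_reward and min_reward."""
    return (C_D / p_d + C_R * n_b) / P


def sweep(bot_counts=(10**4, 10**5, 10**6, 10**7)):
    """(NB, minimum R, lam threshold) for each botnet size."""
    return [(n, min_reward(n), lambda_threshold(n)) for n in bot_counts]


if __name__ == "__main__":
    for n_b, r_min, lam_min in sweep():
        print(f"NB={n_b:>8}  R_min=${r_min:8.2f}  lam_min={lam_min:.2e}")
```

The per-device reward the ISP needs falls towards cR as NB grows, but the AN's gain per remediated device falls as 1/NB, so the λ at which a mutually acceptable R exists rises with NB.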

Conclusion
- Novel problem of ISPs and ANs as strategic participants in efforts to fight botnets
- Studied the behavior and interactions of the ISPs and ANs
- Applied game-theoretic model to the real data
- Cooperation between ISPs and ANs:
  - Reduces online crime in general
  - Users benefit from ISPs’ help in maintaining the security of users’ devices
  - ISPs and ANs earn more
- ANs securing websites:
  - Improved Web security
  - The most important websites secured first