ISPs and Ad Networks Against Botnet Ad Fraud

Nov 3, 2013

Nevena Vratonjic, Mohammad Hossein Manshaei, Maxim Raya and Jean-Pierre Hubaux

November 2010, GameSec’10

Online Ad Fraud

- Online advertising is the major source of revenue on the Web ($22.4 billion in the US in 2009)
- Exploits of the online advertising systems
  - Click fraud (DormRing1 [1])
  - On-the-fly modification of ads (Bahama [2], Gumblar [3])
  - Botnet ad fraud!
- Ad fraud negatively affects the revenue of ad networks (ANs), advertisers and websites
  - Economic incentive to fight botnet ad fraud

[1] Multi-million dollar Chinese click fraud ring broken, Anchor, 2009.
[2] Botnet caught red handed stealing from Google, The Register, 2009.
[3] Viral Web infection siphons ad dollars from Google, The Register, 2009.

ISPs Against Botnets

- ISPs are in the best position to detect and fight botnets
- Initiatives by IETF [1] and IIA [2] propose ISPs should:
  - Detect botnets
  - Remediate infected devices
- Yet, the revenue of ISPs is not (directly) affected by the botnets
  - Incentive for ISPs to fight botnets?

[1] M. O’Reirdan et al., Recommendations for the Remediation of Bots in ISP Networks, IETF, September 2009.
[2] M. O’Reirdan et al., ISP Voluntary Code of Practice for Industry Self-regulation in the Area of e-security, Internet Industry Association (IIA), September 2009.

ISPs and Ad Networks Against Botnet Ad Fraud?

- Economic incentive for ANs to fight botnet ad fraud
  - ANs would benefit if ISPs fight botnets
- Economic incentive for ISPs to fight botnets?
  - If it is at least cost neutral, or cost positive

Are ANs willing to subsidize ISPs to fight botnets?
Are ANs willing to fight botnet ad fraud themselves?

Related Work

- Online advertising fraud
  - The best strategy for ad networks is to fight click fraud [1]
- Incentives to increase the security of the Web
  - Users’ choice: Investment in security or insurance mechanisms [2]
- Our model introduces a new strategic player: the ISP

[1] B. Mungamuru et al., Should Ad Networks Bother Fighting Click Fraud? (Yes, they should.), Stanford InfoLab, Technical Report, July 2008.
[2] J. Grossklags et al., Secure or insure?: a game-theoretic analysis of information security games, WWW 2008.

Outline

I. Strategic behavior of ISPs and ANs
II. Threats and Countermeasures
III. Botnet Ad Fraud: A Case Study
IV. Game-theoretic Model
V. Numerical Analysis

System Model

[Figure: online advertising system. Entities: User (U), ISP, Websites (WS), Ad Servers (AS), Advertisers (AV), Ad Network (AN). Flows: placing ads, embedding ads, web page, ads. Also shown: a botnet, with bots participating in ad fraud.]
Role of ISPs

- Traditional role:
  - Provide Internet access to end users
  - Forward the communication in compliance with Network Neutrality Policy
- New requirements
  - Data retention legislation
  - IETF and IIA initiatives for ISPs to detect bots and remediate infected devices
    - 90% of Australian ISP subscribers are covered by this initiative
    - A similar program is ready to be launched in Germany in 2010
- How to fund the initiatives?
  - Governments?

Botnets

- Botnet: A collection of software robots (bots) that run autonomously and automatically
- Bot Master: controls the bots remotely
- Bot (Zombie): End Host
- Command and Control (C&C): Covert Channel (e.g., IRC)

1. Spreading the Malware: via SPAM, Web, Worms, …
2. Local Infection: Malware infects the system and hides using Rootkit techniques
3. Hidden Communication with C&C: Instructions for the attacks (e.g., DDoS, SPAM, Adware, Spyware, Ad Fraud)

Threat: Botnet Ad Fraud

- More and more botnets committing ad fraud [1]
- Focus on botnets where:
  - Malware causes infected devices to return altered ads
  - Users’ clicks on altered ads generate ad revenue for botnet masters instead of ANs
- Consequence:
  - Bots divert a fraction of ad revenue from ANs

[1] Biggest, Baddest Botnets: Wanted Dead or Alive, PC World, 2009.

Countermeasures

ANs can protect their ad revenue by:

1. Improving security of online advertising systems
   - More difficult for an adversary to successfully exploit those systems
2. Funding ISPs to fight botnets involved in ad frauds
   - Eliminate the major cause of the revenue loss: botnets


Popularity of Websites

- Infer number of generated clicks on ads for the top 1000 most popular websites in June 2009
  - based on the data of page views [Compete.com]
- Distribution of clicks follows the power law
  - Q(n): the number of clicks on ads per year at the n-th ranked website
- Extrapolate Q(n) for the entire Web
- Estimated ad revenue generated by the top x websites:
  - k: revenue each click generates for the AN
  - P = $22.4 billion: total annual ad revenue

Securing Websites

1. Provide valid certificates for websites
2. Deploy HTTPS between users, websites and ad servers

- Cost for AN to secure N_S websites = c_S N_S
- If bots divert a fraction λ of the ad revenue P, the optimal N_S is:
- Proof: utility of the AN:

[Figure: axis x, with regions labelled secure and insecure]

ISP and AN Cooperation

- ISP:
  - Deploys a detection system (at a cost c_D)
  - Successfully detects a fraction P_D of N_B bots in the network
  - Online help desk to help subscribers remediate infected devices (at a cost c_R per device)
- AN:
  - Provides a reward R to the ISP per each remediated device
- Cooperation outcome: remediation of N_R infected devices
  - Optimal N_R is:
  - Proof:


Game-theoretic Model

- Behavior of the ISP:
  - Abstain (A): forwards users’ communication
  - Cooperate (C): detects bots and remediates N_R = P_D N_B infected devices
- Behavior of the AN:
  - Abstain (A): does not take any countermeasure
  - Cooperate (C): subsidizes the ISP to fight botnet ad fraud by providing a reward R per each remediated device
  - Secure (S): secures N_S websites
  - Cooperate & Secure (C+S): deploy both countermeasures

The Game

- Dynamic, single-stage game G = {P, S_A, U}
  - Set of players: P = {ISP, AN}
  - Set of actions: S_A
  - Set of utility functions: U
- Complete and perfect information
- Identify Nash Equilibrium (NE)

Game in the Normal Form

[Table: normal-form game with labels A, S, S+C and A, C, C; Payoffs = (U_ISP, U_AN)]

- λ: fraction of diverted ad revenue by the bots
- When playing S+C, the number of secured websites is:

Solving the Game

[Table: normal-form game with labels A, S, S+C and A, C, C; Payoffs = (U_ISP, U_AN)]

- If R < c_D/N_R + c_R and [...], NE: (A,A)
- If R < c_D/N_R + c_R and [...], NE: (A,S)
- If R ≥ c_D/N_R + c_R and [...], NE: (C, S+C)
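Where the ISP's side of these conditions comes from, as an added derivation that is not on the original slides. It assumes the ISP's utility when abstaining is normalised to 0 and that its only costs and income when cooperating are the ones listed on the ISP and AN Cooperation slide (detection cost c_D, remediation cost c_R per device, reward R per device):

\[
U_{ISP}(C) = R\,N_R - c_D - c_R\,N_R \;\ge\; 0 = U_{ISP}(A)
\quad\Longleftrightarrow\quad
R \;\ge\; \frac{c_D}{N_R} + c_R, \qquad N_R = P_D N_B .
\]

Multiplying through by N_R, the total subsidy the AN must pay for the ISP to cooperate is at least c_D + c_R P_D N_B, which grows linearly with the number of bots N_B.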



Game Results

[Figure: λ axis from 0 to 1, with regions labelled (Abstain, Abstain), (Abstain, Secure) and (Cooperate, Secure+Cooperate)]

- If R < c_D/N_R + c_R and [...], NE: (A,A)
- If R < c_D/N_R + c_R and [...], NE: (A,S)
- If R ≥ c_D/N_R + c_R and [...], NE: (C, S+C)


Evaluations on a real data set

- Top 1000 most popular websites [Compete.com]
  - Extrapolated with the power law
- Parameters:
  - Fraction of ad revenue diverted by bots (λ)
  - Number of bots in the network (N_B)
- Assumptions:
  - c_S = $400: the estimated cost of deploying an X.509 certificate and HTTPS at the web server
  - c_R = $100: the estimated cost of remediating an infected device
  - c_D = $100k: the estimated cost of the detection system

Game Results

N_B = 10^4

- (Abstain, Abstain): N_S = 0 & N_R = 0
- (Abstain, Secure): N_S ≠ 0 & N_R = 0
- (Cooperate, Cooperate+Secure): N_S [...] 0 & N_R ≠ 0

[Figure: equilibrium regions (A,A), (A,S) and (C,C+S), with marked values λ < 2∙10^-6 and λ = 6∙10^-5]
Game Results contd.

N_B = 10^7

- (Abstain, Abstain): N_S = 0 & N_R = 0
- (Abstain, Secure): N_S ≠ 0 & N_R = 0
- (Cooperate, Cooperate+Secure): N_S [...] 0 & N_R ≠ 0

[Figure: equilibrium regions (A,A), (A,S) and (C,C+S), with marked values λ < 2∙10^-6 and λ = 0.072]

Effect of number of bots (N_B)

- In a system with a given P_D, when N_B is high, the AN is cooperative only when the revenue loss is very high

Conclusion

- Novel problem of ISPs and ANs as strategic participants in efforts to fight botnets
- Studied the behavior and interactions of the ISPs and ANs
- Applied game-theoretic model to the real data
- Cooperation between ISPs and ANs:
  - Reduces online crime in general
  - Users benefit from ISPs’ help in maintaining the security of users’ devices
  - ISPs and ANs earn more
- ANs securing websites:
  - Improved Web security
  - The most important websites secured first