Detecting Fraudulent Clicks From BotNets 2.0
Adam Barth
Joint work with Dan Boneh, Andrew Bortz, Collin Jackson, John Mitchell, Weidong Shao, and Elizabeth Stinson

BotNets, Current and Future

                          Traditional BotNets                        | BotNets 2.0
Persistence               Permanent malware                          | Ephemeral
How hosts are recruited   Infect host (attachments, drive-by downloads) | Browser-based (malicious advertisements, popular web sites)
Uses                      Click-fraud, Spam, DDoS, Key-logging       | Click-fraud, Spam, (maybe DDoS)
Size                      ~100,000 members                           | Much larger

Browser Security Model
Same-origin policy for network access
  – Origin is scheme://host:port
Write HTTP anywhere on the network
  – Easy using HTML forms
  – Except restricted ports, like 25 (SMTP)
Read from origin only
  – Can read some “library” formats from anywhere: JavaScript, CSS, Images, Applets, etc.

Desired Properties of Policy
Can’t send spam
  – Writes to port 25 blocked
Can’t click advertisements
  – Need to READ a token to make a click count
Unfortunately…

DNS Rebinding Attacks
Circumvent browser network access policy
  – attacker.com points to attacker and target
  – Can read and write sockets to anywhere
  <allow-access-from domain="*" to-ports="*" />
(Diagram: attacker’s server, target server, rebind DNS)

An Experiment
We ran a Flash ad (gains socket access)
  – Paid $30
  – 50,951 impressions from 44,924 unique IP addresses
90.6% of browsers vulnerable
  – More if we include other rebinding attacks
$100 to hijack 100,000 IP addresses
  – No click required
  – Impressions are cheap

Duration of IP Hijacking

A Long Tail
Some impressions last for days

Using Rebinding for Click-Fraud
Enroll as a publisher with ad network A
  – Publish pay-per-click ads on your site
Enroll as an advertiser with ad network B
  – Buy pay-per-impression Flash ads
Buy bots for $0.001 each
  – Use 99% just to generate impressions on your site
  – Use 1% to generate ad clicks on $0.50-per-click ads
  – Multiply your money by 5, repeat

Implications for Click-Fraud Defense
Simulates IP distribution exactly
  – Each bot is an independent sample from web visitors
  – Black-listing IPs as bot-infested is meaningless
Traffic time-appropriate for IP
  – Human at that IP is actually surfing the web right now
HTTP headers appropriate for IP
  – Grab real headers from the request for the Flash ad
  – Can’t get cookies, but many networks don’t use them

Distinguish Bots from Humans
Bots cannot simulate human cognition
Can’t use traditional CAPTCHAs
  – Too disruptive to the user experience
  – User has no interest in proving their humanity
Click-fraud detection is a different problem
  – CAPTCHAs determine whether this client is a human
  – We just need to estimate the proportion of humans

A Straw-Man Design
Humans click “Yes!”
Bots click at random
Ad network stats:
  – 3487 Yes clicks
  – 1271 No clicks
How many bots?
  – Expectation: 2542
  – High-probability bound: an exercise for the reader
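The straw-man estimate carried out in code, together with the high-probability bound the slide leaves as an exercise. This is an added example, not the authors' code; it assumes a bot lands on “Yes!” or “No” with probability 1/2 each, which is what the Hoeffding algebra below relies on.

```python
import math

# Constructed from the straw-man slide: humans always click "Yes!", bots pick
# "Yes!" or "No" uniformly at random, so every "No" click is a bot click.
YES_CLICKS = 3487
NO_CLICKS = 1271
P_NO_GIVEN_BOT = 0.5   # assumption: a random bot click lands on "No" half the time


def expected_bots(no_clicks: int = NO_CLICKS, p_no: float = P_NO_GIVEN_BOT) -> float:
    """Point estimate: E[No] = bots * p_no, so bots ~= No / p_no (2542 here)."""
    return no_clicks / p_no


def bot_count_bounds(no_clicks: int = NO_CLICKS, delta: float = 0.01) -> tuple:
    """Hoeffding bound for the reader's exercise (valid only for p_no = 1/2).

    If B bots each land on "No" independently with probability 1/2, then
    P(No <= B/2 - t) and P(No >= B/2 + t) are both <= exp(-2 t^2 / B).
    Requiring that tail to be at least delta and writing x = B/2 gives
    (x - n)^2 = x * ln(1/delta); its two roots are the smallest and largest
    bot counts that could plausibly have produced n "No" clicks.  Each side
    fails with probability at most delta, so the interval holds with
    probability at least 1 - 2*delta.
    """
    n = no_clicks
    L = math.log(1.0 / delta)
    disc = math.sqrt((2 * n + L) ** 2 - 4 * n * n)
    x_low = ((2 * n + L) - disc) / 2
    x_high = ((2 * n + L) + disc) / 2
    return 2 * x_low, 2 * x_high   # (min bots, max bots)


def human_share(yes_clicks: int = YES_CLICKS, no_clicks: int = NO_CLICKS) -> float:
    """The quantity the ad network actually wants: the proportion of human clicks."""
    bots = expected_bots(no_clicks)
    return 1.0 - bots / (yes_clicks + no_clicks)


if __name__ == "__main__":
    lo, hi = bot_count_bounds()
    print(f"expected bots: {expected_bots():.0f}")
    print(f"bots in [{lo:.0f}, {hi:.0f}] with probability >= 0.98")
    print(f"human share: {human_share():.3f}")
```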

A Real Advertisement
Where will humans click?
Bots cannot simulate
Can’t trick humans into clicking
  – Actually need to process the ad

Image Recognition Doesn’t Help
Suppose the bot can identify the hot spots
  – Say by segmenting the image using vision techniques
In what ratio should the bot click?
  – Depends on the relative appeal of the hot spots
  – Requires human-level AI to get right
Any error is a signal of bot proportion

Fraudster Has to Click on Many Ads

Ad Network can Measure Humans
At first, run ads on trusted partners
  – Record distribution of human click locations
  – Easy to record (x, y) coordinates of a click on the web
Cheap for ad network
  – Was going to run the ad anyway
Expensive for attacker to influence
  – Must use valuable bot clicks without payout
  – Must be clicking everywhere all the time
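An added example (not the authors' code) of how an ad network could use the human click distribution measured on trusted partners, per this slide, to act on the Image Recognition slide's point that any error in a bot's click ratio is a signal. The hot spots, the human reference proportions and the suspect publisher's click counts are all constructed, and the uniform bot model is an assumption.

```python
# Hot spots a click can land in (constructed; a real deployment would bin (x, y)).
HOT_SPOTS = ("button", "product", "logo", "background")

# Human click-location distribution, as measured on trusted partners' sites (constructed).
HUMAN_REF = {"button": 0.55, "product": 0.30, "logo": 0.10, "background": 0.05}

# Click counts for the same ad on a suspect publisher's site (constructed).
SUSPECT_COUNTS = {"button": 860, "product": 560, "logo": 320, "background": 260}


def to_fractions(counts):
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}


def min_bot_fraction(observed, human_ref):
    """Model-free lower bound on the bot share b.  With observed = (1-b)*human + b*bot
    and bot >= 0 in every cell, observed_i >= (1-b)*human_i for all i, so
    b >= 1 - min_i observed_i/human_i.  Needs no assumption about how bots click."""
    ratios = [observed[k] / human_ref[k] for k in human_ref if human_ref[k] > 0]
    return max(0.0, 1.0 - min(ratios))


def bot_fraction_given_model(observed, human_ref, bot_model):
    """Least-squares estimate of b when the bot click distribution is assumed,
    e.g. uniform over the hot spots a vision-based bot has segmented out."""
    num = den = 0.0
    for k in human_ref:
        d = observed[k] - human_ref[k]
        e = bot_model[k] - human_ref[k]
        num += d * e
        den += e * e
    if den == 0:
        return None   # bots mimic humans exactly: nothing to measure
    return num / den


def chi_square_vs_human(counts, human_ref):
    """Goodness-of-fit statistic against the human reference (df = cells - 1)."""
    n = sum(counts.values())
    return sum((counts[k] - n * p) ** 2 / (n * p) for k, p in human_ref.items())


CHI2_CRIT_DF3_P001 = 16.27   # chi-square critical value, df = 3, alpha = 0.001


def analyse(counts=SUSPECT_COUNTS, human_ref=HUMAN_REF):
    obs = to_fractions(counts)
    uniform = {k: 1.0 / len(HOT_SPOTS) for k in HOT_SPOTS}   # assumed bot model
    return {
        "flagged": chi_square_vs_human(counts, human_ref) > CHI2_CRIT_DF3_P001,
        "bot_fraction_lower_bound": min_bot_fraction(obs, human_ref),
        "bot_fraction_if_uniform": bot_fraction_given_model(obs, human_ref, uniform),
    }
```

The lower bound holds whatever the bots do, while the model-based estimate recovers the exact share only if the assumed bot distribution is right; the gap between the two is the price of not knowing how the bot clicks.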

A Work in Progress
Need to validate diversity in distribution
  – Will run real ads and measure click location
  – How does distribution vary by screen location of ad?
Experiment with ad design
  – Objective: human click location hard for bot to predict
Text ads?
  – Less area to click and less enticing visuals
  – There still might be a valuable signal in click location

Conclusions
BotNets 2.0 are coming
  – Cheap, large-scale, ephemeral bots in the browser
  – Don’t require full-machine compromise
  – Heuristic click-fraud detection’s days are numbered
Click location can divide humans from bots
  – Accurate simulation requires human cognition
  – Easy for ad networks to deploy
  – More science needed to determine effectiveness

Thanks!