ISPs and Ad Networks Against Botnet Ad Fraud Nevena Vratonjic, Mohammad Hossein Manshaei, Maxim Raya and Jean-Pierre Hubaux 1 November 2010, GameSec’10
Online Ad Fraud Online advertising is the major source of revenue on the Web ($22.4 billion in the US in 2009) Exploits of the online advertising systems Click fraud (DormRing1 [1]) On-the-fly modification of ads (Bahama [2], Gumblar [3]) Botnet ad fraud! Ad fraud negatively affects the revenue of ad networks (ANs), advertisers and websites Economic incentive to fight botnet ad fraud 2 [1] Multi-million dollar Chinese click fraud ring broken, Anchor, [2] Botnet caught red handed stealing from Google, The Register, [3] Viral Web infection siphons ad dollars from Google, The Register, 2009.
ISPs Against Botnets ISPs are in the best position to detect and fight botnets Initiatives by IETF[1] and IIA[2] propose ISPs should: Detect botnets Remediate infected devices Yet, the revenue of ISPs is not (directly) affected by the botnets Incentive for ISPs to fight botnets? 3 [1] M. O’Reirdan et al., Recommendations for the Remediation of Bots in ISP Networks, IETF, September [2] M. O’Reirdan et al., ISP Voluntary Code of Practice for Industry Self-regulation in the Area of e-security, Internet Industry Association (IIA), September 2009.
ISPs and Ad Networks Against Botnet Ad Fraud? Economic incentive for ANs to fight botnet ad fraud ANs would benefit if ISPs fight botnets Economic incentive for ISPs to fight botnets? If it is at least cost neutral, or cost positive Are ANs willing to subsidize ISPs to fight botnets? Are ANs willing to fight botnet ad fraud themselves? 4
Related Work Online advertising fraud The best strategy for ad networks is to fight click fraud [1] Incentives to increase the security of the Web Users’ choice: Investment in security or insurance mechanisms [2] Our model introduces a new strategic player – the ISP 5 [1] B. Mungamuru et al., Should Ad Networks Bother Fighting Click Fraud? (Yes, they should.), Stanford InfoLab, Technical Report, July [2] J. Grossklags et al., Secure or insure?: a game-theoretic analysis of information security games, WWW 2008.
Outline I. Strategic behavior of ISPs and ANs II. Threats and Countermeasures III. Botnet Ad Fraud: A Case Study IV. Game-theoretic Model V. Numerical Analysis 6
System Model 7 User (U) Ad Servers (AS) Websites (WS) Advertisers (AV) Placing ads Embedding ads ISP Web page Ads Ad Network (AN) Online advertising system ISP Bots participating in ad fraud Botnet
Role of ISPs Traditional role: Provide Internet access to end users Forward the communication in compliance with Network Neutrality Policy New requirements Data retention legislations IETF and IIA initiatives for ISPs to detect bots and remediate infected devices 90% of Australian ISP subscribers are covered by this initiative A similar program is ready to be launched in Germany in 2010 How to fund the initiatives? Governments? 8
Command and Control (C&C) Malware 3. Hidden Communication with C&C: Instructions for the attacks (e.g., DDoS, SPAM, Adware, Spyware, Ad Fraud) 2. Local Infection: Malware infects the system and hides using Rootkit techniques 1. Spreading the Malware: via SPAM, Web, Worms,… Bot Master: controls the bots remotely Bot (Zombie) Botnet – A collection of software robots (bots) that run autonomously and automatically Covert Channel (e.g., IRC ) End Host Botnets
Threat: Botnet Ad Fraud More and more botnets committing ad fraud [1] Focus on botnets where: Malware causes infected devices to return altered ads Users’ clicks on altered ads generate ad revenue for botnet masters instead of ANs Consequence: Bots divert a fraction of ad revenue from ANs 10 [1] Biggest, Baddest Botnets: Wanted Dead or Alive, PC World, 2009.
Countermeasures ANs can protect their ad revenue by: 1. Improving security of online advertising systems More difficult for an adversary to successfully exploit those systems 2. Funding ISPs to fight botnets involved in ad frauds Eliminate the major cause of the revenue loss – botnets 11
Outline I. Strategic behavior of ISPs and ANs II. Threats and Countermeasures III. Botnet Ad Fraud: A Case Study IV. Game-theoretic Model V. Numerical Analysis 12
Popularity of Websites Infer number of generated clicks on ads for the top 1000 most popular websites in June 2009 based on the data of page views [Compete.com] Distribution of clicks follows the power law Q(n) – the number of clicks on ads per year at n-th ranked website Extrapolate Q(n) for the entire Web Estimated ad revenue generated by the top x websites : k – revenue each click generates for the AN P=$22.4 billions – total annual ad revenue 13
Securing Websites 1. Provide valid certificates for websites 2. Deploy HTTPS between users, websites and ad servers Cost for AN to secure N S websites = c S N S If bots divert a fraction λ of the ad revenue P, the optimal N S is: Proof: utility of the AN: 14 secureinsecure x
ISP and AN Cooperation ISP: Deploys a detection system (at a cost c D ) Successfully detects a fraction P D of N B bots in the network Online help desk to help subscribers remediate infected devices (at a cost c R per device) AN: Provides a reward R to the ISP per each remediated device Cooperation outcome: remediation of N R infected devices Optimal N R is: Proof: 15
Outline I. Strategic behavior of ISPs and ANs II. Threats and Countermeasures III. Botnet Ad Fraud: A Case Study IV. Game-theoretic Model V. Numerical Analysis 16
Game-theoretic Model Behavior of the ISP: Abstain (A) – forwards users’ communication Cooperate (C) – detects bots and remediates N R = P D N B infected devices Behavior of the AN: Abstain (A) – does not take any countermeasure Cooperate (C) – subsidizes the ISP to fight botnet ad fraud by providing a reward R per each remediated device Secure (S) – secures N S websites Cooperate & Secure (C+S) – deploy both countermeasures 17
The Game Dynamic, single-stage game G={P,S A,U} Set of players: P={ISP, AN} Set of actions: S A Set of utility functions: U Complete and perfect information Identify Nash Equilibrium (NE) 18
Game in the Normal Form 19 A S S+CS+C A C C λ – fraction of diverted ad revenue by the bots When playing S+C, the number of secured websites is: Payoffs = (U ISP,U AN )
Solving the Game 20 A S S+CS+C A C C Payoffs = (U ISP,U AN ) If R<c D /N R +c R and, NE: (A,A) If R<c D /N R +c R and, NE: (A,S) If R≥c D /N R +c R and, NE: (C,S+C) 20
21 Game Results 0λ1 (Abstain,Abstain) (Abstain,Secure) If R<c D /N R +c R and, NE: (A,A) If R<c D /N R +c R and, NE: (A,S) If R≥c D /N R +c R and, NE: (C,S+C) (Cooperate,Secure+Cooperate)
Outline I. Strategic behavior of ISPs and Ans II. Threats and Countermeasures III. Botnet Ad Fraud: A Case Study IV. Game-theoretic Model V. Numerical Analysis 22
Evaluations on a real data set Top 1000 most popular websites [Compete.com] Extrapolated with the power law Parameters: Fraction of ad revenue diverted by bots (λ) Number of bots in the network (N B ) Assumptions: c S = $400 – the estimated cost of deploying a X.509 certificate and HTTPS at the web server c R = $100 – the estimated cost of remediating an infected device c D = $100k – the estimated cost of the detection system 23
Game Results N B = (Abstain,Abstain): N S =0 & N R =0 (Abstain,Secure): N S ≠0 & N R =0 (Cooperate,Cooperate+Secure): N S ≠ 0 & N R ≠ 0 (A,A) λ<2· λ=6· (A,A) (A,S) (C,C+S)
Game Results contd. N B = (Abstain,Abstain): N S =0 & N R =0 (Abstain,Secure): N S ≠0 & N R =0 (Cooperate,Cooperate+Secure): N S ≠ 0 & N R ≠ 0 (A,A) λ<2· λ=0.072 (A,A)(A,S) (C,C+S)
26 Effect of number of bots (N B ) In a system with a given P D, when N B is high, the AN is cooperative only when the revenue loss is very high
Conclusion Novel problem of ISPs and ANs as strategic participants in efforts to fight botnets Studied the behavior and interactions of the ISPs and ANs Applied game-theoretic model to the real data Cooperation between ISPs and ANs: Reduces online crime in general Users benefit from ISPs’ help in maintaining the security of users’ devices ISPs and ANs earn more ANs securing websites: Improved Web security The most important websites secured first 27