Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detecting Fraudulent Clicks From BotNets 2.0 Adam Barth Joint work with Dan Boneh, Andrew Bortz, Collin Jackson, John Mitchell, Weidong Shao, and Elizabeth.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Detecting Fraudulent Clicks From BotNets 2.0 Adam Barth Joint work with Dan Boneh, Andrew Bortz, Collin Jackson, John Mitchell, Weidong Shao, and Elizabeth."— Presentation transcript:

1 Detecting Fraudulent Clicks From BotNets 2.0 Adam Barth Joint work with Dan Boneh, Andrew Bortz, Collin Jackson, John Mitchell, Weidong Shao, and Elizabeth Stinson

2 BotNets, Current and Future Traditional BotNetsBotNets 2.0 Permanent malwareEphemeral Infect host – Email attachments – Drive-by downloads Browser-based – Malicious advertisements – Popular web sites Click-fraud, Spam, DDoS, Key-logging Click-fraud, Spam, (maybe DDoS) ~100,000 membersMuch larger

3 Browser Security Model Same-origin policy for network access –Origin is scheme://host:port Write HTTP anywhere on the network –Easy using HTML forms –Except restricted ports, like 25 (SMTP) Read from origin only –Can read some “library” formats from anywhere JavaScript, CSS, Images, Applets, etc

4 Desired Properties of Policy Can’t send spam –Writes to port 25 blocked Can’t click advertisements –Need to READ a token to make a click count Unfortunately…

5 DNS Rebinding Attacks Circumvent browser network access policy attacker.com points to attacker and target Can read and write sockets to anywhere <allow-access-from domain="*" to-ports="*" /> attacker’s server target server rebind DNS

6 An Experiment We ran a Flash ad (gains socket access) –Paid $30 –50,951 impressions from 44,924 unique IP addresses 90.6% of browser vulnerable –More if we include other rebinding attacks $100 to hijack  100,000 IP addresses –No click required –Impressions are cheap

7 Duration of IP Hijacking

8 A Long Tail Some impressions last for days

9 Using Rebinding for Click-Fraud Enroll as a publisher with ad network A –Publish pay-per-click ads on your site Enroll as a advertiser with ad network B –Buy pay-per-impression Flash ads Buy bots for $0.001 each –Use 99% just to generate impressions on your site –Use 1% to generate ad clicks on $0.50/per-click ads –Multiply your money by 5, repeat

10 Implications for Click-Fraud Defense Simulates IP distribution exactly –Each bot an independent sample from web visitors –Black-listing IPs as bot infested meaningless Traffic time-appropriate for IP –Human at that IP actually surfing the web right now HTTP headers appropriate for IP –Grab real headers from request for Flash ad –Can’t get cookies, but many networks don’t use them

11 Distinguish Bots from Humans Bots cannot simulate human cognition Can’t use traditional CAPTCHAs –Too disruptive to the user experience –User has not interest in proving their humanity Click-fraud detection a different problem –CAPTCHAs determine if this client a human –We just need estimate the proportion of humans

12 A Straw-Man Design Humans click “Yes!” Bots click at random Ad network stats: –3487 Yes clicks –1271 No clicks How many bots? –Expectation: 2542 –High probably bound an exercise for the reader

13 A Real Advertisement Where will humans click? Bots cannot simulate Can’t trick humans into clicking –Actually need process ad

14 Image Recognition Doesn’t Help Suppose the bot can identify the hot spots –Say by segmenting the image using vision techniques In what ratio should the bot click? –Depends on the relative appeal of the hot spots –Requires human-level AI to get right Any error a signal of bot proportion

15 Fraudster Has to Click on Many Ads

16 Ad Network can Measure Humans At first, run ads on trusted partners –Record distribution of human click location –Easy to record (x, y) coordinates of click on web Cheap for ad network –Was going to run ad anyway Expensive for attacker to influence –Must use valuable bot clicks without payout –Must be clicking everywhere all the time

17 A Work in Progress Need to validate diversity in distribution –Will run real ads and measure click location –How does distribution vary by screen location of ad? Experiment with ad design –Objective: human click location hard for bot to predict Text ads? –Less area to click and less enticing visuals –There still might be a valuable signal in click location

18 Conclusions BotNets 2.0 are coming –Cheap, large-scale, ephemeral bots in the browser –Don’t require full-machine compromise –Heuristic click-fraud detection’s days are numbered Click location can divide humans from bots –Accurate simulation requires human cognition –Easy for ad networks to deploy –More science needed to determine effectiveness

19 Thanks!

20

Download ppt "Detecting Fraudulent Clicks From BotNets 2.0 Adam Barth Joint work with Dan Boneh, Andrew Bortz, Collin Jackson, John Mitchell, Weidong Shao, and Elizabeth."

Similar presentations

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
Talking to Yourself for Fun and Profit Lin-Shung Huang ∗, Eric Y. Chen ∗, Adam Barth †, Eric Rescorla ‡ and Collin Jackson ∗ ∗ Carnegie Mellon University.

Talking to Yourself for Fun and Profit Lin-Shung Huang ∗, Eric Y. Chen ∗, Adam Barth †, Eric Rescorla ‡ and Collin Jackson ∗ ∗ Carnegie Mellon University.
Understanding and Detecting Malicious Web Advertising

Understanding and Detecting Malicious Web Advertising
Facebook Security and Privacy Issues Brian Allen Network Security Analyst Washington University December 2, 2010 Alumni House.

Facebook Security and Privacy Issues Brian Allen Network Security Analyst Washington University December 2, 2010 Alumni House.
Attacking Session Management Juliette Lessing

Attacking Session Management Juliette Lessing
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Measuring the Web. What? Use, size –Of entire Web, of sites (popularity), of pages –Growth thereof Technologies in use (servers, media types) Properties.

Measuring the Web. What? Use, size –Of entire Web, of sites (popularity), of pages –Growth thereof Technologies in use (servers, media types) Properties.
By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.

By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.
Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.

Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.
Beware of Finer-Grained Origins

Beware of Finer-Grained Origins
Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.

Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.
Authors: Mona Gandhi, Markus Jakobsson, Jacob Ratkiewicz (Indiana University at Bloomington) Presented By: Lakshmy Mohanan.

Authors: Mona Gandhi, Markus Jakobsson, Jacob Ratkiewicz (Indiana University at Bloomington) Presented By: Lakshmy Mohanan.
Frame isolation and the same origin policy Collin Jackson CS 142 Winter 2009.

Frame isolation and the same origin policy Collin Jackson CS 142 Winter 2009.
 What I hate about you things people often do that hurt their Web site’s chances with search engines.

 What I hate about you things people often do that hurt their Web site’s chances with search engines.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
11 SECURING INTERNET MESSAGING Chapter 9. Chapter 9: SECURING INTERNET MESSAGING2 CHAPTER OBJECTIVES  Explain basic concepts of Internet messaging. 

11 SECURING INTERNET MESSAGING Chapter 9. Chapter 9: SECURING INTERNET MESSAGING2 CHAPTER OBJECTIVES  Explain basic concepts of Internet messaging. 
11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang 2010/3/29.

11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang /3/29.
Attacks on Computer Systems

Attacks on Computer Systems

Similar presentations

Ads by Google