ISPs and Ad Networks Against Botnet Ad Fraud

Nevena Vratonjic, Mohammad Hossein Manshaei, Maxim Raya and Jean-Pierre Hubaux

1November 2010, GameSec’10

Online Ad FraudOnline advertising is the major source of

revenue on the Web ($22.4 billion in the US in 2009)

Exploits of the online advertising systemsClick fraud (DormRing1 [1]) On-the-fly modification of ads (Bahama [2],

Gumblar [3])Botnet ad fraud!

Ad fraud negatively affects the revenue of ad networks (ANs), advertisers and websites

Economic incentive to fight botnet ad fraud

2

[1] Multi-million dollar Chinese click fraud ring broken, Anchor, 2009.

[2] Botnet caught red handed stealing from Google, The Register, 2009.

[3] Viral Web infection siphons ad dollars from Google, The Register, 2009.

ISPs Against BotnetsISPs are in the best position to detect and

fight botnetsInitiatives by IETF[1] and IIA[2] propose ISPs

should:Detect botnetsRemediate infected devices

Yet, the revenue of ISPs is not (directly) affected by the botnets

Incentive for ISPs to fight botnets?

3

[1] M. O’Reirdan et al., Recommendations for the Remediation of Bots in ISP Networks, IETF, September 2009.

[2] M. O’Reirdan et al., ISP Voluntary Code of Practice for Industry Self-regulation in the Area of e-security, Internet Industry Association (IIA), September 2009.

ISPs and Ad Networks Against Botnet Ad Fraud?

Economic incentive for ANs to fight botnet ad fraud

ANs would benefit if ISPs fight botnets

Economic incentive for ISPs to fight botnets?If it is at least cost neutral, or cost positive

Are ANs willing to subsidize ISPs to fight botnets?

Are ANs willing to fight botnet ad fraud themselves?

4

Related Work

Online advertising fraudThe best strategy for ad networks is to fight click

fraud [1]

Incentives to increase the security of the WebUsers’ choice: Investment in security or insurance

mechanisms [2]

Our model introduces a new strategic player – the ISP

5

[1] B. Mungamuru et al., Should Ad Networks Bother Fighting Click Fraud? (Yes, they should.), Stanford InfoLab, Technical Report, July 2008.

[2] J. Grossklags et al., Secure or insure?: a game-theoretic analysis of information security games, WWW 2008.

Outline

I. Strategic behavior of ISPs and ANs

II. Threats and Countermeasures

III.Botnet Ad Fraud: A Case Study

IV. Game-theoretic Model

V. Numerical Analysis

6

7

System Model

User(U)

Ad Servers

(AS)

Websites

(WS)

Advertisers

(AV)

Placing ads

Embedding ads

ISP

Web page

Ads

Ad Network (AN)

Online advertising system ISPBots participating in ad fraud

Botnet

8

Role of ISPsTraditional role:

Provide Internet access to end usersForward the communication in compliance with

Network Neutrality PolicyNew requirements

Data retention legislations IETF and IIA initiatives for ISPs to detect bots and

remediate infected devices 90% of Australian ISP subscribers are covered by this

initiative A similar program is ready to be launched in Germany in

2010

How to fund the initiatives? Governments?

Command and Control(C&C)Malware

3. Hidden Communication with C&C:

Instructions for the attacks (e.g., DDoS, SPAM, Adware,

Spyware, Ad Fraud)

2. Local Infection:Malware infects the system and hides using Rootkit techniques

1. Spreading the Malware:via SPAM, Web, Worms,…

Bot Master:controls the bots

remotely

Bot (Zombie)

Botnet – A collection of software robots (bots) that run autonomously and automatically

Covert Channel (e.g., IRC ) End Host

Botnets

Threat: Botnet Ad Fraud

More and more botnets committing ad fraud [1]

Focus on botnets where: Malware causes infected devices to return

altered adsUsers’ clicks on altered ads generate ad revenue

for botnet masters instead of ANs

Consequence: Bots divert a fraction of ad revenue from ANs

10[1] Biggest, Baddest Botnets: Wanted Dead or Alive, PC World,

2009.

CountermeasuresANs can protect their ad revenue by:

1. Improving security of online advertising systems

More difficult for an adversary to successfully exploit those systems

2. Funding ISPs to fight botnets involved in ad frauds

Eliminate the major cause of the revenue loss – botnets

11

Outline

I. Strategic behavior of ISPs and ANs

II. Threats and Countermeasures

III.Botnet Ad Fraud: A Case Study

IV. Game-theoretic Model

V. Numerical Analysis

12

Popularity of WebsitesInfer number of generated clicks on ads for the

top 1000 most popular websites in June 2009based on the data of page views [Compete.com]

Distribution of clicks follows the power law Q(n) – the number of clicks on ads per year at n-th ranked

websiteExtrapolate Q(n) for the entire Web

Estimated ad revenue generated by the top x websites :

k – revenue each click generates for the AN P=$22.4 billions – total annual ad revenue

13

nnQ )(

x

xkdnnk1

1 )1()1(

Securing Websites

1. Provide valid certificates for websites 2. Deploy HTTPS between users, websites and

ad servers

Cost for AN to secure NS websites = cS NS

If bots divert a fraction λ of the ad revenue P,

the optimal NS is:

Proof:utility of the AN:

14

1

)1(

SS c

PN

xcdnndnnk Sx

x

)1(1

secure insecure

x

ISP and AN CooperationISP:

Deploys a detection system (at a cost cD)Successfully detects a fraction PD of NB bots in the

networkOnline help desk to help subscribers remediate

infected devices (at a cost cR per device)

AN:Provides a reward R to the ISP per each

remediated device

Cooperation outcome: remediation of NR infected devices

Optimal NR is:

Proof:

15

BDR NPN

DRRISP ccRNu )( RNN

NPu R

B

RAN

)1(1

Outline

I. Strategic behavior of ISPs and ANs

II. Threats and Countermeasures

III.Botnet Ad Fraud: A Case Study

IV. Game-theoretic Model

V. Numerical Analysis

16

17

Game-theoretic Model

Behavior of the ISP:Abstain (A) – forwards users’ communicationCooperate (C) – detects bots and remediates NR

= PDNB infected devices

Behavior of the AN:Abstain (A) – does not take any countermeasureCooperate (C) – subsidizes the ISP to fight

botnet ad fraud by providing a reward R per each remediated device

Secure (S) – secures NS websitesCooperate & Secure (C+S) – deploy both

countermeasures

18

The Game

Dynamic, single-stage game G={P,SA,U}

Set of players: P={ISP, AN}

Set of actions: SA

Set of utility functions: U

Complete and perfect information

Identify Nash Equilibrium (NE)

Game in the Normal Form

19

A

S

S+C

A

C

C

λ – fraction of diverted ad revenue by the botsWhen playing S+C, the number of secured websites

is:

SB

R

SSC N

N

N

c

PN

1

)1)(1(

Payoffs = (UISP,UAN)

Solving the Game

20

A

S

S+C

A

C

C

Payoffs = (UISP,UAN)

If R<cD/NR+cR and , NE: (A,A)

If R<cD/NR+cR and , NE: (A,S)

If R≥cD/NR+cR and , NE:

(C,S+C)

20

)1( 1

S

SS

NP

cN

)1( 1

S

SS

NP

cN

1

1)1(1,

B

R

S

SSR

N

NG

GPN

GcNRN

21

Game Results

0 λ 1 )1( 1 S

SS

NP

cN

(Abstain,Abstain)

(Abstain,Secure)

If R<cD/NR+cR and , NE: (A,A)

If R<cD/NR+cR and , NE: (A,S)

If R≥cD/NR+cR and , NE:

(C,S+C)

)1( 1

S

SS

NP

cN

)1( 1

S

SS

NP

cN

1

1)1(1,

B

R

S

SSR

N

NG

GPN

GcNRN

GPN

GcNRN

S

SSR

1

(Cooperate,Secure+Cooperate)

Outline

I. Strategic behavior of ISPs and Ans

II. Threats and Countermeasures

III.Botnet Ad Fraud: A Case Study

IV. Game-theoretic Model

V. Numerical Analysis

22

Evaluations on a real data setTop 1000 most popular websites

[Compete.com]Extrapolated with the power law

Parameters:Fraction of ad revenue diverted by bots (λ)Number of bots in the network (NB)

Assumptions:cS = $400 – the estimated cost of deploying a

X.509 certificate and HTTPS at the web server

cR = $100 – the estimated cost of remediating an infected device

cD = $100k – the estimated cost of the detection system

23

044.191018.3)( nnQ

Game ResultsNB=10

4

24

(Abstain,Abstain): NS=0 & NR=0

(Abstain,Secure): NS≠0 & NR=0

(Cooperate,Cooperate+Secure): NS ≠ 0 & NR ≠ 0

(A,A)

λ<2· 10-

6

λ<2· 10-

6

λ=6· 10-

5

λ=6· 10-

5

(A,A)(A,S) (A,S) (C,C+S)

(C,C+S)

Game Results contd.NB=10

7

25

(Abstain,Abstain): NS=0 & NR=0

(Abstain,Secure): NS≠0 & NR=0

(Cooperate,Cooperate+Secure): NS ≠ 0 & NR ≠ 0

(A,A)

λ<2· 10-

6

λ<2· 10-

6

λ=0.072

λ=0.072

(A,A)

(A,S)

(A,S)

(C,C+S)

(C,C+S)

26

Effect of number of bots (NB)

In a system with a given PD, when NB is high, the AN is cooperative only when the revenue loss is very high

ConclusionNovel problem of ISPs and ANs as strategic

participants in efforts to fight botnets

Studied the behavior and interactions of the ISPs and ANs

Applied game-theoretic model to the real dataCooperation between ISPs and ANs:

Reduces online crime in generalUsers benefit from ISPs’ help in maintaining the

security of users’ devices ISPs and ANs earn more

ANs securing websites: Improved Web securityThe most important websites secured first

27