
Using Information Economics & Spam to Thwart Malware


Presentation Transcript


  1. Using Information Economics & Spam to Thwart Malware

  2. Data on the Botnet Problem
  • Responsible for > 65% of spam messages (as well as being responsible for DDoS attacks, identity theft enterprises, etc…) (McPherson 2007)
  • Proceeds from botnet operations are used to support criminal organizations internationally (van Eeten, 2008)
  • Estimates range from 15-25% infection rate in home machines (NYTimes, Vint Cerf)
  • Single botnets reported in sizes as large as 10k to 100k hosts.
  • “Modern worms are stealthier and they are professionally written. The criminals have gone upmarket, and they’re organized and international because there is real money to be made.” – Bruce Schneier (NYTimes 2008)

  3. Problems with Existing Botnet Solutions
  • Technological arms race
  • Insufficient tools: in tests of 36 commercial antivirus products, less than half of the newest malware programs were detected
  • BotHunter, BotMiner, BotSniffer show promise, but…
    • Can be circumvented by introducing minor delays to bot operations
    • Adjusting the time window causes new problems

  4. Problems with Existing Botnet Solutions
  • Technical skills: the most common targets are home machines, whose owners are frequently ill-equipped to deal with security issues
  • Legislation: enforceability, jurisdiction? Costly to police and adjudicate
  • Moral hazard: bots intentionally operate during idle time, so the legal owner of the infected machine is often the one least inconvenienced by it (in the short term, anyway)

  5. Attention Bonds
  • No consensus definition of spam: 92% adult, 74% political/religious, 65% charities, 32% unsolicited + prior business relation, 11% unsolicited + granted permission to market (Pew Internet Report)
  • Our definition: anything unwanted by the recipient, after contents are known
  • “message pollution”
  • ABM (Attention Bond Mechanism): assign attention rights to recipients, and charge those who create waste (Coase Theorem)

  6. Attention Bonds
  • Recipient sets a screen and chooses a bond size $b_i$. Unknown senders must post bond $b_i$ to get through. On reading the message, the recipient chooses to claim or return $b_i$.
  • Effects:
    • Willingness to post a bond signals the sender’s private knowledge.
    • Shifts the task from ex ante classification (hard) to ex post verification (easy).
    • Compensates the recipient directly for any wasted time.
  • If the sender knows more about message content than the receiver, force him to reveal that private knowledge.

  7. Objection: If 65% of spam is sent by botnets & zombies, fraud creates a user nightmare!
  • Remember: moral hazard. Not bearing the costs of the waste their infected machines create, owners are insufficiently motivated (or able) to clean them.
  • Now they are motivated, but still likely unable.
  • We need fraud protection… Just like credit card companies, ISPs can afford to offer, say, $5 insurance, provided ISPs can keep users’ antiviral software up to date.

  8. Botnet Detection
  • New transaction trail
  • Moral hazard essentially eliminated
  • Detection based on: seize rate, number of messages sent, number of bonds posted, send frequency
  • Early detection means less spam gets sent
  • Reduces the problem to financial fraud detection, a more tractable problem

  9. The Model
  • The net values of a message to the sender and receiver are $s$ and $r$. Both are real numbers, and $s$ is non-negative.
  • The total number of customers being served by the ISP is $N$.
  • The rate of botnet infection among those customers is $I$.
  • A normal machine sends out $m_n$ messages, while an infected one sends out $m_i$. The number of spam messages sent by one machine is $m_i - m_n$.
  • The cost of processing a spam message in a filtering system is $c_f$, while the corresponding cost in a bonding system is $c_b$.
  • The overall welfare created in filtering and bonding systems is $W_f$ and $W_b$ respectively.
  • $b$ is the average bond value set by the receiver.
  • The probability of a user’s bond being seized is $z_n$ for a normal user and $z_i$ for a user with an infected machine.

  10. Botnet Detection
  • Without detection, $W_b$ is:
  • Detection changes $(m_i - m_n)$ to a constant $k$, eliminating a possibly unbounded negative term
  • Seize rate, send rate, etc. will undergo drastic changes following an infection. These changes can be detected quickly with high probability.
  • With $k = 3$ and $I = 0.15$, we predict detection with 99.92% certainty
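The signal-based detection of slides 8 and 10 (seize rate, messages sent, bonds posted, send frequency changing sharply after infection) can be sketched as a fraud-style detector over the per-account bond transaction trail. This is an added example, not code from the slides or their authors: the trail rows, the three-day warm-up window, the 3x send-rate multiplier and the 0.2 seize-rate threshold are constructed assumptions (the multiplier is not the slides' constant $k$), and the row volumes only echo the slides' $m_n = 10$ and $m_i = 1000$ orders of magnitude.

```python
from collections import defaultdict
from statistics import mean

# Constructed transaction trail: one row per (account, day) with the number of
# bonds posted (one per message to an unknown recipient) and bonds seized.
TRAIL = [
    ("alice", 1, 9, 0), ("alice", 2, 12, 1), ("alice", 3, 10, 0),
    ("alice", 4, 11, 0), ("alice", 5, 8, 1),
    ("bob", 1, 10, 0), ("bob", 2, 9, 1), ("bob", 3, 11, 0),
    ("bob", 4, 980, 640), ("bob", 5, 1020, 700),  # bob's machine is infected on day 4
]

def baseline(rows, warmup_days):
    """Mean bonds posted per day for each account over its first warmup_days days."""
    by_acct = defaultdict(list)
    for acct, day, posted, _seized in rows:
        if day <= warmup_days:
            by_acct[acct].append(posted)
    return {acct: mean(hist) for acct, hist in by_acct.items()}

def detect(rows, warmup_days=3, rate_mult=3.0, seize_thresh=0.2):
    """Return (account, day, bonds_posted, seize_rate) for every post-warm-up day
    where the send rate is at least rate_mult times the account's baseline or the
    daily seize rate exceeds seize_thresh. Thresholds are assumed, not the slides'."""
    base = baseline(rows, warmup_days)
    alerts = []
    for acct, day, posted, seized in rows:
        if day <= warmup_days or acct not in base:
            continue  # warm-up days define the baseline and are never scored
        seize_rate = seized / max(posted, 1)
        if posted >= rate_mult * base[acct] or seize_rate > seize_thresh:
            alerts.append((acct, day, posted, round(seize_rate, 2)))
    return alerts

def first_alert_day(rows, **kwargs):
    """Earliest flagged day per account: the sooner this is, the less spam escapes."""
    first = {}
    for acct, day, _posted, _rate in detect(rows, **kwargs):
        first.setdefault(acct, day)
    return first

if __name__ == "__main__":
    for alert in detect(TRAIL):
        print("alert:", alert)
    print("first alert day:", first_alert_day(TRAIL))
```

On the constructed trail only bob is flagged, on the first day of the infection, while alice's ordinary variation (including one seized bond) stays below both thresholds.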

  11. Why “Economics” Matters to Security
  • In the US, liability for ATM fraud lies with the bank, unless it can prove the customer was at fault.
  • In the UK, liability lies with the customer unless the customer can prove the bank was at fault.
  • Issue: which party is better positioned to prevent illicit access, bank or consumer?
  • Source: Anderson, “Why Cryptosystems Fail”

  12. Botnet Prevention
  • ISP assumes responsibility for patching previously compromised machines
  • Or customer assumes responsibility for security and waives insurance
  • Put responsibility for security and liability for failures with the same party
  • Customer base becomes on average more secure
  • Expect a decrease in the botnet rate and a proportionate decrease in spam volume

  13. Botnet Prevention
  • Fraud protection becomes feasible when $I$ decreases sufficiently for $W_b > W_f$
  • In the bond case, the infection rate is $I/\Delta$, where $\Delta > 1$. It is still $I$ in the filter case
  • $W_b > W_f$ when $\Delta$ is
  • With the start conditions $I = 0.15$, $m_i = 1000$, $m_n = 10$, $b = 5¢$, $c_b = 0.01¢$, and $c_f = 0.04¢$ initially, the system will pay for itself when the infection rate reaches 12.

  14. Convert Cost to Revenue – Direct Mail is only $52 Bn of a $269 Bn Total Ad Spending in 2004
  Total ad spending in 2004 ($Bn): 269.70
  • Newspapers 46.93
  • Magazines 12.12
  • Broadcast TV 46.02
  • Cable TV 21.07
  • Radio 19.78
  • Yellow Pages 14.04
  • Direct mail 52.24
  • DM Bus. Papers 4.09
  • Out of home 5.79
  • Internet 7.06
  • Miscellaneous 34.55
  Source: US Statistical Abstracts, Table 1265
  “Half of all my ad dollars are wasted; trouble is, I don’t know which half!” – J. Wanamaker

  15. Advertising Effects
  • Bonds provide precise feedback to advertisers
  • ISPs can collect valuable demographic data to sell to advertisers
  • The cost of joining the system decreases, producing new welfare-positive transactions

  16. Other Revenue Opportunities
  • If the currency portion of the system is successful, there are other large markets which the ISP could expand into:
    • Electronic payments (e.g. PayPal): if the system works out for small payments, the ISP could facilitate larger ones
    • Credit card offerings

  17. Conclusions
  • Reduces the problem of botnet detection to one of financial fraud detection
  • Introduces new welfare-positive transactions and new products for the ISP to sell
  • Can reduce spread of viruses and spambots
  • Reduces moral hazard
  • Facilitates detection
  • Facilitates prevention

  18. References
  • Using Information Economics & Spam to Thwart Malware (by request)
  • Academic proof that ABM beats a perfect filter: http://www.bepress.com/bejeap/advances/vol6/iss1/art2
  • Short popular article: http://www.bepress.com/ev/vol4/iss2/art4
  • Two Sided Network Effects: A Theory of Information Product Design
  • Questions? mva@bu.edu, marshall@mit.edu, sarahlz@bu.edu
