Using Information Economics & Spam to Thwart Malware

Marshall Van Alstyne (Boston University & MIT), Sarah Zatko (Boston University)


Post on 08-Jan-2016



Data on the Botnet Problem

• Responsible for > 65% of spam messages (as well as being responsible for DDoS attacks, identity theft enterprises, etc.) (McPherson 2007)
• Proceeds from botnet operations are used to support criminal organizations internationally (van Eeten, 2008)
• Estimates range from 15-25% infection rate in home machines (NYTimes, Vint Cerf)
• Single botnets reported in sizes as large as 10k to 100k hosts.

“Modern worms are stealthier and they are professionally written. The criminals have gone upmarket, and they’re organized and international because there is real money to be made.”

– Bruce Schneier (NYTimes 2008)


Problems with Existing Botnet Solutions

• Technological arms race
• Insufficient tools
  – In tests of 36 commercial antivirus products, less than half of the newest malware programs were detected
  – BotHunter, BotMiner, BotSniffer: show promise, but…
    • Can be circumvented by introducing minor delays to bot operations
    • Adjusting the time window causes new problems


Problems with Existing Botnet Solutions

• Technical skills
  – The most common targets are home machines, whose owners are frequently ill-equipped to deal with security issues
• Legislation
  – Enforceability, jurisdiction?
  – Costly to police and adjudicate
• Moral hazard
  – Bots intentionally operate during idle time, so the legal owner of the infected machine is often the one least inconvenienced by it (in the short term, anyway)


Attention Bonds

• No consensus definition of spam: 92% adult, 74% political/religious, 65% charities, 32% unsolicited + prior biz relation, 11% unsolicited + granted permission to market (Pew Internet Report)
• Our definition: anything unwanted by the recipient, after contents are known
  – “message pollution”
• ABM (attention bond mechanism): assign attention rights to recipients, and charge those who create waste (Coase Theorem)


Attention Bonds

If the sender knows more about message content than the receiver, force him to reveal that private knowledge:

1. Recipient sets screen, chooses bond size b_i.
2. Unknown senders must post bond b_i to get through.
3. On reading message, recipient chooses to claim or return b_i.

• Effects:
  – Willingness to post bond signals sender private knowledge.
  – Shift task from ex ante classification (hard) to ex post verification (easy).
  – Compensates recipient directly for any wasted time
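The three steps above as a small escrow model, added here as an illustration and not taken from the presentation or the authors' system. The class and function names, the whitelist of known senders, and the integer-cent amounts are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class BondScreen:
    """Recipient-side screen; amounts are integer cents. All names are illustrative."""
    bond: int                                   # b_i, chosen by the recipient (step 1)
    known: set = field(default_factory=set)     # assumed whitelist: exempt from the bond
    escrow: dict = field(default_factory=dict)  # msg_id -> (sender, amount held)
    claimed: int = 0                            # compensation collected so far

    def submit(self, msg_id, sender, posted=0):
        """Step 2: an unknown sender is delivered only if at least b_i is escrowed."""
        if sender in self.known:
            return "delivered"
        if posted < self.bond or msg_id in self.escrow:
            return "rejected"
        self.escrow[msg_id] = (sender, posted)
        return "delivered-bonded"

    def resolve(self, msg_id, wanted):
        """Step 3: after reading, return the bond or claim it. Each bond settles once."""
        sender, amount = self.escrow.pop(msg_id)  # KeyError on an unknown or repeated id
        if wanted:
            return {"to": sender, "refund": amount, "claimed": 0}
        self.claimed += amount
        return {"to": sender, "refund": 0, "claimed": amount}

def sender_cost(screen, sender, messages):
    """Cents a sender loses; messages is a list of (msg_id, wanted_by_recipient)."""
    lost = 0
    for msg_id, wanted in messages:
        if screen.submit(msg_id, sender, posted=screen.bond) == "delivered-bonded":
            lost += screen.resolve(msg_id, wanted)["claimed"]
    return lost

# Constructed sample traffic: a wanted correspondent and an unwanted bulk sender.
WANTED_MAIL = [("w1", True), ("w2", True), ("w3", True)]
BULK_MAIL = [(f"s{i}", False) for i in range(20)]

if __name__ == "__main__":
    print("wanted sender loses", sender_cost(BondScreen(bond=5), "colleague", WANTED_MAIL))
    print("bulk sender loses", sender_cost(BondScreen(bond=5), "bulk", BULK_MAIL))
```

The recipient never classifies a message before reading it; the only decision is the ex post claim or return, and the sender's cost follows from it.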


Obj: If 65% of spam is sent by botnets & zombies, fraud creates a user nightmare!

• Remember: Moral Hazard
  – Not bearing the costs of the waste their infected machines create, owners are insufficiently motivated (or able) to clean them.
  – Now, they are motivated, but still likely unable
• We need fraud protection…

Just like credit card companies, ISPs can afford to offer, say, $5 insurance provided ISPs can keep users’ antiviral software up to date.


Botnet Detection

• New transaction trail
• Moral hazard essentially eliminated
• Based on
  – Seize rate
  – # messages sent
  – # bonds posted
  – Send frequency
• Early detection means less spam gets sent
• Reduces the problem to financial fraud detection, a more tractable problem


The Model

• The net values of a message to the sender and receiver are s and r.
  – Both are real numbers, and s is non-negative.
• The total number of customers being served by the ISP is N.
• The rate of botnet infection among those customers is I.
• A normal machine sends out m_n messages, while an infected one sends out m_i.
  – The number of spam messages sent by one machine is m_i - m_n
• The cost of processing a spam message in a filtering system is c_f, while the corresponding cost in a bonding system is c_b.
• The values of overall welfare created in filtering and bonding systems are W_f and W_b respectively.
• b is the average bond value set by the receiver.
• The probability of a user’s bond being seized is z_n for a normal user and z_i for a user with an infected machine.


Botnet Detection

• Without detection, W_b is:
• Detection changes (m_i - m_n) to a constant k, eliminating a possibly unbounded negative term
• Seize rate, send rate, etc. will undergo drastic changes following an infection. These changes can be detected quickly with high probability.
• With k = 3, and I = .15, we predict detection with 99.92% certainty
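One way to turn the seize-rate and volume signals from the bond transaction trail into a per-account test, added here as an example: it is not the authors' detection method and does not reproduce the 99.92% figure. It applies a binomial tail test against the normal-user seize probability z_n; the values of Z_N and ALPHA, the account names and the sample trail are constructed assumptions.

```python
from collections import Counter
from math import exp, lgamma, log, log1p

Z_N = 0.02     # assumed seize probability z_n for a clean machine (constructed value)
ALPHA = 1e-4   # assumed false-alarm budget per account per window

def binom_tail(n, k, p):
    """P[X >= k] for X ~ Binomial(n, p): chance a clean sender loses k or more of n bonds.
    Terms are computed in log space so large windows do not overflow."""
    def log_pmf(j):
        return (lgamma(n + 1) - lgamma(j + 1) - lgamma(n - j + 1)
                + j * log(p) + (n - j) * log1p(-p))
    return min(1.0, sum(exp(log_pmf(j)) for j in range(k, n + 1)))

def score_accounts(trail, baseline_posted):
    """trail: (account, outcome) pairs for one window, outcome 'seized' or 'returned'.
    baseline_posted: account -> bonds that account usually posts per window."""
    posted, seized = Counter(), Counter()
    for account, outcome in trail:
        posted[account] += 1
        seized[account] += outcome == "seized"
    report = {}
    for account, n in posted.items():
        k = seized[account]
        p_value = binom_tail(n, k, Z_N)
        report[account] = {
            "posted": n,                                   # bonds posted this window
            "seize_rate": k / n,
            "volume_ratio": n / max(baseline_posted.get(account, 1), 1),
            "p_value": p_value,
            "flag": p_value < ALPHA,                       # too many seizures for z_n
        }
    return report

# Constructed one-window trail: alice behaves as usual, bob's machine starts spamming.
TRAIL = ([("alice", "returned")] * 9 + [("alice", "seized")]
         + [("bob", "returned")] * 5 + [("bob", "seized")] * 35)
BASELINE = {"alice": 10, "bob": 8}

if __name__ == "__main__":
    for account, row in score_accounts(TRAIL, BASELINE).items():
        print(account, row)
```

A flagged account is a candidate for the ISP's cleanup or insurance process; the volume ratio is reported alongside so a sudden jump in bonds posted can be reviewed even when few bonds have been seized yet.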


Why “Economics” Matters to Security

• In the US, liability for ATM fraud lies with the bank, unless it can prove the customer was at fault.

• In the UK, liability lies with the customer unless the customer can prove the bank was at fault.

• Issue: which party is better positioned to prevent illicit access, bank or consumer?

Source: Anderson “Why cryptosystems fail”


Botnet Prevention

• ISP assumes responsibility for patching previously compromised machines
  – Or customer assumes responsibility for security and waives insurance
  – Put responsibility for security and liability for failures with the same party
• Customer base is on average more secure
• Expect a botnet rate decrease and a proportionate decrease in spam volume


Botnet Prevention

• Fraud protection becomes feasible when I decreases sufficiently for W_b > W_f
• In the bond case, the infection rate is I/∆, where ∆ > 1. It is still I in the filter case
• W_b > W_f when delta is
• With the start conditions of I = .15, m_i = 1000, m_n = 10, b = 5¢, c_b = .01¢, and c_f = .04¢ initially, then the system will pay for itself when the infection rate reaches 12.


Convert Cost to Revenue – Direct Mail is only $52 Bn of a $269 Bn

Total Ad Spending in 2004 (269.70 $Bn)

Medium          $Bn
Magazines       12.12
Broadcast TV    46.02
Cable TV        21.07
Radio           19.78
Yellow Pages    14.04
Direct mail     52.24
Bus. Papers      4.09
Out of home      5.79
Internet         7.06
Miscellaneous   34.55
Newspapers      46.93

Source: US Statistical Abstracts – Table 1265

“Half of all my ad dollars are wasted; trouble is, I don’t know which half!”

J. Wanamaker


Advertising Effects

• Bonds provide precise feedback to advertisers

• ISPs can collect valuable demographic data to sell to advertisers

• The cost of joining the system decreases, producing new welfare-positive transactions


Other Revenue Opportunities

• If the currency portion of the system is successful, there are other large markets which the ISP could expand into:
  – Electronic Payments (ex: PayPal)
    • If the system works out for small payments, the ISP could facilitate larger ones
  – Credit Card offerings


Conclusions

• Reduces the problem of botnet detection to one of financial fraud detection
• Introduces new welfare-positive transactions and new products for the ISP to sell
• Can reduce spread of viruses and spambots.
  – Reduces moral hazard
  – Facilitates detection
  – Facilitates prevention
