Intermediaries and regulation

Transcription

1 Intermediaries and regulation Economics of Security and Privacy (BMEVIHIAV15) Mark Felegyhazi assistant professor CrySyS Lab. Intermediaries and regulation BME Department of Telecommunications (Híradástechnikai Tanszék) mfelegyhazi(atat)crysys(dot)hu

2 Information security: the big picture software vendor security company ISP ISP Carol, Dave, domain hosting ISP Bob ISP domain hosting government Malice Intermediaries and regulation domain registrar content provider Alice cyber-insurance company 2

3 Spam filtering strategies block source using local or global blacklists reasons for blacklisting is often unclear content analysis and drop using spam signatures user feedback question: How to compile blacklists add and remove items Andrei Serjantov and Richard Clayton, Modelling Incentives for Blocking Strategies, WEIS 2005 Intermediaries and regulation 3

4 Intermediaries and regulation 4 s A C 50 B s flowing between ISPs ISPs have different sizes large ISP A does not want to receive from either of the small ISPs

5 Intermediaries and regulation 5 Model C A = users of A V B : C B N = vulnerability of the clients of B (that is cost of spam sent by users of B to one address) utility of A: U(A) = self-sending B s.t. (A,B) E accept connection from B if U(C B ) C A U(A) self = U(C A ) C A V A (C A ) U(C B ) C A V B (C B ) 0. lete (viz: the node is owned b B s.t. (B,A) E V B (C B )

6 Intermediaries and regulation 6 ISP behavior scan user machines indicate the need for patches avoid the node being blocked - reputation ISPs cannot precisely measure V B (C B ) notice and time to correct important to publish removal efficiency sometimes long time to unblock blocking strategy blocking is at the subnet/as level check ISPs with few ham s sent block ISPs where the spam/ham ratio is high make this blocking very dynamic

7 ISPs role is botnet and spam mitigation malware botnets botnets vehicle for cybercrime the swiss army knife for miscreants significant percentage of machines is infected owners don t know mostly used for spam intermediaries contribute to the botnet problem most infection comes from users and SMEs ISPs are in a key position to mitigate the problem M. van Eeten, J. M. Bauer, H. Asghari, S. Tabatabaie and D. Rand, The Role of Internet Service Providers in Botnet Mitigation: An Empirical Analysis Based on Spam Data, WEIS 2010 Intermediaries and regulation 7

8 Intermediaries and regulation 8 ISPs responsibility ISPs can mitigate the threat should they do it? substantial costs when taking actions pressure from governments code of conduct and good practices no reliable data ISPs deal only with fraction of infected machines Questions: ISPs as critical control points for botnet mitigation comparison of efficiency performance vs. ISP characteristics

9 Intermediaries and regulation 9 Data collection no reliable source of botnets spam trap with 138m IP addresses typical sources data collected external to the botnet - honeypots, IDS, spam traps - identifying infected machines by their behavior (spam, DoS) - good coverage, average accuracy (FPs and FNs) data collected internal to the botnet - traffic redirection, infiltrating IRC channels (C&C) - intercepting communications within the botnet - limited coverage, good accuracy

10 Intermediaries and regulation 10 Botnets as spam sources 80-90% of all is spam Ironport, MessageLabs most spam comes via botnets other techniques? spam originating IP likely an infected machine setup a spam trap

11 Intermediaries and regulation 11 Data collection methodology (1/2) for each IP AS number country MaxMind GeoIP historical coverage number of spam from this IP AS to ISP mapping is difficult historical market data on ISPs historical WHOIS data check names of ASs

12 Intermediaries and regulation 12 Data collection methodology (2/2) issues NAT underestimate infected machines dynamic IP addresses overestimates infected machines bias is not balanced + churn over time solutions correlate with spam volume calculate with daily averages

13 Intermediaries and regulation 13 ISPs as critical points blocking port 25 How many machines are actually in the ISPs networks? vs. hosting providers, application network providers, university and corporate networks Wide spectrum of ISPs few large, legitimate, well known ISPs grey area, rogue ISPs - many of them short-lived, dynamic - disproportionately involved in spam - evade collective actions

14 Intermediaries and regulation 14 ISPs as critical points data (1/2) data within large ISPs 63-69% of sources (77-82% in the same countries) 50-64% of spam

15 Intermediaries and regulation 15 ISPs as critical points data (1/2) most sources within the top ISPs instead of collective actions control top ISPs!

16 Intermediaries and regulation 16 ISPs performance (1/3) by size infected machines proportional to size still some ISPs are much more efficient

17 Intermediaries and regulation 17 ISPs performance (2/3) over time (a) Variability in absolute number of sources (b) Variability in relative number of sources stable core of non-efficient ISPs

18 Intermediaries and regulation 18 ISP performance (3/3) large ISPs less peer pressure worse performance FALSE: they are slightly better lower revenue per user higher financial pressure worse performance FALSE: unrelated cable providers different technology and userbase easier security improvements (partially) TRUE: but volume matches more regulation (London Action Plan / Cybercrime Convention) less botnet infections TRUE more piracy more infections (slightly) TRUE higher education levels awareness less infections TRUE

19 Intermediaries and regulation 19 Intermediate summary ISPs indeed critical control points Enough to regulate a few large, well established ISPs

20 Intermediaries and regulation 20 Incentive issues for ISPs market competition is fierce cost to handle reports, small effect of solving issues free-riding maintain good relationship with customers careless customers no lesser experience, but cost to get involved expert help is especially costly if the message is clear, users do care strong expectations from customers but tech support is not specialized in malware removal no reliable market signals for security M. van Eeten, J. M. Bauer, H. Asghari, S. Tabatabaie and D. Rand, The Role of Internet Service Providers in Botnet Mitigation: An Empirical Analysis Based on Spam Data, WEIS 2010 Richard Clayton, Might Governments Clean-up Malware?, WEIS 2010

21 Can governments help? government to care about this public good analogy public health subsidize expert services beneficial for users bulk purchase gets better prices a sales point for experts (ex. to promote anti-virus products) Richard Clayton, Might Governments Clean-up Malware?, WEIS 2010 Intermediaries and regulation 21

22 Government intervention subsidize expert services beneficial for users bulk purchase gets better prices a sales point for experts (ex. to promote anti-virus products) experts computer retailers community groups utility companies (?!) Richard Clayton, Might Governments Clean-up Malware?, WEIS 2010 Intermediaries and regulation 22

23 Intermediaries and regulation Proposed workflow ISP info material and removal tools Alice 4b. 4a. hires expert security expert 4b. subsidizes expert government

24 Intermediaries and regulation 24 Key benefits small improvement in number of infected computers reduction in data loss by citizens improved confidence in using the Internet considered as a major communication channel influence other countries show examples transfer know-how

25 Intermediaries and regulation 25 Issues and objections ISP control over third-parties ISP cooperation consistent reporting governments could involve the market for clean-up should stay in the loop to establish credibility and maintain quality controls government subsidy reduces and limits market subsidy is limited that leaves enough playground for the market players

26 Reading for next time K. Levchenko, N. Chachra, B. Enright, M. Félegyházi, C. Grier, T. Halvorson, C. Kanich, C. Kreibich, H. Liu, D. McCoy, A. Pitsillidis, N. Weaver, V. Paxson, G. M. Voelker, and S. Savage, Click Trajectories: End-to-End Analysis of the Spam Value Chain, IEEE S&P 2011 optional: Kanich, C. and Kreibich, C. and Levchenko, K. and Enright, B. and Voelker, G.M. and Paxson, V. and Savage, S., Spamalytics: An empirical analysis of spam marketing conversion, ACM CCS 2008 Cyber-insurance 26