Economics of Fighting Botnets: Lessons from a Decade of Mitigation

Asghari, Hadi; Eeten, Michel van; Bauer, J. M.

doi:10.1109/msp.2015.110

Cited by 27 publications

(23 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Cleanup is an arduous process that demands efforts from different actors, such as operating system vendors, anti-virus vendors, ISPs and the affected end users. As most infected machines reside in consumer broadband networks [3], the role of ISPs has become more salient over time. A range of best practices and codes of conduct have been published by leading industry associations [21], [23], public-private initiatives [18], [11] and governmental entities [17], [12].…”

Section: Isp Botnet Mitigationmentioning

confidence: 99%

See 1 more Smart Citation

Cleaning Up the Internet of Evil Things: Real-World Evidence on ISP and Consumer Efforts to Remove Mirai

Çetin

Gañán

Altena

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

With the rise of IoT botnets, the remediation of infected devices has become a critical task. As over 87% of these devices reside in broadband networks, this task will fall primarily to consumers and the Internet Service Providers. We present the first empirical study of IoT malware cleanup in the wild-more specifically, of removing Mirai infections in the network of a medium-sized ISP. To measure remediation rates, we combine data from an observational study and a randomized controlled trial involving 220 consumers who suffered a Mirai infection together with data from honeypots and darknets. We find that quarantining and notifying infected customers via a walled garden, a best practice from ISP botnet mitigation for conventional malware, remediates 92% of the infections within 14 days. Email-only notifications have no observable impact compared to a control group where no notifications were sent. We also measure surprisingly high natural remediation rates of 58-74% for this control group and for two reference networks where users were also not notified. Even more surprising, reinfection rates are low. Only 5% of the customers who remediated suffered another infection in the five months after our first study. This stands in contrast to our lab tests, which observed reinfection of real IoT devices within minutes-a discrepancy for which we explore various different possible explanations, but find no satisfactory answer. We gather data on customer experiences and actions via 76 phone interviews and the communications logs of the ISP. Remediation succeeds even though many users are operating from the wrong mental model-e.g., they run antivirus software on their PC to solve the infection of an IoT device. While quarantining infected devices is clearly highly effective, future work will have to resolve several remaining mysteries. Furthermore, it will be hard to scale up the walled garden solution because of the weak incentives of the ISPs.

show abstract

Section: Isp Botnet Mitigationmentioning

confidence: 99%

“…Many of the devices are in access networks, so ISPs can identify and contact the customers who own them. For regular PC-based malware, botnet mitigation by ISPs is widely accepted and has met with some success [3]. However, cleaning up infected devices is still an open problem, even when considering conventional malware.…”

Section: Introductionmentioning

confidence: 99%

Cleaning Up the Internet of Evil Things: Real-World Evidence on ISP and Consumer Efforts to Remove Mirai

Çetin

Gañán

Altena

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…For startups, which introduce many new IoT products, there are even fewer incentives than for bigger companies since they have little reputation to loose [29]. Internet Service Providers (ISPs) could play an important role in mitigating security risks, but also for them, the extra costs yield little benefits [5][7].…”

Section: Reasons and Impactsmentioning

confidence: 99%

“…Finally, policymakers can offer incentives to ISPs to mitigate security risks [5]. As ISPs act as a doorway to the Internet for many, they are in an advantageous position to mitigate cyber security risks.…”

Section: Solution Directionsmentioning

confidence: 99%

A Conceptual Framework for Addressing IoT Threats: Challenges in Meeting Challenges

Harbers¹,

Bargh²,

Pool³

et al. 2018

Proceedings of the Annual Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

The Internet of Things (IoT) is rapidly growing, and offers many economical and societal potentials and benefits. Nevertheless, the IoT also introduces new threats to our Security, Privacy and Safety (SPS). The existing work on mitigating these SPS threats often fails to address the fundamental challenges behind the mitigation measures proposed, and fails to make the relations between different mitigation measures explicit. This paper, therefore, offers a conceptual framework for understanding and approaching the challenges and obstacles that arise in addressing the SPS threats of the IoT. This contribution aims to help policymakers in adopting policies and strategies that stimulate others to develop, deploy and use IoT devices, applications and services in secure, privacyfriendly and safe ways.

show abstract

“…Classification function presented by (12) need to be adjusted to accommodate a specific period or a device geographic location, since it is expected that the CDN will react different if the local network is changed. To establish a new classification a learning set should be used with known CDN and Botnets.…”

Section: Threshold Decision Algorithmmentioning

confidence: 99%

Fast-Flux Botnet Detection Based on Traffic Response and Search Engines Credit Worthiness

2018

View full text Add to dashboard Cite

Botnets are considered as the primary threats on the Internet and there have been many research efforts to detect and mitigate them. Today, Botnet uses a DNS technique fast-flux to hide malware sites behind a constantly changing network of compromised hosts. This technique is similar to trustworthy Round Robin DNS technique and Content Delivery Network (CDN). In order to distinguish the normal network traffic from Botnets different techniques are developed with more or less success. The aim of this paper is to improve Botnet detection using an Intrusion Detection System (IDS) or router. A novel classification method for online Botnet detection based on DNS traffic features that distinguish Botnet from CDN based traffic is presented. Botnet features are classified according to the possibility of usage and implementation in an embedded system. Traffic response is analysed as a strong candidate for online detection. Its disadvantage lies in specific areas where CDN acts as a Botnet. A new feature based on search engine hits is proposed to improve the false positive detection. The experimental evaluations show that proposed classification could significantly improve Botnet detection. A procedure is suggested to implement such a system as a part of IDS.

show abstract

Economics of Fighting Botnets: Lessons from a Decade of Mitigation

Cited by 27 publications

References 5 publications

Cleaning Up the Internet of Evil Things: Real-World Evidence on ISP and Consumer Efforts to Remove Mirai

Cleaning Up the Internet of Evil Things: Real-World Evidence on ISP and Consumer Efforts to Remove Mirai

A Conceptual Framework for Addressing IoT Threats: Challenges in Meeting Challenges

Fast-Flux Botnet Detection Based on Traffic Response and Search Engines Credit Worthiness

Contact Info

Product

Resources

About