Nothing Special   »   [go: up one dir, main page]

Skip to main content

Botnet Economics: Uncertainty Matters

  • Chapter
  • First Online:
Managing Information Risk and the Economics of Security

Abstract

Botnets have become an increasing security concern in today’s Internet. Thus far the mitigation to botnet attacks is a never ending arms race focusing on technical approaches. In this chapter, we model botnet-related cybercrimes as a result of profit-maximizing decision-making from the perspectives of both botnet masters and renters/attackers. From this economic model, we can understand the effective rental size and the optimal botnet size that can maximize the profits of botnet masters and attackers. We propose the idea of using virtual bots (honeypots running on virtual machines) to create uncertainty in the level of botnet attacks. The uncertainty introduced by virtual bots has a deep impact on the profit gains on the botnet market. With decreasing profitability, botnet-related attacks such as DDoS are reduced if not eliminated from the root cause, i.e. economic incentives.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 129.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 169.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 169.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    Alternatively, we can view n e as the minimum number of accesses required to disable a website, and further define the number of accesses per machine to figure out the size of rental. We do not see it necessary to go into such details and believe our conclusions are not affected.

  2. 2.

    Although we are considering Internet Relay Chat (IRC), which is the dominant C&C channel in today’s botnet, the parameter for botnet maintenance costs can be defined accordingly based on the underlying technique adopted to control bots, whether through IRC or other decentralized systems such as P2P.

  3. 3.

    Similar to the determination of n e, how many bots, q, a C&C channel can host is determined by technological progresses and limited by the capacity of the channel. Given technology, q is fixed.

  4. 4.

    Defenders refer to whoever has the incentive to run/maintain honeypots such as researchers and government agencies. While these organizations by lawhave desire to fight against cybercriminals, private parties may also be motivated to create honeypots if they are financially compensated. For example, a honeypot server may collect data on the botnet to sell to customers for development of infrastructure protection techniques.

  5. 5.

    Furthermore, the increased likelihood for an attack to fail also increases the psychological costs of launching such an attack, which makes the practice even less interesting.

  6. 6.

    In reality, the chance for a botnet master to be detected and arrested is small. Dropping the penalty component of the costs does not damage the model conclusions. Effects of non-zero legal punishment and how legal enforcement can be combined with honeypots to fight botnets, especially when botnets are used to launch attacks with linearly increasing payoffs such as spams, are studied in a related work.

  7. 7.

    The actual values of the parameters can be estimated from empirical studies. The numbers assigned here are for illustrative purposes.

  8. 8.

    Botnetmasters may seek for innovation in response to the increased use of honeypots. For example, they may develop cheaper means of C&C (i.e., lower m). According to (20) and (21), profit may increase and the cutoff p v has to be larger. Cheaper means of C&C is unfavorable innovation concerning fighting attacks. Nevertheless, it does not affect the nature of model conclusions.

  9. 9.

    The effective size of a botnet is the number of bots connected to the IRC channel at a specific time. While the effective size has less impact on long-term activities such as executing commands posted as channel topics, it significantly affects the number of minions available to execute timely commands such as DDoS attacks.

  10. 10.

    The size of the botnet is 1.11 (=1/(1 – 0.1)) times the size in the benchmark case. The increase in size is 11 percent.

References

  • Bacher, P., Holz, T., Kotter, M., and Wicherski, G. “Know Your Enemy: Tracking Botnets,” The Honeynet Project & Research Alliance, March 2005.

    Google Scholar 

  • “Computer Scientist Fights Threat of Botnets,” ScienceDaily, Nov. 10 2007. Available at http://www.sciencedaily.com/releases/2007/11/071108141303.htm

  • Dagon, D., Zou, C., and Lee, W.“Modeling BotnetPropagation Using Time Zones,” in Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS’06), Febuarary. 2006.

    Google Scholar 

  • Ford, R., and Gordon, S. “Cent, Five cent, Ten cent, Dollar: Hitting Botnets Where It Really Hurts,” in New Security Paradigms Workshop, 2006, pp. 3–10.

    Google Scholar 

  • Franklin, J., and Perrig, A. “An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants,” in Proceedings of the 14th ACM conference on Computer and Communications Security, SESSION: Internet Security, Alexandria, Virginia, 2007, pp. 375–388.

    Google Scholar 

  • Jin, C., Wang, H., and Shin, K. “Hop-Count Filtering: An Effective Defense Against Spoofed DoS Traffic,” in Proceedings of the 10th ACM Conference on Computer and Communications Security, 2003, pp. 30–41.

    Google Scholar 

  • Jin, S. and Yeung, D. “A Covariance Analysis Model for DDoS Attack Detection,” in Proceeding of the IEEE International Conference on Communications (ICC), vol. 4, June 2004, pp. 1882–1886.

    Google Scholar 

  • Karasaridis, A., Rexroad, B., and Hoeflin, D. “Wide-scale BotnetDetection and Charaterization,” in USENIX Workshop on Hot Topics in Understanding Botnets (HotBots’07), 2007.

    Google Scholar 

  • Mahajan, R., Bellovin, S., Floyd, S., Ioannidis, J., Paxon, V., and Shenker, S. “Controlling High Bandwidth Aggregates in the Network,” ACM SIGCOMM Computer Communication Review(32:3), July 2002, pp. 62–73.

    Article  Google Scholar 

  • Park, K., and Lee, H. “On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack,” in Proceedings of INFOCOM 2001, 2001, pp. 338–347.

    Google Scholar 

  • Rajab, M. A., Zarfoss, J., Monrose, F. and Terzis, A. “A Multifaceted Approach to Understanding the BotnetPhenomenon,” in 6th ACM SIGCOMM conference on Internet Measurment, SESSION: Security and Privacy, 2006, pp. 41–52.

    Google Scholar 

  • Rajab, M. A., Zarfoss, J., Monrose, F., and Terzis, A. “My Botnetis Bigger Than Yours (Maybe, Better Than Yours): Why Size Estimates Remain Challenging,” in Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, Cambridge, MA, 2007, pp. 5.

    Google Scholar 

  • Savage, S., Wetherall, D., Karlin, A. P., and Anderson, T. “Practical Network Support for (IP) Traceback,” in Proceedings of SIGCOMM, 2000, pp. 295–306.

    Google Scholar 

  • Snoeren, A., Partridge, C., Sanchez, L., Jones, C., Tchakountio, F., Kent, S. and Strayer, W. “Hash-Based IP Traceback,” in Proceedings of SIGCOMM, 2001, pp. 3–14.

    Google Scholar 

  • “Worldwide Infrastructure Security Report vol.ii (2006),” ARBOR NETWORK. Available at http://www.arbornetworks.com/report

  • Xu, J., and Lee, W. “Sustaining Availability of Web Services under Distributed Denial of Service Attacks,” Transactions on Computers (52:2), Feburary 2003, pp. 195–208.

    Article  MathSciNet  Google Scholar 

  • Yau, D. K. Y., Lui, J. C. S., Liang, F. and Yam, Y. “Defending against Distributed Denial-of-Service Attacks with Max-min Fair Server-centric Router Throttles,” IEEE/ACM Transactions on Networking (13:1), 2005, pp. 29–42.

    Article  Google Scholar 

Download references

Authors

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2009 Springer Science+Business Media, LLC

About this chapter

Cite this chapter

Li, Z., Liao, Q., Striegel, A. (2009). Botnet Economics: Uncertainty Matters. In: Johnson, M.E. (eds) Managing Information Risk and the Economics of Security. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-09762-6_12

Download citation

  • DOI: https://doi.org/10.1007/978-0-387-09762-6_12

  • Published:

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-09761-9

  • Online ISBN: 978-0-387-09762-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics