Incentivizing botnet mitigation

Towards a reputation measurement system for Internet Service Providers


Abstract

Cyber-crime is a large problem for society. Often a botnet is used for cybercrime. A machine is infected with a bot, and this bot communicates with its controller. Other machines are infected with the same bot, which communicates with the same controller. These infected machines together form a zombie army of machines: the botnet. It is estimated that 10% of all computers are infected with malware at any point in time. A bot on a machine can be removed, and enforcing better security would help here. Security comes at a cost and requires specific knowledge. Generally there are two groups: 1) people with knowledge and resources about security and 2) people without knowledge and resources about security. The first group (usually larger companies) has to determine which security measures to invest in; usually this group is aware of botnets. For the second group (smaller organizations and the home consumer), the issue with regard to botnets is that it does not have the knowledge to determine if it is infected. For many end users it is therefore difficult to determine 1) if they are infected and 2) how to mitigate the infection. The end user accesses the internet via the ISP from which they “buy their internet”. This means that all the internet traffic from an end user goes via the ISP. ISPs are in an ideal position to mitigate the problem of botnets: the ISP can determine who is sending out what kind of traffic. This knowledge makes ISPs a good candidate to mitigate the botnet problem. By law ISPs have to do something about this problem, but it is unspecified how much. ISPs could mitigate botnet activity of their customers, e.g. by informing end users or, in a more radical situation, by shutting down connections until the user’s bot is cleaned up. ISPs are aware of the problem and are working on it, but their incentives are not aligned towards botnet mitigation.
Contacting customers is costly, and the law is vague, as it specifies only that an effort has to be made: these are the negative incentives. ISPs do face costs if they have infected users, since botnet traffic increases the amount of bandwidth they have to provide. If an ISP hosts a lot of infected machines, other ISPs could be affected by it and force the ISP to “clean up”; in practice this does not happen often. These incentives in favor of mitigation are in place, but they are much lower than the incentives for not mitigating. The result of these incentives is that ISPs are contacting some customers, but for many ISPs this is only a very small fraction of the infected machines they actually host. ISPs operate in a competitive market and are susceptible to brand damage. They fear that it becomes publicly known how they are doing, number-wise, on infected machines. For this reason, reputation based on the number of bot-infected machines an ISP hosts was researched. Such a system also has an advantage for ISPs: it helps to create awareness among people, and such awareness could make their mitigation efforts easier. The research proceeded in two steps. First, the current situation regarding botnets, Internet Service Providers and the market of ISPs was mapped. Second, since a reputation system has to be developed, the concepts of reputation and reputation systems were researched. By researching reputation in the context of ISPs, design criteria for a reputation system were created. Two possible designs have also been identified from these design criteria.