Measuring Network Reputation in the Ad-Bidding Process

  • Yizheng Chen
  • Yacin Nadji
  • Rosa Romero-Gómez
  • Manos Antonakakis
  • David Dagon
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10327)

Abstract

Online advertising is a multi-billion dollar market, and therefore a target for abuse by Internet criminals. Prior work has shown that millions of dollars of advertisers’ capital are lost to ad abuse, and has focused on defense from the perspective of the end-host or the local network egress point. We investigate the potential of using public threat data to measure and detect adware and malicious affiliate traffic from the perspective of demand side platforms, which facilitate ad bidding between ad exchanges and advertisers. Our results show that malicious ad campaigns have statistically significant differences in traffic and lookup patterns from benign ones. However, public blacklists can only label a small percentage of ad publishers (0.27%), which suggests that new lists dedicated to ad abuse should be created. Furthermore, we show that malicious infrastructure on ad exchanges can be tracked with simple graph analysis and maliciousness heuristics.

Notes

Acknowledgements

We would like to thank TAPAD and in particular their CTO, Dag Liodden, for his invaluable help throughout this project. This material is based upon work supported in part by the US Department of Commerce grant 2106DEK, National Science Foundation (NSF) grant 2106DGX and Air Force Research Laboratory/Defense Advanced Research Projects Agency grant 2106DTX. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the US Department of Commerce, National Science Foundation, Air Force Research Laboratory, or Defense Advanced Research Projects Agency.

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Yizheng Chen (1)
  • Yacin Nadji (2)
  • Rosa Romero-Gómez (2)
  • Manos Antonakakis (2)
  • David Dagon (1)

  1. School of Computer Science, Georgia Institute of Technology, Atlanta, Georgia
  2. School of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, Georgia
