Abstract

  


 



The Role of Internet Service Providers in Botnet Mitigation an Empirical Analysis Based on Spam Data


Michel Van Eeten


Delft University of Technology - Faculty of Technology, Policy and Management

Johannes M. Bauer


Michigan State University

Hadi Asghari


Delft University of Technology

Shirin Tabatabaie


affiliation not provided to SSRN

David Rand


Trend Micro Incorporated
August 15, 2010

TPRC 2010

Abstract:     
Botnets, networks of machines infected with malicious software, are widely regarded as a critical security threat. Measures that directly address the owners of the infected machine end users are useful, but have proven insufficient to reduce the overall problem. Recent studies have shifted attention to key intermediaries – most notably, Internet Service Providers (ISPs) – as control points for botnet activity. Surprisingly little empirical information is available to assess the claim that ISPs are an important control point, as well as related claims, for example, that large ISPs are worse cybercitizens than smaller ones. This paper is a first effort to go beyond generalized arguments by dissecting the diversity of ISPs and the number of infected machines in their networks. As most of the current spam is sent through botnets, the origin of spam messages provides us with a proxy for detecting infected machines. Using a global dataset of 138 million unique IP addresses that connected to a spam trap in the period 2005-2008, we have analyzed in detail the geographic patterns, time trends, and differences at the level of countries and ISPs. This data underlines the key position of ISPs as intermediaries. For example, in our dataset just 10 ISPs account for around 30 percent of all unique IP addresses sending spam worldwide; 50 ISPs account for over half of all sources. For the first time, the patterns in infected machines are connected to other data, such as the size of the ISPs and the country in which they are located. Using bivariate and multivariate statistical approaches we investigate empirically the effects of country-level policy measures on the number of unique IP addresses sending spam at the ISP level. The data reveals wide differences between ISPs in the relative number of infected machines, sometimes up to three orders of magnitude. Whereas the overall number of infected machines is largely driven by the size of the user base, we also find limited evidence that public policies to improve cybersecurity have the desired mitigating effects. Our findings confirm some of the claims made in the research literature but refute others.

Number of Pages in PDF File: 31

Accepted Paper Series


Download This Paper

Date posted: January 22, 2012  

Suggested Citation

Van Eeten, Michel, Bauer, Johannes M., Asghari, Hadi, Tabatabaie, Shirin and Rand, David, The Role of Internet Service Providers in Botnet Mitigation an Empirical Analysis Based on Spam Data (August 15, 2010). TPRC 2010. Available at SSRN: http://ssrn.com/abstract=1989198

Contact Information

Michael Van Eeten (Contact Author)
Delft University of Technology - Faculty of Technology, Policy and Management ( email )
P.O. Box 5015
2600 GB Delft
Netherlands
Johannes M. Bauer
Michigan State University ( email )
Department of Telecommunication
404 Wilson Road, Room 409
East Lansing, MI 48824-1212
United States
517-355-8372 (Phone)
517-355-1292 (Fax)
HOME PAGE: http://www.msu.edu/~bauerj
Hadi Asghari
Delft University of Technology ( email )
HOME PAGE: http://homepage.tudelft.nl/r0d9v/
Shirin Tabatabaie
affiliation not provided to SSRN
David Rand
Trend Micro Incorporated ( email )
Feedback to SSRN (Beta)


Paper statistics
Abstract Views: 388
Downloads: 74
Download Rank: 163,916

© 2013 Social Science Electronic Publishing, Inc. All Rights Reserved.  FAQ   Terms of Use   Privacy Policy   Copyright
This page was processed by apollo8 in 0.344 seconds