Hadi Asghari

Security economics in the HTTPS value chain

Even though we increasingly rely on HTTPS to secure Internet communications, several landmark incidents in recent years have illustrated that its security is deeply flawed. We present an extensive multi-disciplinary analysis that examines how the systemic vulnerabilities of the HTTPS authentication model could be addressed. We conceptualize the security issues from the perspective of the HTTPS value chain. We then discuss the breaches at several Certificate Authorities (CAs). Next, we explore the security incentives of CAs via the empirical analysis of the market for SSL certificates, based on the SSL Observatory dataset. This uncovers a surprising pattern: there is no race to the bottom. Rather, we find a highly concentrated market with very large price differences among suppliers and limited price competition. We explain this pattern and explore what it tells us about the security incentives of CAs, including how market leaders seem to benefit from the status quo. In light of these findings, we look at regulatory and technical proposals to address the systemic vulnerabilities in the HTTPS value chain, in particular the EU eSignatures proposal that seeks to strictly regulate HTTPS communications.

Economics of Fighting Botnets: Lessons from a Decade of Mitigation

The fight against botnets has been going on for more than a decade, but they still impose significant costs. ISPs have become increasingly central to the effort, as they can undertake mitigation more economically and efficiently than end users. A study evaluates the role and performance of ISPs in botnet mitigation across 60 countries.

How dynamic is the ISPs address space? Towards internet-wide DHCP churn estimation

IP address counts are typically used as a surrogate metric for the number of hosts in a network, as in the case of ISP rankings based on botnet infected addresses. However, due to effects of dynamic IP address allocation, such counts tend to overestimate the number of hosts, sometimes by an order of magnitude. In the literature, the rate at which hosts change IP addresses is referred to as DHCP churn. Churn rates vary significantly within and among ISP networks, and such variation poses a challenge to any research that relies upon IP addresses as a metric. We present the first attempt towards estimating ISP and Internet-wide DHCP churn rates, in order to better understand the relation between IP addresses and hosts, as well as allow us to correct data relying on IP addresses as a surrogate metric. We propose an scalable active measurement methodology and then validate it using ground truth data from a medium-sized ISP. Next, we build a statistical model to estimate DHCP churn rates and validate against the ground truth data of the same ISP, estimating correctly 72.3% of DHCP churn rates. Finally, we apply our measurement methodology to four major ISPs, triangulate the results to another Internet census, and discuss the next steps to more precisely estimate DHCP churn rates.

Deep Packet Inspection: Effects of Regulation on Its Deployment by Internet Providers

Deep Packet Inspection (DPI) has been the subject of heated policy debates. This paper examines theoretically and empirically patterns of DPI adoption during the past four years. An examination of the data revealed that in 2010, around two thirds of all broadband operators worldwide made noticeable or pervasive use of DPI for bandwidth management purposes. This figure was high in light of the public and regulatory unease over the use of these technologies. In 2012, this figure drops to around one third of the examined ISPs. What is less understood is the extent to which government policies encourage or discourage DPI adoption by ISPs. We explore those forces and find evidence that regulatory frameworks exert influence on the adoption of DPI. Using an integrated modelling approach, we hypothesized that all other things being equal, stringent privacy regulation would discourage the use of DPI, whereas Internet filtering policies would encourage it. There are also countries where neither is present. In those cases, we hypothesized that the ISPs own incentives dominate adoption. We conclude the paper with a discussion of policy implications.

Economics of cybersecurity

The Internet has enabled tremendous economic and social innovation yet the underlying systems, networks and services sometimes fail miserably to protect the security of communications and data. Security incidents occur in many forms, including but not limited to the leaking and theft of private information, unauthorized access to information, malicious alteration of data, or software and service unavailability. Given the complexity of the problem, it seems improbable that security can be attained by eliminating all vulnerabilities. Moreover, preventative security measures are costly. Some level of uncertainty will therefore have to be accepted and choices need to be made, trading off competing objectives and limited resources. Recent research has developed approaches to better explain why certain security failures occur and others do not. These contributions clarified that security is not merely a technical problem that can be fixed with engineering solutions but that is also has important economic and behavioral dimensions that need to be addressed. Examining the incentives of players in the information and communication technology (ICT) ecosystem has been particularly fruitful in explaining the landscape of vulnerabilities and attacks that can be observed. The core of this work is rooted in information security economics. This chapter surveys the state of the art of the existing research with a focus on the criminal threats to cybersecurity.

Unraveling the Economic and Political Drivers of Deep Packet Inspection

The use of Deep Packet Inspection technology has been the focus of a growing amount of scholarly work due to its impact on sensitive policy issues. In this paper we look at the use of DPI for throttling or blocking peer to peer protocols by 288 broadband operators over three years, and correlate this with economic and political variables. Our empirical data shows that as of 2011, half of the studied ISPs are actively using DPI in their networks, although to varying degrees. We examine the role of seven economic and political drivers of DPI technology based on typical use-cases: bandwidth scarcity, network security, competition, surveillance, privacy protections, censorship and the strength of copyright industries. Performing bivariate analysis, we find that a few of these drivers are significantly correlated with the use of DPI.

A time-dependent SIS-model for long-term computer worm evolution

Epidemic models like the SIS or SIR model enable us to describe simple spreading processes over networks but are often not sufficient to accurately capture more complex network dynamics as exhibited by sophisticated and malicious computer worms. Many of the common assumptions behind epidemic models do not necessary hold if the process under investigation spans big networks or large scales of time. We extend the standard SIS network model by dropping the assumption of a constant curing rate in favour of a time-dependent curing rate function, which enables us to reflect changes in the effectiveness of the active worm removal process over time. The resulting time-dependent mean-field SIS model allows us to study the evolution of the size of computer worm bot-nets. We exemplify the complete procedure, including data-processing, needed to obtain a reliable model on data from Conficker, an extremely resilient computer worm. Using empirical data obtained from the Conficker sinkhole, we fit long time periods of up to 6 years on multiple scales and different levels of noise. We end by reflecting on the limits of epidemic models in empirical analysis of malware threats.

Internet Measurements and Public Policy: Mind the Gap

Large and impressive data collection efforts often fail to make their data useful for answering policy questions. In this paper, we argue that this is due to a systematic gap between the ways measurement engineers think about their data, and how other disciplines typically make use of data. We recap our own efforts to use the data generated by a number of such projects to address questions of Internet and telecommunication policy, and based on our experience, propose five points for engineers to consider when building measurement systems to reduce the gap. Ignoring the gap means that fewer researchers use the data and significantly lowers a project’s impact on policy debates and outcomes.