Advanced Cyber Defence Centre (ACDC)

Europe takes on the battle against botnets

Botnets represent a serious threat to Internet security, with tens of millions of computers infected each year in Europe alone. In the battle against botnets, the European project Advanced Cyber Defence Centre (ACDC) is going on the offensive. TU Delft has joined the fight by using reputation metrics to visualise the performance level of providers.

Botnets are networks of hacked computers, which cybercriminals use to commit Internet fraud. In a number of countries, led by the Netherlands, Internet service providers (ISPs) and other access providers are regarded as the designated parties to take action against botnets. After all, they are able to identify the owner of any PC and thus represent a control point. This is a good illustration of the new perspective on Internet security: the problem is not purely a technical issue, but more a matter of economic incentives.

TU Delft conducted the study Internet service providers and botnet mitigation for the Ministry of Economic Affairs, Agriculture and Innovation in 2011. “We analysed the scope of botnets in the Netherlands at the time,” explains Michel van Eeten, Professor of Public Administration at TU Delft. “And we found that the number of infected computers we traced was considerably higher than the number of computers cleaned. That is why, at the beginning of 2013, seven Dutch ISPs launched the Abuse Information Exchange, in which information on botnet infections is gathered and processed in a central location, so that botnets can be fought more effectively and Internet security can be improved.”

Battle plan

The ACDC’s aims are to detect infected websites, prevent attacks and remove malware. The battle plan is as follows: information on infected machines will be obtained from a wide variety of sources. These data will be organised and compiled, after which standardised data feeds will be sent to hosting companies and ISPs, which must then take further action. There will also be national support centres for consumers in different countries. Van Eeten: “The EU wants to know for certain whether this centralised dissemination of information and the support centres do indeed lead to a reduction in the degree of contamination. TU Delft has been engaged to answer this question by way of scientific research.”

TU Delft’s task is to carry out a quantitative evaluation of the impact of the ACDC solution. In other words: is there evidence that the ACDC approach is effective at a European level? Are the networks of participating access providers cleaned up sooner than those of non-participants? And how does this add up for Europe as a whole? “The second question is whether we can make differences between those providers visible,” says Van Eeten. “So that the ISPs that score highly on security are rewarded, and the poorly performing companies are encouraged to improve.”

Translation pathway

The research questions of the ACDC are perfectly suited to TU Delft. “This is precisely what we innovated in previous research. What we do fills a gap. Techies look purely at technical events and then produce figures, such as the number of IP addresses associated with suspicious behaviour in a specific network. But those are just numbers. Policymakers don’t look at the technology, but at the markets: which businesses does this concern, what kind of customers do they have, and which legislation applies to them? We have now built the connection between the technical and the economic/legal domain, a type of translation pathway. You feed in raw measurement data, which is processed in order to produce scores for each provider and for each country. The results this produces are often a real eye-opener.” 

Reputation metrics

TU Delft’s OG research group is a specialist in reputation metrics: measuring the reliability of certain market parties compared to one another and others in their chain. Making visible what everyone does encourages parties to make improvements. Reputation metrics have already been used for access providers (KPN and ZIGGO) and are set to be used for hosting companies (e.g. Leaseweb), registrars (e.g. GoDaddy), certification authorities (e.g. VeriSign) and various banks.