
Analysis of the Game Theoretic Model

In document Measuring Strategic Communications (Page 65-70)

3.4 Evaluation and Analysis

3.4.2 Analysis of the Game Theoretic Model

From the analysis of the payoff functions of the Attacker and Defender, the conditions of each Nash equilibrium, and the results of the above simulations, we can derive the following insights:

1. This game is not a zero-sum game, because the Attacker's gain does not come from the Defender's loss.

2. Although performing inspection (playing strategy I) will not bring the Defender any positive gain, it will lower his loss if he can detect the malicious ads at a sufficiently high rate. Therefore, the Defender is still motivated to inspect the submitted ads before letting them pass and be posted on the ad publisher's website.

3. If the detection rate is too low (α  ), then the Defender will simply choose not to inspect the ads. This is because in this case the reduction in the Defender's loss due to inspection is less than the cost spent on inspection, so inspecting will not lower the overall cost.

4. If the detection rate is not high enough (α < ), then the Attacker will always post malicious ads. This is because, although some malicious ads submitted by the Attacker will be detected by the Defender's inspection techniques, the gain brought in by those malicious ads successfully delivered to vulnerable user machines is still higher than the cost of launching malvertising.

5. If the detection rate is high enough (α > and α > ), then the Attacker and Defender start to randomize their choice of strategy because no pure-strategy Nash equilibrium exists.

6. Assume that the detection rate (α) is within the same range as given in point 5 (i.e. α > and α > ). Provided that everything else is constant, a higher α will make the Attacker more inclined to post benign ads (from Equation (3.1) in Section 3.3.2, we can see that x increases when α increases), and make the Defender more inclined not to inspect the ads (from Equation (3.2) in Section 3.3.2, we can see that y decreases when α increases).

7. Assume that the detection rate (α) is within the same range as given in point 5, and the Defender has knowledge of the Attacker's average gain (g) resulting from each successful delivery of a malicious ad. Provided that everything else is constant, a higher g will make the Defender more inclined to inspect (from Equation (3.2) in Section 3.3.2, we can see that y increases when g increases).

8. Assume that the detection rate (α) is within the same range as given in point 5, and the Attacker has knowledge of the Defender's average loss (l) resulting from each undetected malicious ad. Provided that everything else is constant, a higher l will make the Attacker more inclined to post benign ads (from Equation (3.1) in Section 3.3.2, we can see that x increases when l increases).
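The regimes in points 3 to 8 can be reproduced with a standard 2×2 inspection game. The following is an added example, not code or equations from the original document: the payoff table, the Attacker's launch cost `c_a`, the Defender's inspection cost `c_d` and the thresholds that follow from them are assumptions chosen to be consistent with the insights above, with x taken as the probability of posting benign ads and y as the probability of inspecting.

```python
from fractions import Fraction

def payoffs(alpha, g, c_a, l, c_d):
    """Assumed table: (Attacker, Defender) -> (Attacker payoff, Defender payoff).
    M/B = post malicious/benign ad, I/N = inspect/do not inspect."""
    return {
        ("M", "I"): ((1 - alpha) * g - c_a, -(1 - alpha) * l - c_d),
        ("M", "N"): (g - c_a, -l),
        ("B", "I"): (0, -c_d),
        ("B", "N"): (0, 0),
    }

def is_zero_sum(table):
    """True only if the two payoffs cancel in every strategy profile."""
    return all(ua + ud == 0 for ua, ud in table.values())

def pure_equilibria(table):
    """Profiles from which neither player gains by deviating alone."""
    found = []
    for (a, d), (ua, ud) in table.items():
        a_alt = "B" if a == "M" else "M"
        d_alt = "N" if d == "I" else "I"
        if ua >= table[(a_alt, d)][0] and ud >= table[(a, d_alt)][1]:
            found.append((a, d))
    return found

def solve(alpha, g, c_a, l, c_d):
    """Return ('pure', profiles), or ('mixed', x, y) when no pure equilibrium exists."""
    pure = pure_equilibria(payoffs(alpha, g, c_a, l, c_d))
    if pure:
        return ("pure", pure)
    x = 1 - c_d / (alpha * l)    # P(benign): makes the Defender indifferent between I and N
    y = (g - c_a) / (alpha * g)  # P(inspect): makes the Attacker indifferent between M and B
    return ("mixed", x, y)

if __name__ == "__main__":
    # Constructed parameters: g=10, c_a=2, l=20, c_d=4, so the assumed
    # thresholds are c_d/l = 0.2 and 1 - c_a/g = 0.8.
    for alpha in (Fraction(1, 10), Fraction(1, 2), Fraction(9, 10)):
        print(alpha, solve(alpha, 10, 2, 20, 4))
```

Under these assumed payoffs, the Defender stops inspecting when α is below `c_d/l`, the Attacker always posts malicious ads when α is below `1 - c_a/g`, and both randomize once α exceeds both thresholds.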

3.5 Related Work

Researchers have proposed complete defense systems to counter malvertisements as well. Ford et al. [45] developed a tool that can automatically analyze Flash advertisements to identify malicious behavior. Li et al. [46] presented MadTracer, a malvertising detection system based on machine learning techniques that learn and identify prominent features from malicious advertising nodes and their related content delivery paths. MadTracer can automatically generate detection rules and utilize them to detect malvertising activities. Rastogi et al. [47] developed a framework for analyzing the app-web interfaces in Android applications; they successfully analyzed 201 ad networks and their associated ad library packages and 600,000 apps in the Google Play store, and identified hundreds of malicious files and scam campaigns. Their scheme involves triggering of the app-web interfaces, detection of malicious content, and provenance to identify the responsible parties. Arshad et al. [48] proposed an in-browser approach called Excision to automatically detect and block malicious third-party content inclusions as the user's browser loads web pages or executes browser extensions. They claimed that their approach does not rely on the inspection of the resources' content; rather, it relies on analyzing the sequence of inclusions that leads to the resolution and loading of a final third-party resource.

Researchers have previously applied the game theoretic approach to combat other similar malicious threats. Njilla et al. [49] proposed a game theoretic framework to model the security and trust relationship in cyberspace among users, service providers and attackers. The authors formulated a three-player game and analyzed different solutions obtained from Nash equilibrium that can benefit the service providers in decision making. Kamhoua et al. [50] proposed a game-theoretic approach for testing for hardware Trojans in digital circuits, where the testing is modeled as a zero-sum game between malicious manufacturers or designers who want to insert Trojans, and testers whose goal is to detect the Trojans. The resulting solution involves multiple possible mixed-strategy Nash equilibria that can provide guidelines for optimum test sets for identifying and preventing hardware Trojans. Similar game theoretic approaches have been used in [51, 52, 53, 54].

3.6 Summary

Malvertising has posed serious security threats to the Internet, and caused losses to Internet users and ad networks alike. In this work, we formulated the malvertising inspection problem with a game theoretic model, and introduced a normal form game between the malvertiser and the ad network. To the best of our knowledge, this is the first attempt to apply game theory to model this problem. We computed pure-strategy and mixed-strategy Nash equilibria for the two players, and derived several useful insights from analysis of the game. Our findings can provide guidelines for ad networks to best utilize their resources to mitigate the problem of malvertising.

In the future, we aim to extend our game theoretic model to consider the repeated Bayesian game between the malvertiser and the ad network. The main characteristic of a Bayesian game is that one or both of the players have incomplete information about the type of the other player, which will allow us to model the scenario in which the ad network has incomplete information to determine whether the advertiser belongs to the benign type or the malicious type. Moreover, a repeated game will allow the players to incorporate the information they learned in previous games into the playing of future games.

CHAPTER 4

MAXIMIZING ACCURACY IN MULTI-SCANNER MALWARE DETECTION SYSTEMS
