THE ECONOMIC INCENTIVES OF PROVIDING NETWORK SECURITY SERVICES ON THE INTERNET INFRASTRUCTURE

Transcription

1 Journal of Information Technology Management ISSN # A Publication of the Aociation of Management THE ECONOMIC INCENTIVES OF PROVIDING NETWORK SECURITY SERVICES ON THE INTERNET INFRASTRUCTURE LI-CHIOU CHEN SCHOOL OF COMPUTER SCIENCE AND INFORMATION SYSTEMS PACE UNIVERSITY lchen@pace.edu THOMAS A. LONGSTAFF SOFTWARE ENGINEERING INSTITUTE CARNEGIE MELLON UNIVERSITY tal@cert.org KATHLEEN M. CARLEY INSTITUTE FOR SOFTWARE RESEARCH INTERNATIONAL CARNEGIE MELLON UNIVERSITY kathleen.carley@cmu.edu ABSTRACT Ditributed denial-of-ervice (DDOS) attack have emerged a a prevalent way to compromie the availability of network and erver, which impoed financial loe for e-commerce buinee. Many defene that mitigate the effect of ongoing DDOS attack have been propoed. However, none of the defene have been widely deployed on the Internet infratructure at thi point becaue of a lack of undertanding in the economic incentive inherent in providing the defene a well a uncertainty in current defene. We propoe that ISP hould provide DDOS defene a network ervice to enure the availability of a network or a erver when the technology i ready. Thi paper provide an analytical framework for the propoed ervice to align the economic incentive. Uing empirical data from ecurity incident, thi paper how that the propoed ervice can bring economic benefit to provider with an appropriate pricing trategy, ome invetigation into the expected lo of ubcriber, and knowledge on the overall rik level of attack. Keyword: network ecurity, ditributed denial of ervice, network ervice, cot-benefit analyi, economic incentive. INTRODUCTION Network ditributed denial-of-ervice (DDOS) attack [12] compromie the availability of victim network or erver. Pat incident have caued financial loe of victim [10, 24-25, 27]. Many defene that mitigate the effect of ongoing DDOS attack have been propoed and the uncertainty inherent in the technology ha been previouly tudied [6, 14, 17]. Currently, ome ISP have developed method to trace the ource of attack traffic on Journal of Information Technology Management Volume XV, Number 3-4,

2 their backbone network [21, 22] and ome ISP 1 have tarted to offer ervice that mitigate the impact of DDOS attack. Automatic mechanim on reponding againt ongoing attack traffic are till underdeveloped in practice. More reearch effort i till needed to develop the automatic repone. Our purpoe here i to ae if any economic incentive would puh ISP toward the development of the automatic mechanim o that ISP will further provide them to their ubcriber. Thi problem i not jut technical but i a management and policy problem a well, involving the etting of policie and meeting the need of divere ubcriber with different prioritie [16, 26]. What would be the economic incentive of ISP to provide defene againt network attack uch a DDOS? Thi paper i intended to addre thi quetion by analyzing the economic benefit and cot of ISP to provide the defene at ome choke point of the Internet infratructure, uch a network router/proxy erver. We propoe that ISP hould provide network defene a network ecurity ervice to their ubcriber. Network ecurity ervice, uch a Virtual Private Network or firewall, have been provided by ISP a optional network ervice to deal with the ecrecy of data tranportation. In thi cae, the ervice that provide DDOS defene enure the availability of a network or a erver during attack. We developed an analytical model to quantify the benefit and cot of the ervice proviion. The model conider both the demand of ubcriber (potential attack victim/ource) and the upply of the provider (ISP) to deploy the network defene. We analyzed the model analytically and calibrated ome parameter uing empirical data on network attack. Baed on thee reult, we provide recommendation on aligning ISP economic incentive. The next ection introduce the propoed ervice and decribe the analytical model, followed by a ection on the analytical reult from the model, another on the empirical calibration and finally the model reult are dicued. Concluion and future work follow. 1 AT&T offer DDOS detection and repone ervice ( tarting from June 2004 but the ervice doe not pecify performance in a Service Level Agreement (SLA). Starting from March, 2004, MCI offer DDOS detection ervice with a SLA that guarantee ome link utilization during DDOS attack. However, thi ervice doe not trigger automatic repone againt attack and it provide only attack detection when cutomer report upiciou attack ( THE ANALYTICAL MODEL FOR PROVISION OF NETWORK SECURITY SERVICES We propoe that ISP provide network ecurity ervice to their ubcriber. The ervice deploy DDOS defene on ome choke point of the Internet infratructure and react actively to filter DDOS attack traffic during attack. We conider two type of DDOS defene: ource filtering and detination filtering. Source filtering refer to the defene that monitor the outbound traffic from a ubcriber in order to prevent the ubcriber from originating attack (attack ource). Detination filtering refer to the defene that monitor the inbound traffic to a ubcriber in order to prevent the ubcriber from being attacked (attack victim). A detail decription of the current technologie i in [6]. We define our analytical model baed on the following aumption: Attack: DDOS attack aturate the network connection of ubcriber to their backbone network or take down erver inide the network of the ubcriber. The attack can be traced to their ource within the adminitrative boundary of one network provider. Even if the attack are originated from ubcriber of another network provider, the provider of the victim can till trace to the network provider that carrie the attack traffic. Subcriber: Subcriber would pay baed on the utility received from the defene. The utility that a ubcriber derive from DDOS defene i the expected lo that would be incurred from DDOS attack. Provider: Provider would offer the ervice to an additional ubcriber when the marginal benefit to the provider i larger than the marginal cot to the provider. Pricing: Provider charge all ubcriber at a flat rate for a certain time period for the ecurity ervice, uch a a month. Many ISP uch a AOL currently offer viru canning and firewall at a flat rate in additional to the network connection ervice that they provide. We will vary thi aumption and analyze other pricing cheme when we dicu the model reult. Market: The ervice i offered in a competitive market where the price for the ervice i determined o that the number of ubcriber that are willing to ubcribe it i equal to the number of ubcriber that the provider would like to offer it. We will alo dicu the ervice proviion in a monopoly market when we dicu the model reult. Journal of Information Technology Management Volume XV, Number 3-4,

3 Benefit and Cot of Subcriber What a ubcriber i willing to pay for DDOS defene i aumed to be le than the utility received from the ecurity ervice. We ue a linear function to quantify the utility. A imilar linear function form ha been ued to quantify the expected lo aociated with the information et being compromied in an attack [11] and the utility of ubcriber for intermediary ervice [1] and digital good [2]. The utility that a ubcriber derive from DDOS defene i the expected lo that would be incurred from DDOS attack. Economic loe from Internet ecurity breache have been tudied previouly [4, 9]. The expected lo i quantified by three factor: the attack frequency, a [0,1], referring to how often attack occur, the expected lo per attack, L, referring to how much lo an attack impoe on the ubcriber and the quality of the defene, q [0,1], quantifying the impact of the performance efficiency on the expected lo. Let U denote the utility function of a ubcriber for the ervice, which i defined a: U = aql (1.a). Conider a implifying ituation that only one type of ervice i offered and the provider charge each ubcriber a flat rate p for a certain time period, uch a a month. Baed on the aumption that a ubcriber i willing to pay le than the utility, the upper bound for the ervice charge p d i: P d aql (1.b). Aume that L for all ubcriber i proportional to a uniform ditribution. Let q denote the quality of the ervice for DDOS defene, which can be conidered a a network performance meaure, uch a the arrival rate of legitimate traffic. The number of ubcriber that will ubcribe to the ervice depend on the ditribution of a. F(a) denote the percentage of the ubcriber that have at leat a attack, and aume that L and a are independent. A a reult, only the ubcriber that expect the attack ql frequency to be larger than would ubcribe to the ervice at P d. Let M repreent the total number of ubcriber of an ISP. Let N d denote the number of ubcriber that are willing to ubcribe to the network ecurity ervice. When the price i et at P, N d i calculated a: N d = F( a) M (1.c). From (1.c), the lowet attack frequency expected by the ubcriber of the network ecurity ervice i a function of N d, which i: P d d K( N d ) = a= F 1 N d ( ) M (1.d). Benefit and Cot of Provider The cot quantification conider only the operational cot of providing DDOS defene but not the capital invetment on the infratructure. Three factor are conidered in quantifying the operational cot. They are: 1) fixed cot (C o ), 2) filter overhead (R), and 3) bandwidth aving (W). Both R and W quantify the per-attack operating cot while C o quantifie the per-ubcriber operating cot. Fixed cot (C o ) quantifie the additional cot per ubcriber that the provider ha to pay in order to et up the ervice for the ubcriber. For example, the cot of additional equipment, uch a dik pace for logging, or additional adminitrative overhead. Filter overhead (R) quantifie the per-attack overhead of a defene on IP tranport due to attack detection and repone. If the provider provide an IP tranport ervice that guarantee a certain quality of ervice (QoS), the additional overhead impoe an economic cot to the provider. On the contrary, bandwidth aving (W) reduce the cot, which quantifie the per-attack tranport benefit. Thi benefit come from filtering attack packet before they are tranported to their detination. Filter overhead per attack R i defined to be proportional to the number of filter H(G), the link utilization by legitimate traffic µ x, and the attack duration τ. Given a network topology G, H(G) i calculated a the number of edge monitored by filter, which are deployed between attack ource and victim. H(G) i influenced by the network topology becaue filter mut be deployed at ome choke point between the attack ource and the victim. The model aume that filter are triggered only when attack are detected and that the proportional relationhip i linear. C r denote the unit economic cot of filter overhead and S denote the number of attack ource, R i defined a: R=τµ x Cr H (G) (2.a). Bandwidth aving per attack W i defined to be proportional to tranport ditance aved D(G), the link utilization by attack traffic µ a, and the attack duration τ. D(G) i calculated a the tranport ditance between filter and the victim network, which i alo topology dependent. f a denote the attack traffic filtering rate and C w denote the unit economic cot of bandwidth. W(G) i defined a: W = τµ C a w D( G, f a ) (2.b). Journal of Information Technology Management Volume XV, Number 3-4,

4 The total cot of providing the defene C i the um of operational cot C o from all ubcriber, and R from all attack. Let Θ ( N) repreent the total number of attack from all ubcriber of the ervice, which i equal to N a i i= 1 where a i i the attack frequency of i th ubcriber. When the ervice i offered to N ubcriber, the total cot for providing the ervice i calculated a: C= C o N + RΘ ( N (2.c). The total benefit for providing the ervice i calculated a: B= P N + WΘ ( N (2.d). The total profit for providing the ervice TP i: TP= B C = P N + ( W R) Θ( N ) C dtp dn o ) N ) (2.e). By etting = 0, the lower bound of the ervice charge (the marginal cot of providing the ervice to one additional ubcriber) i: P C o + [ R W ] K ( N ) ANALYTICAL RESULTS (2.f). From (1.a)-(1.d) and (2.a)-(2.f), the price range of the ecurity ervice obtained i the following: C o + [ R W ] K( n) p K( n) ql (3.a) How a provider et the price within thi range depend on the market (it competitor) and it pricing trategy. In the hort term, if all provider have the ame marginal cot, the equilibrium price and the equilibrium number of ubcriber in a competitive market can be calculated by equaling (3.b) and (3.c). The equilibrium number of ubcriber n will atify C o The equilibrium price i + [ R W ql] K( n ) = 0 (3.b). which i p = K( n ) ql= C o + [ R W ] K( n (3.c). The total provider benefit i equal to it profit, TP= p n [ R W ] Θ( n) C n The total ubcriber benefit i CS = qlθ ( n) p n The total ocial benefit i SB= TP+ CS = [ ql R+ W ] Θ( n) C n o ) o (3.d). (3.e). (3.f). Table 1 lit the impact of each variable on TP, CS and SB. We ummarized two major finding a follow: 1) When the capacity of the network i contrained, provider have more benefit over cot of providing defene mechanim uing flat rate pricing. When the capacity of the ISP network i contrained, the bandwidth aving i larger than the filter overhead (R<W). During a DDOS attack, an ISP network capacity can be contrained becaue attacker intend to caue burt traffic. Even if the ISP expand it network capacity, attacker can till generate attack with increaingly higher packet rate. In thi cae, all TP, CS and SB increae with bandwidth aving and decreae with filter overhead o that the provider interet i aligned with the ubcriber interet. 2) When the capacity of the network i not contrained, provider have more cot over benefit of providing defene mechanim uing flat rate pricing in a competitive market. In thi cae, other pricing trategie hould be conidered. When the capacity of the ISP network i not contrained, the bandwidth aving i maller than filter over head (R>W). In thi cae, provider have loe from providing the defene mechanim becaue the flat rate price cannot fully recover the cot. Subcriber that have low probability of being attacked will not pay for the ervice becaue they imply expect le lo from the attack than the ervice fee. Under thi circumtance, the provider hould conider other pricing trategie. Journal of Information Technology Management Volume XV, Number 3-4,

5 Table 1: The impact 2 of variable on provider benefit, ubcriber benefit and ocial benefit Variable R=W (TP=0) R<W (TP>0) R>W (TP<0) Name Increae in TP CS SB TP CS SB TP CS SB Operational cot C o 0 Reduced expected L,q 0 lo Router overhead R( x, C r, H) 0 Bandwidth aving W( a, C w, D) 0 Attack duration τ EMPIRICAL EVIDENCE FOR PARAMETER CALIBRATIONS We etimated the variation of the demand among individual ubcriber uing empirical data of network attack. The variation can be explained a the variation in the attack rik of ubcriber online ervice. For example, the demand for the ervice from an e-commerce web ite uch a Yahoo or ebay i higher than a peronal web ite ince the probability of attack to an e-commerce web ite i greater. We ued two data et to calibrate the probability of attack F(a) ince F(a) determine the hape of the demand function. Thee two empirical data et are: 1) the DDOS data et [18] and 2) the Code-Red data et [19]. The DDOS data et i ued to etimate the ditribution of attack ent to ubcriber (for detination filtering), and the Code-Red data et i ued to etimate the ditribution of attack originating from ubcriber (for ource filtering). Figure 1 how that both data et can be modeled by a power curve functional form (R-quare = 0.93 and 0.98, repectively). We will ue the two etimated functional form to calibrate F(a) in the next ection. We calculated R and W uing an AT&T backbone network map from [3]. Thi map decribe a core network topology connecting North America citie for AT&T network. In addition, we collected public available data to calibrate parameter of a bae cenario (Table 2). In the next ection, the parameter for the model analyi are et to the value in thi bae cenario unle they are otherwie pecified. Thi bae cenario aume a TCP SYN attack launched at an average packet rate baed on data oberved from ingle attack ource. Detination filtering i deployed to monitor the inbound traffic to ubcriber (victim). The unit bandwidth cot i equal to unit filter overhead becaue thi cae aume that the overhead impoed by filtering a packet i equal to the overhead of forwarding a packet. A detail decription of the data et and the topology calculation i in [5]. 2 0 denote no influence, denote an increae on the parameter will decreae TP, CS or SB, and denote an increae on the parameter will increae TP, CS or SB. Journal of Information Technology Management Volume XV, Number 3-4,

6 Table 2: Parameter etting for the bae cenario Category Unit cot Network topology Defene Attack Notat Bae Decription ion value M 2800 Number of ubcriber to network connection ervice. The number of buine ubcriber for IP tranport i etimated from it market hare. The etimated market hare i 10% and 3.5% for AT&T and Cable & Wirele repectively. Cable & Wirele reported the number of buine ubcriber i 950. Hence, the etimated number of buine ubcriber for the AT& T in 2000 i 95010%/3.5%~2800 [3]. C o $945 /month Operation cot per ubcriber. The operation cot i etimated baed on current AT&T ecurity ervice. AT&T charge a $945 recurring monthly fee for ecurity ervice in a three-year contract. The recurring monthly fee include Tunnel Server, 24x7 management and maintenance, help dek upport, client oftware, and 4 hour time to repone [3]. C r $85,025 /month Unit economic cot of performance overhead. Etimated baed on OC3 155Mbp leaed line acce price from AT&T on Jan C w $85,025 Unit economic benefit of bandwidth aving. Etimated baed on OC3 155Mbp leaed /month line acce price from AT&T on Jan H(G) 1 Number of edge monitored by filter. H and D are et at the value that dynamic filter are triggered at 7 hop away from the victim network (at the border of the network). D(G) 7 Ditance between filter and the victim network q 1 Performance efficiency (in range [0,1]). The bet cae for legitimate traffic arrival ratio. f a 0.99 Attack traffic filtering rate (in range [0,1]). L(q) $4,080 Expected lo of an attack. In [8], the reported average annually loe from denial of /attack ervice for a company i $122,389 in Aume the number of attack i uniformly ditributed among 12 month. The average number of attack i 2.5 from prior analyi. The expected lo reduced by filter per attack = $122,389/(122.5)~$4,080. µ x 30% Link utilization of the edge monitored by filter. The link utilization i 20%-35% and 20%-70% in two OC-3 link in a backbone link monitor project decribed in [20]. 30% i the medium etimation. µ a 60Mb /econd Attack magnitude. It i etimated by 1500 packet per econd (pp) and 40 byte per packet [7]. An attack with 1500 pp i enough to compromie a firewall. In the trace analyzed in [18], 20% of all attack event had an etimated packet 1500 pp or higher. Minimum TCP packet ize which carrie TCP acknowledgement but no payload [15]. Duration of an attack. In the trace analyzed in [18], 20% of attack 5 minute, 50% of attack 10 minute, and 90% of attack 1 hour. τ 10 minute S 1 Number of attack ource. F(a) Cumulative ditribution of the attack frequency. a denote the frequencie of attack. The DDOS data et i ued for the bae cenario. Journal of Information Technology Management Volume XV, Number 3-4,

7 The percentage of ubcriber that have at leat a attack (F(a) ) 1.E-03 1.E-04 Power line (Code-Red) F(a) = 1.39a E-05 Power line (DDOS) F(a) = 0.37a E-06 1.E+02 1.E+03 1.E+04 1.E+05 Attack frequency (a ) Data et DDOS Code-Red Power (Code-Red) Power (DDOS) Figure 1: The empirical data of network attack COST AND BENEFIT ANALYSIS BASED ON EMPIRICAL EVIDENCE The empirical calibration i to clarify three iue that can not be determined by the analytical reult alone. 1) When the capacity of the network i contrained, how do we chooe from different defene technologie? 2) What are the factor that influence the capacity contraint during an attack? 3) If the flat rate pricing cannot upport the ecurity ervice, what are the alternative? Each of the following ub-ection will addre each of the three quetion, repectively. To avoid preenting abolute monetary value of the benefit and cot, we will ue a benefit-cot ratio ( C B ) to preent the empirical reult. Filtering Technology What defene technologie that a network provider hould adopt when bandwidth cot i a concern of the operation? Here we dicu two type of technologie: 1) detination filtering: filtering inbound traffic of ubcriber to prevent the ubcriber from being attacked, and 2) ource filtering: filtering outbound traffic of ubcriber to prevent the ubcriber from ending out attack traffic. We ued the DDOS data to calibrate the demand for detination filtering and the Code-Red data to calibrate the demand for ource filtering. When detination filtering i deployed, the cloer the filter can be to the attack ource, the more benefit both the provider and the ubcriber will have. Figure 2 how that both the provider benefit and the ubcriber benefit increae when the filter location 3 i cloer to the attack ource. The provider gain from the increae of the bandwidth aving becaue attack traffic ha been filtered out before it i tranported. The ubcriber alo benefit from an increae in the quality of the ervice. That i, more legitimate traffic to the ubcriber can bypa the filter. Some ubcriber may be exploited by attacker to launch attack. When ubcriber uffer loe from originating attack, the network provider will be better off to adopt ource filtering than detination filtering. Thi reult occur when the packet rate of an attack i larger than a threhold, 150pp for our cenario (Figure 3). Thi point i where the network capacity i contrained (W>R) a we dicued in the analytical reult from the model. Thi reult implie that a policy i needed to impoe a cot on ubcriber that originate attack. Poible way of impoing uch a cot include blackliting the ubcriber that originate attack, aigning liability to attack ource [13], or revealing the origin of the attack ource. 3 Attack uptream mean the filter i et at one hop uptream of the network that originate attack. Victim uptream mean the filter i et at the acce router to the victim network. Journal of Information Technology Management Volume XV, Number 3-4,

8 The percentage of ubcriber that have at leat a attack (F(a) ) 1.E-03 1.E-04 Power line (Code-Red) F(a) = 1.39a E-05 Power line (DDOS) F(a) = 0.37a E-06 1.E+02 1.E+03 1.E+04 1.E+05 Attack frequency (a ) Data et DDOS Code-Red Power (Code-Red) Power (DDOS) Figure 2: Increae on both the provider benefit and ubcriber benefit by etting filter cloer to the attack ource 1.E+04 benefit-cot ratio 1.E+03 1.E+02 When the packet rate >=150pp, ource filtering i better off ource filtering detination filtering packet rate of an attack to the victim (pp). Figure 3: Benefit-cot ratio per ervice for ource filtering and detination filtering Capacity Contraint What i the impact of other factor on the network capacity contraint? Here we dicu two factor in our model: the ratio of bandwidth cot and filter overhead and the ditribution of attack ource. Firt, the network capacity become contrained when the unit bandwidth cot i 10 time of the unit filter overhead. In thi cae, ource filtering i more beneficial for the provider. Figure 4 how that the benefit cot ratio in ource filtering exceed it value in detination filtering when C w /C r >0.1. Second, the packet rate for the capacity contraint increae when the number of attack ource increae and when the attack ource are ditributed. A in Figure 5, when the packet rate < 3000pp, the benefit-cot ratio for the ource filtering data et i maller than it i for the Journal of Information Technology Management Volume XV, Number 3-4,

9 detination filtering. When the packet rate > 3000pp, the difference of the benefit-cot ratio between the two approache i much maller than it i during a ingle ource attack. Thi reaon for the reult i that, for a given packet rate of an attack received by the victim, the packet rate from one attack ource when the attack i ditributed i le than the packet rate from one attack ource when the attack i from one ource. 1.E+03 1.E+02 ource filtering benefit-cot ratio detination filtering bandwidth cot/filter overhead cot (C w /C r ) Figure 4: The impact of bandwidth cot/filter overhead cot 1.E+04 detinaton filtering, ingle 1.E+03 detination filtering, ditributed benefit-cot ratio 1.E ource filtering, ingle ource filetring, ditributed 1.E-03 packet rate of the attack to the victim (pp) Figure 5: Single ource attack v ditributed ource attack Journal of Information Technology Management Volume XV, Number 3-4,

10 Pricing Strategie The advantage of the flat rate pricing cheme i it implicity. However, under uch a cheme, the provider will not have incentive to provide the ervice if the network i not capacity contrained. We will relax thi flat rate aumption in thi ection. For comparion, we analyzed two other trategie: 1) free bundling and 2) differential pricing. We will dicu the free bundling pricing cheme uing the benefit-cot ratio per attack, which repreent how much benefit over cot that an ISP would obtain without conidering the payment and the fixed cot from each ubcriber. Thi ituation happen when provider would like to attract more ubcriber to the IP tranport ervice or when provider charge the ubcriber for only the fixed cot per ubcriber. Uing ource filtering (Figure 6) a an example, the flat rate pricing cheme ha the approximately ame benefit-cot ratio a the free bundling cheme if the fixed cot i recovered from other ervice. The reaon for thi i that the number of attack frequency i very large in our Code-Red data et o that the benefit per attack i much larger than the benefit from ervice charge. In thi cae, the impact of the ervice charge i negligible. In addition, if the benefit from network connection ervice i larger than the fixed cot, the free bundling cheme i even more beneficial for the provider than the flat rate cheme ince the provider obtain both the bandwidth aving and the additional gain from other ervice. An alternative pricing cheme hould be provided under the monopoly market. A poible pricing cheme i to charge ubcriber differently baed on their individual utility from the ervice (a equation 1.a). However, the individual utility of the ervice could be hard to etimate in practice. An alternative i to differentiate the ervice to everal verion for ubcriber who have different expected lo. Similar cheme have been ued in digital product vertical differentiation [2]. Figure 7 compare the flat rate pricing cheme and the differential pricing cheme for individual ubcriber. The differential pricing conider an extreme cae that the provider can price the ubcriber baed on their individual utility, which i determined by their expected lo and the attack frequency. Acro all packet rate, the differential pricing cheme i more beneficial for the provider than the flat rate cheme. The analyi on the differential pricing here i preliminary. Further mechanim are needed for aligning ubcriber with different price ince it i hard in practice to evaluate the expected lo of ubcriber. 1.E+04 Benefit-cot ratio per ervice 1.E+03 Benefit-cot ratio per attack Benefit-cot ratio 1.E Packet rate of an attack (pp) Figure 6: Benefit-cot ratio per ervice v benefit-cot ratio per attack for ource filtering at the uptream router of attack ource Journal of Information Technology Management Volume XV, Number 3-4,

11 1.E+04 1.E+03 benefit-cot ratio 1.E+02 differential flat rate packet rate of an attack to the victim (pp) Figure 7: Differential pricing v. flat rate pricing in the monopoly market for ource filtering CONCLUSIONS We propoed a quantitative method to invetigate the economic incentive for providing ervice to repond againt ongoing DDOS attack traffic. To introduce the new ervice for their ubcriber, network provider need to enure that the operational profit in the long term would jutify their capital invetment. We found everal factor that will influence the operational profit. At the initial tage, when few provider are able to deploy the ervice (monopoly market), the provider hould implement a differential pricing cheme. By doing thi, the provider can benefit from the different level of expected lo experienced by ubcriber and from the different level of the attack frequency. When more and more provider are able to provide the ervice (competitive market), no ingle provider can benefit from the differential pricing cheme ince ubcriber can have more choice by witching to another provider. In thi cae, three implication can be drawn: 1) Setting the filter location cloer to the attack ource i more beneficial than cloer to the victim network for both the ubcriber and the provider. Thi reult i more ignificant when the network of the provider i capacity contrained. 2) Providing ource filtering i better for a provider than providing detination filtering when mot attack to it ubcriber are launched at high packet rate and when ubcriber that originate attack uffer loe. 3) The provider i better off providing the detination filtering ervice for free if the fixed cot per ubcriber can be recovered from the additional revenue brought by new ubcriber to network tranport ervice. We provided an analyi on the economic incentive of providing DDOS defene. With an appropriate pricing trategy and ome invetigation into the expected lo from attack, network provider can benefit from providing the ecurity ervice and align their interet with ubcriber. Thi work i jut our firt tep to invetigate thi problem. Future work on etimating ubcriber expected lo and collecting data on attack incident are needed to facilitate our propoal. Journal of Information Technology Management Volume XV, Number 3-4,

12 REFERENCES [1] Bhargava, H.K., V. Choudhary, and R. Krihnan, Pricing and product deign: intermediary trategie in an electronic market. International Journal of Electronic Commerce, Vol. 5,No. 1: pp [2] Bhargava, H.K. and V. Choudhary, Information good and vertical differentiation. Journal of Management, Vol. 18,No. 2: pp [3] BW, Directory of Internet Service Provider, The Board Watch Magazine [4] Cavuoglu, H., B. Mihra, and S. Raghunathan. The effect of Internet ecurity breach announcement on market value of breached firm and Internet ecurity developer. Workhop on Information Sytem and Economic Barcelona, Spain. [5] Chen, L.-C., Computational Model for Defene againt Internet-baed Attack, Department of Engineering and Public Policy. 2003, Carnegie Mellon Univerity: Pittburgh. [6] Chen, L.-C., T.A. Longtaff, and K.M. Carley, Characterization of defene mechanim for ditributed of denial of ervice attack. Computer & Security, Vol. 23,No. 8: pp [7] Claffy, K.C., G. Miller, and K. Thompon. The nature of the beat: recent traffic meaurement from an Internet backbone. INET Geneva, Switzerland. [8] CSI, CSI/FBI computer crime and ecurity urvey, Computer Security Iue & Trend [9] Ettredge, M. and V.J. Richardon. Aeing the rik in e-commerce. Proceeding of the 35th Hawaii International Conference on Sytem Science Hawaii. [10] Garber, L., Denial-of-ervice attack rip the Internet. IEEE Computer, Vol. 33,No. 4: pp [11] Gordon, L.A. and M.P. Loeb, The economic of information ecurity invetment. ACM Tranaction on Information and Sytem Security, Vol. 5,No. 4: pp [12] Houle, K.J. and G.M. Weaver, Trend in denial of ervice attack technology. 2001, CERT Coordination Center, Software Engineering Intitute, Carnegie Mellon Univerity: Pittburgh. [13] Kabay, M.E., Ditributed denial-of-ervice attack, contributory negligence and downtream liability. ACM Ubiquity, Vol. No. [14] Lipon, H., Tracking and tracing cyber-attack: technical challenge and global policy iue. 2002, CERT Coordination Center, Software Engineering Intitute: Pittburgh. [15] McCreary, S. and K.C. Claffy. Trend in wide area IP traffic pattern: a view from Ame Internet Exchange. ITC Specialit Seminar Monterey, CA. [16] McCurdy, D., The DHS Infratructure Protection Diviion: Public-Private Partnerhip to Secure Critical Infratructure. 2004, ISAlliance. [17] Mirkovic, J. and P. Reiher, A taxonomy of DDoS attack and DDoS defene mechanim. ACM SIGCOMM Computer Communication Review, Vol. 34,No. 2: pp [18] Moore, D., G.M. Voelker, and S. Savage. Inferring Internet denial-of-ervice activity. USENIX Security Sympoium Wahington DC. [19] Moore, D., C. Shannon, and J. Brown. Code-Red: a cae tudy on the pread and victim of an Internet worm. ACM SIGCOMM/USENIX Internet Meaurement Workhop Mareille, France. [20] Papagiannaki, K., et al. Analyi of meaured ingle- Hop delay from an operational backbone network. IEEE INFOCOMM New York. [21] Snoeren, A.C., et al. Hah-baed IP traceback. ACM SIGCOMM [22] Stone, R. CenterTrack: An IP overlay network for tracking DoS. USENIX Security Sympoium Denver, CO. [23] Symantec, Symantec Internet ecurity threat report. 2004, Symantec. [24] Tran, K.T.L., Hacker attack major Internet ite, temporarily hutting Buy.com, Ebay, Wall Street Journal pp. 3. [25] Verton, D., Teen hacker 'Mafiaboy' plead guilty to 55 charge, ComputerWorld [26] WH, The national trategy to ecure cyberpace. 2003, The White Houe. [27] Yankee, $1.2 Billion Impact Seen a a Reult of Recent Attack Launched by Internet Hacker. 2000, The Yankee Group. ACKNOWLEDGMENTS Thi work wa upported in part by the NSF/ITR and the Pennylvania Infratructure Technology Alliance, a partnerhip of Carnegie Mellon, Lehigh Univerity, and the Commonwealth of Pennylvania' Department of Economic and Community Development. Additional upport wa provided by ICES (the Intitute for Complex Engineered Sytem) and CASOS the Center for Computational Analyi of Social and Organizational Sytem at Carnegie Mellon Univerity ( The view and concluion Journal of Information Technology Management Volume XV, Number 3-4,

13 contained in thi document are thoe of the author and hould not be interpreted a repreenting the official policie, either expreed or implied, of the National Science Foundation, the Commonwealth of Pennylvania or the U.S. government. AUTHORS BIOGRAPHIES Dr. Li-Chiou Chen received her Ph.D. from Carnegie Mellon Univerity in Engineering and Public Policy. She i an aitant profeor at the Department of Information Sytem in the School of Computer Science and Information Sytem, Pace Univerity. Her reearch interet are focued on combining artificial intelligence and agent-baed modeling to conduct technological and policy analyi in the area of information ecurity. Specific area include countermeaure againt the propagation of computer virue, computational modeling for defene againt ditributed denial of ervice attack and agent-baed imulation on policie to counter the pread of epidemic. Dr. Thoma A. Longtaff received hi PhD in 1991 at the Univerity of California, Davi in oftware environment. He i a enior member of the technical taff in the Network Situational Awarene Program at the Software Engineering Intitute (SEI), Carnegie Mellon Univerity. He i currently managing reearch and development in network infratructure ecurity for the program. Hi publication area include information urvivability, inider threat, intruder modeling, and intruion detection. Dr. Kathleen M. Carley received her Ph.D. from Harvard. She i a profeor at the Intitute for Software Reearch International, Carnegie Mellon Univerity. Her reearch combine cognitive cience, ocial network and computer cience. Specific reearch area are dynamic network analyi, computational ocial and organization theory, adaptation and evolution, computational text analyi, and the impact of telecommunication technologie and policy on behavior and dieae contagion within and among group. Her model meld multi-agent technology with network dynamic and empirical data. Illutrative large-cale multi-agent network model he and the CASOS team have developed are: BioWar -- city, cale model of weaponized biological attack; OrgAhead -- a trategic and natural organizational adaptation model; and DyNet -- a change in covert network model. Journal of Information Technology Management Volume XV, Number 3-4,