| 摘要: | 在本篇論文中我們將針對一嚴重影響網際網路上商業活動的新型態攻擊行為,點擊造假 (Click Fraud),提出一全新且高效率的解決方案。 隨著網路的日漸普及,使用網路幾乎變成多數人生活中不可或缺的一部分,因而影響且改變了大多數人的生活模式。在商務應用方面,也衍生出了各式各樣與網路相關的商品與服務,其中有一項就是依點擊次數收費(pay-per-click)的廣告模式。在此新的廣告模式下要刊登廣告的人,直接接洽提供廣告刊登服務的廠商,再由廠商代為尋找合適刊登的網站,例如各大搜尋引擎、部落格或網路相簿等流量高且具廣告效益的網站,並在上面刊登含有廣告客戶網頁地址的超連結,一般的網頁瀏覽者在閱讀含有該超連結的網頁時,便可透過該超連結下載廣告客戶的廣告網頁。而依點擊次數收費的廣告的計費方式則是依據廣告被刊登在網站上之後,曾經被多少人點擊且連結到刊登廣告者的網站,最後統計次數來進行收費。在2005年間,依點擊次數收費廣告為Yahoo帶來了37億美元的收益,佔了Yahoo公司本年度收入的一半。另外,也為Google帶來61億美元的收益,佔全公司收入的99%。 點擊造假是近幾年才開始的網路攻擊模式,但立即引起各方的注意與討論,然迄今仍無有效且簡便的防範方法。此類攻擊因而逐漸侵蝕其中龐大的廣告利益,瓦解刊登廣告者與提供廣告刊登服務廠商之間的信任關係,與損害刊登廣告者的利益。點擊造假的攻擊方式是由攻擊者以手動方式,大量的點擊刊登於其自身(或虛擬)網站上的廣告,藉以以偽造的點擊次數向廣告刊登服務廠商騙取金錢,或商業競爭者以此偽造點擊次數,使競爭對手的廣告因為達到預設的點擊次數,而被提供廣告刊登服務的廠商移除,讓真正的使用者無法看到此則廣告。另外也有較有經驗的攻擊者利用各式輔助程式,發送大量封包,於短時間內進行大規模的攻擊。Click Fraud的攻擊行為影響層面甚廣,首當其衝的就是藉刊登廣告作為主要收入的網站,例如:Google, Yahoo等,據Google統計約有,在所有廣告點擊中,約有20%是屬於Click Fraud 所產生。 以TCP Proxy及TCP Splicing為基礎,我們提出一全新高效率且能精確判定網頁點擊攻擊者是否為Click Fraud攻擊者的方法 – Click Fraud Defender (CFD)。由於是以TCP Proxy為基礎,所以所有瀏覽器使用者在透過含有廣告客戶網頁地址的網頁要求讀取廣告客戶的網頁時。該要求皆是先被送到CFD處理,CFD再根據要求的內容替要求者下載網頁並將結果傳回網頁原要求者。由於是以TCP Splicing為基礎,所以所有在網頁瀏覽器與網頁伺服器間傳遞的資訊皆可被CFD完整地掌握,藉由比對正常使用者與點擊造假攻擊者的行為差異:如網頁下載百分比、網頁下載次數、網頁下載頻率,CFD 可正確地區別兩者。畢竟如果沒有比一般使用者更快速頻繁的網頁讀取要求,點擊造假攻擊者是很難達成其目的而不被發現。 另外,為了提昇系統效率,我們將監測使用者連線狀態的功能放入Linux核心中,避免程式在監測封包時,因為不斷在作業系統的kernel mode與user mode間切換,而耗費大量系統資源,所以能使執行效能大大提升。此外由於在同一時間通過CFD的 TCP Connection 數可能多達數萬之多,因此傳統上 Polling或 Sleep-and-Wake-up 型態的處理Socket的方式將不適合CFD,我們將在Kernel中將與所有Sockets有關的活動轉成 Events,並將其插入Event List中。因此 CFD不需花任何時間去處理 idle sockets, CFD 僅需處理 Event List。 In this research, we plan to develop a novice click fraud detection solution named Click Fraud Defender (CFD) to solve this notorious security threat to the Internet-based advertising and companies posting ads on Web Pages. Along with the popularity of Internet, Internet has become a major part of many persons’ everyday life. Internet advertising becomes a new form of commercial activities and creates tens of billions-dollar revenue each year. And the trend keeps on increasing and new advertising forms continues emerging. Among them, one of the most famous ones is pay-per-click advertising. Under pay-per-click advertising, 3 parties are involved, advertisers, advertising agents, and content providers. An advertiser contacts and pays an advertising agent to post her/his advertisements. The advertising agent in turn contacts a content provider (such as a web site owner) to put hyper-links to her/his customer’s (advertiser’s) web sites on the content provider’s web sites and pays the content provider a fixed fee for each visit of the advertiser’s web sites by a user who made the visit through a hyper-link on the content provider’s web sites. Unlike advertising on traditional mass media which charges advertisers fixed fee, no matter how many persons really read advertisers’ advertisements, pay-per-click advertising charges advertisers according to the number of persons that really read their advertisements. Usually, advertisers have fixed amount of budget for pay-per-click advertising each day; hence, a fixed number of persons could read their advertisements through the hyper-links posted on content providers’ web sites. Due to the tremendous profit involved, one kind of attacks targeted at pay-per-click advertisements is used. This new kind of attacks is name click fraud and has two different forms. The first one is usually adopted by the commercial competitors of advertisers to consume up their advertising budget; hence, thwart normal users to see the advertisements. The second one is usually exploited by vicious users which forge the clicks to cheat advertising agents out of money. According to statistic, each year 20% of Google’s revenue (about six billion dollars) is stolen by click fraud. In this research, based on TCP splicing we will develop an accurate and effective solution, Click Fraud Defender, to solve this infamous security problem. Due to the property of TCP splicing, CFD is able to observe all traffic flowing between a web browser and a web server of an advertiser; hence, by comparing the behavior of normal users and click fraud attackers, CFD should be able to detect web traffic made by click fraud attackers. The behavior can be defined by the frequency of clicks, the number of clicks, and the percentage of a web page downloaded by a host. Because in order to make a successful click fraud attack, the above behavior of a click fraud attacker must be different from a normal one; otherwise, it will be very difficult for the attacker to prevent herself/himself from being discovered. CFD will be implemented on a Linux platform. And to improve performance, CFD will be implemented in the Linux kernel. |
