Let Me Out! Evaluating the Effectiveness of Quarantining Compromised Users in Walled Gardens

In the fight to clean up malware-infected machines, notifications from Internet Service Providers (ISPs) to their customers play a crucial role. Since stand-alone notifications are routinely ignored, some ISPs have invested in a potentially more effective mechanism: quarantining customers in so-called walled gardens. We present the first empirical study on user behavior and remediation effectiveness of quarantining infected machines in broadband networks. We analyzed 1,736 quarantining actions involving 1,208 retail customers of a medium-sized ISP in the period of April-October 2017. The first two times they are quarantined, users can easily release themselves from the walled garden and around two-thirds of them use this option. Notwithstanding this easy way out, we find that 71% of these users have actually cleaned up the infection during their first quarantine period and, of the recidivists, 48% are cleaned after their second quarantining. Users who do not self-release either contact customer support (30%) or are released automatically after 30 days (3%). They have even higher cleanup rates. Reinfection rates are quite low and most users get quarantined only once. Users that remain infected spend less time in the walled garden during subsequent quarantining events, without a major drop in cleanup rates. This suggests there are positive learning effects, rather than mere habituation to being notified and self-releasing from the walled garden. In the communications with abuse and support staff, a fraction of quarantined users ask for additional help, request a paid technician, voice frustration about being cut off, or threaten to cancel their subscriptions. All in all, walled gardens seem to be a relatively effective and usable mechanism to improve the security of end users. We reflect on our main findings in terms of how to advance this industry best practice for botnet mitigation by ISPs.
