{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,14]],"date-time":"2026-01-14T18:04:40Z","timestamp":1768413880138,"version":"3.49.0"},"reference-count":57,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2018,8,7]],"date-time":"2018-08-07T00:00:00Z","timestamp":1533600000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"Archimedes Privatstiftung, Innsbruck"},{"name":"NWO","award":["12.003\/628.001.003"],"award-info":[{"award-number":["12.003\/628.001.003"]}]},{"name":".NL Registry"},{"name":"National Cyber Security Center (NCSC) and SIDN"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Internet Technol."],"published-print":{"date-parts":[[2018,11,30]]},"abstract":"<jats:p>\n            Internet security and technology policy research regularly uses technical indicators of abuse to identify culprits and to tailor mitigation strategies. As a major obstacle, current inferences from abuse data that aim to characterize providers with poor security practices often use a\n            <jats:italic>naive<\/jats:italic>\n            normalization of abuse (abuse counts divided by network size) and do not take into account other inherent or structural properties of providers. Even the size estimates are subject to measurement errors relating to attribution, aggregation, and various sources of heterogeneity. More precise indicators are costly to measure at Internet scale. We address these issues for the case of hosting providers with a statistical model of the abuse data generation process, using phishing sites in hosting networks as a case study. We decompose error sources and then estimate key parameters of the model, controlling for heterogeneity in size and business model. 
We find that 84% of the variation in abuse counts across 45,358 hosting providers can be explained with structural factors alone. Informed by the fitted model, we systematically select and enrich a subset of 105 homogeneous \u201cstatistical twins\u201d with additional explanatory variables, unreasonable to collect for\n            <jats:italic>all<\/jats:italic>\n            hosting providers. We find that abuse is positively associated with the popularity of websites hosted and with the prevalence of popular content management systems. Moreover, hosting providers who charge higher prices (after controlling for level differences between countries) witness less abuse. These structural factors together explain a further 77% of the remaining variation. This calls into question premature inferences from raw abuse indicators about the security efforts of actors, and suggests the adoption of similar analysis frameworks in all domains where network measurement aims at informing technology policy.\n          <\/jats:p>","DOI":"10.1145\/3122985","type":"journal-article","created":{"date-parts":[[2018,8,8]],"date-time":"2018-08-08T19:14:21Z","timestamp":1533755661000},"page":"1-25","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":10,"title":["Rotten Apples or Bad Harvest? 
What We Are Measuring When We Are Measuring Abuse"],"prefix":"10.1145","volume":"18","author":[{"given":"Samaneh","family":"Tajalizadehkhoob","sequence":"first","affiliation":[{"name":"Delft University of Technology, Jaffalaan, the Netherlands"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Rainer","family":"B\u00f6hme","sequence":"additional","affiliation":[{"name":"University of Innsbruck, Innsbruck, Austria"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Carlos","family":"Ga\u00f1\u00e1n","sequence":"additional","affiliation":[{"name":"Delft University of Technology, Jaffalaan, the Netherlands"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Maciej","family":"Korczy\u0144ski","sequence":"additional","affiliation":[{"name":"Delft University of Technology, Jaffalaan, the Netherlands"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Michel Van","family":"Eeten","sequence":"additional","affiliation":[{"name":"Delft University of Technology, Jaffalaan, the Netherlands"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2018,8,7]]},"container-title":["ACM Transactions on Internet Technology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3122985","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3122985","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T02:11:04Z","timestamp":1750212664000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3122985"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,8,7]]},"references-count":57,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2018,11,30]]}},"alternative-id":["10.1145\/3122985"],"URL":"https:\/\/doi.org\/10.1145\/3122985","relation":{},"ISSN":["1533-5399","1557-6051"],"issn-type":[{"value":"1533-5399","type":"print"},{"value":"1557-6051","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018,8,7]]},"assertion":[{"value":"2016-11-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2017-06-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2018-08-07","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}