[DNS-Abuse-Measurements] Highlights of ICANN 66 DAAR session

gtheo gtheo at xs4all.nl
Wed Nov 13 07:43:24 UTC 2019


Hello all, Samaneh

Nice to-do list, where one might want to prioritize registrar metrics.

Perhaps also an idea is https://www.kineviz.com/graphxr/
When dealing with large data sets, it is handy to have a tool to 
visualize data, which also allows for the correlation of data. GraphXR is 
often used in OSINT and social media, but it has many other uses.

Note, I have no affiliation with GraphXR.

Best regards,

Theo

Privacy & GRC Officer | Realtime Register B.V.

Ceintuurbaan 32A
8024 AA - ZWOLLE - The Netherlands
T: +31.384530759
F: +31.384524734
U: www.realtimeregister.com
E: legal at realtimeregister.com





Samaneh Tajalizadehkhoob via DNS-Abuse-Measurements wrote on 
2019-11-12 12:44 PM:
> Again we welcome members of the DNS Abuse measurement mailing list.
> We have created this mailing list as a part of the DAAR improvement
> process, following requests from the community for more
> transparency on DAAR progress. The goal of the list is to
> facilitate DNS Abuse/security measurement discussions, including but
> not limited to those related to DAAR.
> 
> 
> To start the discussion as the DAAR project owner and the mailing list
> facilitator, hereby I draft a couple of highlights of our DAAR session
> at ICANN66 in Montreal for those that were not able to attend the
> session:
> 
> The feedback we have received up to now regarding the DAAR improvement 
> process
> 
>   *   Requests for more transparency on DAAR progress
>   *   Re-aggregating the DAAR data
>   *   Adding threat domain time-to-live data
>   *   Adding ccTLDs to DAAR
>   *   Adding registrar metrics to DAAR
>   *   Publishing DAAR detailed data
>   *   Distinguishing between maliciously registered domains and 
> compromised ones
>   *   Better articulation of DAAR’s goal in monthly reports and 
> documentation
> 
> The changes we have made
> 
>   *   Sharing DAAR data with registries via MOSAPI: Now each gTLD
> registry can view their own reputation data per security threat type
> via MOSAPI. For more information please contact
> globalSupport at icann.org.
>   *   Re-Aggregating DAAR statistics including those in the monthly
> report from a snapshot metric (measures for a specific day of the
> month) to a monthly median metric.
>   *   We used Restriction Type as another metric to cut the data, on
> top of the TLD Type (based on our definition legacy versus new) that
> we already had. Plotting the data demonstrated that almost all threat
> types are populated with security threat domains within generic gTLDs.
> This is while certain security threat types such as Botnet C&C have
> 25% of their abuse (10000 domains) located in generic restricted gTLDs
> and Spam has around 5% of their total security threat domains (equal
> to 25000 domains) located in Brand gTLDs.
>   *   Carried out an inferential analysis of potential relationships
> with abuse drivers. For instance, showed that “Size of a zone file”
> can be an explanatory factor for the concentrations of security threat
> domains but it can also be an indicator of attack surface size for
> attackers.
>   *   Using a GLM statistical model we modeled all the security threat
> drivers that we could collect data on and demonstrated that the size of a
> TLD, the type of a TLD and the restriction type of a TLD play a statistically
> significant role in explaining security threat concentrations.
>   *   To bring more transparency on the DAAR project and its progress
> we made the dns-abuse-measurements at icann.org mailing list
>   *   Upon many requests from ccTLDs, as of the ICANN66 meeting ccTLDs
> are able to provide their zone files for inclusion in DAAR. This means
> that they will be able to pull their own aggregated DAAR data via
> MOSAPI. The process is simple: ccTLDs need to send an email to
> globalSupport at icann.org with the
> subject "ccTLDs access to the DAAR data". We encourage those parties
> interested to come forward and participate.
> 
> Moving forward we intend to work on
> 
>      *   DAAR v2
>      *   Incorporating more Reputation Black/Block lists (RBLs)
>      *   Developing RBL evaluation cycle
>      *   Developing registrar metrics
>      *   Reviewing other factors that drive security threat within
> registrars and registries
> 
> 
> Cheers,
> Samaneh Tajalizadehkhoob, PhD
> Lead SSR specialist
> ICANN Office of CTO
> 