[DNS-Abuse-Measurements] Highlights of ICANN 66 DAAR session

Michele Neylon - Blacknight michele at blacknight.com
Tue Nov 12 14:39:50 UTC 2019


Samaneh

Do you have slides from the DAAR session?

Regards

Michele


--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845

From: DNS-Abuse-Measurements <dns-abuse-measurements-bounces at icann.org> on behalf of Samaneh Tajalizadehkhoob via DNS-Abuse-Measurements <dns-abuse-measurements at icann.org>
Reply to: Samaneh Tajalizadehkhoob <samaneh.tajali at icann.org>
Date: Tuesday 12 November 2019 at 12:00
To: "dns-abuse-measurements at icann.org" <dns-abuse-measurements at icann.org>
Cc: David Conrad <david.conrad at icann.org>
Subject: [DNS-Abuse-Measurements] Highlights of ICANN 66 DAAR session

Again we welcome members of the DNS Abuse measurement mailing list.
We have created this mailing list as part of the DAAR improvement process, following requests from the community for more transparency on DAAR progress. The goal of the list is to facilitate DNS Abuse/security measurement discussions, including but not limited to those related to DAAR.


To start the discussion, as the DAAR project owner and the mailing list facilitator I hereby draft a couple of highlights of our DAAR session at ICANN66 in Montreal for those who were not able to attend the session:

The feedback we have received up to now regarding the DAAR improvement process

  *   Requests for more transparency on DAAR progress
  *   Re-aggregating the DAAR data
  *   Adding threat domain time-to-live data
  *   Adding ccTLDs to DAAR
  *   Adding registrar metrics to DAAR
  *   Publishing DAAR detailed data
  *   Distinguishing between maliciously registered domains and compromised ones
  *   Better articulation of DAAR’s goal in monthly reports and documentation

The changes we have made

  *   Sharing DAAR data with registries via MOSAPI: Now each gTLD registry can view its own reputation data per security threat type via MOSAPI. For more information please contact globalSupport at icann.org.
  *   Re-aggregating DAAR statistics, including those in the monthly report, from a snapshot metric (measures for a specific day of the month) to a monthly median metric.
  *   We used Restriction Type as another metric to cut the data, on top of the TLD Type (based on our definition, legacy versus new) that we already had. Plotting the data demonstrated that almost all threat types are populated with security threat domains within generic gTLDs. This is while certain security threat types such as Botnet C&C have 25% of their abuse (10,000 domains) located in generic restricted gTLDs, and Spam has around 5% of its total security threat domains (equal to 25,000 domains) located in Brand gTLDs.
  *   Carried out an inferential analysis of potential relationships with abuse drivers. For instance, showed that “Size of a zone file” can be an explanatory factor for the concentrations of security threat domains but it can also be an indicator of attack surface size for attackers.
  *   Using a GLM statistical model we modeled all the security threat drivers that we could collect data on and demonstrated that the size of a TLD, the type of a TLD and the restriction type of a TLD play a statistically significant role in explaining security threat concentrations.
  *   To bring more transparency to the DAAR project and its progress we created the dns-abuse-measurements at icann.org mailing list.
  *   Upon many requests from ccTLDs, as of the ICANN66 meeting ccTLDs are able to provide their zone files for inclusion in DAAR. This means that they will be able to pull their own aggregated DAAR data via MOSAPI. The process is simple: ccTLDs need to send an email to globalSupport at icann.org with the subject "ccTLDs access to the DAAR data". We encourage those parties interested to come forward and participate.


Moving forward we intend to work on

     *   DAAR v2
     *   Incorporating more Reputation Black/Block lists (RBLs)
     *   Developing RBL evaluation cycle
     *   Developing Registrar metrics
     *   Reviewing other factors that drive security threat within registrars and registries


Cheers,
Samaneh Tajalizadehkhoob, PhD
Lead SSR specialist
ICANN Office of CTO
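The message above mentions two methodological changes: moving the monthly statistics from a single-day snapshot to a monthly median, and cutting the data by TLD type and restriction type. The script below is an added example (not DAAR's own pipeline or data) that shows why the median matters when a TLD has a transient listing burst, and how a per-attribute share is derived from the aggregated numbers. The TLD names, their metadata and every daily count are constructed for the illustration.

```python
"""Snapshot vs. monthly-median aggregation of per-TLD security-threat counts.

Added example, not DAAR code. TLD names, metadata and daily counts are
constructed to show how a single-day snapshot can misrepresent a TLD.
"""
from collections import defaultdict
from statistics import median

# Hypothetical TLD metadata carrying the two cuts mentioned in the mail:
# TLD type (legacy vs. new) and restriction type (open / brand / ...).
TLD_META = {
    "example-open":   {"tld_type": "new",    "restriction": "open"},
    "example-brand":  {"tld_type": "new",    "restriction": "brand"},
    "example-legacy": {"tld_type": "legacy", "restriction": "open"},
}


def build_sample_rows():
    """Constructed daily rows (day, tld, threat_type, listed_domains) for a
    30-day month. 'example-open' has a one-day spam-listing burst on day 15."""
    rows = []
    for day in range(1, 31):
        spam_open = 5000 if day == 15 else 400 + day % 3
        rows += [
            (day, "example-open",   "spam",      spam_open),
            (day, "example-open",   "botnet_cc", 20),
            (day, "example-brand",  "spam",      5),
            (day, "example-legacy", "spam",      900 - day % 5),
            (day, "example-legacy", "phishing",  60),
        ]
    return rows


def snapshot(rows, day):
    """Snapshot metric: counts as observed on one specific day of the month."""
    return {(tld, threat): n for d, tld, threat, n in rows if d == day}


def monthly_median(rows):
    """Monthly metric: median of the daily counts per (tld, threat_type).
    A single-day burst cannot move the median, unlike the mean or a snapshot."""
    per_key = defaultdict(list)
    for _, tld, threat, n in rows:
        per_key[(tld, threat)].append(n)
    return {key: median(vals) for key, vals in per_key.items()}


def share_by(metric, threat, attribute):
    """Fraction of one threat type's listed domains falling into each value of a
    TLD attribute ('restriction' or 'tld_type'), computed from an aggregate."""
    totals = defaultdict(float)
    for (tld, t), n in metric.items():
        if t == threat:
            totals[TLD_META[tld][attribute]] += n
    grand = sum(totals.values())
    return {k: v / grand for k, v in totals.items()} if grand else {}


if __name__ == "__main__":
    rows = build_sample_rows()
    snap = snapshot(rows, 15)
    med = monthly_median(rows)
    # Snapshot taken on the burst day reports 5000; the monthly median reports 401.
    print("snapshot day 15, example-open spam:", snap[("example-open", "spam")])
    print("monthly median, example-open spam:", med[("example-open", "spam")])
    print("spam share by restriction type:", share_by(med, "spam", "restriction"))
    print("spam share by TLD type:", share_by(med, "spam", "tld_type"))
```

The point of the median is visible in the first two printed lines: a report generated from a day-15 snapshot would rank the open TLD far above its typical level, while the median ignores the burst. The same aggregate feeds the share computation, so the "x% of threat type Y sits in restriction type Z" figures are stable from month to month rather than depending on which day the snapshot was taken.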