[DNS-Abuse-Measurements] Highlights of ICANN 66 DAAR session
gtheo
gtheo at xs4all.nl
Wed Nov 13 07:43:24 UTC 2019
Hello all, Samaneh
Nice to-do list, where one might want to prioritize registrar metrics.
Perhaps also an idea is https://www.kineviz.com/graphxr/
When dealing with large data sets, it is handy to have a tool to
visualize data, which also allows for the correlation of data. GraphXR is
often used in OSINT and Social Media, but it has many other uses.
Note, I have no affiliation with GraphXR.
Best regards,
Theo
Privacy & GRC Officer | Realtime Register B.V.
Ceintuurbaan 32A
8024 AA - ZWOLLE - The Netherlands
T: +31.384530759
F: +31.384524734
U: www.realtimeregister.com
E: legal at realtimeregister.com
Samaneh Tajalizadehkhoob via DNS-Abuse-Measurements wrote on
2019-11-12 12:44 PM:
> Again we welcome members of the DNS Abuse measurement mailing list.
> We have created this mailing list as a part of DAAR improvement
> process and followed by requests from the community for more
> transparency on the DAAR progress. The goal of the list is to
> facilitate DNS Abuse/security measurement discussions including but
> not limited to those related to DAAR.
>
>
> To start the discussion as the DAAR project owner and the mailing list
> facilitator, hereby I draft a couple of highlights of our DAAR session
> at ICANN66 in Montreal for those that were not able to attend the
> session:
>
> The feedback we have received up to now regarding the DAAR improvement
> process
>
> * Requests for more transparency on DAAR progress
> * Re-aggregating the DAAR data
> * Adding threat domain time-to-live data
> * Adding ccTLDs to DAAR
> * Adding registrar metrics to DAAR
> * Publishing DAAR detailed data
> * Distinguishing between maliciously registered domains and
> compromised ones
> * Better articulation of DAAR’s goal in monthly reports and
> documentation
>
> The changes we have made
>
> * Sharing DAAR data with registries via MOSAPI: Now each gTLD
> registry can view their own reputation data per security threat type
> via MOSAPI. For more information please contact
> globalSupport at icann.org.
> * Re-Aggregating DAAR statistics including those in the monthly
> report from a snapshot metric (measures for a specific day of the
> month) to a monthly median metric.
> * We used Restriction Type as another metric to cut the data, on
> top of the TLD Type (based on our definition legacy versus new) that
> we already had. Plotting the data demonstrated that almost all threat
> types are populated with security threat domains within generic gTLDs.
> This is while certain security threat types such as Botnet C&C have
> 25% of their abuse (10000 domains) located in generic restricted gTLDs
> and Spam has around 5% of their total security threat domains (equal
> to 25000 domains) located in Brand gTLDs.
> * Carried out an inferential analysis of potential relationships
> with abuse drivers. For instance, showed that “Size of a zone file”
> can be an explanatory factor for the concentrations of security threat
> domains but it can also be an indicator of attack surface size for
> attackers.
> * Using a GLM statistical model we modeled all the security threat
> drivers that we could collect data on and demonstrated that size of a
> TLD, type of a TLD and restriction type of a TLD play a statistically
> significant role in explaining security threat concentrations.
> * To bring more transparency on the DAAR project and its progress
> we made the
> dns-abuse-measurements at icann.org
> mailing list
> * Upon many requests from ccTLDs, as of the ICANN66 meeting ccTLDs
> are able to provide their zone files for inclusion in DAAR. This means
> that they will be able to pull their own aggregated DAAR data via
> MOSAPI. The process is simple, ccTLDs need to send an email to
> globalSupport at icann.org with the
> subject: ccTLDs access to the DAAR data. We encourage those parties
> interested to come forward and participate.
>
> Moving forward we intend to work on
>
> * DAAR v2
> * Incorporating more Reputation Black/Block lists (RBLs)
> * Developing RBL evaluation cycle
> * Developing Registrar metrics
> * Reviewing other factors that drive security threat within
> registrars and registries
>
>
> Cheers,
> Samaneh Tajalizadehkhoob, PhD
> Lead SSR specialist
> ICANN Office of CTO
>
> _______________________________________________
> DNS-Abuse-Measurements mailing list
> DNS-Abuse-Measurements at icann.org
> https://mm.icann.org/mailman/listinfo/dns-abuse-measurements