NetBeacon MAP

NetBeacon Measurement and Analytics Platform (MAP) (formerly DNSAI:Compass until June, 2023 and DNSAI Intelligence until September, 2022) is NetBeacon Institute initiative to measure and track the use of the DNS for phishing and malware, and the goal is to reduce DNS Abuse at the DNS level ^[1]. It was initially launched in September, 2022, but the first publication about the initiative was in May, 2022 ^[2]. In June, 2023, the Institute announced the addition of a new level of reporting for their measurement project, which was then named NetBeacon Measurement and Analytics Platform (MAP).^[3]

Collaborations[edit | edit source]

NetBeacon MAP is a collaboration with KOR Labs, led by Dr. Maciej Korczynski. KOR Labs is responsible for collecting the data following an established methodology. This data is then provided to the Institute, that works with PIR’s Data Analytics team to create interactive charts, reports, and individualized dashboards ^[1].

Methodology[edit | edit source]

The methodologies employed by KOR Labs to develop the then called DNS Abuse Institute Intelligence reports aim to provide reliable and actionable data on the state of DNS abuse, focusing primarily on phishing and malware. As per 2022, we have the following:

Data Collection and Processing[edit | edit source]

URL Blocklists: Utilizes data from reputable sources (APWG, PhishTank, OpenPhish, ABUSE.ch) to gather URLs associated with phishing and malware.
Domain Names: Collects domain names from various TLDs using zone files and other measurement methods to ensure a comprehensive list.
Technical Registration Information: Gathers registration details using RDAP/WHOIS protocols to identify registrars and gather creation/expiration dates of domains.
Uptime Measurements: Measures the time between a domain being blocklisted and the mitigation of the abuse (e.g., removal of malicious content).

Security Metrics[edit | edit source]

Occurrence Metrics: Calculates the distribution of abusive domain names and presents data normalized by the size of TLDs or registrars.
Persistence Metrics: Measures the persistence of abuse (uptime) to indicate how quickly abuse is mitigated once identified.

Classification of Domains[edit | edit source]

Malicious vs. Compromised Domains: Differentiates between domains registered for malicious purposes and benign domains that are compromised. Utilizes a hybrid method combining a machine learning classifier (MalCom) and manual analysis based on mitigation actions.

TLD and Registrar Size Estimation[edit | edit source]

Estimates the number of domains under management for each TLD and registrar to normalize the metrics.

Challenges and Limitations[edit | edit source]

Acknowledges various challenges in data collection, such as false positives, limitations in WHOIS data, and difficulties in identifying ccTLD registrars.^[4]

Reports[edit | edit source]

NetBeacon MAP can can be consumed in three formats:

NetBeacon MAP: Monthly Analysis reports provide detailed tables identifying registrars and TLDs with high and low relative levels of malicious phishing and malware in their domains under management (DUM) and compared to their new monthly registrations ^[5]. On September 16, 2022, the first report was launched, and focused on higher level aggregate data from May, June, and July 2022. There reports continued monthly ^[2]. In April, 2024, the Institute launched its twentieth report.

NetBeacon MAP: Charts can be used by registries and registrars to understand how often the DNS is used for phishing and malware, whether abuse is mitigated, how quickly, and the type of registrations (compromised website or maliciously registered domain) ^[6].

NetBeacon MAP: Dashboards permits registries and registrars to understand, track and benchmark the impact of their efforts to combat DNS Abuse. Accessing one's organizational dashboard helps to understand how much phishing and malware NetBeacon MAP has identified in a particular zone, whether it has been mitigated, and how this compares to one's peers. It's possible to view analysis on whether the domain name was maliciously registered for the purposes of DNS Abuse or is associated with an issue of compromise (typically website compromise). Data can be used to track and measure the prevalence of abuse as well as how changes in one's processes and policies make an impact over time ^[7].

Results[edit | edit source]

Table 1: Aggregate Trends: This table provides a view on how much DNS Abuse has been identified by their methodology, and how it’s changing over time. It shows the absolute volume of unique domains their methodology has identified are engaged in phishing and malware, broken out by category.

Month-Year	Phishing	Malware
May-2022	30,633	3,410
Jun-2022	28,646	910
Jul-2022	26,209	355
Aug-2022	30,933	243
Sep-2022	36,862	4,056
Oct-2022	34,969	7,781
Nov-2022	28,185	7,058
Dec-2022	29,117	13,941
Jan-2023	25,934	321
Feb-2023	25,558	2,631
Mar-2023	25,532	1,743
Apr-2023	20,274	3,367
May-2023	18,827	5,227
Jun-2023	18,794	2,540
Jul-2023	22,272	220
Aug-2023	23,708	163
Sep-2023	20,486	577
Oct-2023	22,842	2,092
Nov-2023	22,703	1,488
Dec-2023	20,214	1,774
Jan-2024	21,917	226
Feb-2024	24,232	309

^[6]

Table 2: Registrar Median Mitigation Time: This table is intended to show the observed time taken to mitigate phishing and malware, and how it is changing over time. For the domains that their methodology determined were mitigated, this table shows how many registrars had a median time to mitigation in each category.

Month-Year	0 to 24 hours	24 to 48 hours	48 hours to 7 days	More than 7 days
May-2022	131	40	41	17
Jun-2022	91	40	60	26
Jul-2022	105	37	45	23
Aug-2022	118	36	39	31
Sep-2022	138	40	53	43
Oct-2022	90	44	74	48
Nov-2022	105	39	58	35
Dec-2022	178	80	31	28
Jan-2023	50	46	101	66
Feb-2023	126	36	77	33
Mar-2023	129	50	66	31
Apr-2023	224	50	62	26
May-2023	166	29	82	37
Jun-2023	92	37	81	48
Jul-2023	113	37	75	55
Aug-2023	107	46	72	52
Sep-2023	101	34	72	43
Oct-2023	97	42	68	40
Nov-2023	91	31	81	64
Dec-2023	74	52	95	54
Jan-2024	79	50	83	72
Feb-2024	67	36	91	64

^[6]

Table 3: Malicious vs. Compromised: This table is intended to show the observed registration type (malicious registration or a benign domain associated with a compromised website) and how this is changing over time. This is an important distinction because it impacts which mitigation action is most appropriate, and which actor is best placed to mitigate. Domain names that have been maliciously registered for the purpose of DNS Abuse are typically more appropriate for mitigation at the DNS level. A benign domain name that is associated with an issue of compromise is typically inappropriate for DNS level mitigation due to the associated collateral damage.

Month-Year	Malicious	Compromised	Uncategorized
May-2022	21,809	12,226	8
Jun-2022	19,845	9,492	219
Jul-2022	18,106	8,431	27
Aug-2022	21,171	9,986	19
Sep-2022	26,298	14,615	5
Oct-2022	26,251	16,369	130
Nov-2022	20,861	14,378	4
Dec-2022	3,374	19,680	4
Jan-2023	18,708	7,463	84
Feb-2023	19,661	8,454	74
Mar-2023	18,450	8,702	123
Apr-2023	15,082	8,501	58
May-2023	13,952	10,054	48
Jun-2023	13,442	7,825	67
Jul-2023	15,448	6,914	90
Aug-2023	16,224	7,499	148
Sep-2023	13,775	7,231	57
Oct-2023	16,463	8,369	102
Nov-2023	16,389	7,660	142
Dec-2023	14,944	6,914	130
Jan-2024	6,223	5,491	429
Feb-2024	18,794	5,644	103

^[6]

References[edit | edit source]

↑ ^{Jump up to: 1.0} ^1.1 Map Introduction
↑ ^{Jump up to: 2.0} ^2.1 First Report
↑ Measuring
↑ Methodology
↑ Analysis
↑ ^{Jump up to: 6.0} ^6.1 ^6.2 ^6.3 Interactive Charts
↑ Dashboards

ICANNWiki resources: Content Guide | Documentation | Development || Maintenance: Articles needing attention | Candidates for deletion || Projects: Internet & Digital Governance Library

[mapintro-1] {Jump up to: 1.0} ^1.1 Map Introduction

[1strep-2] {Jump up to: 2.0} ^2.1 First Report

[measuring-3] Measuring

[methodology-4] Methodology

[analysis-5] Analysis

[charts-6] {Jump up to: 6.0} ^6.1 ^6.2 ^6.3 Interactive Charts

[dashboard-7] Dashboards

[1]

[2]

[3]

[4]

[5]

[6]

[7]