Jump to content

NetBeacon MAP: Difference between revisions

From ICANNWiki
Christiane (talk | contribs)
Added content
Christiane (talk | contribs)
m Removed extra spacing
Line 4: Line 4:


NetBeacon MAP is a collaboration with KOR Labs, led by Dr. [[Maciej Korczynski]]. KOR Labs is responsible for collecting the data following an established methodology. This data is then provided to the Institute, that works with PIR’s Data Analytics team to create interactive charts, reports, and individualized dashboards.<ref name="mapintro"></ref>
NetBeacon MAP is a collaboration with KOR Labs, led by Dr. [[Maciej Korczynski]]. KOR Labs is responsible for collecting the data following an established methodology. This data is then provided to the Institute, that works with PIR’s Data Analytics team to create interactive charts, reports, and individualized dashboards.<ref name="mapintro"></ref>


==Methodology==
==Methodology==

Revision as of 00:25, 17 May 2024

NetBeacon Measurement and Analytics Platform (MAP), formerly DNSAI:Compass is NetBeacon Institute initiative to measure and track the use of the DNS for phishing and malware.The goal is to reduce DNS Abuse at the DNS level.[1] It was initially launched in September, 2022. In June, 2023, the Institute announced the addition of a new level of reporting for their measurement project, which they called NetBeacon Measurement and Analytics Platform (MAP).[2]

Collaborations[edit | edit source]

NetBeacon MAP is a collaboration with KOR Labs, led by Dr. Maciej Korczynski. KOR Labs is responsible for collecting the data following an established methodology. This data is then provided to the Institute, that works with PIR’s Data Analytics team to create interactive charts, reports, and individualized dashboards.[1]

Methodology[edit | edit source]

The methodologies employed by KOR Labs to develop DNS Abuse Institute Intelligence reports aim to provide reliable and actionable data on the state of DNS abuse, focusing primarily on phishing and malware. As per 2022, we have the following:

Data Collection and Processing[edit | edit source]

  • URL Blocklists: Utilizes data from reputable sources (APWG, PhishTank, OpenPhish, ABUSE.ch) to gather URLs associated with phishing and malware.
  • Domain Names: Collects domain names from various TLDs using zone files and other measurement methods to ensure a comprehensive list.
  • Technical Registration Information: Gathers registration details using RDAP/WHOIS protocols to identify registrars and gather creation/expiration dates of domains.
  • Uptime Measurements: Measures the time between a domain being blocklisted and the mitigation of the abuse (e.g., removal of malicious content).

Security Metrics[edit | edit source]

  • Occurrence Metrics: Calculates the distribution of abusive domain names and presents data normalized by the size of TLDs or registrars.
  • Persistence Metrics: Measures the persistence of abuse (uptime) to indicate how quickly abuse is mitigated once identified.

Classification of Domains[edit | edit source]

  • Malicious vs. Compromised Domains: Differentiates between domains registered for malicious purposes and benign domains that are compromised. Utilizes a hybrid method combining a machine learning classifier (MalCom) and manual analysis based on mitigation actions.

TLD and Registrar Size Estimation

  • Estimates the number of domains under management for each TLD and registrar to normalize the metrics.

Challenges and Limitations

  • Acknowledges various challenges in data collection, such as false positives, limitations in WHOIS data, and difficulties in identifying ccTLD registrars.[3]

References[edit | edit source]