NetBeacon MAP

Revision as of 00:28, 17 May 2024 by Christiane (talk | contribs) (Fixed headers)

NetBeacon Measurement and Analytics Platform (MAP), formerly DNSAI:Compass is NetBeacon Institute initiative to measure and track the use of the DNS for phishing and malware.The goal is to reduce DNS Abuse at the DNS level.[1] It was initially launched in September, 2022. In June, 2023, the Institute announced the addition of a new level of reporting for their measurement project, which they called NetBeacon Measurement and Analytics Platform (MAP).[2]

Collaborations edit

NetBeacon MAP is a collaboration with KOR Labs, led by Dr. Maciej Korczynski. KOR Labs is responsible for collecting the data following an established methodology. This data is then provided to the Institute, that works with PIR’s Data Analytics team to create interactive charts, reports, and individualized dashboards.[1]

Methodology edit

The methodologies employed by KOR Labs to develop DNS Abuse Institute Intelligence reports aim to provide reliable and actionable data on the state of DNS abuse, focusing primarily on phishing and malware. As per 2022, we have the following:

Data Collection and Processing edit

  • URL Blocklists: Utilizes data from reputable sources (APWG, PhishTank, OpenPhish, ABUSE.ch) to gather URLs associated with phishing and malware.
  • Domain Names: Collects domain names from various TLDs using zone files and other measurement methods to ensure a comprehensive list.
  • Technical Registration Information: Gathers registration details using RDAP/WHOIS protocols to identify registrars and gather creation/expiration dates of domains.
  • Uptime Measurements: Measures the time between a domain being blocklisted and the mitigation of the abuse (e.g., removal of malicious content).

Security Metrics edit

  • Occurrence Metrics: Calculates the distribution of abusive domain names and presents data normalized by the size of TLDs or registrars.
  • Persistence Metrics: Measures the persistence of abuse (uptime) to indicate how quickly abuse is mitigated once identified.

Classification of Domains edit

  • Malicious vs. Compromised Domains: Differentiates between domains registered for malicious purposes and benign domains that are compromised. Utilizes a hybrid method combining a machine learning classifier (MalCom) and manual analysis based on mitigation actions.

TLD and Registrar Size Estimation edit

  • Estimates the number of domains under management for each TLD and registrar to normalize the metrics.

Challenges and Limitations edit

  • Acknowledges various challenges in data collection, such as false positives, limitations in WHOIS data, and difficulties in identifying ccTLD registrars.[3]

References edit