Changes

Added content
Line 3: Line 3:  
==Collaborations==
 
==Collaborations==
   −
NetBeacon MAP is a collaboration with KOR Labs, led by Dr. [[Maciej Korczynski]]. KOR Labs is responsible for collecting the data following an established methodology. This data is then provided to the Institute, that works with PIR’s Data Analytics team to create interactive charts, reports, and individualized dashboards.
+
NetBeacon MAP is a collaboration with KOR Labs, led by Dr. [[Maciej Korczynski]]. KOR Labs is responsible for collecting the data following an established methodology. This data is then provided to the Institute, that works with PIR’s Data Analytics team to create interactive charts, reports, and individualized dashboards.<ref name="mapintro"></ref>
 +
 
    
==Methodology==
 
==Methodology==
 +
 +
The methodologies employed by KOR Labs to develop DNS Abuse Institute Intelligence reports aim to provide reliable and actionable data on the state of DNS abuse, focusing primarily on phishing and malware. As per 2022, we have the following:
 +
 +
=== Data Collection and Processing ===
 +
 +
* '''URL Blocklists:''' Utilizes data from reputable sources (APWG, PhishTank, OpenPhish, ABUSE.ch) to gather URLs associated with phishing and malware.
 +
* '''Domain Names:''' Collects domain names from various TLDs using zone files and other measurement methods to ensure a comprehensive list.
 +
* '''Technical Registration Information:''' Gathers registration details using RDAP/WHOIS protocols to identify registrars and gather creation/expiration dates of domains.
 +
* '''Uptime Measurements:''' Measures the time between a domain being blocklisted and the mitigation of the abuse (e.g., removal of malicious content).
 +
 +
=== Security Metrics ===
 +
 +
* '''Occurrence Metrics:''' Calculates the distribution of abusive domain names and presents data normalized by the size of TLDs or registrars.
 +
* '''Persistence Metrics:''' Measures the persistence of abuse (uptime) to indicate how quickly abuse is mitigated once identified.
 +
 +
=== Classification of Domains ===
 +
 +
* '''Malicious vs. Compromised Domains''': Differentiates between domains registered for malicious purposes and benign domains that are compromised. Utilizes a hybrid method combining a machine learning classifier (MalCom) and manual analysis based on mitigation actions.
 +
 +
'''TLD and Registrar Size Estimation'''
 +
 +
* Estimates the number of domains under management for each TLD and registrar to normalize the metrics.
 +
 +
'''Challenges and Limitations'''
 +
 +
* Acknowledges various challenges in data collection, such as false positives, limitations in WHOIS data, and difficulties in identifying ccTLD registrars.<ref>https://web.archive.org/web/20221206141218/https://dnsabuseinstitute.org/wp-content/uploads/2022/10/DNSAI-Compass-Methodology.pdf</ref>
    
==References==
 
==References==
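Review bot: the citation added to the Collaborations paragraph, `<ref name="mapintro"></ref>`, is an empty named reference, which MediaWiki only resolves when a ref with the same name and a body is defined somewhere else on the page; nothing in this hunk defines it, so unless that definition already exists outside the diff the References section will render a cite error. Give it a body on this first use, e.g. `<ref name="mapintro">title and URL of the NetBeacon MAP introduction</ref>`. In the Methodology block, the lead-in "As per 2022, we have the following:" is first-person for an encyclopedic page and "As per" is used where "As of 2022" is meant; "This data is then provided to the Institute, that works with" should read "which works with". The subsection styling is also inconsistent: `=== Classification of Domains ===` is a heading, but "TLD and Registrar Size Estimation" and "Challenges and Limitations" are only bolded with `'''`, so they will be missing from the table of contents; make them `===` subsections like the other three. Finally, the sole source for the entire Methodology section is the bare archived PDF URL in the last bullet; adding a title, publisher and access date to that ref would make it verifiable without following the link.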