Difference between revisions of "NetBeacon MAP"
Christiane (talk | contribs) m (Removed extra spacing) |
Christiane (talk | contribs) (Added table) |
||
| (7 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| − | '''NetBeacon Measurement and Analytics Platform (MAP)''' | + | '''NetBeacon Measurement and Analytics Platform (MAP)''' (formerly '''DNSAI:Compass''' until June, 2023 and '''DNSAI Intelligence''' until September, 2022) is [[NetBeacon Institute]] initiative to measure and track the use of the DNS for [[phishing]] and [[malware]].The goal is to reduce [[DNS Abuse]] at the DNS level.<ref name="mapintro">[https://netbeacon.org/map-analytics/ Map Introduction]</ref> It was initially launched in September, 2022, but the first publication about the initiave was in May, 2022.<ref>https://netbeacon.org/measuring-dns-abuse-our-first-report/</ref> In June, 2023, the Institute announced the addition of a new level of reporting for their measurement project, which they called NetBeacon Measurement and Analytics Platform (MAP).<ref>https://netbeacon.org/a-new-phase-of-measuring-dns-abuse/</ref> |
==Collaborations== | ==Collaborations== | ||
| − | NetBeacon MAP is a collaboration with KOR Labs, led by Dr. [[Maciej Korczynski]]. KOR Labs is responsible for collecting the data following an established methodology. This data is then provided to the Institute, that works with | + | NetBeacon MAP is a collaboration with KOR Labs, led by Dr. [[Maciej Korczynski]]. KOR Labs is responsible for collecting the data following an established methodology. This data is then provided to the Institute, that works with [[PIR]]’s Data Analytics team to create interactive charts, reports, and individualized dashboards.<ref name="mapintro"></ref> |
==Methodology== | ==Methodology== | ||
| − | The methodologies employed by KOR Labs to develop DNS Abuse Institute Intelligence reports aim to provide reliable and actionable data on the state of DNS abuse, focusing primarily on phishing and malware. As per 2022, we have the following: | + | The methodologies employed by KOR Labs to develop the then called DNS Abuse Institute Intelligence reports aim to provide reliable and actionable data on the state of DNS abuse, focusing primarily on phishing and malware. As per 2022, we have the following: |
=== Data Collection and Processing === | === Data Collection and Processing === | ||
| Line 25: | Line 25: | ||
* '''Malicious vs. Compromised Domains''': Differentiates between domains registered for malicious purposes and benign domains that are compromised. Utilizes a hybrid method combining a machine learning classifier (MalCom) and manual analysis based on mitigation actions. | * '''Malicious vs. Compromised Domains''': Differentiates between domains registered for malicious purposes and benign domains that are compromised. Utilizes a hybrid method combining a machine learning classifier (MalCom) and manual analysis based on mitigation actions. | ||
| − | + | === TLD and Registrar Size Estimation === | |
* Estimates the number of domains under management for each TLD and registrar to normalize the metrics. | * Estimates the number of domains under management for each TLD and registrar to normalize the metrics. | ||
| − | + | === Challenges and Limitations === | |
* Acknowledges various challenges in data collection, such as false positives, limitations in WHOIS data, and difficulties in identifying ccTLD registrars.<ref>https://web.archive.org/web/20221206141218/https://dnsabuseinstitute.org/wp-content/uploads/2022/10/DNSAI-Compass-Methodology.pdf</ref> | * Acknowledges various challenges in data collection, such as false positives, limitations in WHOIS data, and difficulties in identifying ccTLD registrars.<ref>https://web.archive.org/web/20221206141218/https://dnsabuseinstitute.org/wp-content/uploads/2022/10/DNSAI-Compass-Methodology.pdf</ref> | ||
| + | |||
| + | == Reports == | ||
| + | |||
| + | NetBeacon MAP can can be consumed in three formats: | ||
| + | |||
| + | '''NetBeacon MAP: Monthly Analysis''' reports provide detailed tables identifying registrars and TLDs with high and low relative levels of malicious phishing and malware in their domains under management (DUM) and compared to their new monthly registrations.<ref>https://netbeaconurprd.wpenginepowered.com/map-monthly-analysis/</ref> On September 16, 2022, the first report was launched, and focused on higher level aggregate data from May, June, and July 2022. There reports continued monthly.<ref>https://netbeacon.org/measuring-dns-abuse-our-first-report/</ref> In April, 2024, the Institute launched its twentieth report. | ||
| + | |||
| + | '''NetBeacon MAP: Charts''' can be used by [[registries]] and [[registrars]] to understand how often the DNS is used for phishing and malware, whether abuse is mitigated, how quickly, and the type of registrations (compromised website or maliciously registered domain).<ref name="charts">[https://netbeaconurprd.wpenginepowered.com/map-analytics/map-interactive-charts/ Interactive Charts]</ref> | ||
| + | |||
| + | '''NetBeacon MAP: Dashboards''' permits registries and registrars to understand, track and benchmark the impact of their efforts to combat DNS Abuse. Accessing one's organizational dashboard helps to understand how much phishing and malware NetBeacon MAP has identified in a particular zone, whether it has been mitigated, and how this compares to one's peers. It's possible to view analysis on whether the domain name was maliciously registered for the purposes of DNS Abuse or is associated with an issue of compromise (typically website compromise). Data can be used to track and measure the prevalence of abuse as well as how changes in one's processes and policies make an impact over time.<ref>https://netbeaconurprd.wpenginepowered.com/individual-dashboards/</ref> | ||
| + | |||
| + | ===Results=== | ||
| + | |||
| + | '''Table 1: Aggregate Trends:''' This table provides a view on how much DNS Abuse has been identified by their methodology, and how it’s changing over time. It shows the absolute volume of unique domains their methodology has identified are engaged in phishing and malware, broken out by category. | ||
| + | |||
| + | {| class="wikitable" | ||
| + | |- | ||
| + | ! Month-Year !! Phishing !! Malware | ||
| + | |- | ||
| + | | May-2022 || 30,633 || 3,410 | ||
| + | |- | ||
| + | | Jun-2022 || 28,646 || 910 | ||
| + | |- | ||
| + | | Jul-2022 || 26,209 || 355 | ||
| + | |- | ||
| + | | Aug-2022 || 30,933 || 243 | ||
| + | |- | ||
| + | | Sep-2022 || 36,862|| 4,056 | ||
| + | |- | ||
| + | | Oct-2022 || 34,969 || 7,781 | ||
| + | |- | ||
| + | | Nov-2022 || 28,185 || 7,058 | ||
| + | |- | ||
| + | | Dec-2022 || 29,117 || 13,941 | ||
| + | |- | ||
| + | | Jan-2023 || 25,934 || 321 | ||
| + | |- | ||
| + | | Feb-2023 || 25,558 || 2,631 | ||
| + | |- | ||
| + | | Mar-2023 || 25,532 || 1,743 | ||
| + | |- | ||
| + | | Apr-2023 || 20,274 || 3,367 | ||
| + | |- | ||
| + | | May-2023 || 18,827 || 5,227 | ||
| + | |- | ||
| + | | Jun-2023 || 18,794 || 2,540 | ||
| + | |- | ||
| + | | Jul-2023 || 22,272 || 220 | ||
| + | |- | ||
| + | | Aug-2023 || 23,708 || 163 | ||
| + | |- | ||
| + | | Sep-2023 || 20,486 || 577 | ||
| + | |- | ||
| + | | Oct-2023 || 22,842 || 2,092 | ||
| + | |- | ||
| + | | Nov-2023 || 22,703 || 1,488 | ||
| + | |- | ||
| + | | Dec-2023 || 20,214 || 1,774 | ||
| + | |- | ||
| + | | Jan-2024 || 21,917 || 226 | ||
| + | |- | ||
| + | | Feb-2024 || 24,232 || 309 | ||
| + | |} | ||
| + | <ref name="charts"></ref> | ||
| + | |||
| + | '''Table 2: Registrar Median Mitigation Time:''' This table is intended to show the observed time taken to mitigate phishing and malware, and how it is changing over time. For the domains that their methodology determined were mitigated, this table shows how many registrars had a median time to mitigation in each category. | ||
| + | |||
| + | {| class="wikitable" | ||
| + | |- | ||
| + | ! Month-Year !! 0 to 24 hours !! 24 to 48 hours !! 48 hours to 7 days !! More than 7 days | ||
| + | |- | ||
| + | | May-2022 || 131 || 40 || 41 || 17 | ||
| + | |- | ||
| + | | Jun-2022 || 91 || 40 || 60 || 26 | ||
| + | |- | ||
| + | | Jul-2022 || 105 || 37 || 45 || 23 | ||
| + | |- | ||
| + | | Aug-2022 || 118 || 36 || 39 || 31 | ||
| + | |- | ||
| + | | Sep-2022 || 138 || 40 || 53 || 43 | ||
| + | |- | ||
| + | | Oct-2022 || 90 || 44 || 74 || 48 | ||
| + | |- | ||
| + | | Nov-2022 || 105 || 39 || 58 || 35 | ||
| + | |- | ||
| + | | Dec-2022 || 178 || 80 || 31 || 28 | ||
| + | |- | ||
| + | | Jan-2023 || 50 || 46 || 101 || 66 | ||
| + | |- | ||
| + | | Feb-2023 || 126 || 36 || 77 || 33 | ||
| + | |- | ||
| + | | Mar-2023 || 129 || 50 || 66 || 31 | ||
| + | |- | ||
| + | | Apr-2023 || 224 || 50 || 62 || 26 | ||
| + | |- | ||
| + | | May-2023 || 166 || 29 || 82 || 37 | ||
| + | |- | ||
| + | | Jun-2023 || 92 || 37 || 81 || 48 | ||
| + | |- | ||
| + | | Jul-2023 || 113 || 37 || 75 || 55 | ||
| + | |- | ||
| + | | Aug-2023 || 107 || 46 || 72 || 52 | ||
| + | |- | ||
| + | | Sep-2023 || 101 || 34 || 72 || 43 | ||
| + | |- | ||
| + | | Oct-2023 || 97 || 42 || 68 || 40 | ||
| + | |- | ||
| + | | Nov-2023 || 91 || 31 || 81 || 64 | ||
| + | |- | ||
| + | | Dec-2023 || 74 || 52 || 95 || 54 | ||
| + | |- | ||
| + | | Jan-2024 || 79 || 50 || 83 || 72 | ||
| + | |- | ||
| + | | Feb-2024 || 67 || 36 || 91 || 64 | ||
| + | |} | ||
==References== | ==References== | ||
Latest revision as of 17:44, 20 May 2024
NetBeacon Measurement and Analytics Platform (MAP) (formerly DNSAI:Compass until June, 2023 and DNSAI Intelligence until September, 2022) is NetBeacon Institute initiative to measure and track the use of the DNS for phishing and malware.The goal is to reduce DNS Abuse at the DNS level.[1] It was initially launched in September, 2022, but the first publication about the initiave was in May, 2022.[2] In June, 2023, the Institute announced the addition of a new level of reporting for their measurement project, which they called NetBeacon Measurement and Analytics Platform (MAP).[3]
Collaborations
NetBeacon MAP is a collaboration with KOR Labs, led by Dr. Maciej Korczynski. KOR Labs is responsible for collecting the data following an established methodology. This data is then provided to the Institute, that works with PIR’s Data Analytics team to create interactive charts, reports, and individualized dashboards.[1]
Methodology
The methodologies employed by KOR Labs to develop the then called DNS Abuse Institute Intelligence reports aim to provide reliable and actionable data on the state of DNS abuse, focusing primarily on phishing and malware. As per 2022, we have the following:
Data Collection and Processing
- URL Blocklists: Utilizes data from reputable sources (APWG, PhishTank, OpenPhish, ABUSE.ch) to gather URLs associated with phishing and malware.
- Domain Names: Collects domain names from various TLDs using zone files and other measurement methods to ensure a comprehensive list.
- Technical Registration Information: Gathers registration details using RDAP/WHOIS protocols to identify registrars and gather creation/expiration dates of domains.
- Uptime Measurements: Measures the time between a domain being blocklisted and the mitigation of the abuse (e.g., removal of malicious content).
Security Metrics
- Occurrence Metrics: Calculates the distribution of abusive domain names and presents data normalized by the size of TLDs or registrars.
- Persistence Metrics: Measures the persistence of abuse (uptime) to indicate how quickly abuse is mitigated once identified.
Classification of Domains
- Malicious vs. Compromised Domains: Differentiates between domains registered for malicious purposes and benign domains that are compromised. Utilizes a hybrid method combining a machine learning classifier (MalCom) and manual analysis based on mitigation actions.
TLD and Registrar Size Estimation
- Estimates the number of domains under management for each TLD and registrar to normalize the metrics.
Challenges and Limitations
- Acknowledges various challenges in data collection, such as false positives, limitations in WHOIS data, and difficulties in identifying ccTLD registrars.[4]
Reports
NetBeacon MAP can can be consumed in three formats:
NetBeacon MAP: Monthly Analysis reports provide detailed tables identifying registrars and TLDs with high and low relative levels of malicious phishing and malware in their domains under management (DUM) and compared to their new monthly registrations.[5] On September 16, 2022, the first report was launched, and focused on higher level aggregate data from May, June, and July 2022. There reports continued monthly.[6] In April, 2024, the Institute launched its twentieth report.
NetBeacon MAP: Charts can be used by registries and registrars to understand how often the DNS is used for phishing and malware, whether abuse is mitigated, how quickly, and the type of registrations (compromised website or maliciously registered domain).[7]
NetBeacon MAP: Dashboards permits registries and registrars to understand, track and benchmark the impact of their efforts to combat DNS Abuse. Accessing one's organizational dashboard helps to understand how much phishing and malware NetBeacon MAP has identified in a particular zone, whether it has been mitigated, and how this compares to one's peers. It's possible to view analysis on whether the domain name was maliciously registered for the purposes of DNS Abuse or is associated with an issue of compromise (typically website compromise). Data can be used to track and measure the prevalence of abuse as well as how changes in one's processes and policies make an impact over time.[8]
Results
Table 1: Aggregate Trends: This table provides a view on how much DNS Abuse has been identified by their methodology, and how it’s changing over time. It shows the absolute volume of unique domains their methodology has identified are engaged in phishing and malware, broken out by category.
| Month-Year | Phishing | Malware |
|---|---|---|
| May-2022 | 30,633 | 3,410 |
| Jun-2022 | 28,646 | 910 |
| Jul-2022 | 26,209 | 355 |
| Aug-2022 | 30,933 | 243 |
| Sep-2022 | 36,862 | 4,056 |
| Oct-2022 | 34,969 | 7,781 |
| Nov-2022 | 28,185 | 7,058 |
| Dec-2022 | 29,117 | 13,941 |
| Jan-2023 | 25,934 | 321 |
| Feb-2023 | 25,558 | 2,631 |
| Mar-2023 | 25,532 | 1,743 |
| Apr-2023 | 20,274 | 3,367 |
| May-2023 | 18,827 | 5,227 |
| Jun-2023 | 18,794 | 2,540 |
| Jul-2023 | 22,272 | 220 |
| Aug-2023 | 23,708 | 163 |
| Sep-2023 | 20,486 | 577 |
| Oct-2023 | 22,842 | 2,092 |
| Nov-2023 | 22,703 | 1,488 |
| Dec-2023 | 20,214 | 1,774 |
| Jan-2024 | 21,917 | 226 |
| Feb-2024 | 24,232 | 309 |
Table 2: Registrar Median Mitigation Time: This table is intended to show the observed time taken to mitigate phishing and malware, and how it is changing over time. For the domains that their methodology determined were mitigated, this table shows how many registrars had a median time to mitigation in each category.
| Month-Year | 0 to 24 hours | 24 to 48 hours | 48 hours to 7 days | More than 7 days |
|---|---|---|---|---|
| May-2022 | 131 | 40 | 41 | 17 |
| Jun-2022 | 91 | 40 | 60 | 26 |
| Jul-2022 | 105 | 37 | 45 | 23 |
| Aug-2022 | 118 | 36 | 39 | 31 |
| Sep-2022 | 138 | 40 | 53 | 43 |
| Oct-2022 | 90 | 44 | 74 | 48 |
| Nov-2022 | 105 | 39 | 58 | 35 |
| Dec-2022 | 178 | 80 | 31 | 28 |
| Jan-2023 | 50 | 46 | 101 | 66 |
| Feb-2023 | 126 | 36 | 77 | 33 |
| Mar-2023 | 129 | 50 | 66 | 31 |
| Apr-2023 | 224 | 50 | 62 | 26 |
| May-2023 | 166 | 29 | 82 | 37 |
| Jun-2023 | 92 | 37 | 81 | 48 |
| Jul-2023 | 113 | 37 | 75 | 55 |
| Aug-2023 | 107 | 46 | 72 | 52 |
| Sep-2023 | 101 | 34 | 72 | 43 |
| Oct-2023 | 97 | 42 | 68 | 40 |
| Nov-2023 | 91 | 31 | 81 | 64 |
| Dec-2023 | 74 | 52 | 95 | 54 |
| Jan-2024 | 79 | 50 | 83 | 72 |
| Feb-2024 | 67 | 36 | 91 | 64 |
References
- ↑ 1.0 1.1 Map Introduction
- ↑ https://netbeacon.org/measuring-dns-abuse-our-first-report/
- ↑ https://netbeacon.org/a-new-phase-of-measuring-dns-abuse/
- ↑ https://web.archive.org/web/20221206141218/https://dnsabuseinstitute.org/wp-content/uploads/2022/10/DNSAI-Compass-Methodology.pdf
- ↑ https://netbeaconurprd.wpenginepowered.com/map-monthly-analysis/
- ↑ https://netbeacon.org/measuring-dns-abuse-our-first-report/
- ↑ 7.0 7.1 Interactive Charts
- ↑ https://netbeaconurprd.wpenginepowered.com/individual-dashboards/