Again we welcome members of the DNS Abuse measurement mailing list. We have created this mailing list as part of the DAAR improvement process, following requests from the community for more transparency on the DAAR progress. The goal of the list is to facilitate DNS Abuse/security measurement discussions, including but not limited to those related to DAAR.

To start the discussion, as the DAAR project owner and the mailing list facilitator, I hereby draft a couple of highlights of our DAAR session at ICANN66 in Montreal for those who were not able to attend the session:

The feedback we have received up to now regarding the DAAR improvement process

* Requests for more transparency on DAAR progress
* Re-aggregating the DAAR data
* Adding threat domain time-to-live data
* Adding ccTLDs to DAAR
* Adding registrar metrics to DAAR
* Publishing DAAR detailed data
* Distinguishing between maliciously registered domains and compromised ones
* Better articulation of DAAR's goal in monthly reports and documentation

The changes we have made

* Sharing DAAR data with registries via MOSAPI: now each gTLD registry can view its own reputation data per security threat type via MOSAPI. For more information please contact globalSupport@icann.org.
* Re-aggregating DAAR statistics, including those in the monthly report, from a snapshot metric (measures for a specific day of the month) to a monthly median metric.
* We used Restriction Type as another metric to cut the data, on top of the TLD Type (based on our definition, legacy versus new) that we already had. Plotting the data demonstrated that almost all threat types are populated with security threat domains within generic gTLDs. This is while certain security threat types such as Botnet C&C have 25% of their abuse (10000 domains) located in generic restricted gTLDs, and Spam has around 5% of its total security threat domains (equal to 25000 domains) located in Brand gTLDs.
* Carried out an inferential analysis of potential relationships with abuse drivers. For instance, we showed that "Size of a zone file" can be an explanatory factor for the concentrations of security threat domains, but it can also be an indicator of attack surface size for attackers.
* Using a GLM statistical model, we modeled all the security threat drivers that we could collect data on and demonstrated that the size of a TLD, the type of a TLD and the restriction type of a TLD play a statistically significant role in explaining security threat concentrations.
* To bring more transparency to the DAAR project and its progress, we made the dns-abuse-measurements@icann.org mailing list.
* Upon many requests from ccTLDs, as of the ICANN66 meeting ccTLDs are able to provide their zone files for inclusion in DAAR. This means that they will be able to pull their own aggregated DAAR data via MOSAPI. The process is simple: ccTLDs need to send an email to globalSupport@icann.org with the subject "ccTLDs access to the DAAR data". We encourage those parties interested to come forward and participate.

Moving forward we intend to work on

* DAAR v2
* Incorporating more Reputation Black/Block lists (RBLs)
* Developing an RBL evaluation cycle
* Developing Registrar metrics
* Reviewing other factors that drive security threats within registrars and registries

Cheers,
Samaneh Tajalizadehkhoob, PhD
Lead SSR specialist
ICANN Office of CTO
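As an added illustration, not part of the original mail or of DAAR's own code, of the two reporting choices the message describes, the switch from a snapshot metric to a monthly median and the use of zone size as a normalising factor for threat concentrations. All TLD names, daily counts and zone sizes below are constructed; the example shows how a single-day spike distorts a snapshot but not a median, and how normalising by zone size lets a small and a large TLD be compared.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: daily counts of security-threat domains observed in one
# reporting period, keyed by (tld, threat_type). Names and values are invented.
DAILY_COUNTS = {
    ("example-a", "phishing"): [40, 42, 41, 39, 300, 43, 40],   # one-day spike on day 4
    ("example-a", "spam"):     [120, 118, 125, 130, 122, 119, 121],
    ("example-b", "phishing"): [5, 6, 5, 4, 6, 5, 5],
}

# Constructed zone sizes (domains in the TLD), used to normalise raw counts.
ZONE_SIZE = {"example-a": 200_000, "example-b": 10_000}


def snapshot_metric(daily, day_index):
    """Old-style metric: the count observed on one specific day of the month."""
    return {key: series[day_index] for key, series in daily.items()}


def monthly_median_metric(daily):
    """New-style metric: the median over all days, robust to a one-day spike."""
    return {key: median(series) for key, series in daily.items()}


def concentration_per_10k(counts, zone_size):
    """Threat domains per 10,000 domains in the zone, comparable across TLD sizes."""
    return {(tld, threat): count / zone_size[tld] * 10_000
            for (tld, threat), count in counts.items()}


def totals_by_tld(counts):
    """Sum a per-(tld, threat) metric down to one figure per TLD."""
    out = defaultdict(int)
    for (tld, _threat), count in counts.items():
        out[tld] += count
    return dict(out)


if __name__ == "__main__":
    spike_day = snapshot_metric(DAILY_COUNTS, 4)
    med = monthly_median_metric(DAILY_COUNTS)
    for key in DAILY_COUNTS:
        print(key, "snapshot(day 4) =", spike_day[key], "| monthly median =", med[key])
    # Raw medians favour the small TLD; per-10k concentration tells a different story.
    print("per-10k concentration (median):", concentration_per_10k(med, ZONE_SIZE))
```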
Samaneh

Do you have slides from the DAAR session?

Regards
Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845

From: DNS-Abuse-Measurements <dns-abuse-measurements-bounces@icann.org> on behalf of Samaneh Tajalizadehkhoob via DNS-Abuse-Measurements <dns-abuse-measurements@icann.org>
Reply to: Samaneh Tajalizadehkhoob <samaneh.tajali@icann.org>
Date: Tuesday 12 November 2019 at 12:00
To: "dns-abuse-measurements@icann.org" <dns-abuse-measurements@icann.org>
Cc: David Conrad <david.conrad@icann.org>
Subject: [DNS-Abuse-Measurements] Highlights of ICANN 66 DAAR session
Michele,

Sure. Please find the ICANN 66 DAAR session slides attached.

STK
Hello all, Samaneh

Nice to-do list, where one might want to prioritize registrar metrics.

Perhaps also an idea is https://www.kineviz.com/graphxr/

When dealing with large data sets, it is handy to have a tool to visualize data, which also allows for the correlation of data. GraphXR is often used in OSINT and Social Media, but it has many other uses.

Note, I have no affiliation with GraphXR.

Best regards,
Theo

Privacy & GRC Officer | Realtime Register B.V.
Ceintuurbaan 32A
8024 AA - ZWOLLE - The Netherlands
T: +31.384530759
F: +31.384524734
U: www.realtimeregister.com
E: legal@realtimeregister.com

Samaneh Tajalizadehkhoob via DNS-Abuse-Measurements wrote on 2019-11-12 12:44 PM:
_______________________________________________ DNS-Abuse-Measurements mailing list DNS-Abuse-Measurements@icann.org https://mm.icann.org/mailman/listinfo/dns-abuse-measurements
_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
Participants (3):
* gtheo
* Michele Neylon - Blacknight
* Samaneh Tajalizadehkhoob