REMEDI3S-TLD: Reputation Metrics Design to Improve Intermediary Incentives for Security of TLDs
A project in collaboration with SIDN and NCSC
Maciej Korczyński, Delft University of Technology
Contact: [email protected]
ICANN 54 Techday, 19 October 2015, Dublin
Agenda
• Types of security metrics
• Security metrics for TLDs
• Security metrics for hosting providers
• Discussion
Types of security metrics
• Different layers of security metrics:
• Top Level Domains (TLDs)
• Market players related to the TLD (infrastructure providers): registrars, hosting providers, DNS service providers
• Network resources managed by each of the players, such as resolvers, name servers
Security metrics for TLDs
• Type of reputation metrics
• Concentration of malicious content:
  a) Number of unique domains
  b) Number of FQDNs
  c) Number of URLs
• Size matters!
• Type of reputation metrics (example)
Security metrics for TLDs
• Type of reputation metrics
• Up-times of maliciously registered/compromised domains
Security metrics for hosting providers
1. Count badness per AS across different data sources
   Abuse mapping: abuse feeds (e.g. PhishTank, MLAT)
   Size mapping: Farsight Security p-DNS data, Internet IP routing data
   Size measures: # advertised IPs, # IPs in p-DNS, # domains hosted

   Example (# unique abuse per AS):
     Abuse maps   PhishTank         AS#1: 100    AS#2: 200
                  MLAT              AS#1: 50     AS#2: 73
     Size maps    Advertised IPs    AS#1: 256    AS#2: 1024
                  Domains hosted    AS#1: 23     AS#2: 1232

2. Normalization: # abuse / size
   Normalized abuse:
     PhishTank / Advrt. IPs        AS#1: 0.39   AS#2: 0.19
     PhishTank / Domains hosted    AS#1: 4.34   AS#2: 0.16
     MLAT / Advrt. IPs             AS#1: 0.19   AS#2: 0.07
     MLAT / Domains hosted         AS#1: 2.17   AS#2: 0.05

3. Rank ASes on amount of badness
4. Aggregate rankings
5. Identify ASes with consistently high concentrations of badness

   Example (abuse rankings per normalized metric):
     PhishTank ranking 1   AS#1: 834   AS#2: 833
     PhishTank ranking 2   AS#1: 834   AS#2: 833
     MLAT ranking 1        AS#1: 235   AS#2: 234
     MLAT ranking 2        AS#1: 235   AS#2: 234
   Combine ranks: sort rank high to low, Borda count
   Overall (Borda count) ranking:   AS#1: 2354   AS#2: 1834   AS#3: 1542   AS#4: 1322
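The five-step pipeline above, as an added Python example that is not from the presentation or the REMEDI3S-TLD project: normalization (step 2), per-metric ranking (step 3) and Borda-count aggregation (steps 4-5) run over the slide's AS#1/AS#2 numbers plus a constructed AS3; the metric names, the AS labels and the AS3 values are assumptions.

```python
from collections import defaultdict

# Constructed sample input. AS1 and AS2 carry the slide's worked numbers;
# AS3 is an extra AS added here to show aggregation across disagreeing metrics.
ABUSE = {  # raw abuse counts per AS, one dict per abuse data source
    "PhishTank": {"AS1": 100, "AS2": 200, "AS3": 30},
    "MLAT":      {"AS1": 50,  "AS2": 73,  "AS3": 40},
}
SIZE = {  # size measures per AS (step 1 of the pipeline)
    "advertised_ips": {"AS1": 256, "AS2": 1024, "AS3": 64},
    "domains_hosted": {"AS1": 23,  "AS2": 1232, "AS3": 10},
}


def normalize(abuse, size):
    """Step 2: normalized abuse = abuse count / size, for every
    (abuse source, size measure) pair. Returns {metric: {asn: value}}."""
    out = {}
    for source, counts in abuse.items():
        for measure, sizes in size.items():
            out[f"{source}/{measure}"] = {
                asn: counts.get(asn, 0) / sizes[asn] for asn in sizes
            }
    return out


def rank_per_metric(metrics):
    """Step 3: for each metric, order ASes from most to least abuse."""
    return {
        metric: sorted(scores, key=lambda asn: scores[asn], reverse=True)
        for metric, scores in metrics.items()
    }


def borda_aggregate(rankings):
    """Steps 4-5: Borda count. In each ranking the worst AS gets n-1 points,
    the next n-2, ..., the cleanest 0; summing over all rankings rewards
    ASes that are consistently bad rather than bad on a single metric."""
    points = defaultdict(int)
    for ordered in rankings.values():
        n = len(ordered)
        for pos, asn in enumerate(ordered):
            points[asn] += n - 1 - pos
    return sorted(points.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for asn, score in borda_aggregate(rank_per_metric(normalize(ABUSE, SIZE))):
        print(asn, score)
```

AS3 is the worst AS on three of the four metrics and AS1 on the remaining one, so AS3 ends up first, which is the "consistently high concentration" the last step looks for.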
Security metrics for hosting providers
Practical application
• “Clean Netherlands”: enhance the self-cleansing ability of the Dutch hosting market by
• promoting best practices and awareness
• pressuring the rotten apples
Discussion
• Compare your TLD against the market
• Driving factors (why are attackers more interested in certain types of domains?)
• Let us know about policy changes, pricing
Discussion
• Limitations: metrics for smaller TLDs are more sensitive to individual security incidents
• Abuse handling initiatives
Discussion
• Limited access to:
• Domain WHOIS (classifier between maliciously registered and legitimate domains, metrics for registrars)
• Datasets, e.g. Shadowserver reports
• Feedback
ACKNOWLEDGEMENTS
The research leading to these results was funded by SIDN (www.sidn.nl).
Many thanks to: Cristian Hesselman (SIDN Labs), Paul Vixie (Farsight Security), and Thorsten Kraft (Cyscon)
Contact information: Maciej Korczyński, Delft University of Technology, [email protected]