Exposing Criminal Abuse of Internet Names
and Addresses
Colin Strutt, Interisle Consulting Group
Greg Aaron, Illumintel
Presented at Workshop on Internet Economics: Knowledge of Internet Structure:
Measurement, Epistemology, and Technology (WIE-KISMET), December 2019
Measuring and Documenting
Domain Name Abuse
◼ Spam, malware, phishing, etc., degrade the online environment
⧫ Erode user confidence
⧫ Inflict serious harm on individuals and organizations across the world
◼ Harms:
⧫ Financial
⧫ Election interference
⧫ Cyber terrorism
⧫ Physical harms, as criminals target critical infrastructures (e.g., healthcare
systems)
◼ Countering them tops “most important Internet issues” list for most
ECAINA Vision
◼ A measurable and quantifiably safer Internet
◼ An Internet in which organizations, governments, and individuals have
data they can use to
⧫ Deploy security measures
⧫ Demonstrate empirically the effectiveness of security and administrative controls
⧫ Make informed policy and regulatory decisions
⧫ Conduct research
ECAINA Mission
To collect and publish information that identifies, quantifies,
and categorizes Internet identifier abuse and the contexts in
which it occurs
ECAINA Mission (the detailed version)
◼ We seek the structural, systemic enablers of Internet abuse
◼ Numerous organizations already compile reputation data or “threat intelligence”
⧫ Can be used tactically to stop crimes in progress, notify victims, pursue legal recourse,
and prevent future abuse — in individual instances
◼ We will collect, process, and warehouse reputation information that identifies,
quantifies, and categorizes activities that harm Internet users
⧫ Can be used strategically to identify and fight cybercriminal activity Internet-wide
◼ Information comprising census & reputation statistics for
⧫ Domain names
⧫ IP addresses
⧫ Autonomous Systems (AS)
⧫ Associated organizations (e.g., registries, registrars, and hosting, cloud, or ISP operators)
ECAINA Project
◼ ECAINA will provide
⧫ Scientifically reliable data for researchers to:
⚫ Observe and report concentrations of criminal activity
⚫ Measure, quantify, and rank domain name service providers and operators
⚫ Measure, quantify, and rank addressing service providers and operators
⚫ Observe criminal flocking and migration behavior over time
⚫ Discover and codify indicators that allow us to discover additional abuse identifiers
⚫ Report the above to inform legislators and policy makers
⧫ Researchers with means to:
⚫ Study harmful names and addresses
ECAINA Proof of Concept
◼ Feasibility study begun 3 September 2019
⧫ Gathering daily blocklist data for 23 TLDs
⧫ Identifying the associated registrar from available domain name registration data
◼ Analysis of blocklist and Whois data for each TLD on each day:
1. # domain names on blocklist; “sponsoring” registrar
2. # domain names added to blocklist each day; “sponsoring” registrar
3. # domain names removed from the blocklist each day
◼ Demonstrating the value and viability of ECAINA
⧫ Observed relationships between turnover, bulk registration, and blocklisting
“spikes” and well-recognized patterns of criminal behavior
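The daily analysis listed above, sketched as an added example (not ECAINA's code). The snapshot data, registrar names and spike thresholds (`min_added`, `min_pct`) are constructed or hypothetical; percent added is taken as additions divided by that day's blocklist size, the ratio the deck's later figures are consistent with (89 of 108 .monster names on 14 Sep, 82%).

```python
from collections import Counter

# Constructed sample: daily blocklist snapshots for one TLD, mapping each
# blocklisted domain to the registrar found in its registration (Whois) data.
SNAPSHOTS = {
    "2019-09-03": {"a1.example": "Registrar A", "b2.example": "Registrar A",
                   "c3.example": "Registrar B"},
    "2019-09-04": {"a1.example": "Registrar A", "c3.example": "Registrar B",
                   "d4.example": "Registrar A", "e5.example": "Registrar A",
                   "f6.example": "Registrar A", "g7.example": "Registrar A"},
    "2019-09-05": {"d4.example": "Registrar A", "g7.example": "Registrar A"},
}

def daily_metrics(snapshots):
    """Per day: blocklist size, names added/removed, and top registrar share."""
    rows, previous = [], None
    for day in sorted(snapshots):
        current = snapshots[day]
        names = set(current)
        # The first day has no baseline, so additions/removals are undefined.
        added = names - previous if previous is not None else None
        removed = previous - names if previous is not None else None
        registrar, count = (Counter(current.values()).most_common(1) or [(None, 0)])[0]
        rows.append({
            "date": day,
            "size": len(names),
            "added": None if added is None else len(added),
            "removed": None if removed is None else len(removed),
            "pct_added": None if added is None or not names
                         else round(100 * len(added) / len(names), 1),
            "top_registrar": registrar,
            "top_share_pct": round(100 * count / len(names), 1) if names else 0.0,
            "added_by_registrar": Counter(current[d] for d in added) if added else Counter(),
        })
        previous = names
    return rows

def spikes(rows, min_added=3, min_pct=50.0):
    """Days where additions are both numerous and a large share of the list."""
    return [r["date"] for r in rows
            if r["added"] is not None and r["added"] >= min_added
            and r["pct_added"] >= min_pct]
```

Requiring both an absolute and a relative threshold keeps tiny lists (such as 2 names making up 100% of a blocklist) from registering as spikes.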
Number of Names on Each TLD’s Blocklist
[Chart: number of names on each TLD’s blocklist per day, 3 Sep to 10 Dec; y-axis 0 to 18,000 names; one series per TLD: agency, biz, cloud, co.kr, com, fit, gdn, icu, info, life, live, monster, net, org, pet, ru, site, tokyo, top, us, work, world, xyz]
Number of Names Added to Each TLD’s Blocklist
[Chart: number of names added to each TLD’s blocklist per day, 3 Sep to 10 Dec; y-axis 0 to 12,000 names; same 23 TLD series]
.us, 14 Oct: 10,516 names
Registrars with High Proportion of Blocklisted Domains
Top Registrar for all blocked domains in TLD
TLD | Date | Blocked Domains | Top Registrar | # domains | % domains | Added
biz | 9/4/2019 | 4,083 | GMO Internet, Inc. d/b/a Onamae.com | 3,381 | 82.8% | 132
biz | 9/5/2019 | 4,269 | GMO Internet, Inc. d/b/a Onamae.com | 3,487 | 81.7% | 245
biz | 9/6/2019 | 3,593 | GMO Internet, Inc. d/b/a Onamae.com | 2,767 | 77.0% | 163
biz | 9/10/2019 | 3,409 | GMO Internet, Inc. d/b/a Onamae.com | 2,207 | 64.7% | 244
biz | 9/11/2019 | 3,416 | GMO Internet, Inc. d/b/a Onamae.com | 2,000 | 58.5% | 484
biz | 9/13/2019 | 3,444 | GMO Internet, Inc. d/b/a Onamae.com | 1,880 | 54.6% | 76
biz | 9/15/2019 | 4,059 | GMO Internet, Inc. d/b/a Onamae.com | 1,809 | 44.6% | 131
biz | 9/18/2019 | 4,783 | GMO Internet, Inc. d/b/a Onamae.com | 1,963 | 41.0% | 629
biz | 9/19/2019 | 4,884 | GMO Internet, Inc. d/b/a Onamae.com | 2,050 | 42.0% | 317
biz | 9/20/2019 | 5,648 | GMO Internet, Inc. d/b/a Onamae.com | 2,791 | 49.4% | 911
biz | 9/22/2019 | 5,682 | GMO Internet, Inc. d/b/a Onamae.com | 2,869 | 50.5% | 164
biz | 9/23/2019 | 5,795 | GMO Internet, Inc. d/b/a Onamae.com | 2,948 | 50.9% | 253
biz | 9/24/2019 | 6,495 | GMO Internet, Inc. d/b/a Onamae.com | 3,612 | 55.6% | 966
14 October – 10,516 Names Added to .us Blocklist
Percent of Each TLD’s Blocklist Added
[Chart: percent of each TLD’s blocklist added per day, 3 Sep to 10 Dec; y-axis 0% to 100%; one series per TLD: agency, biz, cloud, co.kr, com, fit, gdn, icu, info, life, live, monster, net, org, pet, ru, site, tokyo, top, us, work, world, xyz]
.monster, 14 Sep: 82%, 89 names
.tokyo, 30 Oct: 82%, 307 names
.pet, 1 Nov: 100%, 2 names
.icu, 10 Dec: 51%, 1,195 names
10 December – 1,195 Names Added to .icu Blocklist – ERANET names
Turnover Rate
Date | TLD | Blocklist Size | Names Added
14 Sep | .monster | 108 | 89
6 Oct | .us | 9,401 | 6,329
14 Oct | .us | 18,636 | 10,516
20 Oct | .cloud | 1,072 | 620
23 Nov | .cloud | 779 | 429
25 Nov | .co.kr | 213 | 123
2 Dec | .xyz | 4,653 | 1,052
5 Dec | .info | 7,952 | 3,115

Date | TLD | Names Removed | Blocklist Size
29 Oct | .us | 9,821 | 3,928
2 Nov | .agency | 1,615 | 247
12 Sep | .monster | 160 | 41
Cumulative Unique Blocked Domains
[Chart: cumulative unique blocked domains per TLD, 3 Sep to 10 Dec; y-axis 0 to 200,000; one series per TLD: agency, biz, cloud, co.kr, com, fit, gdn, icu, info, life, live, monster, net, org, pet, ru, site, tokyo, top, us, work, world, xyz]
.com overwhelms
Cumulative Blocked Domains (excluding .com)
[Chart: cumulative blocked domains per TLD, 3 Sep to 10 Dec; y-axis 0 to 35,000; one series per TLD: agency, biz, cloud, co.kr, fit, gdn, icu, info, life, live, monster, net, org, pet, ru, site, tokyo, top, us, work, world, xyz]
.us increases
ECAINA Plan
◼ ECAINA will operate a trusted, neutral, public clearinghouse
◼ ECAINA will use trusted reputation data sources with additional high fidelity “curation”
◼ ECAINA will expand the reputation data to allow classification and analysis of
additional security threats
◼ ECAINA will operate as a research project at George Mason University
◼ University and commercial participation will be part of ECAINA’s DNA
◼ Interisle staff will participate as co-Principal Investigators to provide subject matter
expertise, recommend research activities, co-advise University graduate research
assistants, and solicit industry or foundation participation and financial support
ECAINA Project
Phase 1: Publish Reports
Phase 1.1: Reports and underlying aggregated data available
Phase 1.2: Reports, aggregated data, ECAINA-sourced underlying data
Phase 2: Reports, aggregated data, ECAINA-sourced and licensed underlying data
ECAINA DATA REPOSITORY and ANALYTICS ENGINE
Data collected by ECAINA from public sources
“Raw” subscription data
Pre-processed subscription data
ECAINA – The Players So Far
◼ Interisle
⧫ Dave Piscitello
⧫ Lyman Chapin
⧫ Colin Strutt
◼ Illumintel
⧫ Greg Aaron
◼ George Mason University (GMU)
⧫ Eric Osterweil
◼ Others welcome!