Reputation Metrics Design to Improve Intermediary Incentives for Security of TLDs

Maciej Korczynski; Samaneh Tajalizadehkhoob; Arman Noroozian; Maarten Wullink; Cristian Hesselman; Michel Van Eeten

doi:10.1109/EuroSP.2017.15

Reputation Metrics Design to Improve Intermediary Incentives for Security of TLDs

Maciej Korczynski, Samaneh Tajalizadehkhoob, Arman Noroozian, Maarten Wullink, Cristian Hesselman, Michel Van Eeten

Organisation & Governance

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

15 Citations (Scopus)

Abstract

Over the years cybercriminals have misused the Domain Name System (DNS) - a critical component of the Internet - to gain profit. Despite this persisting trend, little empirical information about the security of Top-Level Domains (TLDs) and of the overall 'health' of the DNS ecosystem exists. In this paper, we present security metrics for this ecosystem and measure the operational values of such metrics using three representative phishing and malware datasets. We benchmark entire TLDs against the rest of the market. We explicitly distinguish these metrics from the idea of measuring security performance, because the measured values are driven by multiple factors, not just by the performance of the particular market player. We consider two types of security metrics: occurrence of abuse and persistence of abuse. In conjunction, they provide a good understanding of the overall health of a TLD. We demonstrate that attackers abuse a variety of free services with good reputation, affecting not only the reputation of those services, but of entire TLDs. We find that, when normalized by size, old TLDs like.com host more bad content than new generic TLDs. We propose a statistical regression model to analyze how the different properties of TLD intermediaries relate to abuse counts. We find that next to TLD size, abuse is positively associated with domain pricing (i.e. registries who provide free domain registrations witness more abuse). Last but not least, we observe a negative relation between the DNSSEC deployment rate and the count of phishing domains.

Original language	English
Title of host publication	Proceedings of 2nd IEEE European Symposium on Security and Privacy (EuroS&P) 2017
Publisher	Institute of Electrical and Electronics Engineers (IEEE)
Pages	579-594
Number of pages	16
ISBN (Electronic)	9781509057610
DOIs	https://doi.org/10.1109/EuroSP.2017.15
Publication status	Published - 2017
Event	2nd IEEE European Symposium on Security and Privacy 2017 - Paris, France Duration: 26 Apr 2017 → 28 Apr 2017

Conference

Conference	2nd IEEE European Symposium on Security and Privacy 2017
Abbreviated title	EuroS&P 2017
Country/Territory	France
City	Paris
Period	26/04/17 → 28/04/17

Keywords

domain abuse
malware
phishing
reputation metrics
security
top-level domains

Access to Document

10.1109/EuroSP.2017.15

Cite this

Korczynski, M., Tajalizadehkhoob, S., Noroozian, A., Wullink, M., Hesselman, C., & Eeten, M. V. (2017). Reputation Metrics Design to Improve Intermediary Incentives for Security of TLDs. In Proceedings of 2nd IEEE European Symposium on Security and Privacy (EuroS&P) 2017 (pp. 579-594). [7962004] Institute of Electrical and Electronics Engineers (IEEE). https://doi.org/10.1109/EuroSP.2017.15

Korczynski, Maciej ; Tajalizadehkhoob, Samaneh ; Noroozian, Arman ; Wullink, Maarten ; Hesselman, Cristian ; Eeten, Michel Van. / Reputation Metrics Design to Improve Intermediary Incentives for Security of TLDs. Proceedings of 2nd IEEE European Symposium on Security and Privacy (EuroS&P) 2017. Institute of Electrical and Electronics Engineers (IEEE), 2017. pp. 579-594

@inproceedings{6c8db065220f492088f53f1ee567f4c2,

title = "Reputation Metrics Design to Improve Intermediary Incentives for Security of TLDs",

abstract = "Over the years cybercriminals have misused the Domain Name System (DNS) - a critical component of the Internet - to gain profit. Despite this persisting trend, little empirical information about the security of Top-Level Domains (TLDs) and of the overall 'health' of the DNS ecosystem exists. In this paper, we present security metrics for this ecosystem and measure the operational values of such metrics using three representative phishing and malware datasets. We benchmark entire TLDs against the rest of the market. We explicitly distinguish these metrics from the idea of measuring security performance, because the measured values are driven by multiple factors, not just by the performance of the particular market player. We consider two types of security metrics: occurrence of abuse and persistence of abuse. In conjunction, they provide a good understanding of the overall health of a TLD. We demonstrate that attackers abuse a variety of free services with good reputation, affecting not only the reputation of those services, but of entire TLDs. We find that, when normalized by size, old TLDs like.com host more bad content than new generic TLDs. We propose a statistical regression model to analyze how the different properties of TLD intermediaries relate to abuse counts. We find that next to TLD size, abuse is positively associated with domain pricing (i.e. registries who provide free domain registrations witness more abuse). Last but not least, we observe a negative relation between the DNSSEC deployment rate and the count of phishing domains.",

keywords = "domain abuse, malware, phishing, reputation metrics, security, top-level domains",

author = "Maciej Korczynski and Samaneh Tajalizadehkhoob and Arman Noroozian and Maarten Wullink and Cristian Hesselman and Eeten, {Michel Van}",

year = "2017",

doi = "10.1109/EuroSP.2017.15",

language = "English",

pages = "579--594",

booktitle = "Proceedings of 2nd IEEE European Symposium on Security and Privacy (EuroS&P) 2017",

publisher = "Institute of Electrical and Electronics Engineers (IEEE)",

address = "United States",

note = "2nd IEEE European Symposium on Security and Privacy 2017, EuroS&P 2017 ; Conference date: 26-04-2017 Through 28-04-2017",

}

Korczynski, M, Tajalizadehkhoob, S, Noroozian, A, Wullink, M, Hesselman, C & Eeten, MV 2017, Reputation Metrics Design to Improve Intermediary Incentives for Security of TLDs. in Proceedings of 2nd IEEE European Symposium on Security and Privacy (EuroS&P) 2017., 7962004, Institute of Electrical and Electronics Engineers (IEEE), pp. 579-594, 2nd IEEE European Symposium on Security and Privacy 2017, Paris, France, 26/04/17. https://doi.org/10.1109/EuroSP.2017.15

Reputation Metrics Design to Improve Intermediary Incentives for Security of TLDs. / Korczynski, Maciej; Tajalizadehkhoob, Samaneh; Noroozian, Arman; Wullink, Maarten; Hesselman, Cristian; Eeten, Michel Van.

Proceedings of 2nd IEEE European Symposium on Security and Privacy (EuroS&P) 2017. Institute of Electrical and Electronics Engineers (IEEE), 2017. p. 579-594 7962004.

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

TY - GEN

T1 - Reputation Metrics Design to Improve Intermediary Incentives for Security of TLDs

AU - Korczynski, Maciej

AU - Tajalizadehkhoob, Samaneh

AU - Noroozian, Arman

AU - Wullink, Maarten

AU - Hesselman, Cristian

AU - Eeten, Michel Van

PY - 2017

Y1 - 2017

N2 - Over the years cybercriminals have misused the Domain Name System (DNS) - a critical component of the Internet - to gain profit. Despite this persisting trend, little empirical information about the security of Top-Level Domains (TLDs) and of the overall 'health' of the DNS ecosystem exists. In this paper, we present security metrics for this ecosystem and measure the operational values of such metrics using three representative phishing and malware datasets. We benchmark entire TLDs against the rest of the market. We explicitly distinguish these metrics from the idea of measuring security performance, because the measured values are driven by multiple factors, not just by the performance of the particular market player. We consider two types of security metrics: occurrence of abuse and persistence of abuse. In conjunction, they provide a good understanding of the overall health of a TLD. We demonstrate that attackers abuse a variety of free services with good reputation, affecting not only the reputation of those services, but of entire TLDs. We find that, when normalized by size, old TLDs like.com host more bad content than new generic TLDs. We propose a statistical regression model to analyze how the different properties of TLD intermediaries relate to abuse counts. We find that next to TLD size, abuse is positively associated with domain pricing (i.e. registries who provide free domain registrations witness more abuse). Last but not least, we observe a negative relation between the DNSSEC deployment rate and the count of phishing domains.

AB - Over the years cybercriminals have misused the Domain Name System (DNS) - a critical component of the Internet - to gain profit. Despite this persisting trend, little empirical information about the security of Top-Level Domains (TLDs) and of the overall 'health' of the DNS ecosystem exists. In this paper, we present security metrics for this ecosystem and measure the operational values of such metrics using three representative phishing and malware datasets. We benchmark entire TLDs against the rest of the market. We explicitly distinguish these metrics from the idea of measuring security performance, because the measured values are driven by multiple factors, not just by the performance of the particular market player. We consider two types of security metrics: occurrence of abuse and persistence of abuse. In conjunction, they provide a good understanding of the overall health of a TLD. We demonstrate that attackers abuse a variety of free services with good reputation, affecting not only the reputation of those services, but of entire TLDs. We find that, when normalized by size, old TLDs like.com host more bad content than new generic TLDs. We propose a statistical regression model to analyze how the different properties of TLD intermediaries relate to abuse counts. We find that next to TLD size, abuse is positively associated with domain pricing (i.e. registries who provide free domain registrations witness more abuse). Last but not least, we observe a negative relation between the DNSSEC deployment rate and the count of phishing domains.

KW - domain abuse

KW - malware

KW - phishing

KW - reputation metrics

KW - security

KW - top-level domains

UR - http://www.scopus.com/inward/record.url?scp=85021938564&partnerID=8YFLogxK

U2 - 10.1109/EuroSP.2017.15

DO - 10.1109/EuroSP.2017.15

M3 - Conference contribution

AN - SCOPUS:85021938564

SP - 579

EP - 594

BT - Proceedings of 2nd IEEE European Symposium on Security and Privacy (EuroS&P) 2017

PB - Institute of Electrical and Electronics Engineers (IEEE)

T2 - 2nd IEEE European Symposium on Security and Privacy 2017

Y2 - 26 April 2017 through 28 April 2017

ER -

Korczynski M, Tajalizadehkhoob S, Noroozian A, Wullink M, Hesselman C, Eeten MV. Reputation Metrics Design to Improve Intermediary Incentives for Security of TLDs. In Proceedings of 2nd IEEE European Symposium on Security and Privacy (EuroS&P) 2017. Institute of Electrical and Electronics Engineers (IEEE). 2017. p. 579-594. 7962004 https://doi.org/10.1109/EuroSP.2017.15

Reputation Metrics Design to Improve Intermediary Incentives for Security of TLDs

Abstract

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cybersecurity (TPM)

Cite this

Reputation Metrics Design to Improve Intermediary Incentives for Security of TLDs

Abstract

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Projects

Cybersecurity (TPM)

Cite this