
Page 1

Exposing Criminal Abuse of Internet Names and Addresses

Colin Strutt, Interisle Consulting Group

Greg Aaron, Illumintel

Presented at Workshop on Internet Economics: Knowledge of Internet Structure: Measurement, Epistemology, and Technology (WIE-KISMET), December 2019

Page 2

Measuring and Documenting Domain Name Abuse

◼ Spam, malware, phishing, etc., degrade the online environment

⧫ Erode user confidence

⧫ Inflict serious harm on individuals and organizations across the world

◼ Harms:

⧫ Financial

⧫ Election interference

⧫ Cyber terrorism

⧫ Physical harms, as criminals target critical infrastructures (e.g., healthcare systems)

◼ Countering them tops “most important Internet issues” list for most


Page 3

ECAINA Vision

◼ A measurable and quantifiably safer Internet

◼ An Internet in which organizations, governments, and individuals have data they can use to

⧫ Deploy security measures

⧫ Demonstrate empirically the effectiveness of security and administrative controls

⧫ Make informed policy and regulatory decisions

⧫ Conduct research


Page 4

ECAINA Mission

To collect and publish information that identifies, quantifies, and categorizes Internet identifier abuse and the contexts in which it occurs


Page 5

ECAINA Mission (the detailed version)

◼ We seek the structural, systemic enablers of Internet abuse

◼ Numerous organizations already compile reputation data or “threat intelligence”

⧫ Can be used tactically to stop crimes in progress, notify victims, pursue legal recourse, and prevent future abuse — in individual instances

◼ We will collect, process, and warehouse reputation information that identifies, quantifies, and categorizes activities that harm Internet users

⧫ Can be used strategically to identify and fight cybercriminal activity Internet-wide

◼ Information comprising census & reputation statistics for

⧫ Domain names

⧫ IP addresses

⧫ Autonomous Systems (AS)

⧫ Associated organizations (e.g., registries, registrars, and hosting, cloud, or ISP operators)


Page 6

ECAINA Project

◼ ECAINA will provide

⧫ Scientifically reliable data for researchers to:

⚫ Observe and report concentrations of criminal activity

⚫ Measure, quantify, and rank domain name service providers and operators

⚫ Measure, quantify, and rank addressing service providers and operators

⚫ Observe criminal flocking and migration behavior over time

⚫ Discover and codify indicators that allow us to discover additional abuse identifiers

⚫ Report the above to inform legislators and policy makers

⧫ Researchers with means to:

⚫ Study harmful names and addresses


Page 7

ECAINA Proof of Concept

◼ Feasibility study begun 3 September 2019

⧫ Gathering daily blocklist data for 23 TLDs

⧫ Identifying the associated registrar from available domain name registration data

◼ Analysis of blocklist and Whois data for each TLD on each day:

1. # domain names on blocklist; “sponsoring” registrar

2. # domain names added to blocklist each day; “sponsoring” registrar

3. # domain names removed from the blocklist each day

◼ Demonstrating the value and viability of ECAINA

⧫ Observed relationships between turnover, bulk registration, and blocklisting “spikes” and well-recognized patterns of criminal behavior
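The three per-day measurements listed above (list size, names added, names removed, each tied to a sponsoring registrar) reduce to set operations over consecutive daily snapshots. The Python below is an added example, not ECAINA's own code: its blocklist feeds, registrar mapping and TLD list are constructed sample data standing in for the gathered blocklist and Whois data, and the 50% "new names" threshold used to flag a spike is an assumption chosen for illustration. Beyond the three counts, it derives the two figures the later slides report: the top registrar's share of a TLD's blocklist and the percentage of the blocklist that was added on a given day.

```python
"""Daily blocklist analysis of the kind the ECAINA proof of concept performs.

Added example, not ECAINA code. FEEDS, REGISTRAR and TLDS are constructed
sample data; a real run would read each day's blocklist feed and a Whois or
RDAP export for the sponsoring registrar instead.
"""
from collections import Counter, defaultdict

# Multi-label suffixes such as co.kr must win over their last label (kr).
TLDS = ["co.kr", "kr", "biz", "us", "icu"]

# Constructed daily feeds: date -> blocklisted names seen that day.
FEEDS = {
    "2019-09-03": ["alpha.biz", "bravo.biz", "charlie.biz", "delta.biz", "k1.co.kr"],
    "2019-09-04": ["alpha.biz", "bravo.biz", "charlie.biz", "echo.biz",
                   "foxtrot.biz", "golf.biz", "k1.co.kr", "k2.co.kr"],
    "2019-09-05": ["alpha.biz", "echo.biz", "foxtrot.biz", "golf.biz", "hotel.biz",
                   "k2.co.kr"],
}

# Constructed stand-in for the "sponsoring registrar" found in registration data.
REGISTRAR = {
    "alpha.biz": "Registrar A", "bravo.biz": "Registrar A", "charlie.biz": "Registrar A",
    "delta.biz": "Registrar A", "echo.biz": "Registrar B", "foxtrot.biz": "Registrar B",
    "golf.biz": "Registrar C", "hotel.biz": "Registrar B",
    "k1.co.kr": "Registrar K", "k2.co.kr": "Registrar K",
}


def tld_of(domain, tlds=TLDS):
    """Longest-suffix match, so 'x.co.kr' is counted under co.kr rather than kr."""
    best = None
    for t in tlds:
        if domain.endswith("." + t) and (best is None or len(t) > len(best)):
            best = t
    return best


def by_tld(names, tlds=TLDS):
    """Group one day's feed into {tld: set(names)}; names outside TLDS are dropped."""
    groups = defaultdict(set)
    for n in names:
        t = tld_of(n, tlds)
        if t is not None:
            groups[t].add(n)
    return groups


def daily_stats(feeds, registrar, tld):
    """One row per day for a TLD: list size, names added and removed versus the
    previous day, the share of the list that is new, and the top sponsoring
    registrar with its share. The first day is the baseline, so its adds and
    removes are reported as 0 rather than as the whole list."""
    rows, prev = [], None
    for date in sorted(feeds):
        cur = by_tld(feeds[date]).get(tld, set())
        added = set() if prev is None else cur - prev
        removed = set() if prev is None else prev - cur
        counts = Counter(registrar.get(n, "unknown") for n in cur)
        top, top_n = counts.most_common(1)[0] if cur else ("", 0)
        size = len(cur)
        rows.append({
            "date": date,
            "size": size,
            "added": len(added),
            "removed": len(removed),
            "pct_added": round(100.0 * len(added) / size, 1) if size else 0.0,
            "top_registrar": top,
            "top_share": round(100.0 * top_n / size, 1) if size else 0.0,
        })
        prev = cur
    return rows


def spike_dates(rows, min_pct_added=50.0, min_added=1):
    """Days on which at least min_pct_added percent of the list is new: the
    'spikes' the slides associate with bulk registration. Threshold is an
    illustrative assumption, not a value from the study."""
    return [r["date"] for r in rows
            if r["added"] >= min_added and r["pct_added"] >= min_pct_added]


if __name__ == "__main__":
    rows = daily_stats(FEEDS, REGISTRAR, "biz")
    for r in rows:
        print(r)
    print("spike days for biz:", spike_dates(rows))
```

Run as a script it prints the three daily rows for biz and flags 2019-09-04, the day on which half the list was new. Ties between registrars are not broken deterministically by Counter, so a real report should sort by count and then by name before picking the top entry.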


Page 8

Number of Names on Each TLD’s Blocklist

[Chart: number of names on each TLD’s blocklist, daily from 3 Sep to 10 Dec 2019. Y-axis 0 to 18,000; one line per TLD: agency, biz, cloud, co.kr, com, fit, gdn, icu, info, life, live, monster, net, org, pet, ru, site, tokyo, top, us, work, world, xyz]

Page 9

Number of Names Added to Each TLD’s Blocklist

[Chart: number of names added to each TLD’s blocklist per day, 3 Sep to 10 Dec 2019. Y-axis 0 to 12,000; one line per TLD: agency, biz, cloud, co.kr, com, fit, gdn, icu, info, life, live, monster, net, org, pet, ru, site, tokyo, top, us, work, world, xyz. Annotated peak: .us, 14 Oct, 10,516 names]

Page 10

Registrars with High Proportion of Blocklisted Domains

Top registrar for all blocked domains in TLD

TLD | Date      | Blocked Domains | Top Registrar                       | # domains | % domains | Added
biz | 9/4/2019  | 4,083           | GMO Internet, Inc. d/b/a Onamae.com | 3,381     | 82.8%     | 132
biz | 9/5/2019  | 4,269           | GMO Internet, Inc. d/b/a Onamae.com | 3,487     | 81.7%     | 245
biz | 9/6/2019  | 3,593           | GMO Internet, Inc. d/b/a Onamae.com | 2,767     | 77.0%     | 163
biz | 9/10/2019 | 3,409           | GMO Internet, Inc. d/b/a Onamae.com | 2,207     | 64.7%     | 244
biz | 9/11/2019 | 3,416           | GMO Internet, Inc. d/b/a Onamae.com | 2,000     | 58.5%     | 484
biz | 9/13/2019 | 3,444           | GMO Internet, Inc. d/b/a Onamae.com | 1,880     | 54.6%     | 76
biz | 9/15/2019 | 4,059           | GMO Internet, Inc. d/b/a Onamae.com | 1,809     | 44.6%     | 131
biz | 9/18/2019 | 4,783           | GMO Internet, Inc. d/b/a Onamae.com | 1,963     | 41.0%     | 629
biz | 9/19/2019 | 4,884           | GMO Internet, Inc. d/b/a Onamae.com | 2,050     | 42.0%     | 317
biz | 9/20/2019 | 5,648           | GMO Internet, Inc. d/b/a Onamae.com | 2,791     | 49.4%     | 911
biz | 9/22/2019 | 5,682           | GMO Internet, Inc. d/b/a Onamae.com | 2,869     | 50.5%     | 164
biz | 9/23/2019 | 5,795           | GMO Internet, Inc. d/b/a Onamae.com | 2,948     | 50.9%     | 253
biz | 9/24/2019 | 6,495           | GMO Internet, Inc. d/b/a Onamae.com | 3,612     | 55.6%     | 966

(Columns: number of blocked domains in the TLD that day; the registrar sponsoring the most of them; how many and what share of the blocked domains that registrar sponsors; names added to the blocklist that day.)


Page 11

14 October – 10,516 Names Added to .us Blocklist

01fl9z

01py42

02gtn1

02joer

0317gm

034wo8

047pip

048bfu

049eql

04bqda

04dtr9

04otrs

058dax

05cfis

05h3tx

05kbpy

05ourk

05vbdo

05vmdi

06mwpx

07ebdo

07ktun

081uq5

082asy

08phqx

09feqg

09nb2a

09w8yh

09zzc4

0aaior

0aec3m

0afxwz

0ahncl

0amepc

0ammbh

0bgisc

0bhqex

0bkpju

0brnlo

0c2wmp

0cb1o3

0cbik6

0cenf4

0chmtp

0chyql

0ck65z

0cmddq

0cornp

0cyxbl

0d3q2g

0d4ayv

0d6gml

0dm5hn

0duz8q

0dzwfo

0e2lrg

0eganq

0enwfg

0es5oz

0ess1k

0faari

0foksf

0gd9bf

0gia1m

0gim9b

0gjswb

0gjvxp

0gklqr

0gnnt9

0gtkue

0guvdk

0h4blq

0h4ofm

0hfbkg

0hiep1

0hl5vh

0hlc3x

0hmdi2

0hmdiu

0iilt4

0j5mer

0jef9e

0jh2vh

0jhtex

0jjzqc

0joebq

0juxgq

0jvtes

0kjboo

0kngxi

0kwngu

0kxtzj

0lcosd

0lezti

0lhlgs

0lnajf

0lqpph

0lrgre

0lvdaw

0mbvys

0mi31c

0mm2de

0nbd8d

0nfegu

0ogm1f

0olerp

0on1yf

0oqq1x

0oxcwz

0oyjgo

0p6zxx

0pun6d

0q5ger

0q6frx

0q9ity

0qaf4b

0qfuof

0qrqeu

0qtl67

0qyrcj

0r6tbq

0rmgbe

0rpimy

0rpmyl

0rv1f8

0rxnru

0sbtxd

0senfy

0sgonf

0slxkr

0sogh3

0sq6ie

0sxqqu

0szzsa

0t8acb

0t9pfs

0tfks6

0tgque

0tjx8h

0u5k7v

0unbec

0uradt

0urq3q

0uta83

0uzprk

0v5dfu

0vqc2r

0vxhat

0vxnkw

0w6jyz

0w7knj

0wu4kl

0wz5tr

0x1qiw

0x63s4

0x6a7o

0xaaub

0xeil1

0xo5yn

0xrpvu

0xx3hk

0y8n4q

0ycepx

0yeapq

0yi3nm

0yiobn

0yxwkl

0zcues

0zelby

0ziu9u

0zmkya

0zreem

0zvms9

0zwgx9

10g8ki

12dggb

13mp4u

14fjnq

14fkid

14quhf

14zvhy

15bj8p

15soim

15topm

16bhoj

16jsrg

16oldc

16onzh

17hed6

17mkzd

17usze

18kvrq

18mmn2

19betq

19rlft

19tutk

19vpjn

19wiqd

1a7wmt

1aaymn

1akyt8

1asirm

1bcg2o

1bg94j

1blmny

1bslan

1bukmx

1bw9f8

1cahhd

1cb4ko

1cbxpw

1ciuwl

1cjqrg

1ckggh

1cnkef

1coswo

1coznb

1devil

1dey2n

1dgr4p

1dioyr

1dph6j

1dv5vq

1e9jbj

1eabcv

1eqjju

1eu4lp

1f0hln

1f4o67

1f5c3b

1fbdhn

1fo7tv

1fottc

1fri3d

1fryuk

1fvysa

1fy4bd

1getts

1ghxzy

1gyexj

1h6icu

1hbglt

1hfluh

1hhqna

1hjat2

1hpbxt

1i7ryf

1iaqnp

1igeop

1igqmr

1ipdax

1j2v0p

1jgsyq

1jikfz

1jm4cp

1jyawi

1k2kvp

1kbpgd

1kdu98

1kvvet

1kyfgu

1lae98

1lkesp

1lna7l

1lpm8e

1lupth

1m08dx

1m8vkd

1m9bo8

1mg3ha

1micki

1mqdsx

1mupiw

1mvofp

1n2xo5

1nfexj

1ngw50

1nr5sy

1o4m2i

1ojyrx

1omb8j

1ozlxj

1ozmz6

1pridj

1pseyq

1pxrsn

1q3ptz

1q3thg

1qllzn

1qra03

1raqpw

1rb2gu

1rbtu4

1ribqz

1rygkd

1s7kn0

1slbol

1sw9ar

1tfvbb

1tihrp

1tkyev

1tn29j

1tnhkw

1tpblj

1txwra

1tycqx

1ueqgd

1ukude

1uo8iy

1urwba

1usqrj

1uvxmd

1uzwhl

1vgxt9

1vwkoc

1w0ied

1wfsks

1whdgb

1wpkre

1wr5rg

1wsvrp

1wzlxn

1xgow5

1xjjes

1y8mr7

1yanr7

1yhunx

1yjuga

1yqtjl

1z9cxe

1zcbhj

1zxyve

20zbln

21adq0

21dwzi

21ghy7

21gj9z

21ndte

21oyjn

21s8os

23mdip

23yd0z

24aro5

24cpne

25fhdd

25ikb6

25lzj3

260uwp

26vlcz

26x5na

27brhe

29jvhi

2adoqi

2akoul

2anwem

2arqez

2azznj

2b8n3q

2befys

2bggcd

2bir8b

2blqhm

2blukk

2bpivj

2bqo0x

2bsidd

2bultj

2bxszf

2canrt

2cmwk9

2dbh71

2dm1hd

2dqfjn

2dwyn7

2dzvpw

2e1zvh

2ecpom

2ejalk

2epwfb

2ercji

2etrfa

2etvis

2eymrl

2f0wxk

2fersd

2fnrye

2fsvyg

2g4eus

2ga3oe

2gdehd

2gi6jq

2glrum

2guqot

2gwvif

2ihrhe

2irkap

2izmeu

2jdj9v

2jgzqt

2jkozr

2jqv3h

2jsukg

2jwtbh

2kkzhj

2knpu8

2l7dky

2lgawo

2lgayw

2lh1gv

2limoc

2m9zho

2mcer1

2mfda6

2mktqo

2mqbvz

2mwcld

2mxo1l

2mzaxq

2nhlrn

2o0lov

2o1mfa

2o9fkd

2oaobn

2ocuye

2odsd0

2ofeyj

2omalh

2osplf

2pizlu

2pntiq

2pvxdo

2px0et

2pxnr0

2pxogx

2qjalh

2qkvtc

2qpthe

2r8ttl

2rcmci

2rfbhp

2rjxvu

2rknin

2rkwug

2rspug

2rtm13

2rxhfn

2s1elx

2sdryw

2si9ts

2sndla

2somkm

2sprjd

2strin

2t7pvz

2tbspk

2tefgz

2tj5vf

2tjnam

2tnify

2tuev3

2tzfqn

2tzmd7

2tzuhm

2ubxm6

2ud43l

2ufozp

2up8cg

2uuvfz

2uvn1g

2uxdh3

2uz7dm

2vdwcg

2vfcjy

2vrno7

2wpdwh

2wrvwi

2x4ct9

2x8jlc

2xj59t

2xouvk

2xv1pi

2xwqmf

2ylexc

2ysyu5

2ytahr

2yzkip

2z37mp

2zamxh

2zfivy

2zil5a

2zjp9s

2zpqh4

2zsbs5

30dtrs

30kil9

30pm2n

31oizc

326mbg

329rxj

32znio

34hagr

34opqr

34rhps

34sgyb

34v6fo

358hx2

35j01w

35jly4

35qcmb

36hvuq

36mgrp

36naqh

36zdwc

37ieeb

37ksrr

37upab

384vwt

38ktvt

38qe1m

38rper

3aa8rp

3afsfu

3ao2zr

3atdol

3awnhp

zwscho

zwuhqg

zwuqvh

zwxoy6

zx2hwj

zxd2gj

zxe1ds

zxhixb

zxhpwa

zxjaib

zxmion

zxnmer

zxpnva

zxppcl

zxrgfh

zxtoh5

zxvamd

zxy3kl

zy4nw0

zy5wco

zy61nk

zyabti

zyapks

zyfota

zyogai

zytotn

zyvlss

zyw7k5

zz7yld

zzf38l

zzgktf

zzlbeu

zzojwa

zzr3fs

zzryek

···


Page 12

Percent of Each TLD’s Blocklist Added

[Chart: percentage of each TLD’s blocklist that was added on each day, 3 Sep to 10 Dec 2019. Y-axis 0% to 100%; one line per TLD: agency, biz, cloud, co.kr, com, fit, gdn, icu, info, life, live, monster, net, org, pet, ru, site, tokyo, top, us, work, world, xyz]

Annotated peaks:

.monster, 14 Sep: 82%, 89 names

.tokyo, 30 Oct: 82%, 307 names

.pet, 1 Nov: 100%, 2 names

.icu, 10 Dec: 51%, 1,195 names

Page 13

10 December – 1,195 Names Added to .icu Blocklist – ERANET names

aaykz

aazoj

adlbq

afexe

ajqhg

allcq

arwza

atdbf

athia

atpzw

attsl

atudd

atyze

avqlw

avqxr

avrwr

awpwu

awsib

aybx

ayen

ayma

azbbt

azje

azrhq

azyk

balz

bamt

barmy

basb

bbnz

bbqo

bckz

bcnig

bcpxm

bcpyl

bdqot

bdww

beei

berpm

besm

bfaei

bfbve

bfmj

bfwtw

bfzb

bfzh

bgfz

bgjl

bgury

bhju

bhsau

bhuah

biehw

bihne

bikqj

bipbs

bjaf

bjufp

bkas

bkdh

bkdoe

blaiv

bluuk

blwg

bmgk

bmjdw

bmjxj

bodoy

bolyh

bqkub

bqxya

brfc

brgmn

briak

brtx

bscu

bsfly

bslev

bslml

bsnk

bssr

bsth

bthp

bung

bupvi

buscb

bvdb

bvlhv

bvwfv

byaat

bybe

bykur

bzffm

bzjgx

bzkqy

bzwcl

cbas

cbcuk

cbynt

cccpi

cclfz

cddwb

cdkjw

cdzbj

ceqn

cevg

cfhwo

cfoz

cgdxe

cguyl

chavm

chfzg

chpt

chsb

chuwp

civzq

cixe

cjcdd

ckng

ckwa

clapi

clbmq

cmeqg

cnizl

cnqxg

cnvf

cnzgr

cokri

cpml

cqrhk

cqus

crajj

cruud

csawg

csfqm

ctbxh

ctmob

ctnay

curn

cvfq

cvsn

cwcs

cwpg

cwput

cwtz

cxbci

cxnfq

cxvwz

cyogl

cypz

czuwx

czyyl

daozs

daxr

dcaqz

dcchx

dcyw

ddmfp

ddneb

deam

deiat

deqkq

dewkc

dffju

dgfgq

dgln

dguys

dhcac

dixiy

diyss

djex

djsj

dkijr

dkqut

dksz

dkxql

dljsv

dluih

dlyc

dmgk

dmgu

dnhdq

dnok

dnon

dnqu

dnsr

dnxyx

domc

dosia

doudw

dpsmu

dpue

dpuf

dpvpk

dqjyt

dsbim

dsbm

dshdl

dstua

dsxf

dtadu

dthro

dtlzh

dtnwc

dtqrf

dtyf

duvz

dvogs

dvot

dvvxu

dxggq

dzsk

eacgz

eahl

ebrou

ebsnf

ebvha

ebzzg

echnh

ecnai

ecspf

edfmk

edweg

eehz

eeifo

eeri

efxo

egbwq

ehfvg

ehga

ehkda

ehtt

eifos

ejftk

ejsz

ekcel

ekqp

ekwbl

ekxb

elqgi

eltz

emiq

emlr

emtt

enzl

epam

epdt

eqkx

eqvm

eraz

erbrs

eriq

erzo

esdv

esrae

estbp

etau

etdhj

etuwm

euwtd

euxaf

euzeo

evdli

evztw

ewgou

ewocs

ewpvb

ewpzt

ewvcq

ewxe

exani

exaxe

exly

exxkw

eysm

eythm

eyxtf

eyzwn

ezcfe

ezeys

fbejj

fcdwk

fchjd

fcsxp

fcurz

fdgss

fduck

fdwf

fejhn

fejzg

felkl

fffyy

ffpm

fgawg

fhdi

fhrni

finl

fjko

fjlde

fjqkp

fjyfe

fjzer

fklzi

fkozo

flcfy

flfdq

flgez

fliud

flqk

fmkte

fmmwb

fmtlv

fmtz

fnjkw

foev

fohxe

foqry

fqbar

fqgd

fqtf

frzt

fsbbk

fsdx

fstqd

ftaf

ftgla

ftgqy

ftvyt

fuaqk

fuejj

fuxsy

fuxvm

fvcxs

fwbs

fwou

fxsvo

fyqe

fzdez

fzpn

gaajn

gawp

gawzm

gaypu

gbxf

gcftp

gcgao

gcte

gctlf

gcxuc

genb

gfadc

gfdzx

gfqz

ggyij

ghavr

ghfz

ghlov

gibac

gidla

gipz

gisxf

gjfjy

gknat

gktfo

gmro

gmup

gmxmy

gntft

goqzn

gosdb

gqclb

gqcpt

grbe

grccw

gskd

gsoyo

gtlxn

gtrad

gugoc

gurq

gvmca

gvmvt

gvni

gvsmc

gvtt

gvxdo

gwca

gwfa

gwjib

gwkea

gwtnr

gyev

gzjen

gztq

gzxi

habcy

hamv

haxge

hayeu

hbxqe

hcdcl

hcemu

hchg

hcjpu

hcovl

hcslq

hdusg

hedz

hfcm

hftsu

hgcgj

hgnmh

hgwqw

hhap

hhmn

hifkn

hiqd

hivoq

hjecy

hkydg

hmew

hmlk

hmma

hnycl

hnzo

hpjo

hpnel

hptup

hpwi

hrvga

hsit

hsye

htgqd

htqbm

htudi

htwxp

hulyx

hunx

huypa

hvked

hvuui

hwvml

hxgob

hycdt

hzgfj

hzixt

hzvjd

iaprn

icacm

icaeo

icfjm

icssm

idbr

idjot

idof

idrbx

ienlu

ievs

ifbbn

ifqh

ihqhy

ihyra

ihzic

ijdfi

ijfc

ijqj

ijtmu

ikkvk

ikssg

ikwnc

ilcwu

illld

ilxr

ilygi

imlwl

immc

injsv

intdn

invtk

inxlr

iocjj

ipkfl

iprag

iqise

isjbp

ispt

isvge

ithy

itjf

ituy

ivvgs

ivvn

iwba

iwjp

iwqaz

iwyye

ixwmp

ixywm

iywvg

izgar

jado

jahra

jarxv

jbhg

jblik

jbrr

jchz

jcih

jcjsr

jdfww

jdjot

jdugv

jesn

jeta

jiasn

jidb

jizzl

jjdio

jjiw

jjybg

jkee

jkqaa

jkxd

jldy

jmlq

xbvqj

xcolh

xdbbr

xekbp

xffbu

xfocf

xgtjn

xhsid

xnicj

xqjbh

xqonj

xxzmz

xypzk

xysjm

xzhvb

yaaxq

yaiyr

ybldw

yblrm

yddvx

ydura

ygsd

yjka

ynfvh

yruii

ytodh

yudrb

yvlob

ywxhk

zksop

zmxpq

zsqik

ztcmk

zyhxe

zzzpc

···


Page 14

Turnover Rate

Date   | TLD      | Blocklist Size | Names Added
14 Sep | .monster | 108            | 89
6 Oct  | .us      | 9,401          | 6,329
14 Oct | .us      | 18,636         | 10,516
20 Oct | .cloud   | 1,072          | 620
23 Nov | .cloud   | 779            | 429
25 Nov | .co.kr   | 213            | 123
2 Dec  | .xyz     | 4,653          | 1,052
5 Dec  | .info    | 7,952          | 3,115

Date   | TLD      | Names Removed | Blocklist Size
29 Oct | .us      | 9,821         | 3,928
2 Nov  | .agency  | 1,615         | 247
12 Sep | .monster | 160           | 41


Page 15

Cumulative Unique Blocked Domains

[Chart: cumulative count of distinct blocked domains per TLD, 3 Sep to 10 Dec 2019. Y-axis 0 to 200,000; one line per TLD: agency, biz, cloud, co.kr, com, fit, gdn, icu, info, life, live, monster, net, org, pet, ru, site, tokyo, top, us, work, world, xyz]

.com overwhelms

Page 16

Cumulative Blocked Domains (excluding .com)

[Chart: cumulative count of distinct blocked domains per TLD with .com omitted, 3 Sep to 10 Dec 2019. Y-axis 0 to 35,000; one line per TLD: agency, biz, cloud, co.kr, fit, gdn, icu, info, life, live, monster, net, org, pet, ru, site, tokyo, top, us, work, world, xyz]

.us increases
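The two cumulative charts count every distinct name that has ever appeared on a TLD’s blocklist, which diverges from the daily list size as soon as names churn on and off the list (the .us turnover on the previous slides is the extreme case). The Python below is an added example, not ECAINA code: it computes that running count per TLD, optionally leaving out a dominant TLD as the second chart leaves out .com, and compares the final count with the peak daily size; the snapshot data is constructed.

```python
"""Cumulative unique blocked domains per TLD, the quantity the two cumulative
charts plot. Added example, not ECAINA's own code; SNAPSHOTS is constructed."""

# Constructed daily snapshots: date -> {tld: set of names on that day's blocklist}.
SNAPSHOTS = {
    "2019-10-05": {"com": {"c1.com", "c2.com", "c3.com"},
                   "us": {"u1.us", "u2.us"}},
    "2019-10-06": {"com": {"c2.com", "c3.com", "c4.com"},
                   "us": {"u1.us", "u2.us", "u3.us", "u4.us"}},
    # The whole .us list is replaced: its size shrinks while the number of
    # distinct names it has ever held keeps growing.
    "2019-10-07": {"com": {"c3.com", "c4.com", "c5.com"},
                   "us": {"u5.us", "u6.us"}},
}


def cumulative_unique(snapshots, exclude=()):
    """One (date, {tld: distinct names seen so far}) pair per day, in date
    order. TLDs listed in `exclude` are omitted from the series entirely."""
    seen = {}
    series = []
    for date in sorted(snapshots):
        for tld, names in snapshots[date].items():
            if tld in exclude:
                continue
            seen.setdefault(tld, set()).update(names)
        series.append((date, {t: len(s) for t, s in seen.items()}))
    return series


def churn_summary(snapshots):
    """Per TLD: peak daily list size, distinct names over the whole period,
    and their ratio. A ratio well above 1 means the list turned over rather
    than grew, which the daily size chart alone would not reveal."""
    series = cumulative_unique(snapshots)
    if not series:
        return {}
    peak = {}
    for day in snapshots.values():
        for tld, names in day.items():
            peak[tld] = max(peak.get(tld, 0), len(names))
    final = series[-1][1]
    return {t: {"peak_size": peak[t], "unique": final[t],
                "ratio": round(final[t] / peak[t], 2)} for t in final}


if __name__ == "__main__":
    for date, counts in cumulative_unique(SNAPSHOTS, exclude=("com",)):
        print(date, counts)
    print(churn_summary(SNAPSHOTS))
```

With the constructed data, .us never holds more than 4 names on any one day yet accumulates 6 distinct names in three days; on real feeds the ratio is a cheap first screen for TLDs whose blocklists are being refilled by fresh registrations rather than growing steadily.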


Page 17

ECAINA Plan

◼ ECAINA will operate a trusted, neutral, public clearinghouse

◼ ECAINA will use trusted reputation data sources with additional high fidelity “curation”

◼ ECAINA will expand the reputation data to allow classification and analysis of additional security threats

◼ ECAINA will operate as a research project at George Mason University

◼ University and commercial participation will be part of ECAINA’s DNA

◼ Interisle staff will participate as co-Principal Investigators to provide subject matter expertise, recommend research activities, co-advise University graduate research assistants, and solicit industry or foundation participation and financial support


Page 18

ECAINA Project

[Diagram: phased release of ECAINA outputs from the data repository]

Phase 1: Publish reports

Phase 1.1: Reports and underlying aggregated data available

Phase 1.2: Reports, aggregated data, ECAINA-sourced underlying data

Phase 2: Reports, aggregated data, ECAINA-sourced and licensed underlying data

ECAINA DATA REPOSITORY and ANALYTICS ENGINE, fed by:

⧫ Data collected by ECAINA from public sources

⧫ “Raw” subscription data

⧫ Pre-processed subscription data


Page 19

ECAINA – The Players So Far

◼ Interisle

⧫ Dave Piscitello

⧫ Lyman Chapin

⧫ Colin Strutt

◼ Illumintel

⧫ Greg Aaron

◼ George Mason University (GMU)

⧫ Eric Osterweil

◼ Others welcome!
