Infoblox’s Threat Intelligence Group develops scoring algorithm for domains and nameservers
Ranking and comparing cyber threats can be very complicated, especially given the shifting landscape of cybersecurity from day to day. Therefore, having a robust, quantifiable, and repeatable process for scoring large amounts of data can be invaluable as defenders prioritise their limited resources for securing systems and analysing their traffic and alerts.
While there have been a number of attempts at creating such an algorithm, with the most recent notable attempt by Spamhaus, most fall short of producing scores that can be interpreted by a wide variety of audiences and can be easily used to provide meaningful comparisons.
In response to this need, researchers from Infoblox’s Threat Intelligence Group developed a new, generic scoring algorithm that can be applied to data such as top-level domains and nameservers.
To introduce the algorithm and demonstrate its usefulness, Infoblox researchers applied it to the past six months of anonymised DNS data from the company’s resolvers to determine the reputation, or risk, associated with com, net, and other top-level domains that appeared in the traffic. With high confidence, the researchers classified ten as high-risk, meaning that these TLDs were more likely to contain malicious domains than other TLDs were: bid, cam, cfd, click, icu, ml, quest, rest, top, and ws.
The new reputation-scoring algorithm uses only two pieces of information: the total number of observations and the number of observations meeting a specific criterion. When the algorithm is applied to TLDs to generate risk scores, the values are the total number of observed domains in the TLD and the number of observed malicious domains in the TLD. Using these two values, the algorithm produces a score from zero to ten: that is, [0:10].
A score of 5 is interpreted as the normal, expected score and is classified as moderate risk. The scores of 4 and 6 are close enough that they are also classified as moderate risk. Scores below 5 have a lower-than-average score, i.e., a lower-than-average percentage of malicious domains, while scores above 5 have a higher-than-average score, i.e., a higher-than-average percentage of malicious domains.
Al-Moneer, Regional Sr. Director, META, Infoblox.
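The article gives only the two inputs and the 0-to-10 scale centred on 5, not the formula. The Python below is an added illustration, not Infoblox’s code: it assumes a log2 ratio of each TLD’s malicious rate to the overall baseline, shrunk toward the baseline by a configurable pseudo-count so that a TLD with only a handful of observations cannot reach a confident extreme score; the 4-to-6 moderate band follows the article, while the low/high cutoffs outside it and the TLD counts are constructed assumptions.

```python
"""Two-input TLD risk score on a 0-10 scale (assumed formula, not Infoblox's)."""
import math
from typing import Dict, Tuple

# Constructed sample: TLD -> (observed domains, observed malicious domains).
# Totals sum to 1,000,000 domains and 20,000 malicious, i.e. a 2% baseline.
SAMPLE_COUNTS: Dict[str, Tuple[int, int]] = {
    "com": (700_000, 7_000),   # half the baseline rate
    "net": (200_000, 4_000),   # exactly the baseline rate
    "top": (80_000, 6_400),    # four times the baseline rate
    "icu": (19_990, 2_595),    # roughly 6.5x the baseline rate
    "tiny": (10, 5),           # 50% malicious, but only ten observations
}


def baseline_rate(counts: Dict[str, Tuple[int, int]]) -> float:
    """Overall fraction of observed domains that were malicious."""
    total = sum(t for t, _ in counts.values())
    malicious = sum(m for _, m in counts.values())
    return malicious / total if total else 0.0


def score_tld(total: int, malicious: int, base_rate: float,
              prior_weight: int = 0) -> float:
    """Map (total, malicious) to [0, 10] with 5 meaning 'same as baseline'.

    Assumed mapping: shrink the TLD's rate toward the baseline using
    `prior_weight` pseudo-observations, then add log2(rate / baseline) to 5,
    so each doubling relative to the baseline adds one point. Clamped to [0, 10].
    """
    if base_rate <= 0:
        return 5.0  # no malicious observations anywhere: nothing to compare against
    rate = (malicious + prior_weight * base_rate) / (total + prior_weight)
    if rate <= 0:
        return 0.0  # zero malicious with no prior: log2 undefined, floor the score
    return max(0.0, min(10.0, 5.0 + math.log2(rate / base_rate)))


def classify(score: float) -> str:
    """4..6 inclusive is moderate (per the article); low/high cutoffs are assumed."""
    if score < 4.0:
        return "low"
    if score > 6.0:
        return "high"
    return "moderate"


def score_all(counts: Dict[str, Tuple[int, int]],
              prior_weight: int = 0) -> Dict[str, Tuple[float, str]]:
    """Score and classify every TLD against the baseline derived from the data."""
    base = baseline_rate(counts)
    return {tld: (score_tld(t, m, base, prior_weight),
                  classify(score_tld(t, m, base, prior_weight)))
            for tld, (t, m) in counts.items()}
```

With `prior_weight=0` the ten-domain TLD scores near the top of the scale; with `prior_weight=1000` it is pulled back into the moderate band while the well-observed high-rate TLDs keep their high classification.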