[domainrep] Reputation algorithms
Tyson Macaulay <tmacaulay@2keys.ca> Tue, 22 May 2012 11:24 UTC
Return-Path: <tmacaulay@2keys.ca>
X-Original-To: domainrep@ietfa.amsl.com
Delivered-To: domainrep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C47BC21F852B for <domainrep@ietfa.amsl.com>; Tue, 22 May 2012 04:24:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AztpAyQWu3ld for <domainrep@ietfa.amsl.com>; Tue, 22 May 2012 04:24:57 -0700 (PDT)
Received: from mail.2keys.ca (mail.2keys.ca [72.1.200.74]) by ietfa.amsl.com (Postfix) with ESMTP id 10E1E21F848F for <domainrep@ietf.org>; Tue, 22 May 2012 04:24:57 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.2keys.ca (Postfix) with ESMTP id 224C4281192 for <domainrep@ietf.org>; Tue, 22 May 2012 07:17:03 -0400 (EDT)
X-Virus-Scanned: amavisd-new at 2keys.ca
Received: from mail.2keys.ca ([127.0.0.1]) by localhost (mail.2keys.ca [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dDztQCqkY9gX for <domainrep@ietf.org>; Tue, 22 May 2012 07:16:58 -0400 (EDT)
Received: from [10.0.0.139] (unknown [65.48.164.194]) by mail.2keys.ca (Postfix) with ESMTPSA id 4B0002810E2 for <domainrep@ietf.org>; Tue, 22 May 2012 07:16:58 -0400 (EDT)
User-Agent: Microsoft-MacOutlook/14.2.1.120420
Date: Tue, 22 May 2012 07:24:52 -0400
From: Tyson Macaulay <tmacaulay@2keys.ca>
To: domainrep@ietf.org
Message-ID: <CBE0EFC4.8C41%tmacaulay@2keys.ca>
Thread-Topic: Reputation algorithms
In-Reply-To: <mailman.26.1334689205.19668.domainrep@ietf.org>
Mime-version: 1.0
Content-type: text/plain; charset="ISO-8859-1"
Content-transfer-encoding: quoted-printable
Subject: [domainrep] Reputation algorithms
X-BeenThere: domainrep@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Domain Reputation discussion list <domainrep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/domainrep>, <mailto:domainrep-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/domainrep>
List-Post: <mailto:domainrep@ietf.org>
List-Help: <mailto:domainrep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/domainrep>, <mailto:domainrep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 May 2012 11:24:57 -0000
HI again, In a soon to be released INFORMATIONAL RFC - draft-macaulay-6man-reputation-intelligence-00 we propose criteria for reputation intelligence algorithms. These appear to partially overlap with your complimentary conclusions in draft-ietf-repute-media-type-02 - Section 3.1, but we have some supplementary criteria. (It will be a few more days before I get the INFORMATIONAL RFC on line due to a family vacation. Email me if you want a pre-00 version right away.) Also - it is entirely possibly your intention that many of these criteria are implicit and not required in the replies to reputation queries.(?) In our current model, all criteria except the reputation score itself is held within the intelligence algorithm rather than communicated in the reputation query-response. Below I have tried to map your reputation criterium against ours - or indicate where there is no mapping: REPUTON "Rater" = Implicit in selection of query destination in our model. REPUTON "Application" = Implicit intended app is "packet staining" as per draft-macaulay-6man-packet-stain-00 REPUTON "Assertion" = no mapping REPUTON "Rated" = indicated by the source address of the packet REPUTON "Rating" = Reputation score to be encoded in header extension REPUTON "Confidence" = no mapping at this time. REPUTON "Authenticity" = no mapping. This is a management control (business-level decision) in our model. REPUTON "Sample size" = Function 8 (approximately) REPUTON "Updated" = Function 2, 6, 7 (approximately) Algorithmic functions as per draft-macaulay-6man-reputation-intelligence-00 Function 1: to account for large Internet portals with many, independent URLs with good reputations, but also some proportion of dangerous (bad reputation) URLs sharing the same IP address = no REPUTON mapping? Function 2: to account for the distance in time between the last observed suspicious or illicit behaviour and the present Function 3: to account for the reputations of both adjacent IP addresses or domains = REPUTON "Updated" (approximately?) Function 4: to account for the original, per-processed source of the intelligence (open source, closed source, domain of control, uncontrolled domain) = no REPUTON mapping Function 5: to account for the velocity of suspicious or illicit behaviour (IE. high Spam rate) = no REPUTON mapping Function 6: to account for the duration of suspicious or illicit behaviour (IE. sustained spam at low velocity) = REPUTON "Updated" (approximately?) Function 7: to account for lifetime of domain to source IP associations (IE. newly minted domain names or previously unobserved/ un-assigned addresses = REPUTON "Updated" (approximately) Function 8: to account for the proportion of traffic from this source which is benign versus demonstrably illicit = REPUTON "Sample size" (approximately?) Function 9: to account of the nature of the suspicious or illicit behaviour (automated port scanning versus malware-drop) = no REPUTON mapping What are your impressions of this criteria from our draft? Do you feel they are valid in the context of intelligence algorithms? Is there any particular reason they are not explicit in your "Reputon Keys" in Section 3.1? Thanks, Tyson PS - again - we (my co-authors) think your work here is great, and the direction we need to go in order to establish networks with the necessary assurance in the future. -- Tyson Macaulay, BA CISSP CISA VP Technology 2Keys Security Solutions Phone: +1 613 292 9132 email: tmacaulay@2keys.ca
- [domainrep] Test application reg under repute-med… Tyson Macaulay
- [domainrep] Reputation algorithms Tyson Macaulay
- Re: [domainrep] Test application reg under repute… Murray S. Kucherawy
- Re: [domainrep] Reputation algorithms Murray S. Kucherawy
- Re: [domainrep] Reputation algorithms Murray S. Kucherawy