The Netherlands Domain Registration Foundation has developed a tool that estimates the risk of abuse for Dutch domain names. RegCheck gives new .nl domains a risk score that estimates the likelihood of the domain being used for malware, for example.
The administrator of the .nl domain writes that it already replaces the Registery Check, or RegCheck has been in use since August last year. The tool is intended to recognize domains that are used for spam or cybercrime, for example to host a phishing site or point to a command-and-control server. SIDN trained a model based on 2100 .nl domains that had been abused and on 103,000 legitimate registrations over a year and a half. The first category are domains that appeared on Netcraft’s abuse list within thirty days of being registered. Netcraft is a service that searches for abuse domains and then tries to have them taken offline via the abuse list.
SIDN acknowledges that there are several tools such as RegCheck and Premadoma. However, according to SIDN, they did not meet all the requirements that the authority sets for such a tool. For example, it should not only display accurate results and be easy to use, but the algorithms behind it should be clear and the tool should be adaptable to different needs. In addition, SIDN wants to make the tool available to other registries that may work with different policies or lists than Netcraft.
The tool allows registry parties to draw up their own models to give a website a risk score. SIDN itself offers two linear models in the tool. One of these is a knowledge-driven model in which a person always has to monitor the input. The other model is data-driven, using a logistic regression machine learning algorithm. The models both look at eleven different risk factors. SIDN does not write which these are, but mentions as an example that there are certain suspicious character combinations in a URL or if the registrant’s account details are not consistent.
The tool also has the option of adding new factors or use other algorithms. Registries can also add abuse lists themselves via a csv file.
