
Internet Identifier System Security, Stability, and Resiliency Research

SSR Objective

The SSR team works to strengthen the security, stability, and resiliency of the Internet's critical infrastructure, in support of ICANN's mission to coordinate the global system of unique identifiers. Our work centres on scientific research and the development of tools, software, and methods that protect the Internet's foundational systems, including addressing Domain Name System (DNS) abuse, a growing concern for a secure, unified, and stable network.

In support of ICANN's role, we aim to bolster the operational security of the Internet's core systems against evolving cyber threats and DNS abuse. Because the Internet underpins global socio-economic activity, protecting its infrastructure keeps services reachable, enables commerce, and supports critical operations, while countering the DNS abuse that undermines the Internet's integrity.

In many cases our work involves collecting data, making measurements, and generating metrics. Where these things exist, we look at how we can make the best use of them or how we might improve them; where they do not exist, we look at how we can create them. Since metrics are used to guide policy decisions, it is crucial that they are clearly understood and presented in an accurate, non-misleading manner.


Collaborations

Our work is often collaborative, carried out with other teams within ICANN and with external partners. These collaborations are essential to our work, allowing us to draw on the collective expertise of industry and of academic institutions such as Université Grenoble Alpes, Delft University of Technology, and Yokohama National University. By working closely with these research teams, we engage in research that contributes to new solutions and to thought leadership in Internet security. The outcomes often take the form of joint academic papers, presentations at international conferences, and reports that shape the direction of cybersecurity research. Our collaborations also extend to a broad spectrum of stakeholders within the ICANN community, including Regional Internet Registries (RIRs) such as the Réseaux IP Européens Network Coordination Centre (RIPE NCC) and the Latin American and Caribbean Internet Addresses Registry (LACNIC), as well as country code top-level domain operators such as Stichting Internet Domeinregistratie Nederland (SIDN) and Nominet. These partnerships keep us abreast of emerging threats and technologies, so that our research remains relevant and impactful.

Research & Development

The SSR team pursues these goals along several lines of research:

Operability and Resiliency of Internet Identifier Technologies

SSR examines the technologies and protocols that are foundational to Internet identifiers, with a focus on their global operability and efficiency. One example is the Registration Data Access Protocol (RDAP), to which we have made notable contributions. Our work in this space aims to improve the functionality and accessibility of domain registration data by offering more robust, standardized methods for retrieving it. This matters for the transparency and accountability of domain registrations, and thus for a more secure and trustworthy Internet infrastructure. We also look into the operability of the Internet Protocol (IP) address space and autonomous systems, as well as domain names and their related technologies.

Security of Internet Identifier Technologies

In this area, the SSR team tackles security topics related to domains and IP addresses, such as DNS abuse, through practical and effective strategies. We critically assess reputation block lists (RBLs) to gauge how effectively they identify harmful domains. We also apply machine learning techniques to identify patterns that could predict future malicious domain registrations, contributing insights and tools aimed at addressing potential threats before they materialize and thereby helping to maintain the integrity of the Internet's infrastructure. This topic also includes research on weaknesses in DNS infrastructure.

New Technologies Related to the Internet Identifier Ecosystem

At the leading edge of Internet identifier technologies, our research examines the potential of blockchains for building decentralized domain name systems. This includes investigating alternative, blockchain-based domains that could offer new paradigms for domain registration and management, with claimed benefits in security, transparency, and resistance to censorship. Our work in this area aims to understand how such technologies could be integrated into, and would extend, the existing Internet infrastructure, and to assess their implications for the future of Internet identifiers.

Artificial Intelligence for Internet Identifier Resilience

The SSR team also researches the role of artificial intelligence (AI) in the DNS abuse ecosystem. This area of research studies how attackers use AI to improve their methods, like phishing and malware distribution, while also exploring how the ICANN community can use these technologies to better understand and combat these threats. By applying AI, the SSR team aims to detect and understand patterns, helping to strengthen the overall security and stability of the Internet.

Tools

Domain Abuse Activity Reporting (DAAR)

Domain Name Security Threat Information Collection & Reporting (DNSTICR)

ICANN Domain Metrica

Projects

Inferential Analysis of Maliciously Registered Domains (INFERMAL)

Papers

Methodology for Evaluation of Reputation Block Lists

RBLs are lists of Internet identifiers (domain names, IP addresses, full URLs, etc.) that have been observed taking part in some form of malicious activity. The lists vary in, for example, the methods of data collection, the intended use, the amount of validation performed on entries, and the type and quality of metadata provided. Lists may be provided by commercial entities, individuals, or nonprofit organizations, and therefore come with varying degrees of certainty as to their accuracy, update frequency, availability, and licensing arrangements.

For many years, different communities such as ICANN, the RIRs, security companies, threat intelligence researchers, and academia have made use of RBLs, often for different purposes. At the same time, certain aspects of this ecosystem have remained somewhat unexplored: How can we characterize an RBL? How do multiple RBLs interact? Can we assess the advantage of adding a new dataset, and which RBLs are best suited to our needs?

In work published in the proceedings of APWG.EU Tech 2023 and in an OCTO publication, we shared the methodology the SSR team uses. We designed and proposed a number of metrics to measure different aspects of an RBL, from how easily the feed can be integrated into our existing corpus of RBLs to whether its collection method fills a gap in our current set. We assess this by reading the RBL's documentation, making direct and indirect measurements, and discussing open points with the providers. We also look at how different RBLs interact with one another: how much they overlap (if at all) and where, whether one consistently receives entries earlier than the others, and whether they complement each other or largely report the same information.

The OCTO publication gives more details, and also includes the database schema that we use to store the RBLs we read, the metrics we used to evaluate the lists, and some code snippets that show how we create the visual comparisons used.
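As an added illustration of the interaction measurements described above (overlap, lead time, and the unique contribution of a feed to the corpus), the following Python is example code written for this page, not the SSR team's tooling or the snippets in the OCTO publication. The feed names, indicators and first-seen timestamps are constructed; only the (indicator, first_seen) pairs matter.

```python
"""Pairwise overlap, first-seen lead time and unique contribution of RBL feeds.

Added example, not ICANN SSR code. Feeds, indicators and timestamps are
constructed; a real feed would be parsed from its CSV/JSON into the same
{indicator: first_seen} shape before these functions are applied."""
from datetime import datetime
from itertools import combinations

# Constructed feeds: feed name -> {indicator: ISO-8601 first-seen time}.
FEEDS = {
    "feedA": {
        "bad-1.example": "2024-03-01T10:00:00",
        "bad-2.example": "2024-03-01T12:00:00",
        "bad-3.example": "2024-03-02T08:00:00",
        "bad-4.example": "2024-03-03T09:00:00",
    },
    "feedB": {
        "bad-1.example": "2024-03-01T16:00:00",
        "bad-2.example": "2024-03-01T09:00:00",
        "bad-5.example": "2024-03-02T11:00:00",
    },
    "feedC": {
        "bad-6.example": "2024-03-04T00:00:00",
    },
}


def parse_feed(feed):
    """Convert the ISO timestamps of one feed into datetime objects."""
    return {ind: datetime.fromisoformat(ts) for ind, ts in feed.items()}


def jaccard(a, b):
    """Jaccard overlap of two indicator sets; 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def overlap_matrix(feeds):
    """Shared-entry count and Jaccard overlap for every pair of feeds."""
    sets = {name: set(f) for name, f in feeds.items()}
    out = {}
    for x, y in combinations(sorted(sets), 2):
        out[(x, y)] = {"shared": len(sets[x] & sets[y]),
                       "jaccard": jaccard(sets[x], sets[y])}
    return out


def lead_time(feeds, x, y):
    """For indicators present in both x and y: how many x saw first, how many
    y saw first, and the median lead in hours (positive when x is earlier).
    Returns (0, 0, None) when the two feeds share nothing."""
    fx, fy = parse_feed(feeds[x]), parse_feed(feeds[y])
    leads = sorted((fy[i] - fx[i]).total_seconds() / 3600
                   for i in fx.keys() & fy.keys())
    if not leads:
        return 0, 0, None
    mid = len(leads) // 2
    median = leads[mid] if len(leads) % 2 else (leads[mid - 1] + leads[mid]) / 2
    return sum(l > 0 for l in leads), sum(l < 0 for l in leads), median


def unique_contribution(feeds, name):
    """Indicators carried only by `name`: what the corpus loses without it."""
    others = set().union(*(set(f) for n, f in feeds.items() if n != name))
    return set(feeds[name]) - others


if __name__ == "__main__":
    for pair, metrics in overlap_matrix(FEEDS).items():
        print(pair, metrics)
    print("feedA vs feedB (x_first, y_first, median_lead_h):",
          lead_time(FEEDS, "feedA", "feedB"))
    for name in FEEDS:
        print(name, "unique:", sorted(unique_contribution(FEEDS, name)))
```

The lead-time sign convention matters when comparing feeds of different sizes: a feed that is consistently later but contributes many unique entries (feedC here) may still be worth adding, which is why the overlap and unique-contribution figures are read together rather than in isolation.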

Detecting "Parked" Pages

In a peer-reviewed research paper published in the 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), we look at detecting domains that, for one reason or another, are not displaying content under the registrant's control. There are many possible reasons, but by far the most common is a "parked" page that shows adverts and is controlled by a third-party parking service. We looked into this question because, to measure what percentage of a registrar's or registry's domain space is abused in various DNS threats, we first need to identify the portion of domains that serve active content; in other words, we need a more accurate estimate of the size of the attack surface.

Many of these pages are controlled by a relatively small number of services, which operate by having the domain's DNS settings direct any visitor to the appropriate page. Because of these two factors, the status of a domain can in most cases be determined from various DNS markers together with the final URL reached after any redirections are followed. This determination is relatively accurate, with a very low false positive rate, but it has an appreciable false negative rate (that is, parked pages that go undetected) that depends on the exact classification rules used.

We see that domains in these states are not evenly distributed: different top-level domains or registrar groups show higher or lower proportions of parked pages. We argue that removing these domains when calculating abuse metrics can be a valid step, and we show how removing domains with these markers changes statistics and league tables.

This work will be further documented in a forthcoming OCTO publication.
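The two-marker approach and its effect on a league table, as an added example (not the paper's code): the parking name server suffixes, the landing hosts and the eight domain records are constructed placeholders under .example, and the strict/loose switch stands in for the different classification rules the text says the false negative rate depends on.

```python
"""Parked-domain detection from DNS markers plus the final redirect URL, and
how excluding parked domains changes a per-TLD abuse rate.

Added example, not the paper's code. Marker lists and domain records are
constructed placeholders; a real detector curates markers from observed
parking services."""
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical parking-service markers (assumed names under .example).
PARKING_NS_SUFFIXES = ("parkhost.example.", "adpark.example.")
PARKING_LANDING_HOSTS = {"lander.parkhost.example", "www.adpark.example"}

# Constructed observations per domain: authoritative NS names, the URL reached
# after following HTTP redirects (None if nothing answered), and whether the
# domain appears on a block list.
DOMAINS = [
    {"name": "a1.alpha", "tld": "alpha", "ns": ["ns1.parkhost.example."],   "final_url": "http://lander.parkhost.example/?d=a1.alpha", "listed": False},
    {"name": "a2.alpha", "tld": "alpha", "ns": ["ns1.parkhost.example."],   "final_url": "http://a2.alpha/",                          "listed": False},
    {"name": "a3.alpha", "tld": "alpha", "ns": ["ns1.registrant.example."], "final_url": "https://a3.alpha/shop",                      "listed": True},
    {"name": "a4.alpha", "tld": "alpha", "ns": ["ns.adpark.example."],      "final_url": "http://www.adpark.example/lander",           "listed": False},
    {"name": "b1.beta",  "tld": "beta",  "ns": ["ns1.registrant.example."], "final_url": "https://b1.beta/",                          "listed": True},
    {"name": "b2.beta",  "tld": "beta",  "ns": ["ns1.registrant.example."], "final_url": "https://b2.beta/login",                     "listed": True},
    {"name": "b3.beta",  "tld": "beta",  "ns": ["ns2.hosting.example."],    "final_url": "https://b3.beta/",                          "listed": False},
    {"name": "b4.beta",  "tld": "beta",  "ns": ["ns1.parkhost.example."],   "final_url": None,                                        "listed": False},
]


def classify(rec, strict=True):
    """Return 'parked', 'unreachable' or 'active'.
    strict: both the NS marker and the landing-page marker must fire
            (very few false positives, more parked pages missed);
    loose:  either marker suffices (fewer misses, but a registrant who
            hosts real content behind a parking NS is misclassified)."""
    ns_hit = any(ns.lower().endswith(PARKING_NS_SUFFIXES) for ns in rec["ns"])
    host = urlsplit(rec["final_url"]).hostname if rec["final_url"] else None
    url_hit = host in PARKING_LANDING_HOSTS
    parked = (ns_hit and url_hit) if strict else (ns_hit or url_hit)
    if parked:
        return "parked"
    if rec["final_url"] is None:
        return "unreachable"
    return "active"


def abuse_rates(records, exclude_parked, strict=True):
    """Share of block-listed domains per TLD, optionally dropping parked
    domains from both numerator and denominator."""
    total, listed = defaultdict(int), defaultdict(int)
    for r in records:
        if exclude_parked and classify(r, strict) == "parked":
            continue
        total[r["tld"]] += 1
        listed[r["tld"]] += int(r["listed"])
    return {tld: round(listed[tld] / total[tld], 4) for tld in total}


def league_table(rates):
    """TLDs ordered from highest to lowest abuse rate (ties alphabetical)."""
    return sorted(rates, key=lambda tld: (-rates[tld], tld))


if __name__ == "__main__":
    for label, kwargs in [("all domains", dict(exclude_parked=False)),
                          ("strict exclusion", dict(exclude_parked=True)),
                          ("loose exclusion", dict(exclude_parked=True, strict=False))]:
        rates = abuse_rates(DOMAINS, **kwargs)
        print(f"{label:17} {rates}  ranking={league_table(rates)}")
```

With every domain counted, beta looks twice as abused as alpha; once alpha's parked domains are removed from the denominator the two TLDs tie, and under the loose rule alpha ranks worst. The ordering of the league table is therefore a function of the exclusion rule, which is the point the paragraph above makes.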

Methodology to Classify Security Threats Delivered via Unsolicited Emails

In another peer-reviewed paper, published in the proceedings of the 22nd IEEE International Conference on Trust, Security, and Privacy in Computing and Communications (TrustCom) and as an OCTO publication, we designed a methodology to classify the security threats delivered via unsolicited emails. The work addresses a limitation of RBLs: they rarely make it possible to trace a threat indicator back to its origin. An exception is the sharing, among trusted entities, of the original unsolicited emails that are the source of the indicators. Our investigation showed that these emails carry a broad spectrum of threats, from spam and phishing to various scams, and that accurately identifying and categorizing them remains difficult despite the mechanisms available.

In this paper, we developed a classification system that categorizes unsolicited emails with high accuracy according to the threat they deliver, and demonstrated it on the Anti-Phishing Working Group (APWG) email dataset: over 10.8 million emails spanning 4.5 years. The machine learning-based classifier was trained to separate threat categories including spam, phishing, scams, and adult content. It is language-agnostic, performing across languages such as Spanish, French, Russian, Japanese, Portuguese, and German.
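An added example of one way to build a language-agnostic email threat classifier; it is not the classifier from the paper, and the paper's features are not described here, so the character n-gram multinomial naive Bayes below is an assumption. All training and test messages are constructed, and the test messages are in languages (Portuguese, German) the model never saw.

```python
"""Language-agnostic classification of unsolicited e-mails by delivered threat.

Added example for this page, not the SSR/APWG classifier. The character
n-gram naive Bayes is an assumption about how to stay language-independent,
and every training and test message is constructed."""
import math
from collections import Counter, defaultdict


def char_ngrams(text, n=3):
    """Character n-grams over whitespace-normalised, lowercased text.
    No word tokenizer is involved, so scripts without word spacing are
    treated exactly like Latin-script text."""
    t = " " + " ".join(text.lower().split()) + " "
    return [t[i:i + n] for i in range(len(t) - n + 1)]


class CharNgramNB:
    """Multinomial naive Bayes with Laplace smoothing over char n-grams."""

    def __init__(self, n=3, alpha=1.0):
        self.n, self.alpha = n, alpha
        self.doc_counts = Counter()              # label -> training messages
        self.gram_counts = defaultdict(Counter)  # label -> n-gram -> count
        self.vocab = set()

    def fit(self, samples):
        for text, label in samples:
            grams = char_ngrams(text, self.n)
            self.doc_counts[label] += 1
            self.gram_counts[label].update(grams)
            self.vocab.update(grams)
        return self

    def log_scores(self, text):
        """Log-posterior (up to a constant) of each label for `text`."""
        grams = char_ngrams(text, self.n)
        total = sum(self.doc_counts.values())
        scores = {}
        for label, ndocs in self.doc_counts.items():
            counts = self.gram_counts[label]
            denom = sum(counts.values()) + self.alpha * len(self.vocab)
            lp = math.log(ndocs / total)
            for g in grams:
                lp += math.log((counts[g] + self.alpha) / denom)
            scores[label] = lp
        return scores

    def predict(self, text):
        scores = self.log_scores(text)
        return max(scores, key=scores.get) if scores else None


# Constructed training messages (English, Spanish, French), labelled by the
# threat they deliver.
TRAINING = [
    ("Your account has been suspended. Verify your password at http://login-verify.example now", "phishing"),
    ("Votre compte a été suspendu. Confirmez votre mot de passe sur http://secure-login.example", "phishing"),
    ("Su cuenta ha sido bloqueada. Verifique su contraseña en http://verificar-cuenta.example", "phishing"),
    ("I am the widow of a late minister and need your help to transfer a $12,000,000 inheritance", "scam"),
    ("Soy la viuda de un ministro y necesito su ayuda para transferir una herencia de 12 millones", "scam"),
    ("Je suis la veuve d'un ministre et j'ai besoin de votre aide pour transférer un héritage", "scam"),
    ("Buy cheap watches and designer bags at 80% discount, free shipping worldwide", "spam"),
    ("Compre relojes baratos y bolsos de diseño con 80% de descuento, envío gratis", "spam"),
    ("Achetez des montres pas chères et des sacs de marque avec 80% de remise, livraison gratuite", "spam"),
]

MODEL = CharNgramNB().fit(TRAINING)


def classify_email(text):
    """Label a message with the threat class the model finds most likely."""
    return MODEL.predict(text)


if __name__ == "__main__":
    for msg in ["Seu acesso foi suspenso. Confirme sua senha em http://conta-verificar.example",
                "Ich bin die Witwe eines Ministers und brauche Ihre Hilfe, um ein Erbe von 12 Millionen zu übertragen"]:
        print(classify_email(msg), "<-", msg)
```

On unseen languages the classifier leans on what survives translation: URL syntax, numbers, and shared stems such as "minist" or "verific". That is also the caveat: a message in a script with no shared substrings with the training data gets only the class prior, so a production classifier needs training examples in every language it is expected to label, which is what the 10.8 million-message APWG corpus provides.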

Latest Publications

Blog: Inviting ccTLD Operators to Join and Benefit From ICANN Domain Metrica (September 2025)
Blog: How Choice of Reputation Blocklists Affects DNS Abuse Metrics (July 2025)
Report: Insights and Clarifications on the INFERMAL Study (June 2025)
Material: ICANN Domain Metrica Brochure (May 2025)
Blog: ICANN Domain Metrica Release Update: Access Now Open to All Users (February 2025)
Blog: Building Better Tools: ICANN81 Updates on ICANN Domain Metrica and INFERMAL (December 2024)
Blog: INFERMAL Project: Analyzing Features of Malicious Domain Registrations (October 2024)
Blog: ICANN Domain Metrica Project Update and Timeline (October 2024)
Blog: Updates on ICANN's Domain Abuse Activity Monthly Reports (October 2024)
Announcement: Recent Patterns Observed by ICANN's Domain Abuse Activity Reports Input Data (July 2024)
Blog: ICANN's SSR Research Team Publishes 2023 Look Back Report (May 2024)
Blog: A New ICANN Project to Measure Metadata on Domain Names (February 2024)
