Home » MAP Abuse Analytics

NetBeacon Measurement and Analytics Platform (MAP)

NetBeacon Map measures and tracks the use of the DNS for phishing and malware.

MAP reports can be
consumed in three formats

NetBeacon Measurement and Analytics Platform delivers a reliable, independent, transparent, and granular way of measuring DNS Abuse in order to ultimately reduce it at the DNS level.

Interactive Charts

An interactive format to consume data. Users can explore a variety of charts, hovers, and tooltips for additional information.

Individual Dashboards

Individualized data on phishing and malware for registrars across domains under management (DUM)or within their “zones.”

Monthly Analysis

Reports that provide the latest snapshot of aggregate data on abuse, including mitigation rates, speeds, and registration types.

Data handled with integrity

NetBeacon MAP follows a stringent methodology for data collection and analysis in collaboration with our academic research partner Kor Labs

Our guiding principals for data gathering and analysis are:

Transparency: The methodology that collects, cleans, and aggregates the data must be as transparent as possible. To the extent that anyone should wish, they could replicate the process.

Credibility and Independence: We aim to have an academically robust and independent approach, separate from commercial interests.

Accuracy and Reliability:
The goal of these reports is to enable focused conversations, and to identify opportunities for abuse reduction. The data needs to be of high enough quality to serve as the foundation for meaningful changes to the ecosystem.

Read our FAQs for more information.


NetBeacon MAP

NetBeacon MAP is a collaboration with KOR Labs, led by Dr. Maciej Korczynski a professor at Grenoble Alpes University in France.

KOR Labs collect the data using an academically robust, transparent methodology. This data is provided to the Institute. The Institute works with PIR’s Data Analytics team to create the interactive charts, reports, and individualized dashboards.

Our approach is one of collaboration and engagement. We are committed to refining this project as work continues and welcome insights from across the industry to help us iterate and improve.

NetBeacon Institute Impact

"We appreciate the NetBeacon Institute’s commitment to capturing the true scope of DNS Abuse. The transparency of their methodology ensures that their results can be duplicated and trusted. Their NetBeacon MAP data provides reliable insight and helps registries and registrars understand and collaborate on areas for possible improvement."
Alvaro Alvarez
EVP, General Counsel & Secretary, Identity Digital, Inc

NetBeacon MAP focuses on the use of the Domain Name System (DNS) for phishing and malware.

Phishing is an attempt to trick people into sharing important or sensitive information, for example logins, passwords, credit card numbers, or banking information in either a personal or business context.

Malware is malicious software designed to compromise a device on which it is installed.

Our methodology includes a process to determine whether any mitigation has been observed. This involves taking an initial measurement of various factors related to the URL and repeating these measurements for one month.

The information collected by KOR Labs includes the content of the malicious URL and the home page of the registered domain name, DNS, and RDAP/WHOIS records. KOR Labs extract features used to determine whether the maliciously registered domain has been removed from the zone and/or hosting service has been suspended and/or abusive content has been removed from the website. After the initial measurement, performed at the time of acquiring the malicious URL, KOR Labs repeat the measurements for one month: 5 minutes after blocklisting, 15m, 30m, 1 hour, 2h, 3h, 4h, 5h, 6h, 12h and then once every 12 hours. 

Typically, malware delivery and phishing attacks are mitigated within the first day after blocklisting. Therefore, KOR Labs perform more granular scans at the beginning of the measurements and less frequent measurements later. See our Methodology for more information.

We cannot definitively know which party took mitigating actions.This data could include mitigation taken by the registry, the host, or any other relevant party. The reference to a registrar is indicative that the domain is under their management.

We have published a transparent and comprehensive Methodology.

We define a special domain as a domain name that provides subdomains or a redirection that can be abused by attackers, but the original purpose of the registered domain name is legitimate. Those domain names are generally registered by operators of URL shorteners (e.g., bitly.com) or subdomain providers, for example, dynamic DNS providers (e.g., duckdns.org), free subdomain providers (e.g., 000webhost.com), or file

sharing services (e.g., docs.google.com). KOR Labs maintains and manually updates a list of special domains which is available to the research community. KOR Labs NetBeacon MAP methodology keeps only domain names likely to have been registered by end users and excludes special domain names, to avoid, for example, google.com being flagged as abusive. See our Methodology for more information.

Yes. See our Monthly Reports. Registrars and registries can also view their own data in their MAP Dashboard.

MAP is a collaboration between The NetBeacon Institute and KOR Labs, led by Dr. Maciej Korczynski, a professor at Grenoble Alpes University in France. This data is then provided to the Institute. The Institute works with PIR’s Data Analytics team to create the interactive charts and for the purposes of writing this report.

The four labels used to measure mitigation are Mitigated, Not Mitigated, Uncategorized, or Unprocessed. 

Mitigated: We believe a mitigating action has occurred. This action could be taken by a registrar, registry, a hosting provider, or another relevant actor.

Not Mitigated: We did not detect any indication of mitigation.

Uncategorized: We were unable to determine whether or not mitigation occurred.

Unprocessed: The domains were not processed due to network connectivity or server problems.

Our methodology includes three labels:

Malicious: a domain registered for malicious purposes (i.e., to carry out DNS Abuse).

Compromised: A benign domain name that has been compromised at the website, hosting, or DNS level. 

Uncategorized: A domain that our methodology was unable to categorize for a number of reasons, including problems in collecting the metadata necessary to categorize domain names accurately.