ipTrust Knowledge API Technical Documentation 1 PROPRIETARY AND CONFIDENTIAL Table of Contents INTRODUCTION ............................................................................................................................. 3 IPTRUST KNOWLEDGE API – BENEFITS .......................................................................................................3 PRODUCT DESCRIPTION................................................................................................................. 4 DELIVERABLE DESCRIPTION ........................................................................................................... 4 IPTRUST KNOWLEDGE API DATA DESCRIPTION ............................................................................................4 IPTRUST KNOWLEDGE API DESCRIPTION.....................................................................................................5 JSON Format Delivery.....................................................................................................................5 XML Format Delivery......................................................................................................................6 CSV Format Delivery.......................................................................................................................6 IPTRUST SCORING METHODOLOGY................................................................................................ 6 VALUE DEFINES ......................................................................................................................................7 SCORING ...............................................................................................................................................7 RESEARCH METHODOLOGY............................................................................................................ 7 PASSIVE INSPECTION ...............................................................................................................................8 BOTNET SINKHOLE NETWORK ...................................................................................................................8 FEATURE SETS........................................................................................................................................8 DATA & CORRELATION DETAILS ................................................................................................................8 Global Geo-location and Organization...........................................................................................8 Malicious Networks........................................................................................................................8 Botnet Sinkholes.............................................................................................................................9 Intrusion Detection Systems (IDS) Feeds ........................................................................................9 POINT OF CONTACT ....................................................................................................................... 9 ABOUT ENDGAME SYSTEMS .......................................................................................................... 9 2 PROPRIETARY AND CONFIDENTIAL Introduction Reputation systems today are one- dimensional, focusing primarily on IP Accvity measuring spam email to determine if an Internet Protocol (IP) address is “good” Other AS Threats or “bad.” The ipTrust Knowledge API leverages Internet-wide intelligence and sophisticated multivariate analysis to compute a rational and useful metric for Time Interval Organizacon the overall trustworthiness of any given IP address. ipTrust Knowledge API is a Events cloud-based information service designed Locaon Detected to integrate rich IP reputation information into any at-risk system or Surrounding application without any expensive on-site Nodes infrastructure. Figure 1 - Example of the confidence scoring representation This representation shows a scored IP in wHicH we have seen activity, but not any malicious events. The weight was driven down based on locale and surrounding nodes. ipTrust Knowledge API – Benefits Access to complete, in-depth IP reputation data is invaluable in being cognizant of the threat associated with both known and unknown connections. ipTrust Knowledge API offers customers: • Leverage the full capacity of Endgame Systems’ (“Endgame”) internet threat intelligence apparatus via a lightweight and easy to use web-based API • Updated hourly on the latest threats, largest botnets, most relevant security events, and our correlated decision models • In-the-cloud or hosted deployment • Zero additional equipment needed to support a successful implementation • Inject true, real-time threat intelligence data into existing fraud and security management processes • Correlate existing fraud cases to specific security threats • Prevent fraud by leveraging granular external threat intelligence into real-time authentication systems • Improve internal enterprise security controls by leveraging external threat intelligence 3 PROPRIETARY AND CONFIDENTIAL Product Description The ipTrust Reputation API delivers to the customer the best, most complete, and most versatile IP reputation service on the market. While others focus on single-factor scoring, ipTrust provides a much richer view of the true risk associated with any IP address in near real-time. Endgame aggressively harvests, analyzes, and classifies malware and botnet samples obtaining information used for its IP address reputation and scoring. IP address scores are based on malicious events, event frequency, duration between events and other risk factors. All of these efforts are condensed into a single score, which puts ipTrust users in the driver’s seat to completely customize responses to specific events based on your unique and specific requirements. Deliverable Description ipTrust Knowledge API Data Description ipTrust computes its risk score based on many variables for over 250 million Internet hosts. Our data set includes identification and descriptions of many types of devices including the following: • Botnet tracking • Downadup/Conficker • Mariposa • BlackEnergy • Zeus • PoisonIvy • Precision weighting factors • Fewer false positives, time-scored results • Accounting for DHCP churn • Accounting for proxy hosts • Accounting for the age of events • Accounting for type of malicious traffic seen and how often events are triggered • Botnet controller or command and control nodes • Issue commands to bot-infected hosts • Anonymous Web Connections • TOR exit nodes and Open/Anonymous proxies • Worm infected hosts - Slammer, Code Red, etc. • Active hostile hosts • Brute force attacks • Malware propagation • Malicious behavior • Spam / Firewall Blacklists 4 PROPRIETARY AND CONFIDENTIAL ipTrust Knowledge API Description The Application Programming Interface (API) calls to Endgame cloud-based instances follow industry standards, which include three types of return formats (e.g. XML, JSON, CSV). URL: /confidence.{format} Formats: XML, JSON, CSV Methods: GET or POST Requires: APIKEY API Rate: Limited Query String Parameters: addr 1.2.3.4 An IP address in dotted quad notation (comma can act as a delimiter for multiple values in the same submission) key {UID} The API Key assigned to your account. Access to the API is located: http://api.endgamesystems.com/xml-rpc/confidence.{format}?key={APIKEY}&q={QUERYLIST} JSON Format Delivery Request: http://api.endgamesystems.com/xml-rpc/confidence.json?key={APIKEY}&q={QUERY LIST} Response: { "hosts": [ { "addr": "200.105.189.113", "confidence": "0.90889213", "events": { "Conficker A/B": "1273724080", "Conficker C": "1273455293", "Mariposa": "1270076434" } } ] } Inside the response is an array of hosts (one for each IP requested to be queried). Within that host record exists the last event for significant categories (e.g. Conficker A/B variant, Conficker C, Mariposa). The confidence score is represented as a floating point to be interpreted as a percentage value between 0% - 100%. The event timestamp is recorded as the number of seconds since the standard UNIX epoch. 5 PROPRIETARY AND CONFIDENTIAL XML Format Delivery <endgames> <status> <code>200</code> <message>OK</message> </status> <hosts> <host> <addr>200.105.189.113</addr> <confidence>0.90889213</confidence> <events> <event> <type>Conficker C</type> <date>1273455293</date> </event> <event> <type>Mariposa</type> <date>1270076434</date> </event> <event> <type>Conficker A/B</type> <date>1273724080</date> </event> </events> </host> </hosts> </endgames> XML provides the same criteria as JSON, but in XML version="1.0" encoding="UTF-8" canonicalization format. CSV Format Delivery 200.105.189.113,0.90889213 CSV is the most limited form of return. Use CSV if you do not need insight into the last offending malicious categories seen for the queried IP. CSV will only return the confidence level. ipTrust Scoring Methodology While tracking, monitoring, reverse engineering, and analyzing malicious software (e.g. Bots), Endgame Systems creates weighted scales based on several criteria (see Figure 1) and change those weights based on current events, anomalous behavior, or various detected changes. The general scoring model for the confidence score per IP address is defined below. 6 PROPRIETARY AND CONFIDENTIAL Value Defines Hours Is → (Short Interval) = (Hours in a Week) = 168 Week ⎛ ⎛ 1 ⎞ ⎞ Hours Im → (Medium Interval) = Hours in ⎜ ⎟ Year = 2184