The Need for a Standard

Attacks on network infrastructure, trademark or copyright infringements, dangerous content like phishing or hosted malware, and illegal content like child exploitation material all have an origin or a source. Informing the owner or maintainer of the source, so that they stop the attacks or take down the content in question, is the only way to mitigate these issues, and is therefore an essential part of the internet infrastructure. Unfortunately, the status quo for reporting abuse is a very unstructured and cluttered environment, which is the primary reason for the lack of efficiency in operationalizing abuse report metadata today.

XARF is a standard developed to improve the ability of recipients of abuse reports to operationalize the data. Unlike previous methods of sharing network abuse data, XARF is simple, extensible, and structured, and, therefore, easily automated. XARF aims to improve security measures in a few ways:

  • Extend the capabilities of current network abuse report sharing
  • Add the flexibility to adapt quickly to new use cases as they occur
  • Easy to generate
  • Easy to read (machine- as well as human-readable)
  • Provide the basis for a unified and holistic approach to abuse handling

XARF is an open, community-driven effort that provides free specifications to aid in the automated expression of information about observed network abuse.

XARF

XARF, short for the eXtended Abuse Reporting Format, is a standardized set of schemas, developed by Abusix and a community around it, for describing abusive behavior or abusive content. It has been adopted as a quasi-standard by several governments, enterprises, large ISPs and hosting companies, and other involved organizations. It is designed to be shared via email, which is still the standard for abuse reporting, but it can be shared by other mechanisms like HTTP as well. A report only has to contain the bare minimum set of information needed to act upon the origin of abusive behavior within a network, which makes XARF light and slim. Simplicity is its most significant benefit compared with STIX/TAXII, IODEF, or other formats that serve a completely different use case.

Use Cases

XARF schemas conform to a wide range of pre-existing report types, so that the receiving network operator may easily automate and consume the format. Field naming in one schema maps to other schemas, which makes scaling easier and allows the network operator to act on vulnerabilities, abuse, and fraud with higher speed.

Trademark and Copyright

Brand and intellectual property theft is one of the most abundant forms of fraud that pervades the internet today. Shapeshifting imposters and unauthorized resellers of media or fake knockoffs profit off of the hard work of others. Furthermore, a network operator that does not have clean processes for handling these types of abuse reports places its safe harbor at risk.

XARF provides a uniform reporting format that helps both the trademark holder and the copyright owner by allowing the network operator to apply automation to alerts and takedown requests. This reduces workload, since it no longer requires a human to open every single unique report and manually work through them, one by one.

Dictionary Attacks via Fail2Ban

SSH attacks are the most common ways that bad actors compromise accounts. Fail2Ban is the most common open-source solution for dealing with these attacks.

XARF provides a uniform reporting format that helps the network operator to apply uniform automation to address compromised systems and bad actors hiding in their network, thus mitigating and resolving these problems quickly at their root.

Spam and Phish Reporting

Spam, whether it's unwanted mail, phish, or spear phish, presents a huge problem. The quicker evidence gets into the hands of the network operator in a uniform format, the sooner patterns of abuse can emerge.

XARF provides a common format for network operators to digest. It is built from MARF, the IETF standard for reporting generic “This is Spam” complaints, and extends it with additional functionality.

Abusix’s AbuseHQ, the security and abuse orchestration platform, increases network security, lowers reputational and legal risk, and increases subscribers’ safety by allowing network service providers to easily receive, automatically analyze, cluster, understand, and manage XARF and many other types of abuse reports and related logs.

ONLINE RESOURCES

There are many ways to get involved with XARF. If you’d like to engage with the community and contribute to creation efforts, you can join here in our GitHub Project.
