All domains are presorted on a so-called 'whitelist' root name server basis before being included in our DNS system.
Specially developed sandbox solutions supplied by different manufacturers, dedicated crawlers as well as an entirely new type of algorithm are used to evaluate whether a domain is to be included in our Blue Shield Umbrella platform.
All web codes are scanned for faulty software and every incorporated web link checked, e.g. for CDN networks, forum links, etc. - we are setting new standards when it comes to zero-day prevention measures.
Instead of saving results, the connection data of each target are checked in real-time whenever they are accessed; subsequently, they are assessed by means of algorithms using historical data to determine whether their behavior is 'good' or 'bad'.
Whenever an infrastructure changes so drastically that its historical data do not match current behavior, we will block the domain concerned until a new real-time prevention profile has been created.
Code scans based on the new mathematical algorithm including a customized sandbox are operating in parallel in the background for all accessed hosts in order to immediately identify any malicious code changes in addition to the relevant connection data.
This information is used on an ongoing basis to determine whether the domain in question is still being accepted by the clones of our root name servers.
Web servers, domains, IPs and authoritative servers not recognized by the BSU are blocked for the time being. During this period, our system will analyze the new target in order to learn more about it:
• Connection behavior
• Code assessment including hidden subdirectories
• Any other traffic (such as MX)
Additionally, we use passive DNS learning - we have been building a database for machine learning since 2013.
• Which domains are pointing at the target, have they behaved suspiciously in the past?
• Domain owner including its history
• Authoritative name server
Only when all criteria have received a positive assessment, a domain is incorporated in our dedicated root name server and then additionally scrutinized by means of real-time prevention and code scans through an AI.
We are currently blocking all domains of more than 4,000 authoritative name servers - and rising.
Over 248 million new domains are created every quater, of which more than 70% are either faulty or command & control domains, disqualifying them from being included in our platform.