Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Statistical Approach to Typosquatting Detection DNS Ops Workshop, 4-5 June 2008 Alessandro Linari and Oxford Brookes University.

Published byKelly Powers Modified over 9 years ago

Similar presentations

Presentation on theme: "A Statistical Approach to Typosquatting Detection DNS Ops Workshop, 4-5 June 2008 Alessandro Linari and Oxford Brookes University."— Presentation transcript:

1 A Statistical Approach to Typosquatting Detection DNS Ops Workshop, 4-5 June 2008 Alessandro Linari alessandro@nominet.org.uk and Oxford Brookes University

2 2 Introduction Typosquatting is the practice of registering a domain name which contains a typographical error if compared to the name of a trademark or a famous domain Growing phenomenon over the Internet –Well-understood from a legal point of view –Lack of a technical characterisation First attempt for –Technical definition –Statistical characterisation

3 3 Typosquatting: gooogle.co.uk

4 4 Syntactic and Confusing Similarity goo o gle.co.uk goog g le.co.uk b google.co.uk google-news.co.uk google-groups.co.uk askgoogles.co.uk Syntactically similarConfusingly similar GOOGL3.co.uk GO0GLE.co.uk Visually similar

5 5 Syntactic Neighbourhood Given a domain D, the syntactic neighbourhood of D set of all domains in the registry whose edit distance from D is equal to 1 D Registry N dist = 1

6 6 Syntactic Neighbourhood Given a domain D, the syntactic neighbourhood of D set of all domains in the registry whose edit distance from D is equal to 1 Edit distance –Minimum number of operations needed to transform one string into the other –An operation is an insertion, deletion, or substitution of a single character D Registry N dist = 1

7 7 Syntactic Neighbourhood Given a domain D, the syntactic neighbourhood of D set of all domains in the registry whose edit distance from D is equal to 1 ominet 1 m ominet on minet ominet no o minet d=1 d=2

8 8 Outline Correlation between popularity of a domain name and size of its neighbourhood Presence of “typosquatters friendly” registrars in the neighbourhood of popular domains anyYdomain anyA-domain Aany-domain … NEIGHBOURHOOD amazon bbc nominet yahoo REST-OF-THE-REGISTRY ebay theregister aol ANY-DOMAIN (.co.uk)

9 9 Outline Correlation between popularity of a domain name and size of its neighbourhood Presence of “typosquatters friendly” registrars in the neighbourhood of popular domains anyYdomain anyA-domain Aany-domain … NEIGHBOURHOOD amazon bbc nominet yahoo REST-OF-THE-REGISTRY ebay theregister aol ANY-DOMAIN (.co.uk)

10 10 Experimental Setting Choose a domain name X Compute the distance between X and all domains in the registry Compute the size of X’s neighbourhood Compute the average size of a neighbourhood for domains of each length –E.g., bbc.co.uk and allianceandleicester.co.uk have different distributions

11 11 Experimental Setting Only.co.uk web sites considered (March 2008) –Length refers to the third-level label Set of random domains (expected behaviour) –1000 domains for each length (random sample) Set of top-1000 popular domains (source NetCraft.com) –Band A: domains with ranking in [1,100] –Band B: domains with ranking in [101,500] –Band C: domains with ranking in [501,1000]

12 12 Neighbourhood and Popularity

13 13 Outline Correlation between popularity of a domain name and size of its neighbourhood Presence of “typosquatters friendly” registrars in the neighbourhood of popular domains anyYdomain anyA-domain Aany-domain … NEIGHBOURHOOD amazon bbc nominet yahoo REST-OF-THE-REGISTRY ebay theregister aol ANY-DOMAIN (.co.uk)

14 14 Distribution of Registrars Fraction of domain names owned by each registrar

15 15 Experimental Setting Consider only domains in Band A’s neighbourhood –i.e., any domain at dist=1 from at least one domain in Band A Compute the number of domains owned by each of registrars (distribution) For each registrar, compute the percent increase wrt to the previous distribution

16 16 Distribution of Registrars (Band A)

17 17 Discussion Analysis (manual) of 25 registrars whose size is between 100 and 1000 domains –Big registrars are complex to analyse (not present in this chart) –Small registrars do not contribute to reliable statistics

18 18 Discussion One of the big domain names owns the majority of its neighbourhood Interesting activity for 6 5 registrars –A big fraction of their domains syntactically or confusingly similar to popular domain names Normal activity for 8 registrars (false positives) No relevant findings in the other cases

19 19 Further Research Directions Insight in the typosquatting phenomenon –Domain name neighbourhood –First attempt toward statistical characterisation More questions than answers –Name servers used by typosquatters –Domain names containing common words –Content of the website –…

20 20 Bibliography A. Banerjee, D. Barman, M. Faloutsos, Laxmi Bhuyan. Cyber-Fraud is One Typo Away. INFOCOM, 2008 Y.Wang, D. Beck, J. Wang, C. Verbowski, B. Daniels. Strider Typo-Patrol: Discovery and Analysis of Systematic Typo-Squatting. SRUTI (Usenix WS), 2006. McAfee. What’s In A Name: The State of Typo-Squatting 2007. http://us.mcafee. com/root/identitytheft.asp?id=safe_typo (valid as in Jan. 2008). WIPO. DNS Developments Feed Growing Cybersquatting Concerns. http://www. wipo.int/pressroom/en/articles/2008/article_0015.html (valid as in May 2008).

21 Thank you!!!

22 Questions?

23 Backup Slides

24 24 Length of a domain name co.uk domains only Length always refers to the third level domain

25 25 Length of a domain name 3- and 4- chars domains not meaningful Neighbourhood of 5-chars domains is in the 4-chars space

26 26 Distance between domain names ~100 domains (for each length) compared against whole dataset Average number of domains at a given distance Statistical characterisation

27 27 Top-100 (band A) domain names ~10 domains (for each length) compared against whole dataset Average number of domains at a given distance Statistical characterisation

Download ppt "A Statistical Approach to Typosquatting Detection DNS Ops Workshop, 4-5 June 2008 Alessandro Linari and Oxford Brookes University."

Similar presentations

What makes an image memorable?

What makes an image memorable?
General Statistics Ch En 475 Unit Operations. Quantifying variables (i.e. answering a question with a number) 1. Directly measure the variable. - referred.

General Statistics Ch En 475 Unit Operations. Quantifying variables (i.e. answering a question with a number) 1. Directly measure the variable. - referred.
Editing and Imputing VAT Data for the Purpose of Producing Mixed- Source Turnover Estimates Hannah Finselbach and Daniel Lewis Office for National Statistics,

Editing and Imputing VAT Data for the Purpose of Producing Mixed- Source Turnover Estimates Hannah Finselbach and Daniel Lewis Office for National Statistics,
Typo-Squatting: a Nuisance or a Threat to Your Traffic? Mishari Almishari.

Typo-Squatting: a Nuisance or a Threat to Your Traffic? Mishari Almishari.
FTP Biostatistics II Model parameter estimations: Confronting models with measurements.

FTP Biostatistics II Model parameter estimations: Confronting models with measurements.
Prediction, Correlation, and Lack of Fit in Regression (§11. 4, 11

Prediction, Correlation, and Lack of Fit in Regression (§11. 4, 11
Record Linkage Simulation Biolink Meeting June 3 2013 Adelaide Ariel.

Record Linkage Simulation Biolink Meeting June Adelaide Ariel.
Alias Detection in Link Data Sets Master’s Thesis Paul Hsiung.

Alias Detection in Link Data Sets Master’s Thesis Paul Hsiung.
Advancing Wireless Link Signatures for Location Distinction J. Zhang, M. H. Firooz, N. Patwari, S. K. Kasera MobiCom’ 08 Presenter: Yuan Song.

Advancing Wireless Link Signatures for Location Distinction J. Zhang, M. H. Firooz, N. Patwari, S. K. Kasera MobiCom’ 08 Presenter: Yuan Song.
Lesson #17 Sampling Distributions. The mean of a sampling distribution is called the expected value of the statistic. The standard deviation of a sampling.

Lesson #17 Sampling Distributions. The mean of a sampling distribution is called the expected value of the statistic. The standard deviation of a sampling.
Accurately Detect Parked Domain Typo- squatting Attacks Mishari Almishari and Xiaowei Yang University of California, Irvine Donald Bren School of Information.

Accurately Detect Parked Domain Typo- squatting Attacks Mishari Almishari and Xiaowei Yang University of California, Irvine Donald Bren School of Information.
Typo-Squatting: a Nuisance or a Threat to Your Traffic? Mishari Almishari.

Typo-Squatting: a Nuisance or a Threat to Your Traffic? Mishari Almishari.
Geometric Crossovers for Supervised Motif Discovery Rolv Seehuus NTNU.

Geometric Crossovers for Supervised Motif Discovery Rolv Seehuus NTNU.
Chapter 41. 2 In Chapter 3… … we used stemplots to look at shape, central location, and spread of a distribution. In this chapter we use numerical summaries.

Chapter In Chapter 3… … we used stemplots to look at shape, central location, and spread of a distribution. In this chapter we use numerical summaries.
Statistical Treatment of Data Significant Figures : number of digits know with certainty + the first in doubt. Rounding off: use the same number of significant.

Statistical Treatment of Data Significant Figures : number of digits know with certainty + the first in doubt. Rounding off: use the same number of significant.
Knowledge is Power Marketing Information System (MIS) determines what information managers need and then gathers, sorts, analyzes, stores, and distributes.

Knowledge is Power Marketing Information System (MIS) determines what information managers need and then gathers, sorts, analyzes, stores, and distributes.
Chapter 6 Variance And Covariance. Studying sets of numbers as they are is unwieldy. It is usually necessary to reduce the sets in two ways: (1) by calculating.

Chapter 6 Variance And Covariance. Studying sets of numbers as they are is unwieldy. It is usually necessary to reduce the sets in two ways: (1) by calculating.
New gTLD Basics. 2  Overview about domain names, gTLD timeline and the New gTLD Program  Why is ICANN doing this; potential impact of this initiative.

New gTLD Basics. 2  Overview about domain names, gTLD timeline and the New gTLD Program  Why is ICANN doing this; potential impact of this initiative.
Ioannis Iglezakis Domain Names. The Domain Name System A domain name is an electronic address of a computer connected to the Internet. The actual address.

Ioannis Iglezakis Domain Names. The Domain Name System A domain name is an electronic address of a computer connected to the Internet. The actual address.
1 Revised: April 29, 2013. What is a Web Domain?  A HOSTNAME that identifies one or more IP addresses (web servers)  IP address (Internet Protocol)

1 Revised: April 29, What is a Web Domain?  A HOSTNAME that identifies one or more IP addresses (web servers)  IP address (Internet Protocol)

Similar presentations

Ads by Google