Presentation is loading. Please wait.

Presentation is loading. Please wait.

Parking Sensors: Analyzing and Detecting Parked Domains

Published byBlaze McKenzie Modified over 9 years ago

Similar presentations

Presentation on theme: "Parking Sensors: Analyzing and Detecting Parked Domains"— Presentation transcript:

1 Parking Sensors: Analyzing and Detecting Parked Domains
NDSS 2015 Thomas Vissers, Wouter Joosen , Nick Nikiforakis Presented by Yi Yuan Networking and Distributed System Security

2 Motivation Domain names Domainers Domain parking services
- First-come first-serve  one for each person/company  paying model Domainers - selling domain names : wine.com casino.com - Pay-Per-Click Domain parking services - incorporate ads on their domains - no worrying about finding advertisers and setting up contracts.

3 Outline Background Domain Parking Ecosystem Analysis of Parked Domains
-Motivation, related works, contributions. Domain Parking Ecosystem Analysis of Parked Domains Detecting Parked Domains - classifier with evaluation Discussion and Conclusion

4 Related Works Alrwais et al. studied domain parking form the point of view of advertiser and domain owner: hiding clicks, click fraud[1] - only focus on the abuse against advertiser. Almishar et al. developed a classifier for “ads-portal” domains in 2008: tyopsquatting abuse [2] - did not incorporate HAR features - did not take into account redirection, no in-depth frame analysis Typosquatting research -51% of all the possible tyopsquatting domains of websites in the Alexa top 10,000 were registered and active in [3] - 63% of tyopsquatting domains were using Google PPC ads. [4]

5 Contributions: Study of domain parking services, mapping out the entire ecosystem: focus on everyday web users Parked pages expose the user to a series of dangers: malware, scams and inappropriate content Present of an large number of tyopsquatting domains and demonstrate the lack of control Propose a classifier for detecting parked pages

6 Domain Parking Ecosystem

7 Domain Parking Ecosystem
How do users end up on parked domains? Typosquatting: wikipdeia.org  wikipedia.org “guess” domain name Gather Parked Domains a survey amongst Domainers, the top results of Alexa.com and Google.com when querying for domain parking, and a thread from a popular domaining forum  collection of 15 services Search the record of DNS Census dataset (2.5 billion DNS records) Match the configurations of 15 services Total 8,064,914 actively parked domains from the 15 services

8 Domain Parking Ecosystem

9 Domain Parking Ecosystem

10 Domain Parking Ecosystem

11 Analysis of Parked Domains
Parked Domain Owners Request WHOIS data from 3k randomly-selected parked domains Filter out the records: anonymized or unpassable Extract information & group together: same name, address… Merge clusters of domains: same individual or organization Results: 910 distance domain owners with 1,582 parked domains

12 Analysis of Parked Domains

13 Analysis of Parked Domains
Advertisement Syndicators Advertising: pay-per-click (PPC) - user  domain owner, domain parking service Third-party ad syndicators - easier, more scalable Sampled 3k parked domains - Crawl those domains, and inspected their source code - AdSense, DoubleClick, Media.net and Chango

14 Analysis of Parked Domains
Doubleclick(90%+1.1%) Adsense (88%+1.2%), both google products Google stopped their own hosted parking service due to lawsuits. At same time, google start to keep parked pages away from its search results. .

15 Analysis of Parked Domains
Typosquatting abuse Typosquatting sites are illegal under the AntiCybersquatting Consumer Protection Act (ACPA) eg: vacebook.com  facebook.com Reverse-typo transformation Two example: missing-dot: wwwfacebook.com  Character-insertion:  Apply reverse-typo transformation to the 8 million parked domains Total 131,673 tyopsquatting domains (1.63%).

16 Analysis of Parked Domains
Parking a tyopsquatting Domain experiment Register a tyopsquatting domain: stcakoverflow.com stackoverflow.com Domain name was owned by a typo-squatter but expired Both four services need verification But not a single service denied the submission of this abusive domain According to the services’ statistics, parking page was receiving victors daily Result Taking advantage of squatting domains appears to be part of domain parking services everyday operations.

17 Analysis of Parked Domains
Trademark abuse Typosquatting domains belong to the trademark abuse category Eg: facebookonline.com  facebook.com Randomly selected 500 parked domains 79 (16%+/-3.2%) of 500 were abusing trademarking 29 (6%+/-2%) of domains abusing existing trademark, displayed advertisements of competitor.

18 Analysis of Parked Domains
Malicious redirections Domain parking companies help visitor by showing tem relevant advertising links: true for domains without trademark or tyopsquatting issue Three types of malicious redirection Malware - host may download executable that are flagged as malware - convince visitor to download a malicious update their Flash player or browser. Scams - Persuade users to hand over sensitive info such as SSN - Claims that the visitor’s computer is infected with malware Adult websites

19 Analysis of Parked Domains
Detecting and Bypassing Ad-Blockers Ad-blocking extension Domain parking services attempt to detect and bypass advertising blockers: NameDriver: Additional detection mechanism for ad blockers Fabulous.com: Contain JavaScript code that verifies whether the JavaScript object named google exists.

20 Detecting Parked Domains
Gathering data 3k random sample from parked page, 3k pages from the Alexa top 1 million Crawl 6k pages and collect data from serval different sources. Gather the HTML source code Record a trace of all HTTP requests initiated by the web page (HAR),chains of main page and every frame Inspect properties of all domain itself such as tyopsquatting occurrence and WHOIS records. Extract feature that can serve as input for classifier

21 Detecting Parked Domains
Feature set HTML features: Average and maximum link length Average source length External link and external source ratio Website directory presence. Link-to-global text ratio Amount of non-link characters Text-to-HTML ratio Redirection mechanisms

22 Detecting Parked Domains
Feature set HAR features Third-party requests ratio Third-party data ratio Third-party HTML content ratio Initial response size and ratio

23 Detecting Parked Domains
Feature set Frame features Amount of frames Main frame and iframe redirections Different final domain Domain name feature Typosquatting domain

24 Detecting Parked Domains
Classification Learning method: Use Random Forest algorithm Decision trees Quick in the detection phase

25 Detecting Parked Domains
Classification Dataset handling: Train and test dataset: 2/3 train data, ½ test data Data transformation: remove outlier and extreme values from training set Omitted features: remove two feature which are less discriminative and reduce performance.

26 Detecting Parked Domains
Classification Evaluation: Using Random Forest with 10-fold cross validation 1000 unseen parked and 1000 unseen benign instances. Two threshold points: 0.5 and 0.7

27 Detecting Parked Domains

28 Detecting Parked Domains
Classification Detection Evasion: Decrease the relative presence of third-party advertising by either providing a large portion of first0party content for each domain Redirection chains and mechanism are tracked in every frame, so the PPR would need to be abandoned. Typosquatting domains could be excluded from parked domain to reduce detection Domain parking industry would either be forced to a more legal business model or lose its remaining exposure to users.

29 Discussion Limited added value to the web
Business climate for Domainers has changed Advances in browser technologies: reduced type-in traffic for parking pages Adoption of ad-blocking tools Google decided to exclude parked domains from Google’s search results. Typosquatting domains are still a regular part of business model Redirected to malware, scams and adult material: pay more than legal redirections. Domain parking has become a threat for all users on web as well as for the legal advertising industry

30 Conclusion Ecosystem of domain parking
identify popular parking services, types of parked domains, advertising content Multiple types of abuse: malware, scams, adult pages Discover tyopsquatting domains can be monetized through domain parking Design and built a classifier Opinion

31 Quiz Name four different parties in ecosystem of domain parking.
What is the role of threshold in the classifier? Authors pointed that domain parking had become a threat for all users on the web as well as for the legal advertising industry, what do you think?(open)

32 References List [1] S. Alrwais, K. Yuan, E. Alowaisheq, Z. Li, and X. Wang, “Understanding the Dark Side of Domain Parking,” in Proceedings of the 23rd USENIX Security Symposium, 2014 [2] M. Almishari and X. Yang, “Ads-portal domains: Identification and measurements,” ACM Transactions on the Web (TWEB), vol. 4, no. 2, p. 4, [3] Y.-M. Wang, D. Beck, J. Wang, C. Verbowski, and B. Daniels, “Strider typo-patrol: discovery and analysis of systematic typo-squatting,” in Proceedings of the 2nd conference on Steps to Reducing Unwanted Traffic on the Internet - Volume 2, ser. SRUTI’06. Berkeley, CA, USA: USENIX Association, [4] ] T. Moore and B. Edelman, “Measuring the perpetrators and funders of typosquatting,” in Financial Cryptography and Data Security, vol. 6052, 2010, pp. 175–191.

33 Question?

Download ppt "Parking Sensors: Analyzing and Detecting Parked Domains"

Similar presentations

PhishZoo: Detecting Phishing Websites By Looking at Them

PhishZoo: Detecting Phishing Websites By Looking at Them
TrustPort Net Gateway Web traffic protection. WWW.TRUSTPORT.COM Keep It Secure Contents Latest security threats spam and malware Advantages of entry point.

TrustPort Net Gateway Web traffic protection. Keep It Secure Contents Latest security threats spam and malware Advantages of entry point.
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
Typo-Squatting: a Nuisance or a Threat to Your Traffic? Mishari Almishari.

Typo-Squatting: a Nuisance or a Threat to Your Traffic? Mishari Almishari.
Understanding and Detecting Malicious Web Advertising

Understanding and Detecting Malicious Web Advertising
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Report : 鄭志欣 Advisor: Hsing-Kuo Pao 1 Learning to Detect Phishing Emails I. Fette, N. Sadeh, and A. Tomasic. Learning to detect phishing emails. In Proceedings.

Report : 鄭志欣 Advisor: Hsing-Kuo Pao 1 Learning to Detect Phishing s I. Fette, N. Sadeh, and A. Tomasic. Learning to detect phishing s. In Proceedings.
Design and Evaluation of a Real-Time URL Spam Filtering Service

Design and Evaluation of a Real-Time URL Spam Filtering Service
Cloak and Dagger. In a nutshell… Cloaking Cloaking in search engines Search engines’ response to cloaking Lifetime of cloaked search results Cloaked pages.

Cloak and Dagger. In a nutshell… Cloaking Cloaking in search engines Search engines’ response to cloaking Lifetime of cloaked search results Cloaked pages.
 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.

 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Accurately Detect Parked Domain Typo- squatting Attacks Mishari Almishari and Xiaowei Yang University of California, Irvine Donald Bren School of Information.

Accurately Detect Parked Domain Typo- squatting Attacks Mishari Almishari and Xiaowei Yang University of California, Irvine Donald Bren School of Information.
Typo-Squatting: a Nuisance or a Threat to Your Traffic? Mishari Almishari.

Typo-Squatting: a Nuisance or a Threat to Your Traffic? Mishari Almishari.
Verma - ICISS 2014 R easoning M ining NLP Defense Rakesh M. Verma ReMiND Laboratory Catching Classical and Hijack-based Phishing Attacks.

Verma - ICISS 2014 R easoning M ining NLP Defense Rakesh M. Verma ReMiND Laboratory Catching Classical and Hijack-based Phishing Attacks.
Prophiler: A fast filter for the large-scale detection of malicious web pages Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2011/03/31 1.

Prophiler: A fast filter for the large-scale detection of malicious web pages Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2011/03/31 1.
Www.infotech.monash.edu SIEVE—Search Images Effectively through Visual Elimination Ying Liu, Dengsheng Zhang and Guojun Lu Gippsland School of Info Tech,

SIEVE—Search Images Effectively through Visual Elimination Ying Liu, Dengsheng Zhang and Guojun Lu Gippsland School of Info Tech,
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
With Internet Explorer 9 Getting Started© 2013 Pearson Education, Inc. Publishing as Prentice Hall1 Exploring the World Wide Web with Internet Explorer.

With Internet Explorer 9 Getting Started© 2013 Pearson Education, Inc. Publishing as Prentice Hall1 Exploring the World Wide Web with Internet Explorer.
Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.

Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.

Similar presentations

Ads by Google