Transcript Detecting Typo- squatting Domains Mishari Almishari
Detecting Typo squatting Domains
Mishari Almishari [email protected]
http://www.ics.uci.edu/~malmisha
Problem Definition & Goals
Typo-squatting refers to the act of intentionally registering domain names that are typographical errors of other well-known domain names to hijack their traffic, for traffic monetization, malicious,…etc.
Goals: Develop a methodology for automatically identifying typo squatting domains Quantify the amount of traffic hijacked by typo-squatters Develop a system that reduces access to typo-squatting domains
Detection Methodology
For a domain to be typo-squatting domain it must satisfies two criteria: Typo of a well-known target domain edit distance function more than 50% are false positives Hijacking Intention Dominant hijacking indicator is ads-listing (parked domain 88.5%) Developed a machine learning classifier to identify parked domain (accuracy 96%)
Measurements
Use 8-month DNS traces of UCI name resolvers to measure hijacked traffic Given a 500 well-known popular domains, we found 1,786 typo-squatting domains Total hits to those domains are 23,989 15%(12%) of squatting domains were not detected by Google (Yahoo) typo correctors
System Implementation
Integrate with Mozilla Firefox 2.0.0.9 as an add-ons extension Typo-squatting domains are detected on the fly Overhead is small For 100 typo domains, avg is 53 ms For 100 typo domains that are not squatting domains avg is 79 ms