ParkedGuard: An Efficient and Accurate Parked Domain Detection System Using Graphical Locality Analysis and Coarse-To-Fine Strategy

As the worldwide Internet continues to develop, making a profit by lending registered domain names has emerged as a new business in recent years. Unfortunately, the larger the market for domain lending services becomes, the greater the risk that malicious behavior or malware hides behind parked domains. Moreover, previous work on differentiating parked domains suffers from two main defects: 1) too much data-collection effort and CPU latency needed for feature engineering, and 2) ineffectiveness at detecting parked domains containing external links, which are usually abused by hackers, e.g., in drive-by download attacks. To alleviate these defects without sacrificing practical usability, this paper proposes ParkedGuard, an efficient and accurate parked domain detector. Several scripting behavioral features were analyzed, and those with special statistical significance were adopted in ParkedGuard to make feature engineering much more cost-efficient. In addition, finding memberships between external links and parked domains was modeled as a graph mining problem, and a coarse-to-fine strategy was elaborately designed to leverage graphical locality, such that ParkedGuard outperforms the state of the art in terms of both recall and precision rates.



