Deepsquatting: Learning-Based Typosquatting Detection at Deeper Domain Levels

  • Paolo Piredda
  • Davide Ariu
  • Battista Biggio (email author)
  • Igino Corona
  • Luca Piras
  • Giorgio Giacinto
  • Fabio Roli
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10640)

Abstract

Typosquatting consists of registering Internet domain names that closely resemble legitimate, reputable, and well-known ones (e.g., Farebook instead of Facebook). This cyber-attack aims to distribute malware or to phish victims (i.e., steal their credentials) by mimicking the appearance of the targeted organisation's legitimate webpage. Most detection approaches proposed so far generate possible typo-variants of a legitimate domain, thereby creating blacklists that can be used to prevent users from accessing typo-squatted domains. Only a few studies have addressed typosquatting detection through passive Domain Name System (DNS) traffic analysis. In this work, we follow this approach and additionally exploit machine learning to learn a similarity measure between domain names capable of detecting typo-squatted ones in the analyzed DNS traffic. We validate our approach on a large-scale dataset consisting of 4 months of traffic collected from a major Italian Internet Service Provider.
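The following added example (not code from the paper) sketches the passive-DNS side of the idea: every label of an observed query name, at any domain level, is compared against a watch list. A fixed edit-distance threshold stands in for the paper's learned similarity measure, which the abstract does not specify; the watch list, the `examplebank` brand and the query names are constructed, and checking labels at every level is an assumed reading of "deeper domain levels".

```python
# Added illustration: a fixed edit-distance threshold replaces the learned similarity.
PROTECTED = {"facebook", "examplebank"}  # hypothetical watch list of brand labels

def osa_distance(a, b):
    """Edit distance with insert, delete, substitute and adjacent-swap operations."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition ("pl" <-> "lp") counts as one edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def flag_name(qname, max_dist=1):
    """Return (level, label, brand) hits; level 1 is the TLD, 2 the label left of it."""
    labels = qname.lower().rstrip(".").split(".")
    hits = []
    for level, label in enumerate(reversed(labels), 1):
        for brand in sorted(PROTECTED):
            # Distance 0 is the brand itself, not a typo, so it is skipped here.
            if 0 < osa_distance(label, brand) <= max_dist:
                hits.append((level, label, brand))
    return hits

def scan(qnames):
    """Map each flagged query name to its hits; clean names are omitted."""
    return {q: h for q in qnames if (h := flag_name(q))}

# Constructed sample of query names as they might appear in passive DNS logs.
SAMPLE = [
    "www.facebook.com",
    "www.farebook.com",
    "login.exampelbank.cdn.example.net",
    "mail.example.org",
]

if __name__ == "__main__":
    for name, hits in scan(SAMPLE).items():
        print(name, hits)
```

A blacklist of pre-generated variants checked only against the registered domain would not see the level-4 label in the third sample name, which is why the comparison here runs over every label.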

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Paolo Piredda (2)
  • Davide Ariu (1, 2)
  • Battista Biggio (1, 2), email author
  • Igino Corona (1, 2)
  • Luca Piras (1, 2)
  • Giorgio Giacinto (1, 2)
  • Fabio Roli (1, 2)

  1. Pluribus One, Cagliari, Italy
  2. Department of Electrical and Electronic Engineering, University of Cagliari, Cagliari, Italy