Detecting Typo-squatting Domains Mishari Almishari


1 Detecting Typo-squatting Domains Mishari Almishari malmisha@ics.uci.edu http://www.ics.uci.edu/~malmisha

2 Problem Definition & Goals
Typo-squatting refers to the act of intentionally registering domain names that are typographical errors of other well-known domain names in order to hijack their traffic, for traffic monetization, malicious purposes, etc.
Goals:
- Develop a methodology for automatically identifying typo-squatting domains
- Quantify the amount of traffic hijacked by typo-squatters
- Develop a system that reduces access to typo-squatting domains

3 Detection Methodology
For a domain to be a typo-squatting domain, it must satisfy two criteria:
- Typo of a well-known target domain
  - Edit distance function
  - More than 50% are false positives
- Hijacking intention
  - Dominant hijacking indicator is ads-listing (parked domain 88.5%)
  - Developed a machine learning classifier to identify parked domains (accuracy 96%)
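The first criterion on slide 3, sketched as an added example (not code from the presentation): a queried name is flagged as a typo candidate when it is within a small edit distance of a well-known target. The distance variant (optimal string alignment, which counts an adjacent swap as one edit), the threshold of 1, the `www.` stripping and the target list are assumptions. The slide notes that more than 50% are false positives, so a hit is only a candidate until the hijacking-intention criterion is checked.

```python
# Added example: typo-candidate stage only. TARGETS is a constructed list;
# the presentation used 500 well-known popular domains.
TARGETS = ["google.com", "yahoo.com", "example.com"]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion,
    substitution and adjacent transposition each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1,         # delete from a
                         cur[j - 1] + 1,      # insert into a
                         prev[j - 1] + cost)  # substitute / match
            # adjacent swap, e.g. "gogole" vs "google"
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def normalize(name: str) -> str:
    """Lower-case, drop the trailing root dot and a leading 'www.'."""
    name = name.strip().lower().rstrip(".")
    return name[4:] if name.startswith("www.") else name


def typo_candidates(queried: str, targets=TARGETS, max_dist: int = 1):
    """Return [(target, distance)] for targets the queried name nearly matches.
    An exact match to any target is the real site, not a typo."""
    q = normalize(queried)
    if q in targets:
        return []
    hits = []
    for t in targets:
        if abs(len(q) - len(t)) > max_dist:  # cheap length pre-filter
            continue
        d = osa_distance(q, t)
        if d <= max_dist:
            hits.append((t, d))
    return hits


if __name__ == "__main__":
    # Constructed sample queries
    for name in ["gogole.com", "www.gooogle.com", "yaho.com", "Yahoo.com.", "openbsd.org"]:
        print(name, typo_candidates(name))
```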

4 Measurements
- Use 8-month DNS traces of UCI name resolvers to measure hijacked traffic
- Given 500 well-known popular domains, we found 1,786 typo-squatting domains
- Total hits to those domains are 23,989
- 15% (12%) of squatting domains were not detected by Google (Yahoo) typo correctors

5 System Implementation
- Integrate with Mozilla Firefox 2.0.0.9 as an add-on extension
- Typo-squatting domains are detected on the fly
- Overhead is small
  - For 100 typo domains, avg is 53 ms
  - For 100 typo domains that are not squatting domains, avg is 79 ms

