
Graduate student: Wan-Ching Lin (林婉清)
Thesis title: ParkedGuard: An Improved Parked Domain Detection System
Advisor: Hahn-Ming Lee (李漢銘)
Oral defense committee: Albert B. Jeng (鄭博仁), Shin-Ming Cheng (鄭欣明), Feng-Tse Lin (林豐澤)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2016
Academic year of graduation: 104
Language: English
Number of pages: 58
Keywords (Chinese): domain parking, domain parking service
Keywords (English): parked domain, domain parking service

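Domain parking services are becoming increasingly mature. A domain parking service lets domain owners profit quickly and conveniently by combining domains with web advertisements, without having to worry about finding advertisers or building a website. Domain parking succeeds because domain owners can use a domain parking platform to generate web pages and advertisements on undeveloped domains, and split the fees paid by advertisers with the parking platform through those advertisements. Although domain parking services are popular, they still raise a number of security issues. Previous research has shown that the ways domain parking services earn profit involve many abuses and illicit activities that affect users, such as malware, inappropriate content, traffic fraud, and so on. In this study, our goal is to detect parked domains in order to reduce the threat that these abuses and illicit activities pose to users.

We provide a method that combines feature matching with a relation graph of domains and their external links to detect parked domains, especially "targeted parked domains". Targeted parked domains lack obvious parked-domain features on their pages, but can be detected through the relationships between domains and their external links. With this method, we developed a system for detecting parked domains, ParkedGuard. The method extracts the web page features of domains to label those domains, builds a relation graph from these domains and their external link relationships, and then uses the domain external link neighbor relationship algorithm proposed in this method to detect parked domains.

The results of this study show a recall rate better than that of previous research. This study makes the following contributions: (1) Improving the high-latency problem in computing web page features. (2) Creating a relation graph of domains and external links to facilitate detecting parked domains, especially targeted parked domains. (3) Proposing a domain external link neighbor relationship algorithm to detect parked domains, especially targeted parked domains. (4) Developing a system for detecting parked domains, ParkedGuard.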


Domain parking services have matured in recent years. A domain parking service makes it easier for domain owners to incorporate website advertisements (ads) without worrying about finding advertisers and setting up websites. Domain parking has become so successful because domain owners can not only stop worrying about putting ads on the website but also start making profits, simply because the advertiser pays a commission based on how many links have been visited. Although domain parking services have been around for many years, they also bring several security issues. Previous works found that the monetization chains of these services involve many abuses and illicit activities that affect users, such as malware, inappropriate content, and traffic spam. In this study, we focus on how to detect parked domains so that users can avoid the threats in domain parking services.

In this thesis, we propose a combination of a signature-based mechanism and a domain URL relation graph approach to detect parked domains, especially the “targeted parked domain”, which lacks the significant scripting behavior characteristics of a parked domain but can still be observed through its link relationships. Furthermore, we developed a system, called ParkedGuard, which implements the proposed method. First, the proposed mechanism extracts the scripting behavior features of the domain's website. Second, it labels the domains that are used in the domain URL relation graph, also called candidate domains. Third, it uses the relationships between the candidate domains and their external URL links to generate the domain URL relation graph. Finally, it uses an algorithm called Parked Domain URL Neighbors Detection, which detects whether a candidate domain is parked or not.

The experimental results show that the recall rate of our approach is better than that of the previous work. The proposed approach makes the following contributions: (1) Improving the high latency problem in calculating scripting behavior features; (2) Proposing a Domain URL Relation Graph Generator to detect targeted parked domains; (3) Proposing an algorithm called Parked Domain URL Neighbors Detection to detect parked domains, especially targeted parked domains; (4) Developing a system to detect parked domains, especially targeted parked domains.

Chinese Abstract
Abstract
Acknowledgements
1 Introduction
  1.1 Motivation
  1.2 Challenges and Goals
  1.3 Contributions
  1.4 The Outline of Thesis
2 Background
  2.1 Domain Parking Services
    2.1.1 Domain Owners
    2.1.2 Service Provider
    2.1.3 Advertisement Syndicators
    2.1.4 Advertiser
  2.2 Parked Domain Monetization Options
    2.2.1 Search Advertising
    2.2.2 Direct Navigation Traffic (Pay-Per Redirect)
  2.3 Illicit Activities in Domain Parking Services
    2.3.1 The Illicit Monetization of Parking Services
    2.3.2 The Abuse of Parking Services
  2.4 Parked Domain Analysis/Detection and Its Current Problem
3 Description of Parked Domain Detection based on Domain Relationship
  3.1 Scripting Behavior Feature Extracting
  3.2 Parked Domain Candidate Labeling
  3.3 Domain URL Relation Graph Generation
  3.4 Parked Domain URL Neighbors Detection
4 Experiments and Results
  4.1 Environment Design and Dataset
    4.1.1 Experiment Concept and Description
    4.1.2 Dataset Description
  4.2 Evaluation Metrics
  4.3 Effectiveness Analysis
    4.3.1 The Efficiency of ParkedGuard
    4.3.2 The Effectiveness of ParkedGuard
    4.3.3 Case Studies
  4.4 Experiment Discussion
  4.5 Limitations
5 Conclusions
  5.1 Conclusions
  5.2 Future Work

