ParkedGuard: An Efficient and Accurate Parked Domain Detection System Using Graphical Locality Analysis and Coarse-To-Fine Strategy

Authors: Chia-Min Lai, Wan-Ching Lin, Hahn-Ming Lee, Ching-Hao Mao

Abstract:

As the Internet continues to develop, making a profit by lending registered domain names has emerged as a new business in recent years. Unfortunately, the larger the market for domain lending services becomes, the greater the risk that malicious behavior or malware hides behind parked domains. Moreover, previous work on differentiating parked domains suffers from two main defects: 1) too much data-collection effort and CPU latency needed for feature engineering, and 2) ineffectiveness when detecting parked domains containing external links, which are usually abused by hackers, e.g., in drive-by download attacks. To alleviate these defects without sacrificing practical usability, this paper proposes ParkedGuard, an efficient and accurate parked domain detector. Several scripting behavioral features were analyzed, and those with special statistical significance were adopted in ParkedGuard to make feature engineering much more cost-efficient. In addition, finding memberships between external links and parked domains was modeled as a graph mining problem, and a coarse-to-fine strategy was designed that leverages graphical locality, so that ParkedGuard outperforms the state of the art in terms of both recall and precision.

Keywords: Coarse-to-fine strategy, domain parking service, graphical locality analysis, parked domain.

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1130663

