Field
This field is generally related to the domain name system (DNS) and domain name impersonation.
Related Art
A communication network allows data to be transferred between two different locations. To transmit data over a network, the data is often divided into pieces, known as packets or blocks. Each packet or block may have a destination network address, such as an internet protocol (IP) address that indicates a destination of the packet and intermediate forwarding devices where the packet should be routed. These addresses are typically numerical, difficult to remember, and may frequently change. Because of this difficulty, these addresses are frequently associated with a “domain name,” a readable string that is typically associated with the owner of one of the addresses. A domain name consists of substrings called “labels” which are delimited by dots, such as “www.example.com.”, where “www”, “example”, and “com” are the labels. When typed into a networking application, such as a web browser, the domain name is translated into an IP address that represents the true form of the destination network address. For example, the Google search engine is associated with a fully qualified domain name (FQDN) “www.google.com.”, and when typed into a web browser, this domain name may be translated into a numerical IP address such as “192.168.1.0”.
The DNS is the system that enables this translation. The DNS stores mappings between domain names and their respective IP addresses, tracks any changes in the mappings where domain names may be remapped to different IP addresses or vice versa, and performs the translation of a domain name to an IP address. The DNS is thus often referred to as a “phone book” for the internet, where domain names and their respective IP addresses are stored. The DNS translates domain names to IP addresses at the behest of a network application such as a web browser, so that a user of the network application can simply remember a domain name rather than a numerical IP address. The DNS may divide the domain space into a hierarchy with different organizations controlling different portions of the hierarchy. In different portions of the hierarchy, different name servers may store resource records that map domain names to network addresses.
To look up a network address from a domain name, the DNS may use resolvers that execute a sequence of queries to different name servers. For example, the sequence of queries to resolve www.example.com may start at the root name server, which indicates the address of the name server for the gTLD “.com”. Then, the DNS resolver may query the name server for the “.com” domain for the address of the name server for example.com. Then, the DNS resolver may query the name server for example.com for the address of www.example.com. In practice, so that a resolver does not need to go through the entire sequence for each request, the resolver may cache the addresses of the various name servers.
The DNS is subject to significant security concerns because of both the age of the DNS and the ingenuity of nefarious parties. In particular, creating a new entry in the DNS is fairly unregulated. A party may register a domain name and its respective IP address through a number of domain name registrar services, which are essentially private businesses that are certified to create new records in the DNS that map IP addresses and new domain names. Many new domain names are registered every day. Some domain names are registered for malicious purposes.
One of these malicious purposes can be broadly termed “domain name impersonation,” in which a nefarious party may register a new domain name in an attempt to fool common internet users into believing that the new domain name is associated with some well-known company or brand name. By impersonating a well-known entity, the nefarious party may trick internet users into directing their traffic to the party's own website or other server, where an illicit activity may be performed. When a user attempts to access that domain name, the DNS may translate that domain name to a network address (such as an IP address) that is completely unexpected by the user and that may exist for nefarious purposes.
The nefarious purposes could include introducing malware into the user's computer system or perpetrating a type of Internet-based confidence scam known as “phishing”. A phishing website may provide the appearance of a legitimate company to trick the user into revealing confidential personal information, such as passwords and credit card numbers. These nefarious actions can dilute the brand value of a particular company as their brand name and online presence comes to be thought of as untrustworthy.
Domain name impersonation can take on many forms that are designed to fool users with different tactics. For example, a nefarious party may register a new domain name that includes extraneous characters such as dashes of an otherwise well-known domain name. For example, a legitimate domain name “www.coca-cola.com” may be impersonated by another domain name with the same letters and additional dash characters, such as “www.co-ca-col-a.com”. A nefarious party may register a domain name that, when read, has a similar pronunciation to a brand name, e.g. “www.koka-kola.com”. In another instance, a domain name may be registered that replaces characters with different characters with a similar appearance, such as replacing a character for the letter “l” with character for the number “1”. This problem is also further compounded by the more recent advances towards internationalized domain names (IDNs), where characters from non-Latin alphabets may also be used in domain names and are translatable by the DNS. In all cases, these domain names may translate to IP addresses that may perform nefarious actions on the user visiting them.
Thus, systems and methods are needed to detect potential instances of domain name impersonation of a company's brands and domain names.