Detecting and mitigating registrar collusion in drop-add acquisitions of domain names

US 10,375,017 B2
Filed: 12/31/2015
Issued: 08/06/2019
Est. Priority Date: 12/31/2015
Status: Active Grant

First Claim

Patent Images

1. A system for detecting domain name system (DNS) registrar collusion, comprising:

a collusion detector at a DNS registry; and

a non-transitory memory storing instructions that, when executed by at least one processor of the collusion detector, cause the collusion detector to perform a method comprising;

obtaining information related to a plurality of name acquisition requests, wherein a plurality of DNS registrars submit the plurality of name acquisition requests attempting to acquire one or more targeted domain names in a drop pool of expired domain names, wherein the drop pool of expired domain names comprises one or more domain names that are scheduled to be dropped from the DNS registry after a registration period of each of the one or more domain names has expired;

providing, for the plurality of DNS registrars, a plurality of attempt sets containing the one or more targeted domain names, wherein the plurality of attempt sets each contains at least one targeted domain name that a respective DNS registrar of the plurality of DNS registrars attempted to acquire via at least one of the plurality of name acquisition requests;

determining a similarity of overlap between two or more attempt sets of the plurality of attempt sets corresponding to a pair of DNS registrars of the plurality of DNS registrars;

estimating a likelihood of collusion between the pair of DNS registrars based on the similarity; and

performing mitigation actions in response to the likelihood of collusion.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and method for detecting domain name system (DNS) registrar collusion include a collusion detector at a registry. The collusion detector obtains information related to name acquisition requests submitted by DNS registrars attempting to acquire domain names in a drop pool of expired domain names and provides attempt sets containing the domain names targeted by the DNS registrars for acquisition. Each attempt set contains at least one targeted domain name that a respective DNS registrar attempted to acquire via at least one name acquisition request. The collusion detector determines a degree of similarity between two or more attempt sets corresponding to a pair of the DNS registrars, estimates a likelihood of collusion between the pair of DNS registrars based on the degree of similarity, and performs any mitigation action warranted by the likelihood of collusion.

11 Citations

View as Search Results

20 Claims

1. A system for detecting domain name system (DNS) registrar collusion, comprising:
- a collusion detector at a DNS registry; and
  
  a non-transitory memory storing instructions that, when executed by at least one processor of the collusion detector, cause the collusion detector to perform a method comprising;
  
  obtaining information related to a plurality of name acquisition requests, wherein a plurality of DNS registrars submit the plurality of name acquisition requests attempting to acquire one or more targeted domain names in a drop pool of expired domain names, wherein the drop pool of expired domain names comprises one or more domain names that are scheduled to be dropped from the DNS registry after a registration period of each of the one or more domain names has expired;
  
  providing, for the plurality of DNS registrars, a plurality of attempt sets containing the one or more targeted domain names, wherein the plurality of attempt sets each contains at least one targeted domain name that a respective DNS registrar of the plurality of DNS registrars attempted to acquire via at least one of the plurality of name acquisition requests;
  
  determining a similarity of overlap between two or more attempt sets of the plurality of attempt sets corresponding to a pair of DNS registrars of the plurality of DNS registrars;
  
  estimating a likelihood of collusion between the pair of DNS registrars based on the similarity; and
  
  performing mitigation actions in response to the likelihood of collusion.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein the instructions cause the collusion detector to further perform providing the plurality of attempt sets by:
    - analyzing the plurality of attempt sets for highly targeted domain names, wherein the highly targeted domain names are targeted by at least a predetermined number of the plurality of DNS registrars; and
      
      filtering the two or more attempt sets to exclude the highly targeted domain names to provide two or more filtered attempt sets.
  - 3. The system of claim 1, wherein the instructions cause the collusion detector to further perform determining the similarity by:
    - determining an overlap between two or more attempt sets of the plurality of attempt sets corresponding to the pair of DNS registrars.
  - 4. The system of claim 1, wherein the instructions cause the collusion detector to further perform determining the similarity by:
    - determining an overlap between two or more attempt sets of the plurality of attempt sets corresponding to the pair of DNS registrars and a timeslot.
  - 5. The system of claim 1, wherein the instructions cause the collusion detector to further perform determining the similarity by:
    - performing a longitudinal analysis of two or more attempt sets of the plurality of attempt sets corresponding to the pair of DNS registrars and a plurality of timeslots longitudinal across a period of time.
  - 6. The system of claim 1, wherein the instructions cause the collusion detector to further perform determining the similarity by:
    - generating a heat map indicating registrar overlap based on the two or more attempt sets corresponding to pairs of the plurality of DNS registrars, wherein x- and y-axes of the heat map each corresponds to the plurality of DNS registrars; and
      
      determining the similarity between the pairs of DNS registrars based on the heat map.
  - 7. The system of claim 1, wherein the plurality of name acquisition requests include a plurality of Extensible Provisioning Protocol requests.
  - 8. The system of claim 1, wherein the instructions cause the collusion detector to further perform:
    - filtering the one or more targeted domain names to include only domain names that the plurality of DNS registrars attempted to acquire during one or more timeslots.
  - 9. The system of claim 1, wherein the instructions cause the collusion detector to further perform:
    - filtering the one or more targeted domain names to include only domain names that are in at least one top-level domain.
  - 10. The system of claim 1, wherein the instructions cause the collusion detector to further perform:
    - filtering the one or more targeted domain names to exclude domain names that are in at least one top-level domain.
  - 11. The system of claim 1, wherein the instructions cause the collusion detector to further perform providing the plurality of attempt sets by:
    - removing duplicate domain names in each attempt set of the plurality of attempt sets.
  - 12. The system of claim 1, wherein the instructions cause the collusion detector to further perform:
    - determining that the likelihood of collusion between the two or more DNS registrars satisfies a predetermined threshold; and
      
      blocking at least one name acquisition request from at least one of the two or more DNS registrars.

13. A method for detecting domain name system (DNS) registrar collusion, the method comprising:
- obtaining information related to a plurality of name acquisition requests, wherein a plurality of DNS registrars submit the plurality of name acquisition requests attempting to acquire one or more targeted domain names in a drop pool of expired domain names, wherein the drop pool of expired domain names comprises one or more domain names that are scheduled to be dropped from the DNS registry after a registration period of each of the one or more domain names has expired;
  
  providing, for the plurality of DNS registrars, a plurality of attempt sets containing the one or more targeted domain names, wherein the plurality of attempt sets each contains at least one targeted domain name that a respective DNS registrar of the plurality of DNS registrars attempted to acquire via at least one of the plurality of name acquisition requests;
  
  determining a similarity of overlap between two or more attempt sets of the plurality of attempt sets corresponding to a pair of DNS registrars of the plurality of DNS registrars;
  
  estimating a likelihood of collusion between the pair of DNS registrars based on the similarity; and
  
  performing mitigation actions in response to the likelihood of collusion.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The method of claim 13, wherein providing the plurality of attempt sets further comprises:
    - analyzing the plurality of attempt sets for highly targeted domain names, wherein the highly targeted domain names are targeted by at least a predetermined number of the plurality of DNS registrars; and
      
      filtering the two or more attempt sets to exclude the highly targeted domain names to provide two or more filtered attempt sets.
  - 15. The method of claim 13, wherein determining the similarity further comprises:
    - determining an overlap between two or more attempt sets of the plurality of attempt sets corresponding to the pair of DNS registrars.
  - 16. The method of claim 13, wherein determining the similarity further comprises:
    - determining an overlap between two or more attempt sets of the plurality of attempt sets corresponding to the pair of DNS registrars and a timeslot.
  - 17. The method of claim 13, wherein determining the similarity further comprises:
    - performing a longitudinal analysis of two or more attempt sets of the plurality of attempt sets corresponding to the pair of DNS registrars and a plurality of timeslots longitudinal across a period of time.
  - 18. The method of claim 13, further comprising:
    - filtering the one or more targeted domain names to include only domain names that the plurality of DNS registrars attempted to acquire during one or more timeslots.
  - 19. The method of claim 13, further comprising:
    - filtering the one or more targeted domain names to include only domain names that are in at least one top-level domain.

20. A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor at a domain name system (DNS) registry, causes the at least one processor to execute a method for detecting DNS registrar collusion, the method comprising:
- obtaining information related to a plurality of name acquisition requests, wherein a plurality of DNS registrars submit the plurality of name acquisition requests attempting to acquire one or more targeted domain names in a drop pool of expired domain names, wherein the drop pool of expired domain names comprises one or more domain names that are scheduled to be dropped from the DNS registry after a registration period of each of the one or more domain names has expired;
  
  providing, for the plurality of DNS registrars, a plurality of attempt sets containing the one or more targeted domain names, wherein the plurality of attempt sets each contains at least one targeted domain name that a respective DNS registrar of the plurality of DNS registrars attempted to acquire via at least one of the plurality of name acquisition requests;
  
  determining a similarity of overlap between two or more attempt sets of the plurality of attempt sets corresponding to a pair of DNS registrars of the plurality of DNS registrars;
  
  estimating a likelihood of collusion between the pair of DNS registrars based on the similarity; and
  
  performing mitigation actions in response to the likelihood of collusion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VeriSign, Inc.
Original Assignee
VeriSign, Inc.
Inventors
Kakhki, Arash Molavi, West, Andrew, Jawalkar, Nipun, Russo, Vincenzo
Primary Examiner(s)
Lazaro, David R
Assistant Examiner(s)
Shitayewoldetadik, Berhanu

Application Number

US14/985,569
Publication Number

US 20170195285A1
Time in Patent Office

1,314 Days
Field of Search

709245, 709232
US Class Current
CPC Class Codes

H04L 61/3005   Mechanisms for avoiding nam...

H04L 61/302   Administrative registration...

H04L 61/3025   Domain name generation or a...

H04L 61/4511   using domain name system [DNS]

Detecting and mitigating registrar collusion in drop-add acquisitions of domain names

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

11 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Detecting and mitigating registrar collusion in drop-add acquisitions of domain names

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others