Who Is .Com? Learning to Parse WHOIS Records

Who Is .Com? Learning to Parse WHOIS Records

Who is .com? Learning to Parse WHOIS Records Suqi Liu Ian Foster Stefan Savage [email protected] [email protected] [email protected] Geoffrey M. Voelker Lawrence K. Saul [email protected] [email protected] Department of Computer Science and Engineering University of California, San Diego ABSTRACT 1. INTRODUCTION WHOIS is a long-established protocol for querying information about Most common Internet protocols today offer standardized syntax the 280M+ registered domain names on the Internet. Unfortunately, and schemas. Indeed, it is the ability to easily parse and normal- while such records are accessible in a “human-readable” format, ize protocol fields that directly enables a broad array of network they do not follow any consistent schema and thus are challeng- measurement research (e.g., comparing and correlating from dis- ing to analyze at scale. Existing approaches, which rely on manual parate data sources including BGP route tables, TCP flow data and crafting of parsing rules and per-registrar templates, are inherently DNS measurements). By contrast, the WHOIS protocol—the sole limited in coverage and fragile to ongoing changes in data repre- source of information mapping domain names to their rich owner- sentations. In this paper, we develop a statistical model for parsing ship and administrative context—is standard only in its transport WHOIS records that learns from labeled examples. Our model is mechanism, while the format and contents of the registration data a conditional random field (CRF) with a small number of hidden returned varies tremendously among providers. This situation sig- states, a large number of domain-specific features, and parameters nificantly hampers large-scale analyses using WHOIS data, and even that are estimated by efficient dynamic-programming procedures those researchers who do use it commonly document the complexi- for probabilistic inference. We show that this approach can achieve ties and limitations in doing so [1, 7, 8, 17, 24, 25, 26]. While there extremely high accuracy (well over 99%) using modest amounts of are a number of open source and commercial WHOIS parsers avail- labeled training data, that it is robust to minor changes in schema, able, the lack of an underlying data schema requires them to con- and that it can adapt to new schema variants by incorporating just a stantly update hand-written parsing rules or templates, both limit- handful of additional examples. Finally, using our parser, we con- ing coverage and increasing fragility to format changes. For exam- duct an exhaustive survey of the registration patterns found in 102M ple, in one recent study of domain name registration, Janos reports com domains. that the tool used (PHPWhois) was only able to parse registrant in- formation for 65% of their data [25]. Overall, the situation is well summarized in a recent statement by the Coalition Against Unso- Categories and Subject Descriptors licited Commercial Email (CAUCE): I.5.4 [Pattern Recognition]: Applications—Text processing; C.2.3 [Computer-Communication Networks]: Network Operations— Currently whois is offered on something of a “hob- Public networks; K.4.1 [Computer and Society]: Public Policy byist” basis, particularly in TLDs that use the “thin” Issues whois model. At one provider it will use one format, while at other times and at other providers, it will use General Terms another. This lack of consistent formatting, along with restrictive access policies, makes whois access some- Measurement thing that’s only suitable for small scale interactive “craft” access rather than being a production-ready and Keywords robust service that’s appropriate for the volume of do- WHOIS; Named Entity Recognition; Machine Learning; Informa- mains and other resources involved in today’s domain tion Extraction name ecosystem [2]. In this paper, we offer a statistical, data-driven approach to tack- Permission to make digital or hard copies of all or part of this work for personal or WHOIS classroom use is granted without fee provided that copies are not made or distributed ling the parsing problem. Since such data is designed to be for profit or commercial advantage and that copies bear this notice and the full cita- “human-readable” [4], we hypothesize that modest amounts of la- tion on the first page. Copyrights for components of this work owned by others than beled data could be sufficient to train a more general model. To this ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or re- end, we show that conditional random fields (CRFs) [15]—a popu- publish, to post on servers or to redistribute to lists, requires prior specific permission lar class of models for problems in statistical language processing— and/or a fee. Request permissions from [email protected]. are particularly well-suited to the problem of parsing WHOIS records. IMC’15, October 28–30, 2015, Tokyo, Japan. 100 c 2015 ACM. ISBN 978-1-4503-3848-6/15/10 ...$15.00. Using a highly customized CRF, we show that random train- DOI: http://dx.doi.org/10.1145/2815675.2815693. ing examples are sufficient to obtain over 98% parsing accuracy on com WHOIS records and 1000 such examples brings accuracy 2.2 Through Thick and Thin to well over 99%. Historically, com is operated using a “thin” reg- At the core of this transition, domain registration was split into istry model that places no limits on format diversity and is, by far, two independent functions: registries, who managed the zone files the hardest top-level domain (TLD) to parse—yet, com accounts for their own top-level domains (TLDs), and registrars, who con- for 45% of all registered domains in the Internet. Moreover, we tracted with registries for the right to sell domains in their TLDs demonstrate that this model generalizes well to other TLDs and is to consumers. Thus, today Verisign operates the registry for com, robust in the sense that deviations or evolutions in data format are while GoDaddy is a registrar who sells com domains (among oth- incorporated into the model with a handful of additional labeled ers) to consumers. One of the complexities of this split was how examples. Finally, using our trained statistical parser, we systemat- to handle WHOIS data and two distinct proposals were introduced: ically crawl and parse the com WHOIS registration data. Using this “thick” registries and “thin” registries. Thick registries would cen- data set, our final contribution is to provide an initial characteriza- trally manage all registration data and thus a WHOIS query could tion of com registration data. return all available information. By contrast, thin registries would only maintain a subset of this information (particularly the iden- tity of the registrar, dates and status of registration, and the ad- 2. BACKGROUND dress of the responsible name servers). All other information, no- The WHOIS protocol was introduced in the early 1980s to pro- tably regarding the identity and nature of the registrant, would be vide directory information for domains, people and resources (e.g., maintained by the individual registrar who had been contracted for the IP address space). Over time it has become the principal mech- that domain. Thus, in thin registries, to obtain the full registration anism by which outside stakeholders associate registered domain record is a two step process: first querying the registry for the thin names with corresponding metadata such as the identity of the reg- record, extracting the designated registrar, and then sending an ad- istrar, the registrant and contact information for administrative and ditional WHOIS query to that registrar. At the time of this change, technical issues. Among these uses, ICANN identifies the follow- Network Solutions opted to create a thin registry for the TLDs it ing: allowing network administrators to find and fix system prob- managed: com, net and org.3 lems, determining domain name availability, combating inappro- This operational distinction, thick vs. thin, indirectly impacted priate uses such as spam or fraud, facilitating the identification of the diversity of schemes used for WHOIS data. Thick registries typ- trademark infringement and enhancing domain registrant account- ically created a single schema (driven by the operational needs of ability [14]. Unfortunately, for a variety of reasons, WHOIS data domain provisioning), and thus each such TLD exported a single is stored in a wide assortment of unstructured text formats and schema for all of its domains (and many such TLDs share schemas thus, while it is easily human readable, bulk systematic parsing due to the use of common software). By contrast, since thin reg- of WHOIS data is challenging in practice. Indeed, when the Na- istries did not store or manage this data, their registrars could for- tional Opinion Research Center (NORC) was contracted to study mat it as they saw fit. With many more registrars than registries WHOIS data accuracy for ICANN, they only examined 2,400 do- (there are over 1400 accredited registrars for com alone4 and an mains in com and net and admitted that “many domains need[ed] unknown number of unaccredited resellers), this delineation of re- to be parsed by hand” [13]. sponsibilities implicitly encouraged diversity of WHOIS schemas. In the remainder of this section, we briefly outline the evolution With the benefit of hindsight, there is widespread sentiment that of WHOIS operations, explain how this evolution has produced the the “thick” registry model is preferable—particularly due to the key data parsing challenges

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    12 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us