Abstract: Systems and methods determine whether domain names are potentially maliciously registered variants of a set of monitored domain names. A computer system can receive domain names from a feed of newly registered domain names. For each received domain name, the computer system can generate a series of images of the domain name in different fonts and/or with various distortions applied thereto. The computer system can then transform the domain name images back to text via optical character recognition. Due to the differences in fonts and/or distortions applied to the generated images of the received domain name, the optical character recognition process can produce different text strings than the originally received domain name. The converted textual domain names are then analyzed to determine whether any one is sufficiently similar to a monitored domain name, indicating that the received domain name could be a malicious variant thereof.

Abstract: A system and method for characterizing a connection configuration of a client connecting to a computer system. The system can host a web service to which a client is redirected or connected to establish a client session between the client and the web service. The web service then actively and/or passively measures various attributes associated with the communication layers, such as latencies and/or configuration settings associated with each of the communication layers. Based on differences between the attributes of the communication layers, the computer system can characterize the client connection configuration. Various client connection configurations can include conventional connections, connections utilizing an external domain name service, connections through virtual private networks, connections through various proxies, and so on.

Abstract: Systems and methods determine whether domain names are potentially maliciously registered variants of a set of monitored domain names. A computer system can receive domain names from a feed of newly registered domain names. For each received domain name, the computer system can generate a series of images of the domain name in different fonts and/or with various distortions applied thereto. The computer system can then transform the domain name images back to text via optical character recognition. Due to the differences in fonts and/or distortions applied to the generated images of the received domain name, the optical character recognition process can produce different text strings than the originally received domain name. The converted textual domain names are then analyzed to determine whether any one is sufficiently similar to a monitored domain name, indicating that the received domain name could be a malicious variant thereof.

Abstract: Systems and methods determine whether domain names are potentially maliciously registered variants of a set of monitored domain names. A computer system can receive domain names from a feed of newly registered domain names. For each received domain name, the computer system can generate a series of images of the domain name in different fonts and/or with various distortions applied thereto. The computer system can then transform the domain name images back to text via optical character recognition. Due to the differences in fonts and/or distortions applied to the generated images of the received domain name, the optical character recognition process can produce different text strings than the originally received domain name. The converted textual domain names are then analyzed to determine whether any one is sufficiently similar to a monitored domain name, indicating that the received domain name could be a malicious variant thereof.

Abstract: A system and method for characterizing a connection configuration of a client connecting to a computer system. The system can host a web service to which a client is redirected or connected to establish a client session between the client and the web service. The web service then actively and/or passively measures various attributes associated with the communication layers, such as latencies and/or configuration settings associated with each of the communication layers. Based on differences between the attributes of the communication layers, the computer system can characterize the client connection configuration. Various client connection configurations can include conventional connections, connections utilizing an external domain name service, connections through virtual private networks, connections through various proxies, and so on.

Abstract: Systems and methods determine whether domain names are potentially maliciously registered variants of a set of monitored domain names. A computer system can receive domain names from a feed of newly registered domain names. For each received domain name, the computer system can generate a series of images of the domain name in different fonts and/or with various distortions applied thereto. The computer system can then transform the domain name images back to text via optical character recognition. Due to the differences in fonts and/or distortions applied to the generated images of the received domain name, the optical character recognition process can produce different text strings than the originally received domain name. The converted textual domain names are then analyzed to determine whether any one is sufficiently similar to a monitored domain name, indicating that the received domain name could be a malicious variant thereof.