A machine learning approach for detecting CNAME cloaking-based tracking on the Web

TL;DR

This paper presents a supervised machine learning method to detect CNAME cloaking-based tracking on websites without relying on on-demand DNS lookup APIs, outperforming existing filter lists.

Contribution

The authors develop a novel ML-based detection approach that works without DNS lookups and effectively identifies CNAME cloaking tracking sites and requests.

Findings

The approach achieves F1 scores of 0.790 for sites and 0.885 for requests.

It outperforms well-known tracking filter lists.

Features like script count and URL length are key discriminators.

Abstract

Various in-browser privacy protection techniques have been designed to protect end-users from third-party tracking. In an arms race against these counter-measures, the tracking providers developed a new technique called CNAME cloaking based tracking to avoid issues with browsers that block third-party cookies and requests. To detect this tracking technique, browser extensions require on-demand DNS lookup APIs. This feature is however only supported by the Firefox browser. In this paper, we propose a supervised machine learning-based method to detect CNAME cloaking-based tracking without the on-demand DNS lookup. Our goal is to detect both sites and requests linked to CNAME cloaking-related tracking. We crawl a list of target sites and store all HTTP/HTTPS requests with their attributes. Then we label all instances automatically by looking up CNAME record of subdomain, and applying wildcard matching based on well-known tracking filter lists. After extracting features, we build a supervised classification model to distinguish site and request related to CNAME cloaking-based tracking. Our evaluation shows that the proposed approach outperforms well-known tracking filter lists: F1 scores of 0.790 for sites and 0.885 for requests. By analyzing the feature permutation importance, we demonstrate that the number of scripts and the proportion of XMLHttpRequests are discriminative for detecting sites, and the length of URL request is helpful in detecting requests. Finally, we analyze concept drift by using the 2018 dataset to train a model and obtain a reasonable performance on the 2020 dataset for detecting both sites and requests using CNAME cloaking-based tracking.