Detecting Homoglyph Attacks with a Siamese Neural Network

05/24/2018
by   Jonathan Woodbridge, et al.
0

A homoglyph (name spoofing) attack is a common technique used by adversaries to obfuscate file and domain names. This technique creates process or domain names that are visually similar to legitimate and recognized names. For instance, an attacker may create malware with the name svch0st.exe so that in a visual inspection of running processes or a directory listing, the process or file name might be mistaken as the Windows system process svchost.exe. There has been limited published research on detecting homoglyph attacks. Current approaches rely on string comparison algorithms (such as Levenshtein distance) that result in computationally heavy solutions with a high number of false positives. In addition, there is a deficiency in the number of publicly available datasets for reproducible research, with most datasets focused on phishing attacks, in which homoglyphs are not always used. This paper presents a fundamentally different solution to this problem using a Siamese convolutional neural network (CNN). Rather than leveraging similarity based on character swaps and deletions, this technique uses a learned metric on strings rendered as images: a CNN learns features that are optimized to detect visual similarity of the rendered strings. The trained model is used to convert thousands of potentially targeted process or domain names to feature vectors. These feature vectors are indexed using randomized KD-Trees to make similarity searches extremely fast with minimal computational processing. This technique shows a considerable 13 of area under the receiver operating characteristic curve (ROC AUC). In addition, we provide both code and data to further future research.

READ FULL TEXT

page 1

page 2

page 3

page 4

research
06/17/2023

GlyphNet: Homoglyph domains dataset and detection using attention-based Convolutional Neural Networks

Cyber attacks deceive machines into believing something that does not ex...
research
06/24/2020

PhishGAN: Data Augmentation and Identification of Homoglpyh Attacks

Homoglyph attacks are a common technique used by hackers to conduct phis...
research
09/02/2022

TypoSwype: An Imaging Approach to Detect Typo-Squatting

Typo-squatting domains are a common cyber-attack technique. It involves ...
research
10/10/2019

Would a File by Any Other Name Seem as Malicious?

Successful malware attacks on information technology systems can cause m...
research
03/21/2019

Scalable Similarity Joins of Tokenized Strings

This work tackles the problem of fuzzy joining of strings that naturally...
research
02/24/2019

MaskDGA: A Black-box Evasion Technique Against DGA Classifiers and Adversarial Defenses

Domain generation algorithms (DGAs) are commonly used by botnets to gene...
research
09/17/2019

ShamFinder: An Automated Framework for Detecting IDN Homographs

The internationalized domain name (IDN) is a mechanism that enables us t...

Please sign up or login with your details

Forgot password? Click here to reset