A Case of Identity: Detection of Suspicious IDN Homograph Domains Using Active DNS Measurements

Ramin Yazdani, Olivier van der Toorn, Anna Sperotto

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

Abstract

The possibility to include Unicode characters in domain names allows users to deal with domains in their regional languages. This is done by introducing Internationalized Domain Names (IDN). However, the visual similarity between different Unicode characters - called homoglyphs - is a potential security threat, as visually similar domain names are often used in phishing attacks. Timely detection of suspicious homograph domain names is an important step towards preventing sophisticated attacks, since this can prevent unaware users from accessing those homograph domains that actually carry malicious content. We therefore propose a structured approach to identify suspicious homograph domain names based not on use, but on characteristics of the domain name itself and its associated DNS records. To achieve this, we leverage the OpenINTEL active DNS measurement platform, which performs a daily snapshot of more than 65% of the DNS namespace. In this paper, we first extend the existing Unicode homoglyph tables (confusion tables). This allows us to detect on average 2.97 times homograph domains compared to existing tables. Our proactive detection of suspicious IDN homograph domains provides an early alert that would help both domain owners as well as security researchers in preventing IDN homograph abuse.
Original language: English
Title of host publication: 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS & PW)
Place of Publication: Piscataway, NJ
Publisher: IEEE
Pages: 559-564
Number of pages: 6
ISBN (Electronic): 978-1-7281-8597-2
ISBN (Print): 978-1-7281-8598-9
Publication status: Published - 1 Sep 2020
Event: IEEE European Symposium on Security and Privacy Workshops 2020 - Genoa, Italy
Duration: 7 Sep 2020 to 11 Sep 2020

Conference

Conference: IEEE European Symposium on Security and Privacy Workshops 2020
Country: Italy
City: Genoa
Period: 7/09/20 to 11/09/20

Keywords

  • Homoglyph
  • IDN
  • Homograph attacks
  • Suspicious domains
  • Active DNS measurements
  • Cybersecurity
