Abstract
The possibility to include Unicode characters in domain names allows users to deal with domains in their regional languages. This is done by introducing Internationalized Domain Names (IDN). However, the visual similarity between different Unicode characters - called homoglyphs - is a potential security threat, as visually similar domain names are often used in phishing attacks. Timely detection of suspicious homograph domain names is an important step towards preventing sophisticated attacks, since this can prevent unaware users to access those homograph domains that actually carry malicious content. We therefore propose a structured approach to identify suspicious homograph domain names based not on use, but on characteristics of the domain name itself and its associated DNS records. To achieve this, we leverage the OpenINTEL active DNS measurement platform, which performs a daily snapshot of more than 65% of the DNS namespace. In this paper, we first extend the existing Unicode homoglyph tables (confusion tables). This allows us to detect on average 2.97 times homograph domains compared to existing tables. Our proactive detection of suspicious IDN homograph domains provides an early alert that would help both domain owners as well as security researchers in preventing IDN homograph abuse.
Original language | English |
---|---|
Title of host publication | 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS & PW) |
Place of Publication | Piscataway, NJ |
Publisher | IEEE |
Pages | 559-564 |
Number of pages | 6 |
ISBN (Electronic) | 978-1-7281-8597-2 |
ISBN (Print) | 978-1-7281-8598-9 |
DOIs | |
Publication status | Published - 1 Sept 2020 |
Event | IEEE European Symposium on Security and Privacy Workshops 2020 - Virtual Event, Genoa, Italy Duration: 7 Sept 2020 → 11 Sept 2020 |
Conference
Conference | IEEE European Symposium on Security and Privacy Workshops 2020 |
---|---|
Country/Territory | Italy |
City | Genoa |
Period | 7/09/20 → 11/09/20 |
Keywords
- Homoglyph
- IDN
- Homograph attacks
- Suspicious domains
- Active DNS measurements
- Cybersecurity
- 22/3 OA procedure