同形异义的国际化域名检测与测量

Detecting and measuring IDN homograph attack

国际化域名为同形异义钓鱼攻击提供了一种便捷的途径.为进一步理解国际化域名被攻击者滥用的现状,设计了一种基于被动DNS数据集和图像相似度算法的轻量级测量系统,以研究目前国际化域名用于同形异义钓鱼攻击的现状.在检测阶段,系统从360被动DNS数据集中提取活跃国际化域名列表,采用基于指纹信息的图像相似度算法,检测国际化域名是否与知名域名形近.在测量阶段,分析同形异义的国际化域名注册信息,DNS请求规模,网站用途.结果显示,同形异义国际化域名被抢注的现象严重,已有172个国际化域名被攻击者滥用,包括钓鱼攻击,域名恶意停放服务等.国际化域名的品牌保护已经成为亟待解决的问题.

Internationalized domain names(IDNs) provid a convenient way for homograph phishing attack. To better understand the abusing of IDNs by an attacker,a light-weight detection system based on passive DNS data and graph similarity fingerprint algorithm is proposed to identify IDN homograph domains. At the detection stage,active IDNs are extracted from 360 passive DNS data,and the similarity with the famous domain name is analyzed by a graph similarity algorithm based on fingerprint information. At the measurement stage,the domain names with the register information,DNS query number and content types of web sites are analyzed. The experimental results show that,IDN cybersquatting is a serious problem in real world,172 IDNs have been used toward malicious activities,including phishing and malicious domain parking,etc. There is an urgent need for a better regulation of domain brand protection.