DNS Homographs Detection in the Wild

Monday, August 12, 2019 - 4:30 pm–5:00 pm

Femi Olumofin and Chhaya Choudhary, Infoblox


Since early 2000, when internationalized domain names (IDNs) gained traction, people have had more choices of characters to use for creating Internet domain names. Extending character choices beyond ASCII to Unicode provides the needed coverage for most of the world's writing systems. Unfortunately, the IDN mechanism also puts Internet users at risk of homograph attacks, as many Unicode characters have a strikingly similar or close visual appearance to ASCII characters. For example, through a clever choice of Unicode characters, anyone can create an "infoblox.com" domain, which looks indistinguishable from the legitimate ASCII-only "infoblox.com". The former domain is called a homograph or homoglyph, and the latter a target. The homograph in the example uses the Cyrillic small letter "o" instead of the ASCII "o". Attackers exploit the visual ambiguity or semblance that exists among many Unicode characters to create homographs that impersonate prized targets. Homograph domains damage the reputation of targets and pose a threat to users who visit them. Moreover, these attacks can be employed in various types of phishing scams to steal sensitive information or to gain access to protected resources.

In this talk, we will introduce DNS homograph attacks and provide some highlights of relevant background work to detect them. We will then describe how we trained and fielded a machine learning classifier for homographs detection, and share examples of homographs caught in the wild over several months of passive DNS data.
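The check below is an added example, not the speakers' machine learning classifier: a rule-based baseline that flags the kind of homograph the abstract describes by decoding Punycode labels as they appear in DNS data, folding look-alike characters to ASCII, and comparing the result with a watch list. The `CONFUSABLES` table, the `TARGETS` list and the function names are constructed assumptions; a real deployment would load the full Unicode confusables data.

```python
import unicodedata

# Constructed, deliberately small look-alike table (assumption).
CONFUSABLES = {
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}

TARGETS = {"infoblox.com"}  # constructed watch list of protected domains


def to_unicode(domain):
    """Decode xn-- (Punycode) labels, the form IDNs take in DNS, to Unicode."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed A-label: keep it unchanged
        labels.append(label)
    return ".".join(labels)


def skeleton(domain):
    """Fold compatibility forms, then map known look-alikes to ASCII."""
    folded = unicodedata.normalize("NFKC", domain)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def find_target(domain, targets=TARGETS):
    """Return the watch-list domain this name imitates, or None."""
    uni = to_unicode(domain)
    if uni.isascii():
        return None  # pure ASCII names, including the target itself
    skel = skeleton(uni)
    return skel if skel in targets else None
```

Skeleton matching only catches characters present in the table and exact matches against the watch list, so it serves as a baseline rather than a substitute for a trained classifier.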

Femi Olumofin, Infoblox

Femi Olumofin is currently a senior member of the data science and analytics team at Infoblox in the San Francisco Bay Area. He has made contributions to research and development in the areas of privacy enhancing technologies, security, applied cryptography, big data analytics, and machine learning. He holds a Ph.D. in Computer Science from the University of Waterloo in Canada.

Chhaya Choudhary, Infoblox

Chhaya Choudhary is currently working as a Data Scientist at Infoblox, Tacoma. She recently graduated with a Master's degree in Computer Science from the University of Washington. She has worked on solving challenging data problems involving malware detection and classification using Machine Learning and Deep Learning techniques. She has multiple accepted publications in the field of cybersecurity using AI/ML. Her master's thesis was about evaluating state-of-the-art DGA classifiers against adversarial examples using autoencoders and Generative Adversarial Networks.

@conference {238503,
author = {Femi Olumofin and Chhaya Choudhary},
title = {{DNS} Homographs Detection in the Wild},
year = {2019},
address = {Santa Clara, CA},
publisher = {{USENIX} Association},
month = aug,