PunyVis: A Visual Analytics Approach for Identifying Homograph Phishing Attacks
| Published in: | IEEE Symposium on Visualization for Cyber Security (VIZSEC) (Online) pp. 1 - 10 |
|---|---|
| Main authors: | Fouss, Brett; Ross, Dennis M.; Wollaber, Allan B.; Gomez, Steven R. |
| Format: | Conference paper |
| Language: | English |
| Published: | IEEE, 01.10.2019 |
| Subjects: | |
| ISSN: | 2639-4332 |
| Abstract | Attackers seeking to deceive web users into visiting malicious websites can exploit limitations of the tools intended to help browsers translate domain names containing non-ASCII characters, or internationalized domain names (IDNs). These attacks, called homograph phishing, involve registering Unicode domain names that are visually similar to legitimate ones but direct users to distinct servers. Tools exist to identify when domains use non-ASCII characters, which get translated by the Punycode protocol to work with the Domain Name System (DNS); however, these tools cannot automatically distinguish between benign use cases and ones with malicious intent, leading to high rates of false-positive alerts and increasing the workload of analysts looking for evidence of homograph phishing. To address this problem, we present PunyVis, a visual analytics system for exploring and identifying potential homograph attacks on large network datasets. By targeting instances of Punycode that use easily-confusable ASCII characters to spoof popular websites, PunyVis quickly condenses large datasets into a small number of potentially malicious records. Using the interactive tool, analysts can evaluate potential phishing instances and view supporting information from multiple data sources, as well as gain insight about overall risk and threat regarding homograph attacks. We demonstrate how PunyVis supports analysts in a case study with domain experts, and identified divergent analysis strategies and the need for interactions that support how analysts begin exploration and pivot around hypotheses. Finally, we discuss design implications and opportunities for cyber visual analytics. |
|---|---|
| Author | Fouss, Brett; Gomez, Steven R.; Wollaber, Allan B.; Ross, Dennis M. |
| Author_xml | – sequence: 1 givenname: Brett surname: Fouss fullname: Fouss, Brett organization: MIT Lincoln Laboratory – sequence: 2 givenname: Dennis M. surname: Ross fullname: Ross, Dennis M. organization: MIT Lincoln Laboratory – sequence: 3 givenname: Allan B. surname: Wollaber fullname: Wollaber, Allan B. organization: MIT Lincoln Laboratory – sequence: 4 givenname: Steven R. surname: Gomez fullname: Gomez, Steven R. organization: MIT Lincoln Laboratory |
| ContentType | Conference Proceeding |
| DBID | 6IE 6IL CBEJK RIE RIL |
| DOI | 10.1109/VizSec48167.2019.9161590 |
| DatabaseName | IEEE Electronic Library (IEL) Conference Proceedings IEEE Proceedings Order Plan All Online (POP All Online) 1998-present by volume IEEE Xplore All Conference Proceedings IEEE Electronic Library (IEL) IEEE Proceedings Order Plans (POP All) 1998-Present |
| DatabaseTitleList | |
| Database_xml | – sequence: 1 dbid: RIE name: IEEE Electronic Library (IEL) url: https://ieeexplore.ieee.org/ sourceTypes: Publisher |
| DeliveryMethod | fulltext_linktorsrc |
| Discipline | Computer Science |
| EISBN | 9781728138763 1728138760 |
| EISSN | 2639-4332 |
| EndPage | 10 |
| ExternalDocumentID | 9161590 |
| Genre | orig-research |
| GroupedDBID | 6IE 6IF 6IL 6IN AAJGR AAWTH ABLEC ADZIZ ALMA_UNASSIGNED_HOLDINGS BEFXN BFFAM BGNUA BKEBE BPEOZ CBEJK CHZPO IEGSK OCL RIE RIL |
| ID | FETCH-LOGICAL-i203t-2f6bc2195e8bc41385bb0bca68f0407d71790f15d08fc6909a20291a8d9723983 |
| IEDL.DBID | RIE |
| ISICitedReferencesCount | 3 |
| ISICitedReferencesURI | http://www.webofscience.com/api/gateway?GWVersion=2&SrcApp=Summon&SrcAuth=ProQuest&DestLinkType=CitingArticles&DestApp=WOS_CPL&KeyUT=000792443000008&url=https%3A%2F%2Fcvtisr.summon.serialssolutions.com%2F%23%21%2Fsearch%3Fho%3Df%26include.ft.matches%3Dt%26l%3Dnull%26q%3D |
| IngestDate | Wed Aug 27 02:33:44 EDT 2025 |
| IsPeerReviewed | false |
| IsScholarly | true |
| Language | English |
| LinkModel | DirectLink |
| MergedId | FETCHMERGED-LOGICAL-i203t-2f6bc2195e8bc41385bb0bca68f0407d71790f15d08fc6909a20291a8d9723983 |
| PageCount | 10 |
| ParticipantIDs | ieee_primary_9161590 |
| PublicationCentury | 2000 |
| PublicationDate | 2019-Oct. |
| PublicationDateYYYYMMDD | 2019-10-01 |
| PublicationDate_xml | – month: 10 year: 2019 text: 2019-Oct. |
| PublicationDecade | 2010 |
| PublicationTitle | IEEE Symposium on Visualization for Cyber Security (VIZSEC) (Online) |
| PublicationTitleAbbrev | VIZSEC |
| PublicationYear | 2019 |
| Publisher | IEEE |
| Publisher_xml | – name: IEEE |
| SSID | ssj0003203511 |
| Score | 2.1035364 |
| SourceID | ieee |
| SourceType | Publisher |
| StartPage | 1 |
| SubjectTerms | cyber security; homograph phishing; human factors; Human-centered computing-Visualization-Visualization application domains-Visual analytics; Security and privacy-Systems security-Browser security; Unicode; visual analytics; visualization design |
| Title | PunyVis: A Visual Analytics Approach for Identifying Homograph Phishing Attacks |
| URI | https://ieeexplore.ieee.org/document/9161590 |
| WOSCitedRecordID | wos000792443000008&url=https%3A%2F%2Fcvtisr.summon.serialssolutions.com%2F%23%21%2Fsearch%3Fho%3Df%26include.ft.matches%3Dt%26l%3Dnull%26q%3D |
| hasFullText | 1 |
| inHoldings | 1 |
| isFullTextHit | |
| isPrint | |
| linkProvider | IEEE |