Dark Reading is part of the Informa Tech Division of Informa PLC

7/16/2021
04:29 PM

Researchers Create New Approach to Detect Brand Impersonation

A team of Microsoft researchers developed and trained a Siamese Neural Network to detect brand impersonation attacks.

Security researchers have designed a new way to detect brand impersonation using Siamese Neural Networks, which can learn and make predictions from far fewer examples than standard deep learning requires.

These attacks, in which adversaries craft content to mimic known brands and trick victims into sharing information, have grown harder to detect as technology and techniques improve, says Justin Grana, applied researcher at Microsoft. While business-related applications are most often spoofed in these types of attacks, criminals can forge brand logos for any organization.

"Brand impersonation has increased in its fidelity, in the sense that, at least from a visual [perspective], something that is malicious brand impersonation can look identical to the actual, legitimate content," Grana explains. "There's no more copy-and-paste, or jagged logos." In today's attacks, visual components of brand impersonation almost exactly mimic true content.

This presents a clear security hurdle, he continues, because people and technology can no longer look for artifacts that previously distinguished fake content from the real thing. "Those visual cues are not there anymore," says Grana of a key challenge the research team faced.

Most people are familiar with the concept of image recognition. Detecting brand impersonation differs from it in two ways. First, a victim may receive different types of content that all aim to imitate the same brand. An impersonation attack spoofing Microsoft, for example, might send one malicious email that mimics Excel and another designed to look like Word.

"Those are two very different pieces of content, even though they both represent Microsoft," Grana says.

While too many types of content can present a detection challenge, too few can do the same. Many brands, such as regional banks and other small organizations, aren't often seen in brand impersonation, so there might only be a handful of training examples for a system to learn from.

"The standard deep learning that requires tons and tons of examples per class – class is the brand in this case – really wouldn't work in our situation," he notes.

To address the issue of detecting brand impersonation attacks, Grana teamed up with software engineer Yuchao Dai, software architect Nitin Kumar Goel, and senior applied researcher Jugal Parikh. Together, they developed and trained a Siamese Neural Network on labeled images to detect these types of attacks. Unlike standard deep learning, which is trained on many examples, Siamese Neural Networks are designed to generate better predictions using a smaller number of samples.

[The researchers will discuss their approach, further applications, and planned improvements in their upcoming Black Hat briefing, "Siamese Neural Networks for Detecting Brand Impersonation" on Wednesday, Aug. 4]

 

The team's dataset consists of more than 50,000 screenshots of malicious login pages spanning more than 1,000 brand impersonations. Each image is a collection of numbers, Grana says, and the team translated those numbers into what he describes as a "point" in an N-dimensional coordinate space. Rather than being handled as a raw image, which is a three-dimensional array of pixel values, each screenshot is reduced to a single vector of numbers. The team sought a way to make those numbers meaningful and, in doing so, distinguish fake from real brand images.
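The idea of turning an image into a "point" can be illustrated with a minimal sketch. It assumes a fixed random linear projection as a stand-in for a trained network; the article does not describe the team's actual architecture. The names `make_weights`, `flatten`, and `embed` are hypothetical, and the tiny 2x2 images are made-up data. The "Siamese" aspect shown here is only that both images pass through the same weights.

```python
import random

def make_weights(n_inputs, n_dims, seed=0):
    """Build a fixed n_dims x n_inputs matrix (a stand-in for learned weights)."""
    rng = random.Random(seed)
    return [[rng.uniform(-1.0, 1.0) for _ in range(n_inputs)]
            for _ in range(n_dims)]

def flatten(image):
    """Flatten a height x width x channel nested list into one list of floats."""
    return [float(v) for row in image for pixel in row for v in pixel]

def embed(image, weights):
    """Map an image to a point: one dot product per output dimension."""
    x = flatten(image)
    return [sum(w * v for w, v in zip(row, x)) for row in weights]

# Two tiny 2x2 RGB "screenshots" (hypothetical data, not from the dataset).
image_a = [[[255, 0, 0], [255, 0, 0]], [[0, 0, 255], [0, 0, 255]]]
image_b = [[[250, 5, 0], [255, 0, 0]], [[0, 0, 250], [0, 5, 255]]]

# The same weights are applied to both inputs, as in a Siamese setup.
weights = make_weights(n_inputs=12, n_dims=3)
point_a = embed(image_a, weights)
point_b = embed(image_b, weights)
```

In a real system the weights would be learned rather than random, so that the resulting points carry meaning about the brand.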

"Our algorithm that we used, we rewarded it for … translating content of the same brand to similar numbers, and contents of different brands to different numbers, so that way, when we look at these new numbers that are now meaningful because we trained our network to do so, any numbers that were close together were likely from the same brand," he explains.
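The reward Grana describes resembles what is commonly called a contrastive loss, although the article does not say which loss function the team used. The sketch below assumes that choice for illustration only; `contrastive_loss` and its `margin` parameter are hypothetical names, and the points are made-up two-dimensional embeddings.

```python
import math

def euclidean(p, q):
    """Straight-line distance between two points of equal length."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))

def contrastive_loss(p, q, same_brand, margin=1.0):
    """Penalty for one pair of embeddings (an assumed loss, for illustration).

    Same brand: the penalty grows with distance, pulling the pair together.
    Different brands: the penalty applies only when the pair is closer than
    `margin`, pushing the pair apart until it is at least that far.
    """
    d = euclidean(p, q)
    if same_brand:
        return d ** 2
    return max(0.0, margin - d) ** 2

# Same brand but far apart: large penalty.
same_far = contrastive_loss([0.0, 0.0], [3.0, 4.0], same_brand=True)

# Different brands and already far apart: no penalty.
diff_far = contrastive_loss([0.0, 0.0], [3.0, 4.0], same_brand=False)

# Different brands sitting on the same point: penalized by the full margin.
diff_close = contrastive_loss([0.0, 0.0], [0.0, 0.0], same_brand=False)
```

Minimizing a penalty of this kind over many labeled pairs is one way a network could be nudged toward "similar numbers" for the same brand and "different numbers" for different brands.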

Their Siamese Neural Network learns to embed images of the same brand relatively close together in a low-dimensional space, while images of different brands are embedded farther apart. The team then performs a "nearest neighbor classification" in the embedded space: a new image is assigned the brand of the known image whose embedding lies closest to it.
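Nearest neighbor classification in an embedded space can be sketched as follows. This is an illustration under stated assumptions, not the team's implementation: the function name `nearest_brand`, the brand labels, and the two-dimensional embeddings are all hypothetical, and Euclidean distance is assumed as the measure of closeness.

```python
import math

def nearest_brand(query, references):
    """Return the (brand, distance) of the reference embedding closest to query.

    `references` is a list of (brand, embedding) pairs with known labels.
    """
    best_brand, best_dist = None, math.inf
    for brand, point in references:
        d = math.dist(query, point)  # Euclidean distance (Python 3.8+)
        if d < best_dist:
            best_brand, best_dist = brand, d
    return best_brand, best_dist

# Hypothetical labeled embeddings; a real system would have many more.
references = [
    ("contoso_bank", [1.0, 0.0]),
    ("contoso_bank", [0.8, 0.2]),
    ("fabrikam_mail", [-1.0, 0.5]),
]

# Embedding of a new, unlabeled screenshot (made-up values).
brand, distance = nearest_brand([0.9, 0.1], references)
# brand is "contoso_bank"
```

Because classification only needs labeled reference points rather than a dedicated output per class, a brand with just a handful of examples can still be matched.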

Training Models, Learning Lessons
Grana says the team faced quite a few challenges and learned some lessons along the way.

"Dealing with skewed data is a large issue," he notes. "When you have a dataset that only has a couple observations per brand or per class, it really does require special techniques. We did some testing with the normal neural network, and it just wasn't sufficient for our purposes."

Determining the specific techniques that will work requires a lot of trial and error, Grana says of the research process. Which method will best suit the data you have? "There's the science behind machine learning, but there is also the art of it, to say, 'which optimization algorithm should we try; which network architecture should we try,'" he explains.

The researchers' work is still ongoing, he adds. Their next goal is to examine how this approach might work with a smart and adaptive adversary, as a means of improving the technology and response to attackers' evolving techniques. The screenshots they used in this research won't be the same ones used in future attacks, and security tech needs to keep pace.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
 
