OpenDNS developed a tool prototype using natural language processing technology Nlprank

Absrtact: Cloud security technology company OpenDNS recently announced the development of a tool to use natural language processing technology prototype Nlprank, the tool can automatically identify the malicious domain name (phishing) and the attack on High-value targets. The so-called malicious (preemptive) domain

Cloud security technology company OpenDNS recently announced the development of a tool to use natural language processing technology prototype Nlprank, the tool can automatically identify the malicious domain name (phishing) and the attack on High-value targets.

The so-called malicious (preemptive) domain name is usually used for phishing websites, that is, the spelling of domain names is often similar to the well-known websites we are familiar with. Cyber criminals who have registered these domain names will make the site very similar to a well-known site, Once the user wants to visit those well-known websites, the wrong individual letter (such as g00gle.com) will enter the phishing site, because the interface is very similar, some users do not realize, and then continue to enter the personal account password and other sensitive information resulting in privacy disclosure. Some network hackers use the user to pay attention to the psychology of security, through a variety of ways to send a number of security update prompts, and the link address provided by the well-known site seems to have a relationship with the domain name (such as adobeupdates[.] COM), tricking the user into entering.

Traditionally, security software solutions are handled afterwards. Because the domain name is too many, the malicious domain name is unable to collect the complete beforehand, therefore usually only after the user suffers the report to be able to recognize certain domain names to have the threat. However, OpenDNS engineers use this kind of malicious domain name at least deliberately with well-known sites similar to the characteristics of the past used in biological information and data Mining natural language processing technology, combined with ASN mapping and empowering, The WHOIS data pattern and the HTML tag analysis, combined with OPENDNS global network data, have developed a tool prototype Nlprank that can identify malicious domain names in real time.

Jeremiah O ' Connor, the OpenDNS researcher, first analyzed the attacks and data of the Darkhotel and Mandiant APT1 two cyber-crime syndicates, and found that they were more similar in their approach to phishing attacks. And after getting the data from these criminal groups, he found that the sites used by these phishing websites follow some similar patterns, and the idea of doing nlprank is sprouting.

This real-time detection model includes a popular legal domain dictionary (such as "Java", "Gmail", "Adobe", etc.) that is often used to refer to phishing sites, and then uses English words (such as "Install", "Update", "Download") that are common to phishing activities. ) For comparison. It then uses the sequence of bioinformatics to rate the domain names such as "Install-ad0be", and then evaluates the likelihood of their being used for fishing operations. For example, a domain name and well-known sites are similar, Nlprank will be the IP address of this domain name and the corresponding IP library to compare, to see if it belongs to the well-known site IP library range, if not, then this domain name is the possibility of a phishing site is relatively high.

This method of real-time detection using natural language processing technology should be a relatively novel approach, this is not only in its real-time, and phishing site will be more difficult, because if the fishing site to name and well-known sites are not so similar to avoid the possibility of being identified by the software, users may not be so easily deceived by that domain name.