Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A3_1_Detection of phished brands logos with Con...

JPAAWG
November 14, 2019
0
75

A3_1_Detection of phished brands logos with Convolutional Neural Networks

JPAAWG

November 14, 2019
Tweet

More Decks by JPAAWG

See All by JPAAWG
Google & ⽶国Yahoo!の迷惑メール 対策強化について
jpaawg
1
3.4k
A14_Future of DNS DoH / DoT_1
jpaawg
0
440
A14_Future of DNS DoH / DoT_2
jpaawg
0
150
A14_Future of DNS DoH / DoT_3
jpaawg
0
170
A15_DMARC Case Study
jpaawg
0
330
A16_Meeting for Japanese ISPs (Part 2)
jpaawg
0
360
B15_Abuse Desk Best Practices
jpaawg
1
1.7k
B14_Sharing Knowledge of Domain, Spam and DNS Investigation
jpaawg
0
130
A13_General Data Protection Regulation (GDPR) How does it impact Asia?
jpaawg
0
220

Featured

See All Featured
GitHub's CSS Performance
jonrohan
1030
460k
Imperfection Machines: The Place of Print at Facebook
scottboms
265
13k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
Thoughts on Productivity
jonyablonski
67
4.3k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
329
21k
Designing for humans not robots
tammielis
250
25k
The Language of Interfaces
destraynor
154
24k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Statistics for Hackers
jakevdp
796
220k
Measuring & Analyzing Core Web Vitals
bluesmoon
4
120
StorybookのUI Testing Handbookを読んだ
zakiyama
27
5.3k
Optimizing for Happiness
mojombo
376
70k

Transcript

  1. Detection of phished brands logos with Convolutional Neural Networks Vade

    Secure Sébastien Goutal Chief Science Officer

  2. Introduction 2 • Fact : More and more threats evade

    traditional filtering technologies by using images: • Sextortion, phishing, etc... • Solution : Apply Computer Vision to extract relevant content: • Text, logo, etc... • Existing technologies: Google Vision, Microsoft Azure Computer Vision • Limitations: List of logos is fixed • Decision: Build our own logo detection technology Example of phishing with image attached to email, no relevant content in body Brand logo Typical phishing text

  3. Data pipeline

  4. Data pipeline 4 Training corpus Test corpus 125 images without

    logo 1 713 images with logo Annotate images Convolve & square images Collect Images (Duplicates are removed) Benign emails Phishing emails Benign webpages Phishing webpages Logos Images Dictionaries Fonts Randomness Generate annotated images 43 663 images Split images 510 images 1 203 images Augment images 132 434 images 635 images 176 097 images, 30 brands, 66 logos

  5. Data pipeline Annotate images 5 • Human task: identify logo,

    draw bounding box and label logo • Minimal size for a logo is 40x30 • There may be several logos in an image • There may be variants of a brand logo: different geometry, different color, etc. → Same label Wells Fargo Yahoo! Scaling is costly as annotation is manual

  6. Data pipeline Convolve & square images 6 • First purpose:

    Increase resilience of CNN regarding logo position → Logos are often in the same position (top, top left) which increases CNN overfitting • Second purpose: Fit image to 512x512 square CNN input • How? Move a 512x512 sliding window on image and keep image if at least one logo is visible Image with two logos (Office, Microsoft) Image is rejected Image is kept

  7. Data pipeline Generate annotated images 7 • First purpose: Increase

    diversity of images to reduce CNN overfitting → Collected images often have a similar look & feel • Second purpose: Automate annotation to ease scaling → Annotation of collected images is manual: costly, time consuming • Generation is based on ‘randomness’: • Choice of resources: Images, words, fonts • Position of logo • Alterations of logo: down sampling, color balance, contrast, scaling Logos Images Dictionaries Fonts Randomness Generate annotated images

  8. Training and prediction

  9. Training 9 • VGG-16 and ResNet CNN used for training

    and prediction • CNN input size increased to 512x512 • Transfer learning: • Models are pre-trained on ImageNet (~14M images, 20K classes) • Additional training performed with training corpus Transfer learning is the improvement of learning in a new task through the transfer of knowledge from a related task that has already been learned. (Lisa Torrey and Jude Shavlik, University of Wisconsin)

  10. Prediction 12 Input image Resize and pad to fit 512x512

    input VGG-16 ResNet Combine predictions (Proprietary algorithm) Final prediction

  11. Performance evaluation 13 Images without logo 125 Images with logo

    510 Total 635 • Comparison with Google Vision logo detection • Google Vision logo detection : • General purpose (2D and 3D) • Number of logos supported unknown (>200) • Vade Secure logo detection : • 2D only (3D logo irrelevant in the context of threat detection) • Number of logos supported: 66 • Only logos supported by both are considered • Test set is used (independent from training set) Test set 𝑟𝑟𝑟𝑟𝑟𝑟 1 score Vade 0.95 0.94 0.94 Google 0.98 0.76 0.86 • Vade outperforms Google Vision • High number of FN for Google Vision 𝑒𝑒𝑒𝑒𝑒𝑒𝑒𝑒𝑒𝑒𝑒𝑒𝑒𝑒 = + 𝐹𝐹 𝑟𝑟𝑟𝑟𝑟𝑟 = + 1 = 2 . 𝑟𝑟𝑟𝑟𝑟𝑟 + 𝑟𝑟𝑟𝑟𝑟𝑟 Metrics for evaluation:

  12. Use case: ASTRD

  13. ASTRD 15 Emails from feedback loops Emails from honey pots

    Extract images Cluster images Analyze and label images QR Code Scanner QR Code are used for crypto payments Optical Character Recognition Natural Language Processing Logo Detection Classify images Images blacklist Global Network Intelligence (GNI)

  14. ASTRD – Example with phishing 16 Image attached to email,

    no relevant text in body Clue 1: Chase logo How? Extract logo with logo detection API Clue 2:Typical phishing text How? Extract text with OCR and classify text with NLP

  15. Thank you for your listening!