As Fisher points out in his proof-of-concept blog post, there are various user-interface changes Google could make to prevent or at least mitigate this phishing technique—but as a thought experiment, let’s imagine some ways machine learning (ML) could be leveraged to detect and prevent this sort of attack.
One effective countermeasure may be to use computer vision techniques to classify individual images. In particular, when dealing with images, the most obvious modeling approaches entail using convolutional neural networks. Convolutional neural networks, often simply called CNNs or ConvNets, are one of the reasons deep learning has become so popular: CNNs enable state-of-the-art performance on various image-related tasks like object recognition, image segmentation, and image captioning.
To address the inception bar attack, a naïve approach is to try supervised machine learning to classify individual images on a webpage as benign or malicious with a CNN or another type of classifier. Ideally, this would identify the inception bar URL bar image as malicious. However, it’s questionable whether such an approach would have sufficiently high true-positive and true-negative rates because even to a human, there’s nothing about the inception bar URL image that looks particularly malicious (indeed, that’s the whole point of the attack). Perhaps images of URL bars are rare enough on benign webpages that a classifier would learn such images are malicious, but this would need to be borne out by experiments.
Another approach would be to use image modeling in a data mining context. For example, in work previously published by the Cylance Data Science team, we showed how a convolutional autoencoder could be used to learn from image features for the purposes of benign vs. malicious classification. One could similarly use a convolutional autoencoder to learn a compressed representation of images, and then use that compressed representation to look for similarly labeled images in a database.
In other words, take each image on a webpage, run it through the convolutional autoencoder to get the compressed representation, and then check your database for images with a similar compressed representation. If the similar images are known to be malicious, then you may assume the unknown image is also malicious. This is essentially a kind of k-nearest neighbors classifier. Doing k-nearest neighbors in high dimensions poses various scalability problems, but image searching at scale is a rich area of study.
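The lookup step described above can be sketched as follows. This is an added example, not code from the original post or from Cylance: the 4-dimensional vectors are constructed stand-ins for the autoencoder's compressed representation (the encoder itself is not implemented), and the names `DATABASE`, `classify`, `k` and `max_distance` are hypothetical. It adds one guard the paragraph implies, namely that neighbors only vote if they are actually close, so an image unlike anything in the database comes back as unknown instead of inheriting a label.

```python
import math
from collections import Counter

# Constructed sample data: (embedding, label) pairs standing in for the
# compressed representations of previously labelled images.
DATABASE = [
    ((0.91, 0.10, 0.05, 0.40), "malicious"),  # fake URL-bar screenshot
    ((0.88, 0.14, 0.02, 0.45), "malicious"),
    ((0.93, 0.08, 0.07, 0.38), "malicious"),
    ((0.10, 0.85, 0.30, 0.05), "benign"),     # site logo
    ((0.12, 0.80, 0.35, 0.02), "benign"),
    ((0.05, 0.20, 0.90, 0.10), "benign"),     # stock photo
]


def cosine_distance(a, b):
    """1 - cosine similarity; a zero vector is treated as maximally distant."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return 1.0 if norm == 0.0 else 1.0 - dot / norm


def classify(embedding, database=DATABASE, k=3, max_distance=0.05):
    """Label an image embedding by majority vote of its k nearest neighbors.

    Neighbors farther than max_distance (an assumed threshold that would be
    tuned on held-out data) do not vote. Returns (label, voting_neighbors);
    the label is "unknown" when nothing is close enough or the vote ties.
    """
    ranked = sorted((cosine_distance(embedding, vec), label)
                    for vec, label in database)
    near = [(d, label) for d, label in ranked[:k] if d <= max_distance]
    if not near:
        return "unknown", []
    top = Counter(label for _, label in near).most_common(2)
    if len(top) == 2 and top[0][1] == top[1][1]:
        return "unknown", near
    return top[0][0], near


if __name__ == "__main__":
    for query in [(0.90, 0.12, 0.04, 0.41),   # resembles the URL-bar images
                  (0.11, 0.83, 0.32, 0.04),   # resembles the logos
                  (0.50, 0.50, 0.50, 0.50)]:  # resembles nothing stored
        print(query, "->", classify(query))
```

The sorted scan is linear in the database size; at the scale the paragraph mentions it would be replaced by an approximate nearest-neighbor index.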
For example, the hsbc.com inception bar image might appear on a phishing site, and the holistic model would correctly output that the webpage is malicious. But when that same exact hsbc.com inception bar image appears on James Fisher’s blog explaining the inception bar attack, the holistic model could have enough context to realize that the page is benign, even though it has the same exact inception bar image as the malicious phishing site.
In summation, advances in machine learning—especially deep learning applications—will soon neutralize attacks of the nature Fisher describes in the inception bar proof of concept, as well as working to undermine other forms of browser-borne phishing, social engineering, and drive-by attacks.