Abstract

A web identity is an identifier that uniquely identifies and represents an entity in the Cyberspace. Web identity security focuses on accurate identity verification and prevention of identity impersonation, fraud, leakage, theft, etc. Nowadays, the increasing scale of the Web gives rise to the problems of “Password Fatigue”, "Phishing Attacks" and "Brute Force Password Attacks", and brings great challenges to the currently dominant password-based web identity authentication scheme.

In this talk, we will first present the threats and challenges to Web identity security and then introduce our solutions and suggestions. In particular, we propose a new web identity authentication mechanism by introducing a module named “Trusted User Agent” in the authentication process, which is compatible with the current password-based mechanism. Specifically, the user account information is automatically generated by, stored in the trusted user agent, and directly sent to the corresponding server, which authorizes the corresponding session on the specific terminal after successful authentication. This forms a secure closed authentication loop, in which credentials will never be sent to, and stolen by phishers at the browser. The proposed mechanism helps users automatically register new accounts with unlinkable identities and strong passwords, thus free from password cracking. We develop a system based on this mechanism and implement automatic change of passwords as well. Analyses and user studies have been conducted to show its security, usability, and deployability, being superior to the current password-based mechanism.

A phishing detection mechanism based on parasitic community will then be presented, which not only reaches an accuracy of 99.2%, but is the only system in the world capable of discovering phishing targets. A deep learning based solution will also be presented, which can detect a phishing URL with a very fast speed (20ms) and a very high precision (TPR=98.45% while FPR=0.01%).