vWitness: Certifying Web Page Interactions with Computer Vision
He Shuang, Lianying Zhao, David Lie

TL;DR
vWitness uses computer vision to verify that web page interactions are genuine and match server specifications, helping servers detect compromised clients and malicious manipulations.
Contribution
It introduces a novel approach combining computer vision with web interaction certification to enhance security against client-side manipulations.
Findings
Achieves 99.97% accuracy in interaction verification
Adds 197ms overhead on average
Compatible with modern web pages and resilient to adversarial attacks
Abstract
Web servers service client requests, some of which might cause the web server to perform security-sensitive operations (e.g. money transfer, voting). An attacker may thus forge or maliciously manipulate such requests by compromising a web client. Unfortunately, a web server has no way of knowing whether the client from which it receives a request has been compromised or not -- current "best practice" defenses such as user authentication or network encryption cannot aid a server as they all assume web client integrity. To address this shortcoming, we propose vWitness, which "witnesses" the interactions of a user with a web page and certifies whether they match a specification provided by the web server, enabling the web server to know that the web request is user-intended. The main challenge that vWitness overcomes is that even benign clients introduce unpredictable variations in the way…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Internet Traffic Analysis and Secure E-voting
