Presentation is loading. Please wait.

Presentation is loading. Please wait.

Off the Hook: Real-Time Client- Side Phishing Prevention System July 28 th, 2016 University of Helsinki Samuel Marchal*, Giovanni Armano*, Kalle Saari*,

Published byGary Smith Modified over 8 years ago

Similar presentations

Presentation on theme: "Off the Hook: Real-Time Client- Side Phishing Prevention System July 28 th, 2016 University of Helsinki Samuel Marchal*, Giovanni Armano*, Kalle Saari*,"— Presentation transcript:

1 Off the Hook: Real-Time Client- Side Phishing Prevention System July 28 th, 2016 University of Helsinki Samuel Marchal*, Giovanni Armano*, Kalle Saari*, Nidhi Singh †, N.Asokan* *Aalto University - † Intel Security samuel.marchal@aalto.fi

2 2 Outline Phishing detection system –minimal training data, language-independence, scalability, resilient to adaptive attack –highly accurate & fast (comparable to state-of-the-art) –locally computable Target identification mechanism –language-independent, fast –highly accurate (comparable to state-of-the-art) Browser Add-on –client-side computation, redirection to target

3 3 Outline Phishing detection system –minimal training data, language-independence, scalability, resilient to adaptive attack –highly accurate & fast (comparable to state-of-the-art) –locally computable Target identification mechanism –language-independent, fast –highly accurate (comparable to state-of-the-art) Browser Add-on –client-side computation, redirection to target

4 4 Phishing Website

5 5 Data Sources Starting URL Landing URL Redirection chain Logged links HTML source code: –Text –Title –HREF links –Copyright http://my-standard.bankaccount-online.com/login http://redirect-phish.ru http://phishing.net/standard-bank/phish …

6 6 Phisher’s Control & Constraints Phishers have different level of control and are placed under some constraints while building a webpage: Control: External loaded content (logged links) and external HREF links are not controlled by page owner. Constraints: Registered domain name part of URL cannot be freely defined: constrained by registration (DNS) policies.

7 7 Conjectures By modeling control/constraints in a feature set we can improve identification of phishing webpages –Will have good generalizability, be language independent and circumvention will be difficult. By analyzing terms used in controlled and constrained sources we can identify the target of a phish

8 8 URL Structure https://www.amazon.co.uk/ap/signin?_encoding=UTF8 Protocol = https FQDN = www.amazon.co.uk RDN = amazon.co.uk mld = amazon FreeURL = {www, /ap/signin?_encoding=UTF8} protocol://[subdomains.]mld.ps[/path][?query] FreeURL FQDN RDNFreeURL

9 9 Data Sources: Control & Constraints Control / Constraint separation: –RDNs are constrained in composition –FreeURL, text, title, etc. are not constrained –RDNs in redirection chain controlled (internal) by page owner –Others RDNs (HREFs and logged links) not controlled (external) Data sources separation: UnconstrainedConstrained Controlled Text Title Copyright Internal FreeURL Internal RDNs Uncontrolled External FreeURLExternal RDNs

10 10 Phishing Classification System Feature extraction (212) from data sources: –URL features (106) –Term usage consistency (66) –Usage of starting and landing mld (22) –RDN usage (13) –Webpage content (5) Gradient Boosting classification: –Feature selection and weighting –Robustness to over-fitting (generalizability)

11 11 Classification Performance (language independence) Classifier Training: –4,531 English legitimate webpages (Intel Security) –1,036 phishing webpages (PhishTank) Assessment: –Legitimate webpages (Intel Security): 100,000 English 10,000 each in French, German, Italian, Portuguese and Spanish –1,216 phishing webpages (PhishTank)

12 12 Classification Performance (language independence) ROC CurvePrecision vs. Recall 100,000 English legitimate / 1,216 phishs (≈ real world repartition) PrecisionRecallFP RateAUCAccuracy 0.9560.9580.00050.999

13 13 Outline Phishing detection system –minimal training data, language-independence, scalability, resilient to adaptive attack –highly accurate & fast (comparable to state-of-the-art) –locally computable Target identification mechanism –language-independent, fast –highly accurate (comparable to state-of-the-art) Browser Add-on –client-side computation, redirection to target

14 14 Target Identification Target identification: identify a set of terms representing the impersonated service and brand: keyterms Assumption: keyterms appear in several data sources Query search engine with top keyterms to identify: –If the website is legitimate (appearing in top search results) –The potential targets of the phishing website Intersect sets of terms extracted from different visible data sources (title, text, starting/landing URL, Copyright, HREF links)

15 15 Target Identification Performance 600 phishing webpages with identified target: –(unverified phishes listed by PhishTank; identification done manually) TargetsIdentifiedUnknownMissedSuccess rate Top-1526175790.5% Top-2558172595.8% Top-3567171697.3% Complementarity with phishing detection: –53 mislabeled legitimate webpages (0.0005 FP rate) –39 identified as legitimate in target identification Reduction of FP rate to 0.0001 (0.01%)

16 16 Outline Phishing detection system –minimal training data, language-independence, scalability, resilient to adaptive attack –highly accurate & fast (comparable to state-of-the-art) –locally computable Target identification mechanism –language-independent, fast –Highly accurate (comparable to state-of-the-art) Browser Add-on –client-side computation, redirection to target

17 17 Add-on Implementation Client-side implementation –Privacy friendly –Resilient to adaptive attacks Multi-browser –Chrome, Firefox, Safari (in progress) Cross platform –Windows (>= 8), Mac OSX (>= 10.8), Ubuntu (>= 12.04) Phishing warning –Redirection to target –Suspicious webpage displayed (user education)

18 18 Phishing warning

19 19 Performance Memory usage –256 MB Impact on Web surfing –Phishing webpages: Interaction blocked in < 0.5 seconds Warning displayed (and target identified) in < 2 seconds –Legitimate webpages: None (albeit false positives)

20 20 Summary Phishing website detection system: –Language independent / resilient to adaptive attacks –Fast ( < 0.5 second per webpage) –> 99.9% accuracy with < 0.05% false positives Target identification system: –Fast ( < 2 seconds per webpage) –Success rate > 90% for 1 target / 97.3% for a set of targets Phishing detection add-on: –Guidance towards likely target –Privacy friendly (client-side-only implementation)

21 21 Questions ? https://ssg.aalto.fi/projects/phishing/

Download ppt "Off the Hook: Real-Time Client- Side Phishing Prevention System July 28 th, 2016 University of Helsinki Samuel Marchal*, Giovanni Armano*, Kalle Saari*,"

Similar presentations

The Biosafety Clearing-House of the Cartagena Protocol on Biosafety Tutorial – BCH common features.

The Biosafety Clearing-House of the Cartagena Protocol on Biosafety Tutorial – BCH common features.
Internet Basics Instructors : Connie Hutchison & Christopher McCoy.

Internet Basics Instructors : Connie Hutchison & Christopher McCoy.
Reporter: Jing Chiu Advisor: Yuh-Jye Lee 2015/7/181Data Mining & Machine Learning Lab.

Reporter: Jing Chiu Advisor: Yuh-Jye Lee /7/181Data Mining & Machine Learning Lab.
© www.teach-ict.com All Rights Reserved Web Browser A software application that enables you to view and interact with pages on the World Wide Web. Examples.

© All Rights Reserved Web Browser A software application that enables you to view and interact with pages on the World Wide Web. Examples.
Report : 鄭志欣 Advisor: Hsing-Kuo Pao 1 Learning to Detect Phishing Emails I. Fette, N. Sadeh, and A. Tomasic. Learning to detect phishing emails. In Proceedings.

Report : 鄭志欣 Advisor: Hsing-Kuo Pao 1 Learning to Detect Phishing s I. Fette, N. Sadeh, and A. Tomasic. Learning to detect phishing s. In Proceedings.
Design and Evaluation of a Real-Time URL Spam Filtering Service

Design and Evaluation of a Real-Time URL Spam Filtering Service
PHAD- A Phishing Avoidance and Detection Tool Using Invisible Digital Watermarking By Sonali Batra Web 2.0 Security and Privacy 2014.

PHAD- A Phishing Avoidance and Detection Tool Using Invisible Digital Watermarking By Sonali Batra Web 2.0 Security and Privacy 2014.
Design and Evaluation of a Real- Time URL Spam Filtering Service Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson, Dawn Song University of California,

Design and Evaluation of a Real- Time URL Spam Filtering Service Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson, Dawn Song University of California,
Server-Side vs. Client-Side Scripting Languages

Server-Side vs. Client-Side Scripting Languages
Page-level Template Detection via Isotonic Smoothing Deepayan ChakrabartiYahoo! Research Ravi KumarYahoo! Research Kunal PuneraUniv. of Texas at Austin.

Page-level Template Detection via Isotonic Smoothing Deepayan ChakrabartiYahoo! Research Ravi KumarYahoo! Research Kunal PuneraUniv. of Texas at Austin.
Introduction to Web Based Application. Web-based application TCP/IP (HTTP) protocol Using WWW technology & software Distributed environment.

Introduction to Web Based Application. Web-based application TCP/IP (HTTP) protocol Using WWW technology & software Distributed environment.
CM143 - Web Week 2 Basic HTML. Links and Image Tags.

CM143 - Web Week 2 Basic HTML. Links and Image Tags.
Verma - ICISS 2014 R easoning M ining NLP Defense Rakesh M. Verma ReMiND Laboratory Catching Classical and Hijack-based Phishing Attacks.

Verma - ICISS 2014 R easoning M ining NLP Defense Rakesh M. Verma ReMiND Laboratory Catching Classical and Hijack-based Phishing Attacks.
Chapter 14 Introduction to HTML

Chapter 14 Introduction to HTML
Dawn Pedersen Art Institute. Introduction All your hard design work will suffer in anonymity if people can't find your site. The most common way people.

Dawn Pedersen Art Institute. Introduction All your hard design work will suffer in anonymity if people can't find your site. The most common way people.
Large-Scale Cost-sensitive Online Social Network Profile Linkage.

Large-Scale Cost-sensitive Online Social Network Profile Linkage.
WARNINGBIRD: A Near Real-time Detection System for Suspicious URLs in Twitter Stream.

WARNINGBIRD: A Near Real-time Detection System for Suspicious URLs in Twitter Stream.
Samuvel Johnson 1286120 2 nd MCA B. Contents  Introduction to Real-time systems  Two main types of system  Testing real-time software  Difficulties.

Samuvel Johnson nd MCA B. Contents  Introduction to Real-time systems  Two main types of system  Testing real-time software  Difficulties.
PhishScore: Hacking Phishers’ Minds

PhishScore: Hacking Phishers’ Minds
Copyright © cs-tutorial.com. Introduction to Web Development In 1990 and 1991,Tim Berners-Lee created the World Wide Web at the European Laboratory for.

Copyright © cs-tutorial.com. Introduction to Web Development In 1990 and 1991,Tim Berners-Lee created the World Wide Web at the European Laboratory for.

Similar presentations

Ads by Google