Presentation is loading. Please wait.

Presentation is loading. Please wait.

PhishNet: Predictive Blacklisting to Detect Phishing Attacks Pawan Prakash Manish Kumar Ramana Rao Kompella Minaxi Gupta Purdue University, Indiana University.

Published byGarey Jonathan Bell Modified over 9 years ago

Similar presentations

Presentation on theme: "PhishNet: Predictive Blacklisting to Detect Phishing Attacks Pawan Prakash Manish Kumar Ramana Rao Kompella Minaxi Gupta Purdue University, Indiana University."— Presentation transcript:

1 PhishNet: Predictive Blacklisting to Detect Phishing Attacks Pawan Prakash Manish Kumar Ramana Rao Kompella Minaxi Gupta Purdue University, Indiana University INFOCOM (March, 2010) 2010/8/031

2 Outline Introduction Component1 Component2 Evaluation Related Work Conclusion 2010/8/032

3 Phishing Attacks Simplicity and Ubiquity of the Web Attract several miscreants – lure innocent to revealing sensitive information Above all. Today, such an miscreants attack of common and increasing by day is Phishing – http://www.antifishing.org/events/events.html http://www.antifishing.org/events/events.html – APWG’s anti-phishing contents of work 2010/8/033

4 Popular Solution Add additional feature s within an Internet browser Often provided by a mechanism is known as Blacklisting – Simple to design and easy to implement Major problem: Incompleteness – cyber-criminals are extremely savvy so that they are easy to evade blacklists 2010/8/034

5 Observation Malicious URLs do often tend to occur in groups that are close to each other either syntactically or semantically – www1.rogue.com, www2.rogue.com – two URLs with hostnames resolves to the same IP address 2010/8/035

6 Implication First, discover new sources of maliciousness in and around the original blacklist entries and add them into blacklist Second, exact match implementation of a blacklist to an approximate match that is aware of several of the legal mutations that often exist within these URLs 2010/8/036

7 PhishNet Comprise two major components: A. a URL prediction component B. an approximate URL matching component 2010/8/037

8 Outline Introduction Component1 Component2 Evaluation Related Work Conclusion 2010/8/038

9 Predicting Malicious URLs Predicting new URLs from existing blacklist entries – e.g., PhishTank, http://www.phishtank.com/index.phphttp://www.phishtank.com/index.php Use five heuristics for generating new URLs Basic idea – combine pieces of known phishing URLs(parent) from a blacklist to generate new URLs(child) Then, test the existence of these child URLs using a verification process 2010/8/039

10 Heuristics H1, Replacing TLD (Top Level Domain) – find such variants of original blacklist entries obtained by changing the TLDs – use 3210 effective TLDs (eq, co.in) H2, IP address equivalence – URLs have same IP address are grouped together into clusters – create new URLs by considering all combinations of hostnames and pathnames 2010/8/0310

11 Heuristics (Conti.) H3, Directory structure similarity – URLs with similar directory structure are grouped together – build new URLs by exchanging the filenames among URLs belonging to the same group H4, Query string substitution – build new URLs by exchanging the query strings among URLs 2010/8/0311

12 Heuristics (Conti.) H5, Brand name equivalence – phishers often target multiple brand name using the same URL structure – build new URLs by substituting brand names occurring in phishing URLs with other brand names 2010/8/0312

13 Verificaiton Eliminate URLs that are either non-existent or are non-phishing sites – conduct DNS lookup – establish a connection to the corresponding server – initiate a HTTP GET request to obtain content from the server – if request is successful, use publicly available detection tool 2010/8/0313

14 Outline Introduction Component1 Component2 Evaluation Related Work Conclusion 2010/8/0314

15 Approximate Matching Determine whether a given URL is a phishing site or not Perform approximate match of a given URL to the entries in the blacklist by first breaking the input URL into four different entities – IP address – hostname – directory structure – brand name 2010/8/0315

16 Approximate Matching (Conti.) 2010/8/0316

17 Approximate Matching (Conti.) M1: Matching IP address – drect match – assign a normalized score based on the number of blacklist entries that map to a given IP address – IP address IP i is common to n i URLs – scores computing as following: 2010/8/0317

18 Approximate Matching (Conti.) M2: Matching hostname – classify between WHS (Web Host Service)and non- WHS 2010/8/0318

19 Approximate Matching (Conti.) M2: Matching hostname – A. Matching WHSes: if match succeeds, confidence score is computed using (1), on the number of URLs that have the same primary domain – B. Matching non-WHSes: based on syntactic similarity across labels If match succeeds, confidence score is computed using(1), n i referring to the number of URLs that match a given regular expression 2010/8/0319

20 Approximate Matching (Conti.) M3: Matching directory structure – If match succeeds, confidence score is computed using(1), n i representing the number of URLs corresponding to a directory structure in the hash map M4: Matching brand names – If match succeeds, confidence score is computed using(1), n i being the number of occurrences of the brand name 2010/8/0320

21 Outline Introduction Component1 Component2 Evaluation Related Work Conclusion 2010/8/0321

22 Predicting Malicious URLs Collected URLs over a period of 24 days starting from 2nd July 2009 to 25th July 2009 Generated almost 1.55 million child URLs from the approximately 6,000 parent URLs About 34489 out of 1.55 million could be fetched (%2), be compared with parent URL using page similarity tool – http://www.webconfs.com http://www.webconfs.com – greater than 90% similarity are reported as our new malicious URLs 2010/8/0322

23 Approximate Matching Effectiveness and the URL processing time Use data from four sources The experimental setup consists of two phases—training and testing For evaluation, use the following weight to different normalized scores : – W(M1) = 1.0 – W(M2) = 1.0 – W(M3) = 1.5 – W(M4) = 1.5 2010/8/0323

24 Approximate Matching 2010/8/0324

25 Approximate Matching 2010/8/0325 14% of URLs Gen 80% of 14% of URLs Gen (11.2% of URLs Gen) 2.2% of 14% of URLs Gen (2% of URLs Gen)

26 Outline Introduction Component1 Component2 Evaluation Related Work Conclusion 2010/8/0326

27 Related Work APWG regularly publishes facts and figures about phishing such as list of TLDs and brand names targeted, trends in phishing URL structure Highly Predictive blacklisting – Rely on tens of thousands of features based on extra information from outside sources such as WhoIS, registrar information 2010/8/0327

28 Outline Introduction Component1 Component2 Evaluation Related Work Conclusion 2010/8/0328

29 Conclusion Blacklisting is the most common technique to defend against phishing attacks PhishNet suffers from low false positives and is remarkably effective at flagging new URLs that were not part of the original blacklist 2010/8/0329

30 THANK YOU 2010/8/0330

Download ppt "PhishNet: Predictive Blacklisting to Detect Phishing Attacks Pawan Prakash Manish Kumar Ramana Rao Kompella Minaxi Gupta Purdue University, Indiana University."

Similar presentations

11 PhishNet: Predictive Blacklisting to detect Phishing Attacks Reporter: Gia-Nan Gao Advisor: Chin-Laung Lei 2010/4/26.

11 PhishNet: Predictive Blacklisting to detect Phishing Attacks Reporter: Gia-Nan Gao Advisor: Chin-Laung Lei 2010/4/26.
Reporter: Jing Chiu Advisor: Yuh-Jye Lee 2015/7/181Data Mining & Machine Learning Lab.

Reporter: Jing Chiu Advisor: Yuh-Jye Lee /7/181Data Mining & Machine Learning Lab.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
1 CANTINA : A Content-Based Approach to Detecting Phishing Web Sites WWW 2007 2008.09.09 Yue Zhang, Jason Hong, and Lorrie Cranor.

1 CANTINA : A Content-Based Approach to Detecting Phishing Web Sites WWW Yue Zhang, Jason Hong, and Lorrie Cranor.
Phishing for Phish in the Phispond A lab on understanding Phishing attacks and defenses … Group 21-B Sagar Mehta.

Phishing for Phish in the Phispond A lab on understanding Phishing attacks and defenses … Group 21-B Sagar Mehta.
Design and Evaluation of a Real-Time URL Spam Filtering Service

Design and Evaluation of a Real-Time URL Spam Filtering Service
PHAD- A Phishing Avoidance and Detection Tool Using Invisible Digital Watermarking By Sonali Batra Web 2.0 Security and Privacy 2014.

PHAD- A Phishing Avoidance and Detection Tool Using Invisible Digital Watermarking By Sonali Batra Web 2.0 Security and Privacy 2014.
 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.

 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.
Internet Networking Spring 2006 Tutorial 12 Web Caching Protocols ICP, CARP.

Internet Networking Spring 2006 Tutorial 12 Web Caching Protocols ICP, CARP.
1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #13 Web Caching Protocols ICP, CARP.

1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #13 Web Caching Protocols ICP, CARP.
Learning to Advertise. Introduction Advertising on the Internet = $$$ –Especially search advertising and web page advertising Problem: –Selecting ads.

Learning to Advertise. Introduction Advertising on the Internet = $$$ –Especially search advertising and web page advertising Problem: –Selecting ads.
Typo-Squatting: a Nuisance or a Threat to Your Traffic? Mishari Almishari.

Typo-Squatting: a Nuisance or a Threat to Your Traffic? Mishari Almishari.
1 Software Testing and Quality Assurance Lecture 32 – SWE 205 Course Objective: Basics of Programming Languages & Software Construction Techniques.

1 Software Testing and Quality Assurance Lecture 32 – SWE 205 Course Objective: Basics of Programming Languages & Software Construction Techniques.
Bayesian Bot Detection Based on DNS Traffic Similarity Ricardo Villamarín-Salomón, José Carlos Brustoloni Department of Computer Science University of.

Bayesian Bot Detection Based on DNS Traffic Similarity Ricardo Villamarín-Salomón, José Carlos Brustoloni Department of Computer Science University of.
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Learning Table Extraction from Examples Ashwin Tengli, Yiming Yang and Nian Li Ma School of Computer Science Carnegie Mellon University Coling 04.

Learning Table Extraction from Examples Ashwin Tengli, Yiming Yang and Nian Li Ma School of Computer Science Carnegie Mellon University Coling 04.
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Examining the Effectiveness and Techniques of the Anti-Phishing Technology in Leading Web Browsers and Security Toolbars. Wesley W. Owen

Examining the Effectiveness and Techniques of the Anti-Phishing Technology in Leading Web Browsers and Security Toolbars. Wesley W. Owen
Predicting Missing Provenance Using Semantic Associations in Reservoir Engineering Jing Zhao University of Southern California Sep 19 th,

Predicting Missing Provenance Using Semantic Associations in Reservoir Engineering Jing Zhao University of Southern California Sep 19 th,

Similar presentations

Ads by Google