Presentation is loading. Please wait.

Presentation is loading. Please wait.

Phishing Website Detection & Target Identification October 30 th, 2015 Samuel Marchal*, Kalle Saari*, Nidhi Singh †, N.Asokan* *Aalto University - † Intel.

Published byJeffery Heath Modified over 9 years ago

Similar presentations

Presentation on theme: "Phishing Website Detection & Target Identification October 30 th, 2015 Samuel Marchal*, Kalle Saari*, Nidhi Singh †, N.Asokan* *Aalto University - † Intel."— Presentation transcript:

1 Phishing Website Detection & Target Identification October 30 th, 2015 Samuel Marchal*, Kalle Saari*, Nidhi Singh †, N.Asokan* *Aalto University - † Intel Security samuel.marchal@aalto.fi

2 2 Outline Phishing detection system –minimal training data, language-independence, scalability –high accuracy, fast, locally computable (comparable to state-of- the-art) Target identification mechanism –language-independence, fast –High accuracy (comparable to state-of-the-art)

3 3 Outline Phishing detection system –minimal training data, language-independence, scalability, –high accuracy, fast, locally computable (comparable to state-of- the-art) Target identification mechanism –language-independence, fast –High accuracy (comparable to state-of-the-art)

4 4 Phishing Website

5 5 Data Sources Starting URL Landing URL Redirection chain Logged links HTML source code: –Text –Title –HREF links –Copyright Screenshot http://my-standard.bankaccount-online.com/login http://redirect-phish.ru http://phishing.net/standard-bank/phish …

6 6 Phisher’s Control & Constraints Phishers have different level of control and are placed under some constraints while building a webpage: Control: External loaded content (logged links) and external HREF links are not controlled by page owner. Constraints: Registered domain name part of URL cannot be freely defined: constrained by registration (DNS) policies.

7 7 Hypothesis By modeling control/constraints in a feature set we can improve identification of phishing webpages –Will have good generalizability and be language independent By analyzing terms used in controlled and constrained sources we can identify the target of a phish

8 8 URL Structure https://www.amazon.co.uk/ap/signin?_encoding=UTF8 Protocol = https FQDN = www.amazon.co.uk RDN = amazon.co.uk mld = amazon FreeURL = {www, /ap/signin?_encoding=UTF8} protocol://[subdomains.]mld.ps[/path][?query] FreeURL FQDN RDNFreeURL

9 9 Data Sources Control & Constraints Control / Constraint separation: –RDNs are constrained in composition –FreeURL, text, title, etc. are not constrained –RDNs in redirection chain controlled (internal) by page owner –Others RDNs (HREFs and logged links) not controlled (external) Data sources separation: UnconstrainedConstrained Controlled Text Title Copyright Internal FreeURL Internal RDNs Uncontrolled External FreeURLExternal RDNs

10 10 Phishing Classification System Features extraction (212) from data sources: –URL features (106) –Term usage consistency (66) –Usage of starting and landing mld (22) –RDN usage (13) –Webpage content (5) Gradient Boosting classification: –Feature selection and weighting –Robustness to over-fitting (generalizability)

11 11 Classification Performance (language independence) Classifier Training: –4,531 English legitimate webpages –1,036 phishing webpages Assessment: –100,000 English legitimate webpages –10,000 French legitimate webpages –10,000 German legitimate webpages –10,000 Italian legitimate webpages –10,000 Portuguese legitimate webpages –10,000 Spanish legitimate webpages –1,216 phishing webpages

12 12 Classification Performance (language independence) ROC CurvePrecision vs. Recall 100,000 English legitimate / 1,216 phishs PrecisionRecallFP RateAUCAccuracy 0.9560.9580.00050.999

13 13 Scalability

14 14 Outline Phishing detection system –minimal training data, language-independence, scalability, –high accuracy, fast, locally computable (comparable to state-of- the-art) Target identification mechanism –language-independence, fast –High accuracy (comparable to state-of-the-art)

15 15 Target identification Target identification: identify a set of terms represented the impersonated service and brand: keyterms Assumption: keyterms appear in several data sources Query search engine with top keyterms to identify: –If the website is legitimate (appearing in top search results) –The potential targets of the phishing website Intersect sets of terms extracted from different visible data sources (title, text, starting/landing URL, Copyright, HREF links)

16 16 Target Identification Performance 600 phishing webpages with identified target: –(unverified phishes listed by PhishTank; identification done manually) TargetsIdentifiedUnknownMissedSuccess rate Top-1526175790.5% Top-2558172595.8% Top-3567171697.3% Complementarity with phishing detection: –53 mislabeled legitimate webpages (0.0005 FP rate) –39 identified as legitimate in target identification Reduction of FP rate to 0.0001 (0.01%)

17 17 Concluding Remarks Phishing website detection system: –Language independent –Scalable –Fast ( < 1 second per webpage) –Client-side implementable –> 99.9% accuracy with < 0.05% false positives Target identification system: –Fast –Success rate > 90% for 1 target / 97.3% for a set of target

18 18 Demo Pipeline with both systems in a chain –Classify unverified phishs from PhishTank –Identify target

19 Phishing Website Detection & Target Identification October 30 th, 2015 Samuel Marchal*, Kalle Saari*, Nidhi Singh †, N.Asokan* *Aalto University - † Intel Security samuel.marchal@aalto.fi

Download ppt "Phishing Website Detection & Target Identification October 30 th, 2015 Samuel Marchal*, Kalle Saari*, Nidhi Singh †, N.Asokan* *Aalto University - † Intel."

Similar presentations

The Biosafety Clearing-House of the Cartagena Protocol on Biosafety Tutorial – BCH common features.

The Biosafety Clearing-House of the Cartagena Protocol on Biosafety Tutorial – BCH common features.
Mobile Chicago User Group. LP Mobile Each Month… 60 Million Visits Monitored 4 Million Messages Sent.

Mobile Chicago User Group. LP Mobile Each Month… 60 Million Visits Monitored 4 Million Messages Sent.
Reporter: Jing Chiu Advisor: Yuh-Jye Lee 2015/7/181Data Mining & Machine Learning Lab.

Reporter: Jing Chiu Advisor: Yuh-Jye Lee /7/181Data Mining & Machine Learning Lab.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
Large-Scale Entity-Based Online Social Network Profile Linkage.

Large-Scale Entity-Based Online Social Network Profile Linkage.
SharePoint User Group Chicago: 1/24/2013 SharePoint 2013 Search Overview.

SharePoint User Group Chicago: 1/24/2013 SharePoint 2013 Search Overview.
Rapid Object Detection using a Boosted Cascade of Simple Features Paul Viola, Michael Jones Conference on Computer Vision and Pattern Recognition 2001.

Rapid Object Detection using a Boosted Cascade of Simple Features Paul Viola, Michael Jones Conference on Computer Vision and Pattern Recognition 2001.
RB-Seeker: Auto-detection of Redirection Botnet Presenter: Yi-Ren Yeh Authors: Xin Hu, Matthew Knysz, Kang G. Shin NDSS 2009 The slides is modified from.

RB-Seeker: Auto-detection of Redirection Botnet Presenter: Yi-Ren Yeh Authors: Xin Hu, Matthew Knysz, Kang G. Shin NDSS 2009 The slides is modified from.
Report : 鄭志欣 Advisor: Hsing-Kuo Pao 1 Learning to Detect Phishing Emails I. Fette, N. Sadeh, and A. Tomasic. Learning to detect phishing emails. In Proceedings.

Report : 鄭志欣 Advisor: Hsing-Kuo Pao 1 Learning to Detect Phishing s I. Fette, N. Sadeh, and A. Tomasic. Learning to detect phishing s. In Proceedings.
Design and Evaluation of a Real-Time URL Spam Filtering Service

Design and Evaluation of a Real-Time URL Spam Filtering Service
PHAD- A Phishing Avoidance and Detection Tool Using Invisible Digital Watermarking By Sonali Batra Web 2.0 Security and Privacy 2014.

PHAD- A Phishing Avoidance and Detection Tool Using Invisible Digital Watermarking By Sonali Batra Web 2.0 Security and Privacy 2014.
Page-level Template Detection via Isotonic Smoothing Deepayan ChakrabartiYahoo! Research Ravi KumarYahoo! Research Kunal PuneraUniv. of Texas at Austin.

Page-level Template Detection via Isotonic Smoothing Deepayan ChakrabartiYahoo! Research Ravi KumarYahoo! Research Kunal PuneraUniv. of Texas at Austin.
Automatic Discovery and Classification of search interface to the Hidden Web Dean Lee and Richard Sia Dec 2 nd 2003.

Automatic Discovery and Classification of search interface to the Hidden Web Dean Lee and Richard Sia Dec 2 nd 2003.
Towards Semantic Web Mining Bettina Berndt Andreas Hotho Gerd Stumme.

Towards Semantic Web Mining Bettina Berndt Andreas Hotho Gerd Stumme.
Chapter 5 Searching for Truth: Locating Information on the WWW.

Chapter 5 Searching for Truth: Locating Information on the WWW.
Viola and Jones Object Detector Ruxandra Paun EE/CS/CNS 148 - Presentation 04.28.2005.

Viola and Jones Object Detector Ruxandra Paun EE/CS/CNS Presentation
WUCM1 exam 1WUCM1. Exam format DURATION: 2 HOURS INSTRUCTIONS – Answer all questions in Section A (50 marks) and two questions from Section B (25 marks.

WUCM1 exam 1WUCM1. Exam format DURATION: 2 HOURS INSTRUCTIONS – Answer all questions in Section A (50 marks) and two questions from Section B (25 marks.
A field is a unit of information. Limit search by the title field.

A field is a unit of information. Limit search by the title field.
Verma - ICISS 2014 R easoning M ining NLP Defense Rakesh M. Verma ReMiND Laboratory Catching Classical and Hijack-based Phishing Attacks.

Verma - ICISS 2014 R easoning M ining NLP Defense Rakesh M. Verma ReMiND Laboratory Catching Classical and Hijack-based Phishing Attacks.
 Official Site: facility.org/research/evaluation/clef-ip-10http://www.ir- facility.org/research/evaluation/clef-ip-10.

 Official Site: facility.org/research/evaluation/clef-ip-10http:// facility.org/research/evaluation/clef-ip-10.

Similar presentations

Ads by Google