1 / 19

PhishScore: Hacking Phishers ’ Minds

PhishScore: Hacking Phishers ’ Minds. CNSM 2014 – Fault Tolerance and Security Track November 18, 2014. Samuel Marchal, Jérôme François, Radu State and Thomas Engel {samuel.marchal,radu.state,thomas.engel}@uni.lu jerome.francois@inria.fr. PhishScore at a glance.

andrewhayes
Download Presentation

PhishScore: Hacking Phishers ’ Minds

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. PhishScore: Hacking Phishers’ Minds CNSM 2014 – Fault Tolerance and Security Track November 18, 2014 Samuel Marchal, Jérôme François, Radu State and Thomas Engel {samuel.marchal,radu.state,thomas.engel}@uni.lu jerome.francois@inria.fr

  2. PhishScore at a glance PhishScore: Hacking Phishers‘ Minds – Samuel Marchal 1 / 16

  3. What is Phishing ? • Use of technical subterfuges and social engineering to steal any kind of valuable consumers’ data: • Identity information • Web-sites credentials: login, password, etc. • Credit card information • Etc. • Cause billions of dollars of loss every year PhishScore: Hacking Phishers‘ Minds – Samuel Marchal 2 / 16

  4. Phishing techniques and statistics • Web based delivery • Trojan hosts • Content Injection (website) • Phishing emails • Instant messaging • Fake websites • etc. PhishScore: Hacking Phishers‘ Minds – Samuel Marchal 3 / 16

  5. Phishing website example PhishScore: Hacking Phishers‘ Minds – Samuel Marchal 4 / 16

  6. Phishing URLs characteristics www.paypal.creasconsultores.com/www.paypal.com/Resolutioncenter.php shevkun.org/css/paypal.com/cgi-bin/cmd%3D_login-submit/css/websc.php us-mg6.mail.yahoo.com.dwarkamaigroup.com/Yahoo.html emailoans.hostingventure.com.au/bankofamerica.com nitkowski.pl/components/wellsfargo/questions.php URL characteristics: • Long URLs (many level domains, long path, etc.) • Composed of many labels • Embed targeted brand at different URL level e.g. Yahoo, Wells Fargo • Embed specific key words 5 / 16 PhishScore: Hacking Phishers‘ Minds – Samuel Marchal

  7. Prior Work • URL lexicalanalysis • Garreraet al. [WORM `07] • Logistic regression withwordbased features • Ma et al. [SIGKDD `09] • Batchclassificationmethodwithlexical and hostbased features • Blum et al. [AISec`10] • Refinedtechniquewithbinary feature for eachword/level • Le et al. [Infocom`11] • Batch and online learningwithlexical features and URL features PhishScore: Hacking Phishers‘ Minds – Samuel Marchal 6 / 16

  8. Phishing URLs characteristics www.paypal.creasconsultores.com/www.paypal.com/Resolutioncenter.php shevkun.org/css/paypal.com/cgi-bin/cmd%3D_login-submit/css/websc.php us-mg6.mail.yahoo.com.dwarkamaigroup.com/Yahoo.html emailoans.hostingventure.com.au/bankofamerica.com nitkowski.pl/components/wellsfargo/questions.php • The registered domain has no relationship with the rest of the URL • Most parts of URLs can be freely defined • Except the registered domain:main level domain + public suffix http:// 4ld.3ld. mld.ps /path1/path2?key1=value1&key2=value2 7 / 16 PhishScore: Hacking Phishers‘ Minds – Samuel Marchal

  9. Proposition for Phishing URL Detection • Hypothesis: • Components of legitimate URLs are all related • Registered domains (mld.ps) of phishing URLs are not related to the remaining of the URL Analyse relatedness between mld.ps and the remaining part of a URL : Intra-URL relatedness 8 / 16 PhishScore: Hacking Phishers‘ Minds – Samuel Marchal

  10. Intra-URL relatedness URL labelextraction: http://4ld.3ld.mld.ps/path1/path2?key1=value1&key2=value2 “mld” & “mld.ps” Basic splitting • login.paypal.com/securepayment • RDurl= {paypal;paypal.com} • REMurl= {login; secure; payment} PhishScore: Hacking Phishers‘ Minds – Samuel Marchal 9 / 16

  11. Intra-URL relatedness evaluation Howtoevaluate intra-URL relatedness ? • Compare the two sets RDurl and REMurl • Existing word relatedness techniques : Wordnet [Miller90], NGD [Cilibrasi07], Disco [Kolb08], etc. • Problem:all dictionary based and ”Internet” vocabulary is not necessarily contained in dictionary • Idea : use Search Engine Query Data • Web searches reflect the cognitive behaviour of users looking for services on Internet (what phishers try to identify and to mimic) • Request well-known services: Google Trends & Yahoo Clues • See which words are requested together in search engines to infer word relatedness PhishScore: Hacking Phishers‘ Minds – Samuel Marchal 10 / 16

  12. Intra-URL relatedness evaluation PhishScore: Hacking Phishers‘ Minds – Samuel Marchal 11 / 16

  13. Features set 12 features representing intra-URL relatedness: Word set relatedness (Jaccard index) Words embedded in URL cardrem JRR JRA JAA JAR JARrd JARrem Popularity of registered domain Popularity of words in URL mldres mld.psres ranking ratioArem ratioRrem PhishScore: Hacking Phishers‘ Minds – Samuel Marchal 12 / 16

  14. Feature analysis • Datasets: • 48,009 phishing URLs (source: PhishTank) • 48,009 legitimate URLs (source DMOZ) • Features extraction for all dataset PhishScore: Hacking Phishers‘ Minds – Samuel Marchal 13 / 16

  15. URL classification • Machine learning approach: • Determine the best classifier to identify phishing URLs • 7 classifiers tested: Random Forest, C4.5, JRip, SVM, etc. • 10-fold cross-validation on the presented feature set (96,016 URLs) • Random Forest: • 94.91% accuracy • 1.44% FPrate PhishScore: Hacking Phishers‘ Minds – Samuel Marchal 14 / 16

  16. URL rating • Random Forest based rating system: • Use soft prediction score [0;1] as URL score: • 1: phishing URL • 0: legitimate URL • 0: 22,863 legitimate // 40 phishing • 1: 26 legitimate // 34,790 phishing • 99.89% correctness on • 60.11% of the dataset • [0;0.1] and [0.9;1] • 99.22% correctness on • 83.97% of the dataset PhishScore: Hacking Phishers‘ Minds – Samuel Marchal 15 / 16

  17. Conclusion PhishScore • Lexical analysis to detect phishing URLs: • Intra-URL relatedness • Word relatedness inferred with search engine query data • Phishing URL detection: 95% accuracy (FP rate = 1.44%) • URL rating system: >99% correctness for > 80% URLs • Future Work: • Use distributed on-line processing (Big Data) to reduce delay • Implementation as phishing email filtering and browser add-on URL Semantic Analysis for Phishing Detection – Samuel Marchal 16 / 16

  18. PhishScore: Hacking Phishers’ Minds CNSM 2014 – Fault Tolerance and Security Track November 18, 2014 Samuel Marchal, Jérôme François, Radu State and Thomas Engel {samuel.marchal,radu.state,thomas.engel}@uni.lu jerome.francois@inria.fr

  19. Phishing summary • Phishing: • seeks to steal different kind of data • targets several industry sector • uses various techniques • Is there a global characteric for phishing ? , but most of phishing attacks rely on fake websites using redirecting links Phishing detection technique with wide scope: Phishing URL identification No PhishScore: Hacking Phishers‘ Minds – Samuel Marchal 5 / 17

More Related