Surachai CHITPINITYON Kasom KOHT-ARSA Surasak SANGUANPONG Anan Phonphoem

Surachai CHITPINITYON, Kasom KOHT-ARSA, Surasak SANGUANPONG, Anan Phonphoem. Office of Computer Services, Kasetsart University. E-mail: Surachai.Ch@ku.ac.th. Automatic Phishing Site Detection and Blocking. APAN 2008, Hawaii, 23 January 2008.

Presentation Transcript


  1. Automatic Phishing Site Detection and Blocking. Surachai CHITPINITYON, Kasom KOHT-ARSA, Surasak SANGUANPONG, Anan Phonphoem. Office of Computer Services, Kasetsart University. E-mail: Surachai.Ch@ku.ac.th. APAN 2008, Hawaii, 23 January 2008. This work is partially supported by Commission of Higher Education (CHE), UniNET, Thailand.

  2. Agenda • What is Phishing? • Why Phishing Site Detection and Blocking are needed? • Phishing Site Detection Techniques • Proposed Solution: Detection and Blocking Techniques • Current Deployment • Future Work

  4. What is Phishing? An attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details. We concentrate only on detecting and blocking phishing sites inside the campus network.

  6. Why Phishing Site Detection and Blocking are needed? • Steal consumers' personal identity data • Financial account credentials

  8. Phishing Site Detection Techniques • E-mail Detection at Mail Gateway https://signin.ebay.com

  10. Detection and Blocking Techniques • Solution 1: Detection: phishing site URL; Blocking: URL filtering techniques • Solution 2: Detection: phishing site content; Blocking: firewall

  11. Solution 1: Traffic Flows. [Diagram: Campus Network, Gateway, Internet, Phishing Site, Phishing Site Detection and Blocking Engine]

  12. Solution 1: Structure. [Diagram of the Phishing Site Detection and Blocking Engine: URL Analyzer (URL pattern, regular expression, URL matching), Session Controller (TCP termination), Communicator; input: mirror traffic (incoming); output: phishing site blocking; Internet]

  13. Solution 1: Procedure. [Diagram with numbered steps 1 to 5: Campus Network, Gateway, Internet, Phishing Site, Phishing Site Detection and Blocking Engine, Phishing URL Lists; labels: GET, search, matching, FIN]

  14. Solution 1: Session Hijacking. [Sequence diagram between Client, Filtering and Server: SYN J; SYN K, ACK J+1; ACK K+1; Data (request); FIN L (faked FIN by filtering engine); Data (reply): packet will be ignored]

  15. Solution 1: Session Hijacking. [Sequence diagram between Client, Filtering and Server: Data (request); FIN L; FIN L; Data (reply); ACK L+1; FIN M; ACK M+1; labels: Successful filtering; Faked FIN ignored; Faked FIN; Unsuccessful filtering]

  16. Solution 1: A Closer Look at Hijacking. Success condition: t3 < t4; t3 - t0 < t4 - t0; t3 - t1 < RTT. From our measurement, t3 - t1 is less than 0.6 milliseconds. The average of t3 - t1 is about 0.2*RTT.

  17. Solution 2: Traffic Flows. [Diagram with numbered steps 1 to 4: Campus Network, Gateway, Internet, Phishing Site, Phishing Site Detection and Blocking Engine]

  18. Solution 2: Structure. [Diagram of the Phishing Site Detection and Blocking Engine: Content Analyzer (content pattern, regular expression, content matching), Communicator; input: mirror traffic (outgoing); output: phishing site blocking; Internet; Firewall]

  19. Solution 2: Phishing site pattern

  20. Solution 2: Procedure. [Diagram with numbered steps 1 to 5: Campus Network, Gateway, Firewall, Internet, Phishing Site, Phishing Site Detection and Blocking Engine, Phishing Content Lists; labels: GET, Reply, search, matching, block, X]

  22. Current Deployment: Structure. [Diagram: Thaisarn, Uninet, Ethernet 10 Gbps, Ethernet 1 Gbps, firewall, WebScreen Agent, Phishing Site Detection Engine, OCS KU] Engine hardware: CPU: 2x Dual Core Xeon 3.0 GHz; RAM: 1 GB; HD: SATA 1 TB.

  23. Current Deployment: Testing • Google phishing site detection • Used “About Google” key word [Diagram: Thaisarn, Uninet, firewall, OCS KU]

  25. Future Work • Use pictures, such as logos, for detection • Use AI to classify phishing sites

  26. Q&A

  27. Thank You
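
The URL Analyzer and URL matching step of Solution 1 (slides 12 and 13), as an added sketch that is not code from the presentation: it rebuilds host/path from the HTTP request in a mirrored TCP payload and matches it against regular expressions. The pattern list, the function names and the sample hosts are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed patterns (assumption): the deck does not show its real phishing URL list.
PHISHING_URL_PATTERNS = [
    # Brand hostname used as a prefix of some other domain.
    re.compile(r"^signin\.ebay\.com\.[a-z0-9.-]+(:\d+)?/", re.I),
    # Brand name in the path of a raw IPv4 host.
    re.compile(r"^\d{1,3}(\.\d{1,3}){3}(:\d+)?/.*ebay", re.I),
]

def extract_url(payload: bytes):
    """Rebuild 'host/path' from the HTTP request in one TCP payload, else None."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in ("GET", "POST", "HEAD") \
            or not parts[2].startswith("HTTP/"):
        return None                      # not an HTTP request (e.g. TLS bytes)
    target, host = parts[1], None
    if target.lower().startswith("http://"):   # absolute-form, as sent to proxies
        u = urlsplit(target)
        host = u.netloc
        target = (u.path or "/") + ("?" + u.query if u.query else "")
    else:                                # origin-form: host is in the Host header
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "host":
                host = value.strip()
                break
    if not host:
        return None
    name, _, port = host.partition(":")  # IPv6 literals are out of scope here
    name = name.lower().rstrip(".")      # case and trailing-dot normalisation
    if port and port != "80":
        name += ":" + port
    return name + target

def match_request(payload: bytes):
    """Return the matched URL if the request hits a phishing pattern, else None."""
    url = extract_url(payload)
    if url and any(p.search(url) for p in PHISHING_URL_PATTERNS):
        return url
    return None
```

Normalising case, the trailing dot and the default port before matching keeps trivially varied Host headers from slipping past the patterns.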
