Systematization of Knowledge (SoK): A Systematic Review of Software Based Web Phishing Detection PDF

Document Details

Uploaded by Deleted User

Zuochao Dou, Issa Khalil, Abdallah Khreishah, Ala Al-Fuqaha, Mohsen Guizani

Tags

phishing detection cyber security software knowledge

Summary

This publication systematically examines software-based methods for detecting web phishing. It covers different approaches, evaluation datasets, detection features, and metrics. The article aims to provide insights for developing more effective phishing detection systems.

Full Transcript

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/COMST.2017.2752087, IEEE...

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/COMST.2017.2752087, IEEE Communications Surveys & Tutorials 1 Systematization of Knowledge (SoK): A Systematic Review of Software Based Web Phishing Detection Zuochao Dou, Student Member, IEEE, Issa Khalil, Member, IEEE, Abdallah Khreishah, Member, IEEE, Ala Al-Fuqaha, Senior Member, IEEE and Mohsen Guizani, Fellow, IEEE Abstract—Phishing is a form of cyber attacks that leverages solutions (e.g., website filtering); (2) Preventive solutions social engineering approaches and other sophisticated techniques (e.g., strong authentication , , , , , , to harvest personal information from users of websites. The ); and (3) Corrective solutions (e.g., Site takedown , average annual growth rate of the number of unique phishing websites detected by Anti Phishing Working Group (APWG) ). In this paper, we focus on detective solutions. More is 36.29% for the past six years and 97.36% for the past two specifically, we look at software-based phishing detection years. In the wake of this rise, alleviating phishing attacks has schemes that are specialized in identifying and classifying received a growing interest from the cyber security community. phishing websites. This class of approaches is arguably more Extensive research and development have been conducted to important than other approaches because it helps in reducing detect phishing attempts based on their unique content, network, and URL characteristics. Existing approaches differ significantly human errors. Preventative and corrective solutions take a in terms of intuitions, data analysis methods as well as evaluation different approach, but if the user behind the keyboard has methodologies. This warrants a careful systematization so that been successfully tricked by a phishing attempt, and willingly the advantages and limitations of each approach, as well as submitted sensitive information, then no firewall, encryption the applicability in different contexts, could be analyzed and software, certificates, or authentication mechanism can help in contrasted in a rigorous and principled way. This paper presents a systematic study of phishing detection preventing the attack from materializing. Software-based schemes, especially, software based ones. Starting from the phish- phishing detection also delivers improved results compared ing detection taxonomy, we study evaluation datasets, detection to detection by user education (e.g., , , ) because features, detection techniques and evaluation metrics. Finally, we phishing attacks normally aim at exploiting human weaknesses provide insights that we believe will help guide the development. For example, a study of phishing detection using user of more effective and efficient phishing detection schemes. education shows a 29% false negative rate (F N R) for the best performance, while the software based approaches that are I. I NTRODUCTION surveyed by the same study have F N R in the range of 0.1% Phishing, one form of cyber-attacks, continues to be a to 10%. For this reason, we focus our study on software based growing concern not only to cyber security specialists but also phishing detection systems, and the term “phishing detection” to e-business users and owners. The severity of such cyber will refer only to this form of detection in the rest of the paper. attack vector is continuously growing with the exponential Although the research area of phishing detection and classi- increase in digital information generation and the increased fication is relatively rich, there is a lack of systematic analysis reliance of people and business on cyber space. The Anti- of the requirements, the capabilities, and the shortcomings of Phishing Working Group (APWG) has seen rapid growth in the existing anti-phishing techniques. For example, websites the number of unique phishing websites detected from 2014 that offer identification and classification of phishing as a to 2016. The average annual growth rate is 97.36% and service have been popular in recent years, however, those is expected to continue to grow. Estimates of annual direct services leverage different evaluation datasets from various financial loss to the US economy caused by phishing activities sources at different time periods to validate their outcomes. range from $61 million to $3 billion. Albeit those schemes may have similar performance results To mitigate the increasing damage caused by phishing, a (e.g., in terms of false positive rate, true positive rate, etc.), broad range of anti-phishing mechanisms have been proposed it is difficult to compare their performance because of the over the past two decades. These anti-phishing techniques can variation in the evaluation datasets employed. Consequently, a be categorized into three broad groups : (1) Detective systematic assessment of the datasets used to validate phishing detection approaches is desired, as well as necessary, in order Zuochao Dou is with the Electrical and Computer Engineering Department, to provide a foundation for comprehensive comparisons among New Jersey Institute of Technology, Newark, USA, E-mail: [email protected]. Issa Khalil is with the Qatar Computing Research Institute (QCRI), Hamad different phishing detection schemes, and ultimately, select the bin Khalifa University (HBKU), Doha, Qatar. E-mail: [email protected]. best in practice. Abdallah Khreishah is with the Electrical and Computer Engineering In this work, we complement the existing survey papers Department, New Jersey Institute of Technology, Newark, USA, E-mail: [email protected]. on phishing detection, including , , and , by Ala Al-Fuqaha is with the NEST Research Lab, College of Engineering & providing a broad systematic analysis of software based anti- Applied Sciences Computer Science Department, Western Michigan Univer- phishing approaches. In , the authors focus on studying, sity, Kalamazoo, USA, E-mail: [email protected]. Mohsen Guizani is with the Electrical and Computer Engineering Depart- analyzing, and classifying the most significant and novel ment, University of Idaho, Moscow, USA, E-mail: [email protected]. detection techniques, and pointed out the advantages and 1553-877X (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/COMST.2017.2752087, IEEE Communications Surveys & Tutorials 2 TABLE I: MOST POPULAR DEFINITIONS OF PHISHING disadvantages of each approach. On the other hand, we present Definition a more comprehensive systematic review of phishing detection PhishTank Phishing is a fraudulent attempt, usually schemes, not only from the perspective of detection algo- made through email, to steal your personal rithms, but also from a broader perspective that covers other information. APWG Phishing is a criminal mechanism employing important aspects including the phishing detection life cycle, both social engineering and technical taxonomy of phishing detection schemes, evaluation datasets, subterfuge to steal consumers’ personal detection features, and evaluation metrics and strategies. The identity data & financial account credentials. Xiang et al. Phishing is a form of identity theft, in work in focuses more on the attack side of phishing. which criminals build replicas of target Web More specifically, it presents details about phishing attacks sites and lure unsuspecting victims to including the anatomy of such attacks, why people fall in disclose their sensitive information like passwords, personal identification numbers phishing attacks and how bad phishing is. However, it only (PINs), etc.. provides a high level analysis of the state-of-the-art phishing Whittaker et al. A phishing page is any web page countermeasures. In order to provide a systematic review of that, without permission, alleges to act on behalf of a third party with the intention the phishing detection research, we first present the necessary of confusing viewers into performing an action information about the phishing attacks by answering three with which the viewer would only trust a true questions: (1) What is phishing?, (2) How does phishing work? agent of the third party. Khonji et al. Phishing is a type of computer attack that and (3) What is the current status of phishing? Then, we communicates socially engineered messages to conduct systematic review of phishing detection schemes in humans via electronic communication channels a detailed and comprehensive manner. Finally, Khonji et al. in order to persuade them to perform certain actions for the attacker’s benefit. present a literature survey about anti-phishing solutions Ramesh et al. Phishing is a fraudulent act to acquire (e.g., user training, email filtering and website detection, etc.), sensitive information from unsuspecting users including their classification, detection techniques and evalu- by masking as a trustworthy entity in an electronic commerce. ation metrics. Compared to , we focus on the software based phishing website detection schemes, which are proved TABLE II: TARGETS AND STRATEGIES OF PHISHING to be the most effective anti-phishing solutions and are not Target Strategy systematically studied in. PhishTank Personal information Social engineering Identity data, In a nutshell, the objective of this paper is to provide APWG Financial account Social engineering a systematic understanding of existing phishing detection credentials studies and provide a comprehensive way to evaluate phishing Xiang et al. Sensitive information Not specified Whittaker et al. Not specified Not specified detection approaches from different perspectives in order to Khonji et al. Not specified Social engineering guide future developments and validations of new or upgraded Rameshe et al. Sensitive information Not specified anti-phishing techniques. We summarize our contributions in this work as follows: away lessons for researchers and practitioners in the area of Compile a comprehensive profile of phishing through its phishing detection. Section VI concludes the paper. various definitions, detailed ecosystem (i.e., in terms of phishing life cycle, actors involved and their operations, etc.), and the state-of-the-art phishing trends. II. BACKGROUND Present a systematic review of the software based phish- A. State-of-the-art Phishing Attacks ing detection schemes from different perspectives includ- In this section, we first present the various definitions of ing the life cycle, taxonomy, evaluation datasets, detection phishing, then we introduce some statistics about phishing features, detection techniques and evaluation metrics. between January 2010 and June 2016. Finally, we describe Introduce a novel feature, Network Round Trip Time the phishing ecosystem. (N RT T ), for efficient and real time detection of phishing 1) What is Phishing?: There is no consensus on how attacks. phishing should be defined. Different phishing definitions Provide detailed takeaway lessons for researchers and lead to different research directions and approaches (e.g., practitioners in the area of phishing detection that we email filtering or website detection). It is important to clearly believe will help guide the development of effective identify the target of any phishing detection approach to phishing detection schemes. avoid confusion about its applicability in different scenarios. The rest of the paper is organized as following: Section The target and scope of phishing detection approaches can II describes the state-of-the-art phishing attacks, and presents be analyzed from the definition of phishing which has been the life cycle of phishing detection approaches. Section III adopted by such approaches. Therefore, presenting a back- introduces the taxonomy of phishing detection schemes with ground on the different definitions of phishing can help the the corresponding literature review. Section IV presents a sys- readers understand the scope and the capabilities of different tematic review of software based phishing detection schemes approaches. Table I summarizes the popular definitions of from different perspectives: (1) phishing detection datasets; (2) phishing. On one hand, the definitions of PhishTank , phishing detection features; (3) phishing detection techniques; APWG , Xiang et al. , Tameshe et al. cover the and (4) evaluation metrics. Section V provides detailed take- majority of cases in which phishers aim at stealing sensitive 1553-877X (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/COMST.2017.2752087, IEEE Communications Surveys & Tutorials 3 TABLE III: OPERATIONS OF DIFFERENT PLAYERS INVOLVED IN PHISHING personal information such as authentication credentials. Table Basic Operations Advanced Operations II shows the comparison of those phishing definitions based 1.Data collection 1. Evasion of anti-phishing on phishing target and phishing strategy. The most dominant A 2.Website development techniques phishing strategies are social engineering (e.g., through fraudu- 3.Email engineering 1.User behavior detection lent emails) and technical subterfuge (e.g., malware infection). B 1.Blacklist announcement 2.Strong authentications However, sophisticated techniques (e.g., pharming ) are C 1.Human detection 1.Phishing detection toolbar also used to harvest users’ personal information from the 2.Browser filter D 1.Policy enforcement 1.Brand monitoring Internet. On the other hand, the definitions of Whittaker et 1.Phishing data analysis 1.Law enforcement al. and Khonji et al. do not limit the attacker’s E 2.Anti-Phishing solutions 2.Government coalition target (e.g., sensitive personal information). They describe the 1.Email filtering F 1.Employee training 2.Phishing detection software phishing strategy (e.g., phishing website or socially engineered A: Phisher; B: Web service provider; C: Web service subscriber; messages) without stating a specific phishing target (e.g., D: Web hosting provider; E: Anti-Phishing institute; only state the attackers’ benefit). To sum up, the definition F: Spear Phishing targets of Whittaker et al. is the most general among those reviewed, while APWG defines the most commonly used phishing attacks in a specific manner. on-line shopping, etc.) on the Internet (usually through a website). 2) How Does Phishing Work?: In this section, we intro- Web service subscriber: Customers who subscribe to duce the ecosystem of phishing in terms of phishing process, web services provided by the web service provider. Sub- actors involved, their actions and interactions. scribers are the potential targets of traditional phishing (i) Phishing Process: In a generic/traditional phishing attacks. scenario (i.e., mass-email phishing campaigns), an attacker Web hosting provider: Companies that provide website hosts a fake website, and presents users of a web service hosting services to web service companies. with convincing emails containing a link to the fake website. Anti-phishing institutes: Institutes that support those When a user of the web service opens the link and enters tackling the phishing menace and provide advice on anti- her sensitive data, data is collected by the server hosting the phishing controls and information on current trends. fake website. As shown in Figure 1, Mihai and Giurea Spear phishing targets: Specific individuals or compa- suggest that a generic phishing process can be identified in nies targeted by phishers. five steps: (1) Reconnaissance: Phishers look for famous web service brands with a broad customer base; (2) Weaponization: Each actor involved in the phishing process has different Phishers design the phishing websites and social engineer actions and reactions (summarized in Table III). Phishers try on email spam; (3) Distribution: Phishers deliver emails to to use sophisticated techniques to evade phishing detection the victims; (4) Exploitation: Phishers exploit weaknesses of approaches (e.g., DNS poisoning ). In addition, there is a humans to lure the victims into phishing traps via socially growing trend in which phishers have decoupled the process of engineered emails. (5) Exfiltration: Phishers collect sensitive phishing website hosting from the process of sending phishing data from the phishing databases. emails in order to evade the anti-phishing solutions (Han, Kheir, & Balzarotti ). Unlike generic phishing attacks, spear phishing targets par- Web service providers usually announce blacklists of phish- ticular individuals or organizations.. Spear ing websites and recommend users to use strong authentication phishing attacks typically extract sensitive data from their schemes (e.g., , , , , ). Additionally, web victims by attaching a type of malware to emails or in service subscribers highly depend on browser filters (e.g., the phishing website. Industry statistics indicate that spear Google Safe Browser ) and other third party anti-phishing phishing attacks have a success rate of 19%, while the success toolbars (e.g., Netcraft ) to detect and block phishing rate of generic phishing attacks is less than 5%. attempts. For the purpose of this paper, we will not consider email fil- The role of web hosting providers is rather ambiguous in the tering (e.g., , , ) as a phishing detection method. phishing process. Reputable providers usually enforce strict Our focus is on detection of website phishing for both generic “Terms of Use” and avail certain anti-phishing solutions (e.g., and spear phishing attacks. brand monitoring ). Due to financial constraints, many (ii) Phishing Actors: There are six actors involved in a free-to-use web hosting providers may not be able to afford typical phishing life cycle (see Figure 2), as defined in the deploying good anti-phishing security measures, which leaves following paragraphs: their customers not only vulnerable, but even worse, attractive Phisher: Individuals or organizations that conduct phish- targets for phishing. ing attacks in order to obtain a certain type of benefit, Anti-phishing institutes collect and analyze phishing data such as financial gain, identity hiding (e.g., refers to the (e.g., suspicious websites reported by users) from various situation in which phishers do not use the stolen identities sources (e.g., users’ reports via anti-phishing toolbars), and directly, but rather sell them to interested criminals and provide anti-phishing suggestions and solutions (e.g., up-to- cyber attackers.), fame and notoriety, etc.. date phishing website blacklist, phishing detection toolbars, Web service provider: Companies that provide a certain etc.). In addition, they may also cooperate with government type of service (e.g., email, social network, e-banking, agencies such as public security and law enforcement to detect 1553-877X (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/COMST.2017.2752087, IEEE Communications Surveys & Tutorials 4 Fig. 1: Illustration of the phishing process. Fig. 2: Players involved in the phishing process. 1553-877X (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/COMST.2017.2752087, IEEE Communications Surveys & Tutorials 5 160,000 140,000 120,000 100,000 80,000 60,000 Fig. 4: The number of phishing sites that use HTTPS. Re-printed from. 40,000 20,000 B. Life cycle of phishing detection As mentioned in Section I, we do not incorporate phishing 0 2010 Jan. 2010 Dec. 2011 Dec. 2012 Dec. 2013 Dec. 2014 Dec. 2015 Dec.2016 Jun. detection approaches that rely on user education due to their poor performance. In addition, we do not cover phishing Fig. 3: The number of unique phishing sites per month from Jan. 2010 to Jun. 2016. detection methods that perform email filtering because it is a different detection theme that warrants a separate compre- hensive study on its own. we reemphasize here that our focus is on the area of software-based phishing detection which aims and prevent cyber attacks. at detecting or blocking phishing websites. The life-cycle of software-based phishing detection is il- 3) What is the Current State of Phishing?: According lustrated in Figure 5. Starting from the initial inputs, the to phishing activity trends reports published by APWG detection scheme extracts phishing detection features (or called from Jan. 2010 to Jun. 2016 (shown in Figure 3), the number heuristics, as detailed in Section IV-B ) and/or blacklists from of unique phishing websites established per month increased various sources (e.g., URL related information, trusted third significantly since 2015 (i.e., the average number for 2016 party, WHOIS server, etc.) via different feature mining ap- is 2.93 times the average from prior years). It is clear that proaches (e.g., search engines, target identification algorithms, phishers profited from this type of cyber-attacks, which result etc.). Then, it applies different data mining algorithms and/or in financial loss for both web subscribers and business owners. proposes various detection strategies to the engineered features Therefore, agile techniques to mitigate phishing will continue to achieve its objectives (e.g., identifying phishing links, to be a pressing need. blocking phishing websites, etc.). To evaluate the performance Phishing attacks tend to empoly advanced techniques to of phishing detection schemes, various evaluation datasets lure web service users into their rogue websites. Using the are collected from different sources (e.g., PhishTank, Yahoo database from Trend Micro web reputation technology, Pajares directory, etc.). Finally, leveraging the collected datasets and reports the number of phishing sites that use HTTPS following various validation strategies (e.g., cross validation), connections increased significantly in 2014 compared to 2010 the proposed scheme is evaluated based on multiple metrics (shown in Figure 4). Attackers become more cautious and (e.g., False Positive Rate, False Negative Rate, etc.). attentive when designing phishing websites to evade existing In the coming sections, following the life cycle of software- phishing detection methods. Some phishing groups are based phishing detection schemes, we present a comprehen- capable and desire to perform more advanced phishing attacks. sive study of the phishing detection research from 5 differ- Avalanche (commonly known as the Avalanche Gang) is a ent perspectives, namely, classification of phishing detection criminal syndicate involved in phishing attacks. In 2010, techniques, validation datasets, detection features, detection APWG reported that Avalanche was responsible for two-thirds techniques and detection criteria. of all phishing attacks in the second half of 2009, describing it as “one of the most sophisticated and damaging on the III. P HISHING DETECTION SCHEMES : TAXONOMY AND Internet” and “the world’s most prolific phishing gang”. It THE CORRESPONDING LITERATURE REVIEW has been discovered that Avalanche uses different techniques In phishing literature, software-based phishing detection to evade the anti-phishing mechanisms. schemes are usually categorized into heuristic and blacklist In addition, more and more sophisticated techniques are based schemes. Heuristic-based approaches examine being used to implement phishing attacks. For example, the contents of the web pages including: (1) surface level content pharming attack, a refined version of phishing attacks, is (e.g., the URL); (2) textual content (e.g., terms or words that designed to steal users’ credentials by redirecting them to appear on a given web page); (3) visual content (e.g., the fraudulent websites using DNS-based techniques ,. layout, and the block regions etc.). These methods can Many computer security experts predict that the use of pharm- detect phishing attacks as soon as they are launched but also ing attacks will continue to grow as more criminals embrace introduce relatively high false positive rates (F P R). Blacklist- these techniques. based approaches have a higher level of accuracy. However, 1553-877X (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/COMST.2017.2752087, IEEE Communications Surveys & Tutorials 6 toolbars typically come in the form of web browser extensions (i.e., default extensions or third party extensions) that warn Heuristic users about a suspicious phishing site after clicking on its Blacklist URL/Blacklist Features Data Sources URL. Publicly available anti-phishing toolbars are either embed- ded in the browser as default extensions (e.g., Microsoft SmartScreen Filter ) or can be downloaded from third Phishing/Legitimate party websites (e.g., Netcraft ). They both display security Feature Mining Approach Data Sources warnings on screen when certain actions are triggered in the browser. These security warnings can be classified into two types : Passive warnings: Passive warnings display various in- Machine Detection formation (e.g., user ratings, site suggestions, etc.) about Learning Evaluation Data Set Strategy Algorithm the website that is currently being visited but do not block the content of the website, as depicted in Figure 6. Active warnings: Active warnings display warning in- formation about the website a user is trying to visit and Evaluation Criteria block the content of the website, as depicted in Figure 7. Many studies have shown that the majority of web ser- Validation Strategy vice users ignore security warnings provided by anti-phishing toolbars. Furthermore, Egelman et. al. found that active warnings are much more effective than Fig. 5: Life Cycle of typical phishing detection schemes passive warnings (79% of participants paid attention to active warnings while only 13% participants paid attention to passive warnings). Table V summarizes the information gathered about they do not defend against zero-hour attacks. Com- the state-of-the-art anti-phishing toolbars. In the following binations of heuristic and blacklist based approaches provide paragraphs, we discuss the details of those toolbars: more robust and flexible defense against phishing attacks than Google Safe Browsering: It uses a browser to check either one on a standalone basis. URLs against Google’s constantly updated blacklist of unsafe In this paper, we classify phishing detection approaches as web resources (e.g., phishing websites) and provides either public phishing detection toolbars or academic phishing active warnings to the end users. According to Google Safe detection/classification schemes. Phishing detection toolbars Browsing’s website, for different platform and threat types, it use blacklists and/or selected heuristics to identify phishing examines pages against the safe browsing lists. It also issues websites. There is usually little information about what heuris- reminders before users access risky links. tics these toolbars use and how they are used. Academic McAfee SiteAdvisor: This is a web application that reports phishing detection solutions are similar to phishing detec- on the identity of websites by scanning them for potential mal- tion toolbars, but usually apply more complex technologies ware and spam. The detection result is decided according and are usually not available/feasible for public use. Most to a combination of heuristics and manual verification, such academic phishing classification schemes apply combinations as the age and country of the domain registration, the number of heuristics features into various data mining algorithms to of links to other known-good sites, third-party cookies, and enhance the classification accuracy. Table IV summarizes the user reviews. In addition, it provides passive warnings. differences between phishing detection toolbars and academic Netcraft Anti-Phishing Toolbar:Provides Internet security phishing detection/classification schemes. Note, the “scheme services including anti-fraud and anti-phishing services, ap- details” column in Table IV estimates the amount of publicly plication testing and PCI scanning. According to its available details about detection schemes, such as detection website, Netcraft’s toolbar screens and identifies the deceiving methodology, data mining algorithms, and datasets. contents in URLs. It also ensures that the navigational controls Furthermore, based on the heuristic/blacklist classification, (e.g., toolbar and address bar) are activated in order to prevent we further classify the academic phishing detection approaches pop-up windows (particularly for Firefox). In addition, it into more specific and fine-grained sub-categories, namely, shows the geographic information of the hosting location (1) heuristic: URL based methods; (2) heuristic: page content of the sites and analyzes fraudulent URLs (e.g., the real based methods; (3) heuristic: visual similarity based methods; citibank.com or barclays.co.uk sites have little possibility to (4) heuristic: other methods; (5) blacklist based methods; (6) be located in the former Soviet Union ). hybrid methods. Details about each category are introduced in SpoofGuard: A heuristics-based anti-phishing toolbar de- Section IV-B. veloped for Internet Explorer with passive warnings. The heuristics used include (1) Domain name check: examines A. Public phishing detection toolbars if the domain name for the attempted URL matches recent Many freely available anti-phishing toolbars offer detection entries; (2) URL Check: checks if the username, the port and blocking services against Internet phishing attacks. These number, as well as the domain name, are suspicious; (3) Email 1553-877X (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/COMST.2017.2752087, IEEE Communications Surveys & Tutorials 7 TABLE IV: SUMMARY OF DIFFERENCES BETWEEN PHISHING DETECTION TOOLBARS AND ACADEMIC PHISHING DETECTION/CLASSIFICATION SCHEMES Public usage Data Mining Exact Scheme Blacklist Goal availability Algorithms Heuristics Details Publicly available Yes Very little Very little Yes Little Detect and block phishing websites Phishing detection toolbars Academic phishing Very little Yes Yes Little Yes Detect or classify phishing websites detection/classification schemes TABLE V: INFORMATION ABOUT SELECTED STATE-OF-THE-ART ANTI-PHISHING TOOLBARS Technology Warning Type Platform Google Safe Browsing BlacklistHeuristics(Suspected) Active Internet Explorer, Firefox and Chrome McAfee SiteAdvisor Heuristics, Blacklist(Manual verification) Passive Internet Explorer, Firefox and Chrome Netcraft Anti-Phishing Toolbar BlacklistHeuristics Active Internet Explorer, Firefox and Chrome SpoofGuard Heuristics Passive Internet Explorer Microsoft SmartScreen Filter Blacklist Active Internet Explorer Blacklist(User ratings and manual verification), EarthLink Toolbar Passive Internet Explorer and Firefox Heuristics (Unknown) eBay Toolbar BlacklistHeuristics Passive Internet Explorer Blacklist Third-party reputation services and GeoTrust TrustWatch Toolbar Passive Internet Explorer certificate authorities WOT (Web of Trust) Blacklist(User ratings, Third-party information) Active Internet Explorer, Firefox and Chrome Check: determines whether the current URL directs to the more, it blocks the initial attempt when visiting potentially browser via email; (4) Password Field Check: determines if the unsafe websites and warns users in case of a risk in revealing input fields of type “password” are located in the document; information to the site. (5) Link Check: searches for risky links in the body of the Web of Trust (WOT): A browser extension that tells the document; (6) Image Check: analyzes the images of the new user which websites he can trust via active warnings. It site vs. the previous sites; (7) Password Tracking: prevents the ensues the user’s Internet safety from scams, malware, rogue user from typing the same username and password for multiple web stores and dangerous links based on community ratings sites. and reviews. Microsoft SmartScreen Filter: A blacklist-based phishing and malware filter implemented in several Microsoft browsers, B. Academic phishing detection/classification schemes including Internet Explorer and Microsoft Edge. When browsing the site, SmartScreen helps monitor and identify the Unlike the public anti-phishing toolbars, which aim at pro- possibility of visiting a suspicious page. If so, it issues an viding real-time warnings about the legitimacy of visited web- active warning before next step is taken, as well as soliciting sites, academic phishing detection and classification schemes feedback from users. SmartScreen also maintains a list of normally focus on improving the detection accuracy and reported phishing and software sites. It screens the list to check reducing the number of false alerts by employing sophisticated if a match is found. In that case, it issues a warning message technologies and various machine learning algorithms. Table while blocking the site for user’s safety. In addition, security VI shows the time-based (from 2005 to 2016) development checks are also performed when the user starts a download of 41 selected academic phishing detection/classification ap- from the site. Moreover, SmartScreen compares the download proaches. In order to choose the most representative studies, to a list of existing downloads by other users. A warning is in this paper, we comply with the following criteria based on issued if it’s a brand new download. state-of-the-art literature: EarthLink Toolbar: Helps to protect the user from on-line Pioneering: Research that introduces new ideas or meth- scams by displaying a security rating (i.e., passive warning) ods to the literature. for all the websites the user visited previously. Additionally, Attention: Research that receives more attentions in it alerts the user if he tries to access a previously known terms of the number of citations. fraudulent website. It appears to rely on a combination of Completeness: Research that presents their work follow- heuristics, user ratings, and manual verification. ing the entire life cycle of phishing detection in depth. eBay Toolbar: Helps the buyers and sellers with real time Based on the proposed criteria, all of the 41 selected alerts and keeps users safe from spoofing and fraudulent works are introduced in the following sections and twelve attacks by detecting fake sites via a combination of heuristics representative studies are chosen as examples to illustrate the and blacklists through passive warnings. detailed detection methodology in each category. They are GeoTrust TrustWatch Toolbar: Provides website veri- listed in Table VI and introduced below. fication service that alerts the users to potentially unsafe, Visual similarity based methods: Chen et. al. describe or phishing web sites based on the information of several a novel heuristic anti-phishing system that explicitly employs third-party reputation services and certificate authorities via gestalt and decision theory concepts to model perceptual passive warnings. TrustWatch notifies the users that the similarity. More specifically, they apply logistic regression website has passed the verification scan based on a list of algorithm to a set of normalized page content features. The disreputable sites. It would also recommend additional caution proposed scheme can achieve 100% true positive rate and when inputting sensitive information to the website. Further- 0.74% false positive rate. 1553-877X (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/COMST.2017.2752087, IEEE Communications Surveys & Tutorials 8 Fig. 6: Passive warnings from Netcraft anti-phishing toolbar. Reprinted from: http://toolbar.netcraft.com/. Fig. 7: Active warning from Google Safe Browsering. Reprinted from: https://googleblog.blogspot.com/2015/03/protecting-people-across-web-with.html. 1553-877X (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/COMST.2017.2752087, IEEE Communications Surveys & Tutorials 9 TABLE VI: TIME-LINE BASED DEVELOPMENT OF PHISHING DETECTION SCHEMES FROM 2005 TO 2016 Research Year Represented(Y/N) EMD based visual similarity for detection of phishing webpages 2005 Phishing web page detection 2005 Anomaly based web phishing page detection 2006 Detecting phishing web pages with visual similarity assessment based on earth mover’s distance (EMD) 2006 Y Cantina: a content-based approach to detecting phishing web sites 2007 Y A framework for detection and measurement of phishing attacks 2007 Y Anti-phishing based on automated individual white-list 2008 A phishing sites blacklist generator 2008 Visual similarity-based phishing detection 2008 B-apt: Bayesian anti-phishing toolbar 2008 Phishzoo: An automated web phishing detection approach based on profiling and fuzzy matching 2009 Fighting phishing with discriminative keypoint features 2009 Beyond blacklists: Learning to detect malicious web sites from suspicious URLs 2009 Y A hybrid phish detection approach by identity discovery and keywords retrieval 2009 Identifying suspicious URLs: An application of large-scale online learning 2009 Y Visual similarity-based phishing detection without victim site information 2009 Automatic detection of phishing target from phishing webpage 2010 Phishnet: predictive blacklisting to detect phishing attacks 2010 Y Large-scale automatic classification of phishing pages 2010 Y Lexical feature based phishing URL detection using online learning 2010 Detecting visually similar web pages: Application to phishing detection 2010 Intelligent phishing detection system for e-banking using fuzzy data mining 2010 Using domain top-page similarity feature in machine learning-based web phishing detection 2010 Textual and visual content based anti-phishing: A bayesian approach 2011 Cantina+: A feature-rich machine learning framework for detecting phishing web sites 2011 Y PhishDef: URL names say it all 2011 Design and evaluation of a real-time URL spam filtering service 2011 Y Antiphishing through phishing target discovery 2012 Using visual website similarity for phishing detection and reporting 2012 PhishAri: Automatic realtime phishing detection on twitter 2012 Phishing Website detection using latent Dirichlet allocation and AdaBoost 2012 Phishing detection plug-in toolbar using intelligent Fuzzy-classification mining techniques 2013 Phishstorm: Detecting phishing with streaming analytics 2014 An efficacious method for detecting phishing webpages through target domain identification 2014 Y An anti-phishing system employing diffused information 2014 Y Predicting phishing websites based on self-structuring neural network 2014 Examination of data, rule generation and detection of phishing URL using online logistic regression 2014 Feature extraction and classification phishing websites based on URL 2015 New rule-based phishing detection method 2016 Know Your Phish: Novel Techniques for Detecting Phishing Sites and their Targets 2016 Y PhishWHO: Phishing webpage detection via identity keywords extraction and target domain name finder 2016 The most representative work in this category is done by Fu et. al.. They propose an effective phishing website detection approach via visual similarity assessment based on dij = N Df eature (ϕi , ϕj ) = p ∗ N Dcolor (dci ; dcj ) Earth Mover’s Distance (EMD). The detection process +q ∗ N Dcentroid (Cdci ; Cdcj ) contains two phases, namely, generating signature of web pages and computing visual similarity score from EMD. where ϕi =< dci , Cdci >, dc =< dA; dR; dG; dB > is the The web page processing phase (i.e., generate the signature) color tuple, and Cdc is the centroid value. Suppose we have contains three steps: (1) obtain the image of a web page signature Ss,a and signature Ss,b , the EMD between Ss,a and from its URL using Graphic Device Interface (GDI) API; Ss,b can be calculated as: (2) perform image normalization (the normalized image size P fij ∗ dij is 100 x 100, and Lanczos algorithm is used to resize EM D{Ss,a , Ss,b } = P fij the image); (3) transform the web page image by a visual signature. The signature is comprised of the image color tuple where fij is the flow matrix calculated through linear program- using the [Alpha, Red, Green, and Blue] (ARGB) scheme and ming. Note that if EMD=0, the two images are identical, the centroid of its position in the image. if EMD=1, they are completely different. The second step is to compute the EMD between the visual Finally, the EMD-based visual similarity of two images is similarity signatures of the two web pages (legitimate site and defined as: phishing site). Firstly, the normalized Euclidean distance of V S{Ss,a , Ss,b } = 1 − [EM D{Ss,a , Ss,b }]α the degraded ARGB colors and the centroids are computed. Then the two distances are added up with their corresponding where α ∈ (0, +∞) is an amplification factor that limits the weights (i.e., p and q, p + q = 1). The normalized feature skewness of the visual similarity for the distributed in the (0,1) distance between ϕi and ϕj is defined as: range. 1553-877X (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/COMST.2017.2752087, IEEE Communications Surveys & Tutorials 10 Large-scale experiments with 10,281 suspected web pages learning techniques to detect phishing. It has been shown to are carried out and the proposed scheme achieves 0.71% false achieve 0.4% false positive rate and over 92% true positive positive rate and 89% true positive rate. rate. Similar works based on visual similarly include Similar works based on page content include.. Page content based methods: Zhang et. al. propose URL based methods: Garera et. al. claim that it is of- CANTINA, a novel content-based approach for detecting ten possible to tell whether or not a URL belongs to a phishing phishing web sites based on the Term Frequency/Inverse attack without requiring any knowledge of the corresponding Document Frequency (TF-IDF) information retrieval metric. page data. By applying several selected features (i.e., page In addition, using some heuristics, the false positive rate is rank, domain name white list and URL based features) into reduced. Generally, CANTINA works as follows: logistic regression learning algorithm, the proposed scheme is 1) CANTINA calculates the TF-IDF scores of each term efficient and has a high accuracy. of the content in the given website. The most representative work in this category is done by 2) CANTINA generates a lexical signature by taking the Ma et. al.. They propose a phishing detection approach five terms with highest TF-IDF weights. to automatically classify URLs based on different data mining 3) CANTINA sends the lexical signature to a search engine algorithms across both lexical and host based URL features. (i.e., in their case, Google Search). The lexical features selected in this method include the 4) If the domain name of the current website matches the length of the hostname, the length of the entire URL, as well as domain name of the top N search results, it is considered the number of dots in the URL. In addition, the authors create to be a legitimate website. Otherwise, it is concluded to a binary feature for each token in the hostname (delimited by be a phishing site. Note that, the value of N affects the “.”) and in the path URL (strings delimited by “/”, “?’, “.”, “=”, false positives. “-” and “ ”). The host-based features contain: (1) IP address CANTINA with TF-IDF alone results in a relatively high false properties (e.g., is the IP address in a blacklist?); (2) WHOIS positive rate. Therefore, several heuristics are used to reduce properties (e.g., the date of registration, update, and expira- the false positive rate, including: tion); (3) Domain name properties (e.g., the time-to-live (TTL) value for the DNS records associated with the hostname); (4) Age of Domain: it examines the age of the domain name. Geographic properties (e.g., the continent/country/city that the If the page has been registered for more than 12 months, IP address belongs to). the heuristic returns +1 (i.e., legitimate), otherwise it All the features of the URL are encoded into high dimen- returns -1 (phishing). sional feature vectors and then different types of classifiers are Known Images: it examines whether a page contains applied to them. Here are some examples of the classifiers: inconsistent well-known logos. Naive Bayes: Let x denote the feature vectors and y ∈ Suspicious URL: it examines if the URL contains an “@” {0, 1} denote the label of the website, with y = 1 for or a “-” in the domain name. malicious and y = 0 for legitimate ones. P (x|y) denotes Suspicious Links: for each link in the webpage, it per- the conditional probability of the feature vector given forms the above three URL checks. its label. Then, assuming that malicious and legitimate IP Address: it examines if the URL contains an IP websites are equally probable, the posterior probability address. that the feature vector x belongs to a malicious URL is Dots in URL: it examines the number of dots in the URL. computed as: Forms: it examines if a web page contains any HTML text entry form requesting sensitive personal data (e.g., P (x|y = 1) P (y = 1|x) = password). P (x|y = 1) + P (x|y = 0) In addition, CANTINA uses a simple forward linear model Finally, the right hand side of the equation is thresholded to make the decision: to predict the binary label of the feature vector x. X Support Vector Machine (SVM): The decision using S = f( wi ∗ hi ) SVMs is expressed in terms of a kernel function K(x, x0 ) where hi is the result of each heuristic, wi is the weight of that computes the similarity between two feature vectors each heuristic, and f is a simple threshold function. and non-negative coefficients αi that indicate which train- ing examples lie close to the decision boundary. SVMs f (x) = 1 if x > 0, f (x) = −1 if x 99% False Positive Rate 0.71% 1% 0.7% 0.1% 3%

Use Quizgecko on...
Browser
Browser