Presentation is loading. Please wait.

Presentation is loading. Please wait.

Report : 鄭志欣 Advisor: Hsing-Kuo Pao 1 Learning to Detect Phishing Emails I. Fette, N. Sadeh, and A. Tomasic. Learning to detect phishing emails. In Proceedings.

Published byScott Nicholson Modified over 9 years ago

Similar presentations

Presentation on theme: "Report : 鄭志欣 Advisor: Hsing-Kuo Pao 1 Learning to Detect Phishing Emails I. Fette, N. Sadeh, and A. Tomasic. Learning to detect phishing emails. In Proceedings."— Presentation transcript:

1 Report : 鄭志欣 Advisor: Hsing-Kuo Pao 1 Learning to Detect Phishing Emails I. Fette, N. Sadeh, and A. Tomasic. Learning to detect phishing emails. In Proceedings of the International World Wide Web Conference (WWW), pages 649–656, 2007.

2 Outline 2 Introduction Method Empirical evaluation Conclusion

3 Introduction 3 Phishing (Spoofed websites) Stealing account information Logon credentials Identity information Phishing Problem – Hard

4 Method 4 PILFER – A Machine Learning based approach to classification. phishing emails / ham (good) emails Feature Set Features as used in email classification

5 5 IP-based URLs: http://192.168.0.1/paypal.cgi?fix_account Phishing attacks are hosted off of compromised PCs. This feature is binary.

6 6 Age of linked-to domain names Legitimate-sounding domain name Palypal.com paypal-update.com These domains often have a limited life WHOIS query date is within 60 days of the date the email was sent – “fresh” domain. This is a binary feature

7 7 Nonmatching URLs This is a case of a link that says paypal.com but actually links to badsite.com. Such a link looks like paypal.com. This is a binary feature.

8 8 “Here” links to non-modal domain “Click here to restore your account access” Link with the text “link”, “click”, or “here” that links to a domain other than this “modal domain” This is a binary feature.

9 9 HTML emails Emails are sent as either plain text, HTML, or a combination of the two - multipart/alternative format. To launch an attack without using HTML is difficult. This is a binary feature.

10 10 Number of links The number of links present in an email. in HTML tag This is a continuous feature.

11 11 Number of domains Simply take the domain names previously extracted from all of the links, and simply count the number of distinct domains. Look at the “main” part of a domain https://www.cs.university.edu/ http://www.company.co.jp/ This is a continuous feature.

12 12 Number of dots Subdomains like http://www.my-bank.update.data.com. Redirection script, such as http://www.google.com/url?q=http://www.badsite.com This feature is simply the maximum number of dots (`.') contained in any of the links present in the email, and is a continuous feature.

13 13 Contains javascript Attackers can use JavaScript to hide information from the user, and potentially launch sophisticated attacks. An email is flagged with the “contains javascript” feature if the string “javascript” appears in the email, regardless of whether it is actually in a or tag This is a binary feature.

14 14 Spam-filter output This is a binary feature, using the trained version of SpamAssassin with the default rule weights and threshold. “Ham” or “Spam” This is a Binary feature.

15 Empirical Evaluation 15 Machine-Learning Implementation Testing Spam Assassin Datasets Additional Challenges False Positives vs. False Negatives

16 16 Machine-Learning Implementation-PILFER First, run a set of scripts to extract all the features listed. Second, we train and test a classifier using 10-fold cross validation. Random Forest (classifier) Random forests create a number of decision trees and each decision tree is made by randomly choosing an attribute to split on at each level, and then pruning the tree.

17 17 we use a random forest as a classifier.

18 18 Testing SpamAssassin SpamAssassin is a widely-deployed freely-available spam filter that is highly accurate in classifying spam emails. We classify the exact same dataset using SpamAssassin version 3.1.0, using the default thresholds and rules. Using “Untrain” SpamAssassin “Training” on 10-fold

19 19 Datasets Two publicly available datasets. ham corpora from the SpamAssassin project 6950 non-phishing non-spam emails Phishingcorpus approximately 860 email messages

20 20 Additional Challenges The age of the dataset. Phishing websites are short-lived. Some of our features can therefore not be extracted from older emails, making our tests difficult. EX: Domain linked to

21 Result 21

22 22

23 Conclusion 23 it is possible to detect phishing emails with high accuracy by using a specialized filter, using features that are more directly applicable to phishing emails than those employed by general purpose spam filters.

24 Reference 24 I. Fette, N. Sadeh, and A. Tomasic. Learning to detect phishing emails. In Proceedings of the International World Wide Web Conference (WWW), pages 649–656, 2007. www.ics.uci.edu/.../Learning%20to%20Detect%2 0Phishing%20Emails.pptx www.ics.uci.edu/.../Learning%20to%20Detect%2 0Phishing%20Emails.pptx http://armorize- cht.blogspot.com/2010/01/phishing-mail.html http://armorize- cht.blogspot.com/2010/01/phishing-mail.html

25 25

Download ppt "Report : 鄭志欣 Advisor: Hsing-Kuo Pao 1 Learning to Detect Phishing Emails I. Fette, N. Sadeh, and A. Tomasic. Learning to detect phishing emails. In Proceedings."

Similar presentations

On the Optimality of Probability Estimation by Random Decision Trees Wei Fan IBM T.J.Watson.

On the Optimality of Probability Estimation by Random Decision Trees Wei Fan IBM T.J.Watson.
Reporter: Jing Chiu Advisor: Yuh-Jye Lee 2015/7/181Data Mining & Machine Learning Lab.

Reporter: Jing Chiu Advisor: Yuh-Jye Lee /7/181Data Mining & Machine Learning Lab.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
Learning to Detect Phishing s

Learning to Detect Phishing s
What is Spam  Any unwanted messages that are sent to many users at once.  Spam can be sent via email, text message, online chat, blogs or various other.

What is Spam  Any unwanted messages that are sent to many users at once.  Spam can be sent via , text message, online chat, blogs or various other.
All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2010/12/06 1.

All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2010/12/06 1.
1 CANTINA : A Content-Based Approach to Detecting Phishing Web Sites WWW 2007 2008.09.09 Yue Zhang, Jason Hong, and Lorrie Cranor.

1 CANTINA : A Content-Based Approach to Detecting Phishing Web Sites WWW Yue Zhang, Jason Hong, and Lorrie Cranor.
Design and Evaluation of a Real-Time URL Spam Filtering Service

Design and Evaluation of a Real-Time URL Spam Filtering Service
Privacy Wizards for Social Networking Sites Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2011/01/17 1.

Privacy Wizards for Social Networking Sites Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2011/01/17 1.
Design and Evaluation of a Real- Time URL Spam Filtering Service Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson, Dawn Song University of California,

Design and Evaluation of a Real- Time URL Spam Filtering Service Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson, Dawn Song University of California,
Decision Tree Algorithm

Decision Tree Algorithm
Deep Belief Networks for Spam Filtering

Deep Belief Networks for Spam Filtering
Document Classification Comparison Evangel Sarwar, Josh Woolever, Rebecca Zimmerman.

Document Classification Comparison Evangel Sarwar, Josh Woolever, Rebecca Zimmerman.
Goal: Goal: Learn to automatically  File e-mails into folders  Filter spam e-mailMotivation  Information overload - we are spending more and more time.

Goal: Goal: Learn to automatically  File s into folders  Filter spam Motivation  Information overload - we are spending more and more time.
Rotation Forest: A New Classifier Ensemble Method 交通大學 電子所 蕭晴駿 2007.3.7 Juan J. Rodríguez and Ludmila I. Kuncheva.

Rotation Forest: A New Classifier Ensemble Method 交通大學 電子所 蕭晴駿 Juan J. Rodríguez and Ludmila I. Kuncheva.
Prophiler: A fast filter for the large-scale detection of malicious web pages Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2011/03/31 1.

Prophiler: A fast filter for the large-scale detection of malicious web pages Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2011/03/31 1.
COMPUTER TERMS PART 1. COOKIE A cookie is a small amount of data generated by a website and saved by your web browser. Its purpose is to remember information.

COMPUTER TERMS PART 1. COOKIE A cookie is a small amount of data generated by a website and saved by your web browser. Its purpose is to remember information.
Web Spam Detection: link-based and content-based techniques Reporter : 鄭志欣 Advisor : Hsing-Kuo Pao 2010/11/8 1.

Web Spam Detection: link-based and content-based techniques Reporter : 鄭志欣 Advisor : Hsing-Kuo Pao 2010/11/8 1.
WARNINGBIRD: A Near Real-time Detection System for Suspicious URLs in Twitter Stream.

WARNINGBIRD: A Near Real-time Detection System for Suspicious URLs in Twitter Stream.
PhishScore: Hacking Phishers’ Minds

PhishScore: Hacking Phishers’ Minds

Similar presentations

Ads by Google