Presentation is loading. Please wait.

Presentation is loading. Please wait.

CANTINA: A Content-Based Approach to Detecting Phishing Web Sites Yue Zhang University of Pittsburgh Jason I. Hong, Lorrie F. Cranor Carnegie Mellon University.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "CANTINA: A Content-Based Approach to Detecting Phishing Web Sites Yue Zhang University of Pittsburgh Jason I. Hong, Lorrie F. Cranor Carnegie Mellon University."— Presentation transcript:

1 CANTINA: A Content-Based Approach to Detecting Phishing Web Sites Yue Zhang University of Pittsburgh Jason I. Hong, Lorrie F. Cranor Carnegie Mellon University

2 Phishing email Subject: eBay: Urgent Notification From Billing Department We regret to inform you that your eBay account could be suspended if you don’t update your account information.

3 Phishing is a Plague on the Internet Estimated 3.5 million people have fallen for phishing Estimated to cost $1-2.8 billion a year (and growing) 9255 unique phishing sites reported in June 2006 Easier (and safer) to phish than rob a bank

4 Strategies to Counter Phishing Make it invisible –Taking down phishing web pages –Filtering out phishing email –Detecting phishing web pages (SpoofGuard, etc) Provide better user interfaces –Extended certificate verification –Anti-phishing toolbars (SpoofGuard, eBay, Netcraft, etc) Train the users –Embedded training (Kumaguru et al, CHI 2007) –Games (Sheng et al, SOUPS 2007)

5 Two Ways of Detecting Phishing Pages Human-verified Blacklists –No false positives, easy to implement, robust to new attacks –But tedious, slow to update, and not comprehensive –Only one toolbar found more than 60% phishing sites (Egelman et al, NDSS 2007) Heuristics –Fast to find new phishing sites (zero-day) –But false positives, may be fragile to new attacks –Not much work in this area –Our work contributes to the understanding of heuristics

6 Our Solution: CANTINA CANTINA uses a simple content-based approach –Examines content of a web page and creates a “fingerprint” –Sends that fingerprint as a query to a search engine –Sees if the web page in question is in the top search results If so, then we label it legitimate Otherwise, we label it phishing Nice properties: –Fast –Scales well –No maintenance by us (done by search engines) –Highly accurate

7 Talk Overview Problem Statement and Overview Using Robust Hyperlinks for Fingerprinting CANTINA Iteration #1 CANTINA Iteration #2 Conclusions

8 How Robust Hyperlinks Work Developed by Phelps and Wilensky to solve “404 not found” problem (D-Lib Magazine 2000) Add lexical signature to URLs –If link doesn’t work, then feed signature to search engine –Ex. http://abc.com/page.html?sig=“word1+word2+...+word5”http://abc.com/page.html?sig=“word1+word2+...+word5 How to generate useful signatures? –Term Frequency / Inverse Document Frequency (TF-IDF) –Their informal evaluation found using top five words as scored by TF-IDF was surprisingly effective

9 Adapting TF-IDF for Anti-Phishing Can same basic approach be used for anti-phishing? 1.Scammers often directly copy legitimate web pages or include keywords like name of legitimate organization Fake

10 Adapting TF-IDF for Anti-Phishing Can same basic approach be used for anti-phishing? 1.Scammers often directly copy legitimate web pages or include keywords like name of legitimate organization Real

11 Adapting TF-IDF for Anti-Phishing Can same basic approach be used for anti-phishing? 1.Scammers often directly copy legitimate web pages or include keywords like name of legitimate organization 2.With Google, phishing site should have low page rank APWG states that phishing sites alive 4.5 days Few sites link to phishing sites Hence, phishing sites unlikely to be in top search results Hypothesis: –CANTINA will be able to discriminate between legitimate and phishing sites quite well

12 How CANTINA Works (Iteration #1) Given a web page, calculate TF-IDF score for each word in that page Take five words with highest TF-IDF weights Feed these five words into a search engine (Google) If domain name of current web page is in top N search results, we consider it legitimate –N=30 worked well –No improvement by increasing N

13 Fake eBay, user, sign, help, forgot

14 Real eBay, user, sign, help, forgot

15

16

17 Evaluating Effectiveness of CANTINA In past work, built testbed to evaluate toolbars –Manual testing tedious and required too much pizza –See Egelman et al (NDSS 2007)

18 Evaluating CANTINA (Iteration #1) 100 phishing URLs from PhishTank.com –We used unverified URLs, manually verified them ourselves 100 legitimate URLs from another study on phishing –From 3Sharp, popular web sites, banks, etc Four conditions –Basic TF-IDF –Basic TF-IDF + domain name (ebay.com -> “ebay”) –Basic TF-IDF + ZMP (zero results means phishing) –Basic TF-IDF + domain name + ZMP

19 Evaluating CANTINA (Iteration #1) Good results False positives a little high Let’s call this Final TF-IDF

20 Talk Overview Problem Statement and Overview How Robust Hyperlinks Work CANTINA Iteration #1 CANTINA Iteration #2 Conclusions

21 How CANTINA Works (Iteration #2) Wanted to reduce false positives Added several heuristics from SpoofGuard and PILFER (see next talk) –Age of domain –Known images (logos) –Page is at suspicious URL (has @ or -) –Page contains suspicious links (see above) –IP Address in URL –Dots in URL (>= 5 dots) –Page contains text entry fields –TF-IDF

22 How CANTINA Works (Iteration #2) Used simple forward linear model to weight these –The more effective a heuristic, the larger the weight –Used 100 phishing URLs, 100 legitimate to find weights

23 Evaluating CANTINA (Iteration #2) Compared CANTINA to SpoofGuard and NetCraft –SpoofGuard uses all heuristics –NetCraft 1.7.0 uses heuristics (?) and extensive blacklist 100 phishing URLs from PhishTank.com 100 legitimate URLs –35 sites often attacked (citibank, paypal) –35 top pages from Alexa (most popular sites) –30 random web pages from random.yahoo.com

24 Evaluating CANTINA (Iteration #2)

25 Discussion of Evaluation Good results again for CANTINA (iteration #2) –97% with 6% false positive, 89% with 1% false positive –1% false positive due to JavaScript phishing site CANTINA close to Netcraft (human-verified) Conducted another evaluation on URLs gathered from email –Versus those from a phishing feed –CANTINA still pretty good, see paper for details

26 Discussion of CANTINA Overall Limitations –Does not work well for non-English web sites (TF-IDF) –System performance (querying Google each time) Early results from our latest work => low latency crucial CANTINA may be better for backend work than browser Attacks by criminals –Using images instead of words But has to look legitimate (no CAPTCHAs) –Invisible text –But phishing page still has to be in top search results Circumventing TF-IDF and PageRank (hard in practice?)

27 Conclusions CANTINA uses TF-IDF + search engines + heuristics to find phishing web sites –~97% true positives with 6% false positives –~89% true positives with 1% false positives Shifts problem of identifying phishing sites to a search engine problem Part of Carnegie Mellon’s effort to fight phishing –Better algorithms –Better user interfaces –Better training –See http://cups.cs.cmu.edu for more infohttp://cups.cs.cmu.edu

28 Acknowledgments NSF, ARO, CyLab Tom Phelps Related Conferences –SOUPS (July 18-20 in Pittsburgh) –APWG e-Crime summit (Oct 4-5 in Pittsburgh)

29 Other Work by Our Research Group Algorithms –PILFER –CANTINA –Automated evaluation of toolbars (NDSS 2007) User Interfaces Training people not to fall for Phish –Embedded training system (CHI 2007) –Anti-phishing Phil game (SOUPS 2007)

Download ppt "CANTINA: A Content-Based Approach to Detecting Phishing Web Sites Yue Zhang University of Pittsburgh Jason I. Hong, Lorrie F. Cranor Carnegie Mellon University."

Similar presentations

PhishZoo: Detecting Phishing Websites By Looking at Them

PhishZoo: Detecting Phishing Websites By Looking at Them
Crawling, Ranking and Indexing. Organizing the Web The Web is big. Really big. –Over 3 billion pages, just in the indexable Web The Web is dynamic Problems:

Crawling, Ranking and Indexing. Organizing the Web The Web is big. Really big. –Over 3 billion pages, just in the indexable Web The Web is dynamic Problems:
Query Chains: Learning to Rank from Implicit Feedback Paper Authors: Filip Radlinski Thorsten Joachims Presented By: Steven Carr.

Query Chains: Learning to Rank from Implicit Feedback Paper Authors: Filip Radlinski Thorsten Joachims Presented By: Steven Carr.
1 CANTINA : A Content-Based Approach to Detecting Phishing Web Sites WWW 2007 2008.09.09 Yue Zhang, Jason Hong, and Lorrie Cranor.

1 CANTINA : A Content-Based Approach to Detecting Phishing Web Sites WWW Yue Zhang, Jason Hong, and Lorrie Cranor.
CSCD 303 Essential Computer Security Winter 2014 Lecture 3 - Social Engineering1 Phishing Reading: See links at end of lecture.

CSCD 303 Essential Computer Security Winter 2014 Lecture 3 - Social Engineering1 Phishing Reading: See links at end of lecture.
C MU U sable P rivacy and S ecurity Laboratory Anti-Phishing Phil The Design and Evaluation of a Game That Teaches People Not to.

C MU U sable P rivacy and S ecurity Laboratory Anti-Phishing Phil The Design and Evaluation of a Game That Teaches People Not to.
Design and Evaluation of a Real-Time URL Spam Filtering Service

Design and Evaluation of a Real-Time URL Spam Filtering Service
PHAD- A Phishing Avoidance and Detection Tool Using Invisible Digital Watermarking By Sonali Batra Web 2.0 Security and Privacy 2014.

PHAD- A Phishing Avoidance and Detection Tool Using Invisible Digital Watermarking By Sonali Batra Web 2.0 Security and Privacy 2014.
Design and Evaluation of a Real- Time URL Spam Filtering Service Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson, Dawn Song University of California,

Design and Evaluation of a Real- Time URL Spam Filtering Service Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson, Dawn Song University of California,
“ The Anatomy of a Large-Scale Hypertextual Web Search Engine ” Presented by Ahmed Khaled Al-Shantout ICS 542 - 072.

“ The Anatomy of a Large-Scale Hypertextual Web Search Engine ” Presented by Ahmed Khaled Al-Shantout ICS
User Interfaces and Algorithms for Fighting Phishing Jason I. Hong Carnegie Mellon University.

User Interfaces and Algorithms for Fighting Phishing Jason I. Hong Carnegie Mellon University.
Jason Hong, PhD Carnegie Mellon University Wombat Security Technologies Teaching Johnny Not to Fall for Phish.

Jason Hong, PhD Carnegie Mellon University Wombat Security Technologies Teaching Johnny Not to Fall for Phish.
The PageRank Citation Ranking “Bringing Order to the Web”

The PageRank Citation Ranking “Bringing Order to the Web”
User Interfaces and Algorithms for Fighting Phishing Jason I. Hong Carnegie Mellon University.

User Interfaces and Algorithms for Fighting Phishing Jason I. Hong Carnegie Mellon University.
CMU Usable Privacy and Security Laboratory A Brief History of Semantic Attacks or How Not to Get Screwed Online Serge Egelman.

CMU Usable Privacy and Security Laboratory A Brief History of Semantic Attacks or How Not to Get Screwed Online Serge Egelman.
Usable Privacy and Security: Protecting People from Online Phishing Scams Alessandro Acquisti Lorrie Cranor Julie Downs Jason Hong Norman Sadeh Carnegie.

Usable Privacy and Security: Protecting People from Online Phishing Scams Alessandro Acquisti Lorrie Cranor Julie Downs Jason Hong Norman Sadeh Carnegie.
User Interfaces and Algorithms for Fighting Phishing Jason I. Hong Carnegie Mellon University.

User Interfaces and Algorithms for Fighting Phishing Jason I. Hong Carnegie Mellon University.
User Interfaces and Algorithms for Fighting Phishing Jason I. Hong Carnegie Mellon University.

User Interfaces and Algorithms for Fighting Phishing Jason I. Hong Carnegie Mellon University.
Usable Privacy and Security Jason I. Hong Carnegie Mellon University.

Usable Privacy and Security Jason I. Hong Carnegie Mellon University.
Verma - ICISS 2014 R easoning M ining NLP Defense Rakesh M. Verma ReMiND Laboratory Catching Classical and Hijack-based Phishing Attacks.

Verma - ICISS 2014 R easoning M ining NLP Defense Rakesh M. Verma ReMiND Laboratory Catching Classical and Hijack-based Phishing Attacks.

Similar presentations

Ads by Google