Lexical Feature Based Phishing URL Detection Using Online Learning
Reporter: Jing Chiu
Advisor: Yuh-Jye Lee
Email: D9815013@mail.ntust.edu.tw
Data Mining and Machine Learning Lab.

Paper Information
• Authors:
  • Aaron Blum (University of Alabama, Birmingham)
  • Brad Wardman (University of Alabama, Birmingham)
  • Thamar Solorio (University of Alabama, Birmingham)
• Source:
  • ACM Artificial Intelligence Security Workshop 3rd, 2010

Outline
• Introduction
• Related Work
• Approach
• Data
• Evaluation
• Conclusion

Introduction
• Phishing
  • A cybercrime carried out through spammed emails and fraudulent websites
  • Entices victims to provide sensitive information
  • The information is used to steal identities or gain access to money
• Characteristics
  • Highly dynamic environment
  • Models need to be updated frequently
• New ideas
  • Combine online learning with a content-inspection-based approach
  • Model trained largely on lexical features only (without host-based features)
  • Provide results showing that URL-inspection-based detection performs as well as content-inspection-based detection

Related Work
• Content-based phishing URL detection
  • Uses the similarity between content files to detect phishing websites
• Purely URL-based malicious URL detection
  • Uses host information and URL lexical features with online learning algorithms
• PhishNet
  • Extends the usability of blacklists
• Domain blacklisting
  • Expands the blacklist using DNS zone file data and WHOIS information

Approach
• Feature extraction
  • Delimiters: “/”, “?”, “.”, “=” and “_”
  • Bigram combination
  • Lexical feature groups
• Learning algorithm
  • Confidence-Weighted (CW) algorithm
  • Updates the model with different weights according to the features’ occurrence

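The feature extraction and learning steps on this slide, as an added Python example that is not code from the paper or the slides. Assumptions: the URL scheme is dropped before splitting, "bigram combination" means adjacent-token pairs, the learner is the variance form of the confidence-weighted update with a diagonal covariance, `PHI` and the initial variance of 1 are chosen values, and the URLs in `FEED` are constructed.

```python
import math, re

DELIMS = re.compile(r"[/?.=_]")  # the five delimiters listed on the slide
PHI = 1.2816  # Phi^-1(0.90); the confidence level is an assumed value

def features(url):
    """Binary lexical features: delimiter-split tokens plus adjacent bigrams."""
    url = re.sub(r"^[a-z]+://", "", url.lower())  # assumption: drop the scheme
    toks = [t for t in DELIMS.split(url) if t]
    return set(toks) | {a + "|" + b for a, b in zip(toks, toks[1:])}

class DiagonalCW:  # per-feature mean (mu) and variance (sigma)
    def __init__(self):
        self.mu, self.sigma = {}, {}  # unseen feature: mean 0, variance 1

    def margin(self, feats):
        return sum(self.mu.get(f, 0.0) for f in feats)
    def predict(self, url):
        return 1 if self.margin(features(url)) > 0 else -1

    def update(self, url, y):  # y = +1 phishing, -1 benign
        feats = features(url)
        if not feats:
            return  # nothing to learn from an empty URL
        m = y * self.margin(feats)
        v = sum(self.sigma.get(f, 1.0) for f in feats)
        b = 1 + 2 * PHI * m
        gamma = (-b + math.sqrt(b * b - 8 * PHI * (m - PHI * v))) / (4 * PHI * v)
        alpha = max(gamma, 0.0)  # no update when already confidently correct
        for f in feats:
            s = self.sigma.get(f, 1.0)
            self.mu[f] = self.mu.get(f, 0.0) + alpha * y * s
            self.sigma[f] = 1.0 / (1.0 / s + 2 * alpha * PHI)

def run_online(model, stream):
    """Predict each URL before learning from it; return (false_pos, false_neg)."""
    fp = fn = 0
    for url, y in stream:
        guess = model.predict(url)
        fp += int(guess == 1 and y == -1)
        fn += int(guess == -1 and y == 1)
        model.update(url, y)
    return fp, fn

# Constructed sample feed on reserved example domains, not data from the paper.
FEED = [("http://bank.example.test/login_verify/account.php?id=1", 1),
        ("http://www.example.org/news/index.html", -1),
        ("http://secure.example.test/login_verify/update.php?id=7", 1),
        ("http://www.example.org/sports/index.html", -1)]
```

Running `run_online(DiagonalCW(), FEED)` misclassifies the first two URLs (an empty model, then the shared token `example`) and gets the next two right, which is the cold-start behaviour a predict-then-update evaluation exposes.
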
Approach (cont.)
• MD5 Matching
  • Uses files’ MD5 checksums to check file similarity
  • Easy to evade (by varying the content)
  • Examples
• Deep MD5 Matching
  • Download all the associated content files
  • Compare the similarity between two websites’ content files using the Kulczynski 2 coefficient

Data
• Data Source
  • UAB Phishing Data Mine
    • Two and a half years of collection time
    • Benigns may look “phishy” (e.g.)
    • 9,506 unique domains
    • 25,203 URLs (6,114 malicious)
  • Cyveillance
    • 18,990 unique domains
    • 34,234 URLs (all malicious)
  • All feeds are fully de-duplicated
• Datasets
  • UAB Feeds
  • Cyveillance full
  • Cyveillance abridged
  • Mixed

Data (cont.)
• Percentage of total URLs vs. Individual Domains

Evaluation
• Experiment setting
  • Training and testing were conducted on daily batches
  • Training was initially conducted on UAB data
  • The model is updated by a daily URL blacklist/whitelist feed
  • False positive and false negative error rates were computed for every prediction

Conclusion
• Lexical-feature-based learning with the CW algorithm provides robust performance
• High-quality, diverse training data can achieve an accuracy higher than 97%
• For the proposed system
  • Training data could be collected from any blacklists
  • Easy to implement, with robust performance

Thanks for your attention
• Q&A?

Lexical Feature Group

URLs including the recipient’s email

Data in UAB Phishing Data Mine