{"title":"Beyond the lock icon: real-time detection of phishing websites using public key certificates","authors":"Zheng Dong, Apu Kapadia, J. Blythe, L. Camp","doi":"10.1109/ECRIME.2015.7120795","DOIUrl":null,"url":null,"abstract":"We propose a machine-learning approach to detect phishing websites using features from their X.509 public key certificates. We show that its efficacy extends beyond HTTPS-enabled sites. Our solution enables immediate local identification of phishing sites. As such, this serves as an important complement to the existing server-based anti-phishing mechanisms which predominately use blacklists. Blacklisting suffers from several inherent drawbacks in terms of correctness, timeliness, and completeness. Due to the potentially significant lag prior to site blacklisting, there is a window of opportunity for attackers. Other local client-side phishing detection approaches also exist, but primarily rely on page content or URLs, which are arguably easier to manipulate by attackers. We illustrate that our certificate-based approach greatly increases the difficulty of masquerading undetected for phishers, with single millisecond delays for users. 
We further show that this approach works not only against HTTPS-enabled phishing attacks, but also detects HTTP phishing attacks with port 443 enabled.","PeriodicalId":127631,"journal":{"name":"2015 APWG Symposium on Electronic Crime Research (eCrime)","volume":"20 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2015-05-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"50","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2015 APWG Symposium on Electronic Crime Research (eCrime)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ECRIME.2015.7120795","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 50
Abstract
We propose a machine-learning approach to detect phishing websites using features from their X.509 public key certificates. We show that its efficacy extends beyond HTTPS-enabled sites. Our solution enables immediate local identification of phishing sites. As such, this serves as an important complement to the existing server-based anti-phishing mechanisms which predominately use blacklists. Blacklisting suffers from several inherent drawbacks in terms of correctness, timeliness, and completeness. Due to the potentially significant lag prior to site blacklisting, there is a window of opportunity for attackers. Other local client-side phishing detection approaches also exist, but primarily rely on page content or URLs, which are arguably easier to manipulate by attackers. We illustrate that our certificate-based approach greatly increases the difficulty of masquerading undetected for phishers, with single millisecond delays for users. We further show that this approach works not only against HTTPS-enabled phishing attacks, but also detects HTTP phishing attacks with port 443 enabled.