Pelican: Continual Adaptation for Phishing Detection

Abstract

An increasing number of people are using social media services and with it comes a more attractive outlet for phishing attacks. Our initial focus is to analyze Twitter as it is one of the most popular social media services. Phishers on Twitter curate tweets that lead users to websites that download malware. This is a major issue as phishers can then gain access to the user's digital identity and perform malicious acts. Phishing attacks have the potential to be similar in different regions, perhaps at different times. We have developed a novel semi-supervised machine learning algorithm, which we call Pelican, that detects potential phishing attacks in real-time on Twitter. Pelican can be used for early detection of potential phishing attacks and is able to detect potential new attacks without pre-existing assumptions about the type of data or understanding of the characteristics of the attacks. The technique uses ensembles and sampling methods to handle class imbalances in real-world applications. The technique continuously detects unusual behaviour or changes in Twitter. We have investigated changes in trends across Twitter to detect changes in online behaviour of potential phishing links. The technique uses a change detector that enables automatic retraining when there is unusual behaviour detected. Pelican is a novel technique that adapts to changes within phishing attacks in real-time. The technique detects 93.94% of the phishing tweets in real-world data that we collected over a 9 month period, which is higher than benchmark algorithms.