Phishing URL Detection: A Network-based Approach Robust to Evasion

Taeri Kim; Noseong Park; Jiwon Hong; Sang Wook Kim

doi:10.1145/3548606.3560615

Phishing URL Detection: A Network-based Approach Robust to Evasion

Taeri Kim, Noseong Park, Jiwon Hong, Sang Wook Kim

Graduate School

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Many cyberattacks start with disseminating phishing URLs. When clicking these phishing URLs, the victim's private information is leaked to the attacker. There have been proposed several machine learning methods to detect phishing URLs. However, it still remains under-explored to detect phishing URLs with evasion, i.e., phishing URLs that pretend to be benign by manipulating patterns. In many cases, the attacker i) reuses prepared phishing web pages because making a completely brand-new set costs non-trivial expenses, ii) prefers hosting companies that do not require private information and are cheaper than others, iii) prefers shared hosting for cost efficiency, and iv) sometimes uses benign domains, IP addresses, and URL string patterns to evade existing detection methods. Inspired by those behavioral characteristics, we present a network-based inference method to accurately detect phishing URLs camouflaged with legitimate patterns, i.e., robust to evasion. In the network approach, a phishing URL will be still identified as phishy even after evasion unless a majority of its neighbors in the network are evaded at the same time. Our method consistently shows better detection performance throughout various experimental tests than state-of-the-art methods, e.g., F-1 of 0.891 for our method vs. 0.840 for the best feature-based method.

Original language	English
Title of host publication	CCS 2022 - Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
Publisher	Association for Computing Machinery
Pages	1769-1782
Number of pages	14
ISBN (Electronic)	9781450394505
DOIs	https://doi.org/10.1145/3548606.3560615
Publication status	Published - 2022 Nov 7
Event	28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022 - Los Angeles, United States Duration: 2022 Nov 7 → 2022 Nov 11

Publication series

Name	Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)	1543-7221

Conference

Conference	28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022
Country/Territory	United States
City	Los Angeles
Period	22/11/7 → 22/11/11

Bibliographical note

Funding Information:
The work of Sang-Wook Kim was supported by the Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No. RS-2022-00155586) and by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (No. 2018R1A5A7059549). The work of Noseong Park was supported by the Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korean government (MSIT) (No. 2020-0-01361, Artificial Intelligence Graduate School Program (Yonsei University)).

Publisher Copyright:
© 2022 ACM.

All Science Journal Classification (ASJC) codes

Software
Computer Networks and Communications

Access to Document

10.1145/3548606.3560615

Cite this

Kim, T., Park, N., Hong, J., & Kim, S. W. (2022). Phishing URL Detection: A Network-based Approach Robust to Evasion. In CCS 2022 - Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (pp. 1769-1782). (Proceedings of the ACM Conference on Computer and Communications Security). Association for Computing Machinery. https://doi.org/10.1145/3548606.3560615

@inproceedings{5a88d48d74274c62bc27bc05e7103c80,

title = "Phishing URL Detection: A Network-based Approach Robust to Evasion",

abstract = "Many cyberattacks start with disseminating phishing URLs. When clicking these phishing URLs, the victim's private information is leaked to the attacker. There have been proposed several machine learning methods to detect phishing URLs. However, it still remains under-explored to detect phishing URLs with evasion, i.e., phishing URLs that pretend to be benign by manipulating patterns. In many cases, the attacker i) reuses prepared phishing web pages because making a completely brand-new set costs non-trivial expenses, ii) prefers hosting companies that do not require private information and are cheaper than others, iii) prefers shared hosting for cost efficiency, and iv) sometimes uses benign domains, IP addresses, and URL string patterns to evade existing detection methods. Inspired by those behavioral characteristics, we present a network-based inference method to accurately detect phishing URLs camouflaged with legitimate patterns, i.e., robust to evasion. In the network approach, a phishing URL will be still identified as phishy even after evasion unless a majority of its neighbors in the network are evaded at the same time. Our method consistently shows better detection performance throughout various experimental tests than state-of-the-art methods, e.g., F-1 of 0.891 for our method vs. 0.840 for the best feature-based method.",

author = "Taeri Kim and Noseong Park and Jiwon Hong and Kim, {Sang Wook}",

note = "Funding Information: The work of Sang-Wook Kim was supported by the Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No. RS-2022-00155586) and by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (No. 2018R1A5A7059549). The work of Noseong Park was supported by the Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korean government (MSIT) (No. 2020-0-01361, Artificial Intelligence Graduate School Program (Yonsei University)). Publisher Copyright: {\textcopyright} 2022 ACM.; 28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022 ; Conference date: 07-11-2022 Through 11-11-2022",

year = "2022",

month = nov,

day = "7",

doi = "10.1145/3548606.3560615",

language = "English",

series = "Proceedings of the ACM Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery",

pages = "1769--1782",

booktitle = "CCS 2022 - Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security",

}

Kim, T, Park, N, Hong, J & Kim, SW 2022, Phishing URL Detection: A Network-based Approach Robust to Evasion. in CCS 2022 - Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. Proceedings of the ACM Conference on Computer and Communications Security, Association for Computing Machinery, pp. 1769-1782, 28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022, Los Angeles, United States, 22/11/7. https://doi.org/10.1145/3548606.3560615

Phishing URL Detection : A Network-based Approach Robust to Evasion. / Kim, Taeri; Park, Noseong; Hong, Jiwon et al.

CCS 2022 - Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, 2022. p. 1769-1782 (Proceedings of the ACM Conference on Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Phishing URL Detection

T2 - 28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022

AU - Kim, Taeri

AU - Park, Noseong

AU - Hong, Jiwon

AU - Kim, Sang Wook

N1 - Funding Information: The work of Sang-Wook Kim was supported by the Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No. RS-2022-00155586) and by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (No. 2018R1A5A7059549). The work of Noseong Park was supported by the Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korean government (MSIT) (No. 2020-0-01361, Artificial Intelligence Graduate School Program (Yonsei University)). Publisher Copyright: © 2022 ACM.

PY - 2022/11/7

Y1 - 2022/11/7

N2 - Many cyberattacks start with disseminating phishing URLs. When clicking these phishing URLs, the victim's private information is leaked to the attacker. There have been proposed several machine learning methods to detect phishing URLs. However, it still remains under-explored to detect phishing URLs with evasion, i.e., phishing URLs that pretend to be benign by manipulating patterns. In many cases, the attacker i) reuses prepared phishing web pages because making a completely brand-new set costs non-trivial expenses, ii) prefers hosting companies that do not require private information and are cheaper than others, iii) prefers shared hosting for cost efficiency, and iv) sometimes uses benign domains, IP addresses, and URL string patterns to evade existing detection methods. Inspired by those behavioral characteristics, we present a network-based inference method to accurately detect phishing URLs camouflaged with legitimate patterns, i.e., robust to evasion. In the network approach, a phishing URL will be still identified as phishy even after evasion unless a majority of its neighbors in the network are evaded at the same time. Our method consistently shows better detection performance throughout various experimental tests than state-of-the-art methods, e.g., F-1 of 0.891 for our method vs. 0.840 for the best feature-based method.

AB - Many cyberattacks start with disseminating phishing URLs. When clicking these phishing URLs, the victim's private information is leaked to the attacker. There have been proposed several machine learning methods to detect phishing URLs. However, it still remains under-explored to detect phishing URLs with evasion, i.e., phishing URLs that pretend to be benign by manipulating patterns. In many cases, the attacker i) reuses prepared phishing web pages because making a completely brand-new set costs non-trivial expenses, ii) prefers hosting companies that do not require private information and are cheaper than others, iii) prefers shared hosting for cost efficiency, and iv) sometimes uses benign domains, IP addresses, and URL string patterns to evade existing detection methods. Inspired by those behavioral characteristics, we present a network-based inference method to accurately detect phishing URLs camouflaged with legitimate patterns, i.e., robust to evasion. In the network approach, a phishing URL will be still identified as phishy even after evasion unless a majority of its neighbors in the network are evaded at the same time. Our method consistently shows better detection performance throughout various experimental tests than state-of-the-art methods, e.g., F-1 of 0.891 for our method vs. 0.840 for the best feature-based method.

UR - http://www.scopus.com/inward/record.url?scp=85143082305&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85143082305&partnerID=8YFLogxK

U2 - 10.1145/3548606.3560615

DO - 10.1145/3548606.3560615

M3 - Conference contribution

AN - SCOPUS:85143082305

T3 - Proceedings of the ACM Conference on Computer and Communications Security

SP - 1769

EP - 1782

BT - CCS 2022 - Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security

PB - Association for Computing Machinery

Y2 - 7 November 2022 through 11 November 2022

ER -

Phishing URL Detection: A Network-based Approach Robust to Evasion

Abstract

Publication series

Conference

Bibliographical note

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this