PhishTrack - Dynamical Blacklist Evolution

Master's === National Taiwan University === Graduate Institute of Electrical Engineering === 102 === As time goes on, the techniques used in phishing evolve as well. Because of the update mechanism and matching process of a static blacklist, it is hard to protect network users in time with a static blacklist alone. Many rising Phishing...


Bibliographic Details
Main Authors: Kuei-Ching Lee, 李奎慶
Other Authors: Hsin-Hsi Chen
Format: Others
Language: zh-TW
Published: 2014
Online Access: http://ndltd.ncl.edu.tw/handle/85126810610627190366
id ndltd-TW-102NTU05442072
record_format oai_dc
spelling ndltd-TW-102NTU05442072 2016-03-09T04:24:22Z http://ndltd.ncl.edu.tw/handle/85126810610627190366 PhishTrack - Dynamical Blacklist Evolution 網路釣魚黑名單之動態更新研究 Kuei-Ching Lee 李奎慶 Master's National Taiwan University Graduate Institute of Electrical Engineering 102 Hsin-Hsi Chen 陳信希 2014 thesis 56 zh-TW
collection NDLTD
language zh-TW
format Others
sources NDLTD
description Master's === National Taiwan University === Graduate Institute of Electrical Engineering === 102 === As time goes on, the techniques used in phishing evolve as well. Because of the update mechanism and matching process of a static blacklist, it is hard to protect network users in time with a static blacklist alone. Many emerging phishing campaigns use toolkits to change the appearance of their URLs and so escape detection by a static blacklist that relies on exact matching. We therefore need quicker and more efficient ways to update the blacklist, so that it adapts to the evolution of phishing and gives network users stronger and more prompt protection. Pawan Prakash et al. (2010) propose the PhishNet system. It performs cluster training on a known set of phishing URLs in advance and proposes five heuristic approaches that replace the TLD, hostname, target page, query string and brand name of phishing URLs in order to discover more unknown phishing URLs. The blacklist can thus be updated and its scope of protection enlarged. In our research, we implement the five heuristic approaches proposed in PhishNet as five components of our system, and propose two more components that originate from observation of phishing behavior; together they form the PhishTrack system proposed in this thesis. The history of phishing began in early 1987, and the word "phishing" came into use in 1996 to draw attention to phishing attacks, but the behavior and nature of luring network users into giving up their private information have not changed. In our research, we observe a large quantity of phishing URLs from the PhishTank blacklist and find that 46% of them use URL redirection. From one point of view, redirection lets the phishing behavior avoid detection by the blacklist. From another point of view, the ultimate goal of phishing is to cheat network users out of their personal information. Therefore, a phishing site must present a form for users to fill in and submit. According to our analysis, the submission brings users to another page that asks for more detailed information.
From the above discussion, we develop two more dynamic components, J1-J2. Based on our experiments, J1-J2 save the time that H1-H5 require for cluster training in the early stage. In addition, J1-J2 perform well, discovering more unknown phishing URLs than H1-H5.