Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

DeepPhish: Simulating malicious AI

1,587 views

Published on

In this work we describe how threat actors may use AI algorithms to bypass AI phishing detection systems. We analyzed more than a million phishing URLs to understand the different strategies that threat actors use to create phishing URLs. Assuming the role of an attacker, we simulate how different threat actors may leverage Deep Neural Networks to enhance their effectiveness rate. Using Long Short-Term Memory Networks, we created DeepPhish, an algorithm that learns to create better phishing attacks. By training the DeepPhish algorithm for two different threat actors, they were able to increase their effectiveness from 0.69% to 20.9%, and 4.91% to 36.28%, respectively.

Published in: Data & Analytics
  • Be the first to comment

DeepPhish: Simulating malicious AI

  1. 1. DeepPhish Simulating Malicious AI IvanTorroledo – Lead Data Scientist Alejandro Correa Bahnsen –VP, Research Luis Camacho – Lead Research Data Architect
  2. 2. CYXTERA TECHNOLOGIES 2  Portfolio of cybersecurity software and services  Intelligent and adaptive  Cloud-native and hybrid-ready  Global colocation leader  57 data centers in 29 global markets  2.6M sq. feet of data center space  195 megawatts of power  3,500 customers  1,100 employees  Headquartered in Miami with offices globally  Experienced leadership in infrastructure and security CyxteraTechnologies
  3. 3. CYXTERA TECHNOLOGIES 3 80 % of cyber crimes are being committed by sophisticated attackers The total USA market for cyber insurance is 3B in 2017
  4. 4. CYXTERA TECHNOLOGIES 4
  5. 5. CYXTERA TECHNOLOGIES 5
  6. 6. CYXTERA TECHNOLOGIES AI to Classify Phishing URLs 6  Identify & Classify Malicious URLs and Domains with Prediction - Not Blacklists.  The system calculates the probability of a URL being used to host a phishing attacks using Deep Neural Networks. It correctly classify URLs with over 98% of accuracy.
  7. 7. CYXTERA TECHNOLOGIES Long-Short Term Memory Networks 7 URL h t t p : / / w w w . p a p a y a . c o m One hot Encoding … … … … … … … … … … … … … … … … … … … … … Embedding 3.2 1.2 … 1.7 6.4 2.3 … 2.6 6.4 3.0 … 1.7 3.4 2.6 … 3.4 2.6 3.8 … 2.6 3.5 3.2 … 6.4 1.7 4.2 … 6.4 8.6 2.4 … 6.4 4.3 2.9 … 6.4 2.2 3.4 … 3.4 3.2 2.6 … 2.6 4.2 2.2 … 3.5 2.4 3.2 … 1.7 2.9 1.7 … 8.6 3.0 6.4 … 2.6 2.6 6.4 … 3.8 3.8 3.4 … 3.2 3.3 2.6 … 2.2 3.1 2.2 … 2.9 1.8 3.2 … 3.0 2.5 6.4 … 2.6 LSTM LSTM LSTM LSTM Sigmoid …
  8. 8. CYXTERA TECHNOLOGIES 8
  9. 9. CYXTERA TECHNOLOGIES 9
  10. 10. Asthreatactorsimprovetheirattacks,isAIthe newtechnologytheywilluse?
  11. 11. CYXTERA TECHNOLOGIES The Experiment Process Identify individual threat actors Ran them through our own AI detection system Improved their attacks using AI
  12. 12. CYXTERA TECHNOLOGIES Uncovering Threat Actors 12  Objective: We want to understand effective patterns of each attacker to improve them through a AI model  As we can not know them directly, we must learn from them through their attacks  Database with 1.1M confirm phishing URLs collected from Phishtank
  13. 13. CYXTERA TECHNOLOGIES Threat Actor 1 13 naylorantiques.com 406 URLs http://naylorantiques.com/components/com_contact/vi ews/contact/tmpl/62 http://naylorantiques.com/docs/Auto/Atendimento/5BB ROPI6S3 http://naylorantiques.com/Atualizacao Segura/pictures/XG61YYMT_FXW0PWR8_5P2O7T2U_P9H NDPQR/ http://naylorantiques.com/zifn3p72bsifn9hx9ldecd8jzl2f0 xlwf8f http://www.naylorantiques.com/JavaScript/charset=iso- 8859-1/http-equiv/margin-bottom Keywords atendimento, jsf, identificacao, ponents, views, TV, mail, SHOW, COMPLETO, VILLA, MIX, ufi, pnref, story, tryy2ilr, Autentico 106 domains naylorantiques.com, netshelldemos.com, debbiebright.co.z, waldronfamilygppractice.co.uk , avea-vacances.com , psncodes2013.com uni5.net , 67.228.96.204, classificadosmaster.com.br, ibjjf.org Visual Check Check in database Visual Check
  14. 14. CYXTERA TECHNOLOGIES Threat Actor 2 14 vopus.org 13 URLs http://www.vopus.org/es/images/cursos/thumbs/tdcanadatr ust http://www.vopus.org/ru/media/tdcanadatrust/index.html http://vopus.org/common/index.htm http://www.vopus.org/es/images/cursos/thumbs/tdcanadatr ust/index.html http://vopus.org/descargas/otros/tdcanadatrust/index.html Keyword tdcanadatrust/index.html 19 domains friooptimo.com, kramerelementary.org, kalblue.com, vopus.org, artwood.co.kr, stephenpizzuti.com, heatherthinks.com, corvusseo.com, natikor.by, optioglobal.com, backfire.se, fncl.ma, greenant.de, mersintenisakademisi.com, cavtel.net Visual Check Check in database Visual Check
  15. 15. CYXTERA TECHNOLOGIES Threat Actors Efficiency 15 0.24% 0.69% 4.91% All Attacks (1,146,441) Threat Actor 1 (1,009) Threat Actor 2 (102)
  16. 16. SimulatingMaliciousAI
  17. 17. CYXTERA TECHNOLOGIES DeepPhish Algorithm - Training 17 Non Effective URLs Effective URLs Encoding … … … … … Model Az Rolling Window Concatenate andcreate Transform Train http://www.naylorantiques.com/content/centrais/fone_facil http://kisanart.com/arendivento/menu-opcoes-fone-facil/ http://naylorantiques.com/atendimento/menu-opcoes-fone-facil/3 http://www.naylorantiques.com/content/centr ais/fone_facilhttp://kisanart.com/arendivento/ menu-opcoes-fone- facil/http://naylorantiques.com/atendimento/ menu-opcoes-fone-facil/3
  18. 18. CYXTERA TECHNOLOGIES DeepPhish LSTM Network 18 URL h t t p : / / w w w . p a p a y a . c o m One hot Encoding … … … … … … … … … … … … … … … … … … … … … LSTM LSTM LSTM LSTM Softmax … tanH tanH tanH tanH …
  19. 19. CYXTERA TECHNOLOGIES DeepPhish Algorithm – Prediction 19 Compromised Domains Allowed Paths + Model Filterpaths Predict Next Character Iteratively Synthetic URLs /arendipemto/nenu-opcines-fone-facil vfone/faci/Atondime+ http:// + www.naylorantiques.com + /arendipemto/nenu-opcines-fone-facilvone/facil/Atondime Create
  20. 20. CYXTERA TECHNOLOGIES Simulating Malicious AI using DeepPhish 20  We selected the two most effective threat actors.With each subsample of effective URLs by threat actor, we implemented DeepPhish algorithm.
  21. 21. CYXTERA TECHNOLOGIES TraditionalAttacksvs.AI-DrivenAttacks 21 0.69% 20.90% Traditional DeepPhish 4.91% 36.28% Traditional DeepPhish Threat Actor 1 Threat Actor 2
  22. 22. CYXTERA TECHNOLOGIES Takeaways! 22 AIenhancesattackersefficiencies ML and AI driven detection systems Deep Adversarial Learning Relentless monitoring Multi-layered approach to anti- fraud
  23. 23. CYXTERA TECHNOLOGIES 23 The Power of Adversary AI  More & Better Phishing Attacks Increasingly Powerful Self-Spreading Malware Weaken Authentication Controls Cheat Rule-based Transaction Monitoring
  24. 24. CYXTERA TECHNOLOGIES 24  1-Minute ResearchVideo Brief  2 Page Research Summary  Slides (Extended Version)  Academic paper AIvs.AI:CanPredictiveModelsStoptheTideofHackerAI? www.easysol.net/ai-project
  25. 25. www.cyxtera.com IvanTorroledo – ivan.torroledo@cyxtera.com Alejandro Correa Bahnsen – alejandro.correa@cyxtera.com Luis Camacho – luis.camacho@cyxtera.com

×