Download to read offline
Uploaded byJoshua S. White, PhD josh@securemind.org
Phishing spie 2012 presentation - jsw - d2
This document outlines a method for automated detection of phishing websites through analysis of both site characteristics and images. The method collects page characteristics like links, images, forms and meta tags using PHP. Images are collected using a headless browser, hashed using pHash which reduces the image to 8x8 pixels, and compared using Hamming distance. The method was verified and then used to analyze the top 5 most spoofed sites, finding some false characteristic matches. Future work includes integrating this detection technique into a social media analytics toolkit.
More Related Content
![[IJET V2I5P15] Authors: V.Preethi, G.Velmayil](https://cdn.slidesharecdn.com/ss_thumbnails/ijet-v2i5p15-161107143444-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Phishing spie 2012 presentation - jsw - d2
![5G Explained! A High Level Overview [Introduction]](https://cdn.slidesharecdn.com/ss_thumbnails/5gexplainedahighleveloverview-260119165306-cc137a3e-thumbnail.jpg?width=640&height=640&fit=bounds)
Phishing spie 2012 presentation - jsw - d2
- 1. A Method forAutomated D etection of P hishing Websites: Through B oth S ite Characteristics and Image Analysis Joshua S. White Jeanna N. Matthews, PhD
- 2. Outline • Problem • Method – Image Analysis (in detail) • Method Verification • Results • Conclusion • References
- 3. P roblem •Phishing site detection – A largely manual process • Requires human visual review of site to eliminate false positives / negatives – URL's comes from actual phishing attempts • Email, and other user report URL's – Analysis is responsive, not proactive
- 4.
- 5. Method • Forrapid proof of concept – Data collected using the 140Dev php script and MySQL schema • Page characteristics collected using PHP for DOM object parsing – Links, Images, Forms, Iframes, Meta Tags
- 6. Image Analysis •Collected using headless web-browser – CutyCapt, XVFB-RUN • Hashing of resultant images – MD5Sum, SHA512, PHash • Final choice was PHash (Perceptual Hash) – Uses descrete cosign transformation » Reduces Sampling Frequency • Hamming Distance used to compare each hash value
- 7.
- 8. Image Analysis • Process: – Reduce the size of the image 32 x 32 – Reduce the color to greyscale – Calculate the DCT (creates frequency scalars) – Reduce the DCT to 8 x 8 pixels – Second DCT reduction, set bits to 1 or 0 depending on placement above or below average DCT – Take Hash
- 9.
- 10. R esults •After our method was verified we concentrated on the top 5 most spoofed sites: • Some False Characteristic Matches:
- 11. Conclusion • PhishingURL posting on social media networks is a growing problem • We have developed a tool that quickly and effectively detects matches between legitimate and spoofed sites • Future work includes: – Integration of our characteristic mapping and image analysis technique into our social media analytics toolkit
- 12.
- 13.
- 14.