Evaluating the Wisdom of Crowds in Assessing Phishing Sites

Similar documents
An Empirical Analysis of Phishing Attack and Defense

Temporal Correlations between Spam and Phishing Websites

Fighting Phishing I: Get phish or die tryin.

Automated Context and Incident Response

Security Reputation Metrics for Hosting Providers

Standard Categories for Incident Response (definitions) V2.1. Standard Categories for Incident Response Teams. Definitions V2.1.

Protect Your Endpoint, Keep Your Business Safe. White Paper. Exosphere, Inc. getexosphere.com

Machine-Powered Learning for People-Centered Security

Incident Play Book: Phishing

But it Was Such a Little Phish February 2016 Webinar

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Reputation Management in P2P Systems

Protect Your Organization from Cyber Attacks

Maximum Security with Minimum Impact : Going Beyond Next Gen

CYSE 411/AIT 681 Secure Software Engineering. Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun

FAQ. Usually appear to be sent from official address

4. Risk-Based Security Testing. Reading. CYSE 411/AIT 681 Secure Software Engineering. Seven Touchpoints. Application of Touchpoints

Certified Cyber Security Analyst VS-1160

Cyber Security Guide. For Politicians and Political Parties

Choose Your Battles How To Fight The Right Wars. Eyal Paz, Security Researcher

3.5 SECURITY. How can you reduce the risk of getting a virus?

The Mimecast Security Risk Assessment Quarterly Report May 2017

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

Online Threats. This include human using them!

Network Economics and Security Engineering

Phishing Activity Trends

Whois Study Table Updated 18 February 2009

Net Trust: User-Centered Detection of Pharming, Phishing and Fraud. L Jean Camp

Train employees to avoid inadvertent cyber security breaches

Managed Enterprise Phishing Protection. Comprehensive protection delivered 24/7 by anti-phishing experts

The Cost of Phishing. Understanding the True Cost Dynamics Behind Phishing Attacks A CYVEILLANCE WHITE PAPER MAY 2015

DEFENCE IN DEPTH HOW ANTIVIRUS, TRADITIONAL FIREWALLS, AND DNS FIREWALLS WORK TOGETHER

THE BUSINESS CASE FOR OUTSIDE-IN DATA CENTER SECURITY

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

SE Labs Test Plan for Q Endpoint Protection : Enterprise, Small Business, and Consumer

ITU Regional Cybersecurity Forum for Asia-Pacific

KASPERSKY FRAUD PREVENTION FOR ENDPOINTS

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

To learn more about Stickley on Security visit You can contact Jim Stickley at

Who We Are! Natalie Timpone

STAYING SAFE FROM SOCIAL ENGINEERING SCHEMES

Overview of Information Security

SOC Operations on the Autobahn. Don t let the green grass fool you

WHOIS Proxy/Privacy Abuse

SE Labs Test Plan for Q Endpoint Protection : Enterprise, Small Business, and Consumer

Scalability, Performance & Caching

Employee Privacy in the Electronic Workplace

Distributed-Application Security

How Enterprise Tackles Phishing. Nelson Yuen Technology Manager, Cybersecurity Microsoft Hong Kong

2. On classification and related tasks

Phishing Activity Trends Report August, 2006

Data Breach Preparedness & Response

Data Breach Preparedness & Response. April 16, 2015 Daniel Nelson, C EH, CIPP/US Lucas Amodio, C EH

Re-Evaluating the Wisdom of Crowds in Assessing Web Security

CSE 565 Computer Security Fall 2018

Five steps to securing personal data online Gary Shipsey Managing Director

Recommendation/Reputation. Ennan Zhai

Cyber Hygiene Guide. Politicians and Political Parties

Fighting Spam, Phishing and Malware With Recurrent Pattern Detection

Compliance Is Security. Presented by: Jeff Hall Optiv Security

Protecting Against Online Fraud. F5 EMEA Webinar August 2014

Phishing Activity Trends Report August, 2005

Scalability, Performance & Caching

Fast Flux Hosting Final Report. GNSO Council Meeting 13 August 2009

ADVANCED THREAT PREVENTION FOR ENDPOINT DEVICES 5 th GENERATION OF CYBER SECURITY

Must Have Items for Your Cybersecurity or IT Budget in 2018

Automating Security Response based on Internet Reputation

DETECTING, DETERMINING AND LOCALIZING MULTIPLE ATTACKS IN WIRELESS SENSOR NETWORK - MALICIOUS NODE DETECTION AND FAULT NODE RECOVERY SYSTEM

2017 Annual Meeting of Members and Board of Directors Meeting

Efficient DHT attack mitigation through peers ID distribution

Thanks for attending this session on April 6 th, 2016 If you have any question, please contact Jim at

Webomania Solutions Pvt. Ltd. 2017

Securing The Reputation Management in WINNOWING P2P Scheme. Nawaf Almudhahka Matthew Locklear

PHISHING Takedown Process

Security 08. Black Hat Search Engine Optimisation. SIFT Pty Ltd Australia. Paul Theriault

Sophos Central Admin. help

CYBERSECURITY PENETRATION TESTING - INTRODUCTION

The Interactive Guide to Protecting Your Election Website

Security & Phishing

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 1 Introduction to Security

SOCIAL NETWORKING IN TODAY S BUSINESS WORLD

Cybersecurity and Hospitals: A Board Perspective

ROBOCYBERWALL INC. External Penetration Test Report. September 13, 2017

RSA FRAUDACTION ANTI-PHISHING SERVICE: BENEFITS OF A COMPREHENSIVE MITIGATION STRATEGY

Webroot Phishing Threat Trends

Dell Service Level Agreement for Microsoft Online Services

Automatic Web Forms II

ANATOMY OF A SPEAR PHISHING ATTACK. A Menlo Security Research Report

Failure models. Byzantine Fault Tolerance. What can go wrong? Paxos is fail-stop tolerant. BFT model. BFT replication 5/25/18

Secure Path-Key Revocation for Symmetric Key Pre-distribution Schemes in Sensor Networks

CS Paul Krzyzanowski

SafeAssignment 2.0 Instructor Manual

CSE 565 Computer Security Fall 2018

Fraud Update: Why Fraudsters Love Wires and How to Stop Them. Luis Rojas, Director, Product Management WesPay 2014

Launch successful marketing campaigns that build your customer list and bring in new sales with little to no effort on your part

How to Catch a Thief. Trends & Technologies in the Fight Against Fraud. Rohan Langley SAS

Divisibility Rules and Their Explanations

Neustar Security Solutions Overview

A MULTILAYERED SECURITY APPROACH TO KEEPING HEALTHCARE DATA SECURE

Transcription:

Evaluating the Wisdom of Crowds in Assessing Phishing Websites and Richard Clayton University of Cambridge Computer Laboratory 12th International Financial Cryptography and Data Security Conference (FC08) Jan. 28, 2008, Cozumel Mexico

Outline 1 Introduction to PhishTank data collection and analysis 2 3 4

Outline 1 Introduction to PhishTank data collection and analysis 2 3 4

PhishTank Online community established in 2006 using the wisdom of crowds to fight phishing Users contribute in two ways 1 Submit reports of suspected phishing sites 2 Vote on whether others submissions are really phishing or not Data collection We examined reports from 200 908 phishing URLs submitted between February and September 2007 For 24 254 reports, the site was removed before voting was completed, leaving 176 366 complete submissions 3 798 users participated, casting 881 511 votes = 53 submissions and 232 votes per user. But...

Density of user submissions and votes Count 1 5 50 500 Count 1 5 50 500 1 100 10000 # submissions per user 1 100 10000 # votes cast per user Top two submitters (93 588 and 31 910) are anti-phishing organizations Some leading voters are PhishTank moderators the 25 moderators cast 74% of votes

User participation in PhishTank follows power law Prob(# subs > x), users > 60 subs 0.001 0.005 0.050 0.500 5e+01 5e+02 5e+03 5e+04 Number of submissions x Prob(# votes > x),users > 30 votes 1e 04 1e 02 1e+00 5e+01 5e+02 5e+03 5e+04 Power-law dist. Kolmogorov-Smirnov α x min D p-value Submissions 1.642 60 0.0533 0.9833 Votes 1.646 30 0.0368 0.7608 Number of votes cast x

User participation in PhishTank follows power law What does a power-law distribution mean in this context? A few highly-active users carry the load Most users participate very little, but their aggregated contribution is substantial Why do we care? Power-law distributions appear often in real-world contexts, including many types of social interaction This suggests skewed participation naturally occurs for crowd-sourced applications Power laws invalidate Byzantine fault tolerance subverting one highly active participant can undermine system

Rock-phish attacks and duplicate submissions to PhishTank Rock-phish gang operate different to ordinary phishing sites 1 Purchase several innocuous-sounding domains (lof80.info) 2 Send out phishing email with URL http://www.volksbank.de.netw.oid3614061.lof80.info/vr 3 Gang-hosted DNS server resolves domain to IP addresses of compromised machines that proxy to a back-end server Wildcard DNS confuses phishing-report collators 120 662 PhishTank reports (60% of all submissions) Reduces to just 3 260 unique domains 893 users voted 550 851 times on these domains, wasting users resources that could be focused elsewhere

Outline 1 Introduction to PhishTank data collection and analysis 2 3 4

Miscategorization in PhishTank Nearly all submitted URLs are verified as phishing only 3% are voted down as invalid Many invalid URLs are still dubious 419 scams, malware hosts, mule-recruitment sites Even moderators sometimes get it wrong 1.2% of their submissions are voted down PhishTank rewrites history when it is wrong, so we could identify 39 false positives and 3 false negatives False positives include real institutions: ebay.com, ebay.de, 53.com, nationalcity.com False negatives include a rock-phish domain already voted down previously

Does experience improve user accuracy? 1 2 10 11 100 101 1000 1001 10000 10001 100000 100001 up Percentage 0 10 20 30 40 50 Invalid submissions Disputed votes 1 2 10 11 100 101 1000 1001 10000 10001 100000 Percentage 0 10 20 30 40 50 Figure: Inaccuracy of user submissions and votes according to the total number of submissions and votes per user, respectively (left). Proportion of all invalid user submissions grouped by number of submissions (right).

Do users with bad voting records vote together? High-conflict users: HC=93 users where most votes are bad Empirical measure of voting overlap overlap(hc) = V A V B = 254 A HC B HC,B A Expected overlap if relationship between users is random (thanks to Jaeyeon Jung) E(overlap) = min( V A, V B ) ( VA ) ( i T VA ) V i B i ) = 0.225 A HC B HC,B A i=1 ( T V B

Outline 1 Introduction to PhishTank data collection and analysis 2 3 4

Can PhishTank s open submission and voting policies be exploited by attackers? Other anti-phishing groups have been targeted by DDoS attacks Attacks on PhishTank 1 Submitting invalid reports accusing legitimate websites. 2 Voting legitimate websites as phish. 3 Voting illegitimate websites as not-phish. Selfish attacker protects her own phishing websites by voting down any accusatory report as invalid Undermining attacker goes after PhishTank s credibility by launching attacks 1&2 repeatedly

Simple countermeasures don t work 1 Place upper limit on the votes/submissions from a single user Power-law distribution of participation means that restrictions would undermine the hardest-working users Sybil attacks 2 Require users to participate correctly n times before counting contribution PhishTank developers tell us they implement this countermeasure Since 97% of submissions are valid, attacker can quickly build up reputation by voting is-phish repeatedly there is no honor among thieves Savvy attacker can minimize positive contribution by only voting for rock-phish URLs

Simple countermeasures don t work (cont d.) 3 Ignore any user with more than n invalid submissions/votes Power-law distribution of participation means that good users make many mistakes One top valid submitter, antiphishing, also has the most invalid submissions (578) 4 Ignore any user with more than x% invalid submissions/votes Power law still causes problems attackers can pad their good statistics to also do bad Significant collateral damage ignoring users with > 5% bad submissions wipes out 44% of users and 5% of phishing URLs 5 Use moderators exclusively if suspect an attack Moderators already cast 74% of votes, so it might work OK Silencing the whole crowd to root out attackers is intellectually unsatisfying, though

Lessons for secure crowd-sourcing 1 The distribution of user participation matters Skewed distributions such as power laws are a natural consequence of user participation Corrupting a few key users can undermine system security Since good users can participate extensively, bad users can too 2 Crowd-sourced decisions should be difficult to guess Any decision that can be reliably guessed can be automated and exploited by an attacker Underlying accuracy of PhishTank (97% phish) makes boosting reputation by guessing easy 3 Do not make users work harder than necessary Requiring users to vote multiple times for rock-phish is a bad use of the crowd s intelligence

Outline 1 Introduction to PhishTank data collection and analysis 2 3 4

PhishTank s open feed vs. company s closed feed Ordinary phishing sites Rock-phish domains PhishTank Company PhishTank Company 2 585 5 711 3 019 127 459 544 Verdict PhishTank and the company s feeds are similar for ordinary sites, but the company is much more comprehensive on rock-phish Both have significant gaps in coverage, which motivates sharing feeds

Verification speed: PhishTank vs. company Voting introduces significant delays to verification 46 hr average delay (15 hr median) Company, by contrast, uses employees to verify immediately Impact can be seen by examining sites reported to both feeds PhishTank Ordinary phishing URLs Rock-phish domains Company Submission Verification Submission Verification Mean (hrs) 0.188 15.9 12.4 24.7 Median (hrs) 0.0481 10.9 9.37 20.8

Conclusions While leveraging the wisdom of crowds sounds appealing, it may not always be appropriate for information security tasks After examining one such effort, we found its decisions to be mostly accurate but vulnerable to manipulation Compared to a similar proprietary effort, PhishTank is less complete and less timely Moving forward, user participation as input to security mechanisms should be treated with caution For more, see http://www.cl.cam.ac.uk/~twm29/ and http://www.lightbluetouchpaper.org/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback