Surachai CHITPINITYON Kasom KOHT-ARSA Surasak SANGUANPONG Anan Phonphoem Office of Computer Services...

Post on 12-Jan-2016


• Surachai CHITPINITYON
• Kasom KOHT-ARSA
• Surasak SANGUANPONG
• Anan Phonphoem

• Office of Computer Services
• Kasetsart University
• E-mail: Surachai.Ch@ku.ac.th

Automatic Phishing Site Detection and Blocking

APAN 2008, Hawaii, 23 January 2008

This work is partially supported by Commission of Higher Education (CHE), UniNET, Thailand

Network Operation Center, Kasetsart University, Office of Computer Services

Agenda

• What is Phishing?
• Why Phishing Site Detection and Blocking are needed?
• Phishing Site Detection Techniques
• Proposed Solution: Detection and Blocking Techniques
• Current Deployment
• Future Work

What is Phishing?

An attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details.

We concentrate only on detecting and blocking phishing sites inside the campus network.

Why Phishing Site Detection and Blocking are needed?

• Steal consumers' personal identity data
• Financial account credentials

Phishing Site Detection Techniques

E-mail Detection at Mail Gateway

https://signin.ebay.com

Detection and Blocking Techniques

Solution 1:
• Detection: Phishing Site URL
• Blocking: URL filtering techniques

Solution 2:
• Detection: Phishing Site Content
• Blocking: Firewall

Solution 1: Traffic Flows

[Figure: Campus Network, Gateway, Internet, Phishing Site, and the Phishing Site Detection and Blocking Engine.]

Solution 1: Structure

[Figure: Phishing Site Detection and Blocking Engine, with components Communicator, URL Analyzer and Session Controller. Labels: Internet; mirror traffic (incoming); URL pattern; regular expression URL matching; TCP termination; phishing site blocking.]

Solution 1: Procedure

[Figure: numbered steps 1 to 5 among Campus Network, Gateway, Phishing Site Detection and Blocking Engine, Internet and Phishing Site. Labels: GET; search the Phishing URL Lists; Matching ??; FIN.]

Solution 1: Session Hijacking

[Figure: sequence diagram among Client, Filtering and Server. Labels: SYN J; SYN K, ACK J+1; ACK K+1; Data (request); FIN L, faked FIN by Filtering Engine; Data (reply), packet will be ignored.]

Solution 1: Session Hijacking

[Figure: two sequence diagrams among Client, Filtering and Server, titled "Successful filtering" and "Unsuccessful filtering". Labels: Data (request); Data (reply); faked FIN (FIN L); ACK L+1; FIN M; ACK M+1; ignored.]

Solution 1: A Closer Look at Hijacking

Success Condition

t_3 < t_4
t_3 - t_0 < t_4 - t_0
t_3 - t_1 < RTT

From our measurement, t_3 - t_1 is less than 0.6 milliseconds. The average of t_3 - t_1 is about 0.2*RTT.
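A sketch of Solution 1's URL Analyzer combined with the success condition above, added here as an example and not the authors' engine: it rebuilds the URL from a mirrored GET, matches it against regular expressions, and applies t_3 - t_1 < RTT. The patterns, sample requests, function names and the two RTT values are assumptions; 0.6 ms is the bound measured on the slide.

```python
import re

# Constructed patterns for illustration; the slides do not list the real ones.
PHISHING_URL_PATTERNS = [
    # Brand hostname used as a prefix of some other domain.
    re.compile(r"^signin\.ebay\.com\.[a-z0-9.-]+/", re.I),
    # Bare IPv4 host serving a sign-in style path.
    re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/.*(?:signin|login|verify)", re.I),
]

def url_from_request(payload: bytes):
    """Rebuild "host/path" from a mirrored HTTP GET, or return None."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "GET" or not parts[2].startswith("HTTP/"):
        return None  # not a plain-text GET (other method, TLS record, mid-stream data)
    target = parts[1]
    absolute = re.match(r"^http://([^/]+)(/.*)?$", target, re.I)
    if absolute:  # absolute-form target, as sent to a proxy
        return absolute.group(1).lower() + (absolute.group(2) or "/")
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().lower() + target
    return None  # HTTP/1.0 request without a Host header

def is_phishing_url(url: str) -> bool:
    return any(p.search(url) for p in PHISHING_URL_PATTERNS)

def fin_beats_reply(t3_minus_t1: float, rtt: float) -> bool:
    """Success condition from the slide: t3 - t1 < RTT (both in seconds)."""
    return t3_minus_t1 < rtt

def verdict(payload: bytes, t3_minus_t1: float, rtt: float) -> str:
    url = url_from_request(payload)
    if url is None or not is_phishing_url(url):
        return "pass"
    return "blocked" if fin_beats_reply(t3_minus_t1, rtt) else "missed"

# Constructed sample requests (example.test is a reserved test domain).
LOOKALIKE = (b"GET /ws/login HTTP/1.1\r\n"
             b"Host: signin.ebay.com.example.test\r\n\r\n")
GENUINE = b"GET /ws/login HTTP/1.1\r\nHost: signin.ebay.com\r\n\r\n"

if __name__ == "__main__":
    for rtt in (0.020, 0.0004):  # a distant server, then a very near one
        print(rtt, verdict(LOOKALIKE, 0.0006, rtt))
    print(verdict(GENUINE, 0.0006, 0.020))
```

Requests sent over HTTPS reach a mirror port as TLS records, so `url_from_request` returns None for them and the verdict is "pass".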

Solution 2: Traffic Flows

[Figure: numbered flows 1 to 4 among Campus Network, Gateway, Internet, Phishing Site and the Phishing Site Detection and Blocking Engine.]

Solution 2: Structure

[Figure: Phishing Site Detection and Blocking Engine, with components Communicator, Content Analyzer and Firewall. Labels: Internet; mirror traffic (outgoing); content pattern; regular expression content matching; phishing site blocking.]

Solution 2: Phishing site pattern

Solution 2: Procedure

[Figure: numbered steps 1 to 5 among Campus Network, Gateway, Firewall, Phishing Site Detection and Blocking Engine, Internet and Phishing Site. Labels: GET; Reply; search the Phishing Content Lists; Matching ??; block; Reply X.]

Current Deployment: Structure

[Figure: Uninet, Thaisarn, OCS KU, firewall, Phishing Site Detection Engine, WebScreen Agent. Link labels: Ethernet 10 Gbps; Ethernet 1 Gbps.]

• CPU: 2x Dual Core Xeon 3.0 GHz
• RAM: 1 GB
• HD: SATA 1 TB

Current Deployment: Testing

[Figure: Uninet, Thaisarn, OCS KU, firewall.]

• Google phishing site detection
• Used the “About Google” keyword

Future Work

• Use pictures, such as logos, for detection
• Use AI to classify phishing sites

Q&A

Thank You