Content-Agnostic Detection of Phishing Domains using Certificate Transparency and Passive DNS

Mashael Alsabah, Mohamed Nabeel, Yazan Boshmaf, Euijin Choo

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

4 Citations (Scopus)

Abstract

Existing phishing detection techniques mainly rely on blacklists or content-based analysis, which are not only evadable, but also exhibit considerable detection delays as they are reactive in nature. We observe through our deep-dive analysis that artifacts of phishing are manifested in various sources of intelligence related to a domain even before its contents are online. In particular, we study various novel patterns and characteristics computed from viable sources of data including Certificate Transparency logs and passive DNS records. To compare benign and phishing domains, we construct thoroughly verified, realistic benign and phishing datasets. Our analysis shows clear differences between benign and phishing domains that can pave the way for content-agnostic approaches to predict phishing domains even before the contents of these webpages are up and running. To demonstrate the usefulness of our analysis, we train a classifier with distinctive features, and we show that we can (1) perform content-agnostic predictions with a very low FPR of 0.3%, and high precision (98%) and recall (90%), and (2) predict phishing domains days before they are discovered by state-of-the-art content-based tools such as VirusTotal.

Original language: English
Title of host publication: Proceedings of 25th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2022
Publisher: Association for Computing Machinery
Pages: 446-459
Number of pages: 14
ISBN (Electronic): 9781450397049
DOIs
Publication status: Published - 26 Oct 2022
Event: 25th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2022 - Limassol, Cyprus
Duration: 26 Oct 2022 to 28 Oct 2022

Publication series

Name: ACM International Conference Proceeding Series

Conference

Conference: 25th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2022
Country/Territory: Cyprus
City: Limassol
Period: 26/10/22 to 28/10/22

Keywords

  • certificate transparency
  • machine learning
  • passive DNS
  • phishing domains detection
