论文信息 - Using AP-TED to Detect Phishing Attack Variations

Using AP-TED to Detect Phishing Attack Variations

It is well known that many phishing attacks are variations of previous phishing attacks. We evaluate here the feasibility of applying Pawlik and Augsten's recent implementation of Tree Edit Distance (AP-TED) calculations as a way to compare DOMs and identify similar phishing attack instances. We also compare this tree method with an existing method that uses the distance between tag vectors to quantity similarity between phishing sites. We observe that no single distance method perfectly detects all types of phishing attack variations. We find that the tree method is more demanding for computing equipment, but it better discriminates the similarity with known attacks. We also introduce a method to reduce the volume of calculations by 99.4% when calculating pairwise edit distance on trees with respect to AP-TED calculations on all data.

[1] Karl Bringmann,et al. Tree Edit Distance Cannot be Computed in Strongly Subcubic Time (Unless APSP Can) , 2017, SODA.

[2] Nikolaus Augsten,et al. Tree edit distance: Robust and memory-efficient , 2016, Inf. Syst..

[3] Qian Cui,et al. Tracking Phishing Attacks Over Time , 2017, WWW.

[4] Carolyn Penstein Rosé,et al. CANTINA+: A Feature-Rich Machine Learning Framework for Detecting Phishing Web Sites , 2011, TSEC.

[5] Fabio Roli,et al. DeltaPhish: Detecting Phishing Webpages in Compromised Websites , 2017, ESORICS.

[6] Kaizhong Zhang,et al. Simple Fast Algorithms for the Editing Distance Between Trees and Related Problems , 1989, SIAM J. Comput..

[7] Weimin Chen,et al. New Algorithm for Ordered Tree-to-Tree Correction Problem , 2001, J. Algorithms.

[8] Nikolaus Augsten,et al. A New Perspective on the Tree Edit Distance , 2017, SISAP.