solutionssb

www.nyzsb.com.cn  时间:2021-02-14  阅读:()
Anti-PhishingSecurityStrategyAngeloP.
E.
RosielloAgenda1.
Briefintroductiontophishing2.
Strategicdefensetechniques3.
Anewclientbasedsolution:DOMAntiPhish4.
ConclusionsNatureofPhishing3.
8daysAveragetimeonlineforsiteU.
S.
Countryhostingthemostphishingwebsites149Numberofbrandshijackedbyphishingcampaigns37438Numberofuniquesites23415NumberofuniquereportsFinancialServicescontinuetobethemosttargetedindustrysectorat96.
9%ofallattacksinthemonthofMay-ListofthemainhighlightsreportedforMay2007-StatisticsfromtheAntiPhishingWorkingGroup(AWPG)confirmtheglobalnatureofphishingwhoseprimarytargetarefinancialinstitutionsGrowingEffectivenessandEfficiencyofPhishingOverthelastmonthsphishingattackshavebecomemoreeffectiveandcomplextotrackandchallengeUSChina-Thetop5listofbreaches-InformationWeekResearch&Accenture–InformationSecuritySurvey2007Phishingrepresentsthethirdtypeofsuccessfulattackagainstenterprises(mainlybanks)SymantechasdetectedanumberofphishingsitesthathavebeenhostedongovernmentURLsoverrecentmonths.
InJunealone(2007),fraudulentsiteswereidentifiedonsitesrunbythegovernmentsofThailand,Indonesia,Hungary,Bangladesh,Argentina,SriLanka,theUkraine,China,Brazil,BosniaandHerzegovina,Colombia,andMalaysia.
"HostingaphishingWebpageonagovernmentsitehasanumberofadvantagesforaphisher.
GovernmentWebsitesoftenreceiveahighvolumeoftraffic,sotheirserverscanhandletheextratrafficgeneratedbyaphishingsite"writesSymantecresearcherNickSullivan.
"Thisextratrafficmightnotbenoticedimmediately,givingthephishingsitealongerlifespanbeforeitisdetectedandshutdown.
Perhapsmostimportantly,hostingaphishingsiteonanactualgovernmentURLgivesthephishingsiteasenseofauthenticitythat'shardtobeat.
"-ImprovingPhishingqualityattacks-TaxonomyofPhishingAttacksPhishingattackscanbeclassifiedaccordingtotheirnatureEmail,IMPhishingAttacksE-mailIM,IRC,etc.
-Description-Spoofede-mailaresenttoasetofvictimsaskingthem(usually)toupgradetheirpasswords,dataaccount,etc.
MSN,ICQ,AOLandotherIMchannelsareusedtoreachthevictims.
Socialengineeringtechniquesareusedtogainvictim'ssensitiveinformationCallingthevictimsonthephone,classicsocialengineeringtechniquesareusedbyphishersAnotherkindofattackisbasedontheinternetbrowservulnerabilities.
ThisapproachisusuallyadoptedtoautomaticallyinstalldialersPhone,mail,etc.
Exploitbased-ClassificationoftheAttacks-AProcessofPhishingAttacksInatypicalattack,thephishersendsalargenumberofspoofed(i.
e.
fake)e-mailstorandomInternetusersthatseemtobecomingfromalegitimateandwell-knownbusinessorganization(e.
g.
financialinstitutions,creditcardcompanies,etc)Thee-mailurgesthevictimtoupdatehispersonalinformationasaconditiontoavoidloosingaccessrightstospecificservices(e.
g.
accesstoonlinebankaccount,etc).
Byclickingonthelinkprovided,thevictimisdirectedtoaboguswebsiteimplementedbytheattackerThephishingwebsiteisstructuredasacloneoftheoriginalwebsitesothatthevictimisnotabletodistinguishitfromthatoftheservicehe/shehasaccessto.
Lotsofe-mailsaresenttoasetofrandomvictimsThevictimchangesherdataE-mailurgesthevictimtoupdateherdataviaweb(aspoofedone)Phisher!
!
!
AFRUDNewPhishersSkillsToconfusethevictim,phishersaredevisingnewtricksPhishinge-mailembedhyperlinksfromtheoriginalwebsitesothattheusersmainlysurfontherealwebserverexecutingonlyasmallnumberofconnectionstothefakewebserver.
WebsiteURLareencodedorobfuscatedtonotraisesuspicious.
IDNspoofing,forexample,usesUnicodeURLsthatrenderURLsinbrowsersinawaythattheaddresslooksliketheoriginalwebsiteaddressbutactuallylinktoafakewebsitewithadifferentaddress.
VictimsareredirectedtoaphishingwebsitebyfirstusingmalwarestoinstallamaliciousBrowserHelperObject(BHO).
BHOsareDLLsthatallowsdeveloperstocustomizeandcontrolInternetExplorerbutalsophisherstocompromiseconnections.
Thehostsfileonthevictim'smachineiscorrupted,forexampleusingamalware.
ThehostfilesmaintainslocalmappingsbetweenDNSnamesandIPaddresses.
ByinsertingafakeDNSentryintotheuser'shostsfile,itwillappearthattheirwebbrowserisconnectingtoalegitimatewebsitewheninfactitisconnectingtoaphishingwebsite.
Agenda1.
Briefintroductiontophishing2.
Strategicdefensetechniques3.
Anewclientbasedsolution:DOMAntiPhish4.
ConclusionsStrategicDefenseTechniquesAntiphisingdefensescanbeserverandclientbasedsolutionsServer-basedAnti-PhishingClient-basedBehaviourDetectionBrandMonitoringSecurityEventsE-mailAnalysisBlackListsInformationFlowSimilarityofLayoutsFocusofthispresentation!
Server-basedSolutionsServerbasedtechniquesareimplementedbyserviceproviders(e.
g.
ISP,e-commercestores,financialinstitutions,etc…)Crawlingon-linewebsitestoidentify"clones"(lookingforlegitimatebrands),whichareconsideredphishingpages.
Suspectedwebsitesareaddedtoacentralized"black-list".
Foreachcustomeraprofileisidentified(afteratrainingperiod)whichisusedtodetectanomaliesinthebehaviourofusersSecurityeventanalysisandcorrelationusingregisteredeventsprovidedbyseveralsources(OS,application,networkdevice)toidentifyanomalousactivityorforpostmortemanalysisfollowinganattackorafraudUsingmorethanoneidentificationfactoriscalledstrongauthentication.
Therearethreeuniversallyrecognizedfactorsforauthenticatingindividuals:somethingyouknow(e.
g.
password);somethingyouhave(e.
g.
hwsecuritytoken);somethingyouare(e.
g.
fingerprint)Newtechniquesofauthenticationareunderreasearch,suchasusinganimageduringtheregistrationphasewhichisshownduringeveryloginprocessBrandMonitoringBehaviourDetectionSecurityEventMonitoringStrongAuthenticationNewAuthenticationTechniquesClient-basedSolutionsClient-basedtechniquesareimplementedonusers'endpointthroughbrowserplug-insore-mailclientsE-mail-basedapproachestypicallyusefiltersandcontentanalysis.
IftrainedregularlyBayesianfiltersareactuallyquiteeffectiveininterceptingbothspammingandphishinge-mails.
BlacklistsarecollectionsofURLsidentifiedasmalicious.
Theblacklistisqueriedbythebrowserrun-timewheneverapageisloaded.
IfthecurrentlyvisitedURLisincludedintheblacklist,theuserisadvisedofthedanger,otherwisethepageisconsideredlegitimate.
InformationflowsolutionsarebasedonthepremisethatwhileausermaybeeasilyfooledbyURLobfuscationorafakedomainname,aprogramwillnot.
AntiPhishisanexampleofthistypeofdefensetechniquewhichkeepstrackofthesensitiveinformationthattheuserentersintowebforms,raisinganalertifsomethingisconsideredunsafeMostadvancedtechniquestrytodistinguishaphishingwebpagefromthelegitimateonecomparingtheirvisualsimilarity[[Wenyin,Huang,Xiaoyue,Min,Deng],[Rosiello,Kirda,Kruegel,Ferrandi]E-mailAnalysisBlack-ListsInformationFlowSimilarityofLayoutsTrendsonclient-basedMarketSolutionsInOctober2006,aMicrosoft-commissionedreportonvariousanti-phishingsolutionswasreleased.
ThetestersfoundthatMicrosoftInternetExplorer(IE)7.
0hasbetteranti-phishingtechnologythancompetingsolutions.
TheproductstestedincludedIE7.
0Beta3,EarthLinkScamBlocker,eBayToolbarwithAccountGuard,GeoTrustTrustWatch,GoogleToolbarforFirefoxwithSafeBrowsing,McAfeeSiteAdvisorPlus,NetcraftToolbar,andNetscapeBrowserwithbuilt-inantiphishingtechnologyTheMozillaFoundationcommissioneditsownstudytogaugetheeffectivenessofMozillaFirefox2.
0'santi-phishingtechnologyascomparedwithIE7.
0's.
ThisstudyfoundthatFirefox'santi-phishingtechnologywasbetterthanIE'sbyaconsiderablemarginItseemsevidentthatwecannottrustbothabovestudiesandforthisreasonweconsiderathirdindependentevaluationrealizedbytheSecurityLaboftheTechnicalUniversityofViennaInthelastmonthsthemajorbrowsers(e.
g.
IE7andMozillaFirefox)haveintegratedspecificanti-phishingfunctionalities(black-listsandstaticpageanalysis)AnalysisoftheBlack-ListsOveraperiodofthreeweekstheTechnicalUniversityofVienna(TUWIEN)hascollected10,000URLstobenchmarkMicrosoftandGoogle'sblack-lists.
Basedonthreeindicators,theresearchshowsthatGoogleperformsbetterthanMicrosoftCoverage:percentageofphishingURLsalreadyincludedinthelistQuality:percentageoflegitimateURLsincorrectlyincludedinthelistAverageResponseTime(ART):averagetimerequiredtoinsertnotinitiallyincludedURLs-KPI-2,413(67.
18%)3,241(90.
23%)BLTotal6.
4h9.
3hART2,139(59.
55%)274(7.
63%)3,157(87.
89%)84(2.
34%)BLinitallyBLdelayed3,592(100%)3,595(100%)SitesMicrosoftGoogle-ExperimentalResults-StaticPageAnalysisTUWIENhasdemonstratedthatasetofpagepropertiesactuallyallowstodifferentiatebetweenmalicious(phishing)andlegitimate(benign)onesSelectasetofpagepropertiesCollectwebpagestobeanalyzed18propertiesareconsideredmainlyextractedfromtheHTMLsourcecode(e.
g.
forms,inputfields,links,scripttags,etc.
)ExtracttheclassificationmodelInferaboutphishingAsetoflegitimateandphishingwebpagesarecollectedtoextracttheclassificationmodelTheC4.
2algorithmisexecutedtoidentifytheclassificationmodel(i.
e.
thedecion-tree)AnautomatictoolthatusestheextractedclassificationmodelcandistinguishphishingfromlegitimatewebpagesStaticPageAnalysis:ExperimentalResultsThedecision-treeisextractedusingtheWekapackage(algorithmJ48)onasetof4,829webpages-ReducedDecision-TreeextractedusingtheWekapackage-565115PhishingPages184,131LegitimatePagesClassifiedasPhishingClassifiedasLegitimate-ConfusionMatrix-Thequalifierisquitesuccessfulinidentifyingphishingpages(morethan80%arecorrectlyrecognized),raisingonlyaverysmallnumberoffalsealerts(18outof4,149pagesareincorrectlyclassifiedasphishing)StaticPageAnalysis:DemoStartingfromthetrainingdata-set,arealtimedemonstrationisprovidedInstalltheWekaPackageLoadtheinput".
arf"or".
csv"fileSelecttheJ48algorithmRuntheapplicationChecktheextractedtree-Stepstobeexecuted-InformationFlowSolutions:AntiPhish(1/2)Alimitednumberofinformationflowbasedsolutionswererealized.
TheobjectiveistoprotectusersbycheckingwheretheinformationissenttoAntiPhishisanapplicationthatisintegratedintothebrowserasanexternalplug-inAfterAntiPhishisinstalled,thebrowserpromptsarequestforanewmasterpasswordwhentheuserentersinputintoaformforthefirsttimeThemasterpasswordisusedtoencryptthesensitiveinformationbeforeitisstored(usingDES)Aftertheuserenterssensitiveinformationsuchasapassword,theAntiPhishmenuisusedtoscanthepageandtocaptureandstorethisinformationwiththedomainofthewebsite,too-Howdoesitlooklike--Generaldescription-InformationFlowSolutions:AntiPhish(2/2)TheexecutionflowchartofAntiPhishindicateshowthistoolallowtoprotectpotentialvictimsUserpresseskeyorpastestextintoformfieldCheckiftheinformationenteredisinthe"watch-list"Istheinfointhe"watch-list"DoesthedomaincorrespondThewebsiteistrusted.
ContinuenormallyUntrustedwebsite.
GenerateanalertNOYESNOYESAntiPhishdetectsthatsensitiveinformationhasbeentypedintoaformofanuntrusteddomainandcancelstheoperation.
Everytimeinformationisenteredintoaformelement(e.
g.
,textfield,textarea,etc.
),AntiPhishgoesthroughitslistofcaptured/cachedinformation.
Interactioneventstheusergenerateswithinthebrowser(keypresses,submissions,mouseclicks&focus)areinterceptedbeforeinformationcanflowtountrustedwebsite.
AntiPhishinActionWhenthevictiminsertshisusernameandpasswordtoanuntrustedwebsite,analertisraisedbeforesensitiveinformationaresenttothephisherAgenda1.
Briefintroductiontophishing2.
Strategicdefensetechniques3.
Anewclientbasedsolution:DOMAntiPhish4.
ConclusionsLayout-Similarity-basedSolutions(1/2)Layout-similarity-basedapproachesclassifyawebpageasaphishingpageifits"visual"similarityvalueisaboveapredefinedthreshold-Wenyinetal.
Approach-Thewebpageisdecomposedintosalientblocksaccordingto"visualcues".
Thevisualsimilaritybetweentwowebpagesismeasured.
Awebpageisconsideredaphishingpageifthesimilaritytothelegitimatewebpageishigherthanathreshold.
Layout-Similarity-basedSolutions(2/2)DOMAntiPhish[Rosiello,Kirda,Kruegel,Ferrandi]computesthesimilarityvalueextractingtheDOM-Treeoftheconsideredwebpages-DOMAntiPhishdescription-Whenapasswordassociatedwithacertaindomainisreusedonanotherdomainthesystemcomparesthelayoutofthecurrentpagewiththepagewherethesensitiveinformationwasoriginallyentered.
ForthecomparisontheDOM-Treeoftheoriginalwebpageandthenewonearechecked.
Ifthesystemdeterminesthatthesepageshaveasimilarappearance,aphishingattackisassumed-DOMAntiPhishFlowchart-DOMAntiPhish:DOM-TreeExtractionTheDocumentObjectModel(DOM)-Treeisaninternalrepresentationusedbybrowserstorepresentawebpage-HTMLsourcecode-ShadyGroveAeolianOvertheriverAlbert-DOM-Treerepresentation-DOMAntiPhish:SimilarityComputationDOM-TreesreducetheproblemofcomputingthelayoutsimilarityoftwowebpagestotheproblemofestablishingiftwotreesareisomorphicINPUTS:vertexv,vertexu,firstSubTreeФ,secondSubTreeФWHILEcontinue_whileexistsequivalent_subTrees_branchesDOfirstSubTree=getSubTree(u,firstSubTree);secondSubTree=getSubTree(v,secondSubTree);IFaresimilar(firstSubTree,secondSubTree)THENfloatpenalty=compute_similarity_penalty();storesubTrees(u,v,firstSubTree,secondSubTree,penalty);ENDIFENDWHILE-Templatescomputationalgorithm-Equaltemplatesextractedbythealgorithm.
Tocoverthetrees,thebestsetoftemplatesareselected(minimizingthesimilaritypenalties)-PhishingExample-DOMAntiPhish:ImplementationProcessDOMAntiPhishprototypeisimplementedasaJavascriptplug-inforMozillaFirefox2.
0whichinvokesaJavasoftwaretocomputethelayoutsimilarityDOM-TreeExtractionJavaSoftwareCallTheJavascriptplug-inforMozillaFirefox2.
0extractstheDOM-TreerepresentationofeachstoredwebpageandbrowsingoneTheJavascriptplug-inwritesdowntwotextfilesthatcontaintheextractedDOM-TreesTheJavascriptplug-ininvokestheJavasoftwareSimilarityLayoutCalculationTheJavasoftwarecalculatesthesimilarityoftheanalyzedDOM-TreeschoosingthesetoftemplateswhichminimizethesimilaritypenaltyandmaximizethecoveragePhishingReportTheJavascriptplug-inreadsthesimilarityvaluefromatextfileandreturnsthephishingreporttotheuserDOMAntiPhish:ExperimentalResultsDOMAntiPhishwastestedonasetofover200websitesprovingthatourapproachisfeasibleinpractice-Experimentalresultsdescription-Duringthesimilaritycomputationprocess,fortheisomorphicsubtreesidentificationalgorithm,weaddedapenaltyof0.
3iftwocorrespondingtagshaddifferenttypesorifatagdidnothavechildrenanditsmatchedcounterpartdid.
Iftwoattributesofmatchedtagsweredifferent,apenaltyof0.
1wasadded.
Moreover,iftheattributeshaddifferentvalues,thenapenaltyof0.
05wasadded,too.
Thepenaltyvaluesweredeterminedempiricallybyhavingasobjectivefunctiontheminimizationoffalsepositiveandnegativeresultsforlowandhighthresholdvaluesrespectively.
DOMAntiPhish:LimitationsAseverysecuritysolution,alsoDOMAntiPhishisnotperfectandwecanidentifythefollowingmainlimitations:Itcouldbepossibleforattackerstouseacombinationofimagestocreateaspoofedwebpagethatlooksvisuallysimilartoalegitimatewebpage.
Hence,theDOMofthespoofedwebpagewouldbedifferentanddetectionwouldbeevaded.
Onepossibilityofdealingwiththislimitationcouldbetotakeaconservativeapproachandtotagwebpagesasbeingsuspiciousthatcontainalargenumberofimagesorthatmainlyconsistofimages.
AnotherpossibleproblemcouldbeDOMobfuscationattemptsthatwouldmakethevisuallooksimilartothelegitimatewebpagewhileatthesametimeevadingdetection.
Ourapproachraisesthedifficultybarforcreatingphishingpages.
Furthermore,onecanalwaystakeamoreconservativeapproachbyreducingthephishingalertthreshold.
Also,ifphishersareforcedtoalterthelookandfeeloftheirphishingpages,thesepageswillbecomelessconvincingandmoresuspicioustothevictims.
-Potentialattacks--Defensivesolutions-DOMAntiPhish:DemoBrowsingsomewebpagesweshowhowDOMAntiPhishworksagainstphishingattacksInstallDOMAntiPhishplug-inLogintoatrustedwebsiteTrytologintoaphishingwebsiteCheckthephishingreport-Stepstobeexecuted-Agenda1.
Briefintroductiontophishing2.
Strategicdefensetechniques3.
Anewclientbasedsolution:DOMAntiPhish4.
ConclusionsConclusionsAsforeveryITattack,phishingcanbeprevented,detectedandmitigatedthroughserver-basedandclient-basedapproaches,supportedbyeducationandawarenessPeopleClient-basedtechniquestrytoprotectusersimplementinglocalsolutions,suchasbrowserplug-insore-mailclientsServerbasedtechniquesareappliedonserversorprovidersthatofferservicestocustomersReferencesAngeloP.
E.
Rosiello,EnginKirda,ChristopherKruegel,andFabrizioFerrandi.
"ALayout-Similarity-BasedApproachforDetectingPhishingPages".
IEEEInternationalConferenceonSecurityandPrivacyinCommunicationNetworks(SecureComm),Nice,France,September2007ChristianLudl,SeanMcAllister,EnginKirda,andChristopherKruegel.
"OntheEffectivenessofTechniquestoDetectPhishingSites".
DetectionofIntrusionsandMalwareandVulnerabilityAssessment(DIMVA)2007Conference,Lucerne,Switzerland,July2007EnginKirdaandChristopherKruegel.
"ProtectingUsersagainstPhishingAttacks".
TheComputerJournal,2006.
NeilChou,RobertLedesma,YukaTeraguchi,DanBoneh,andJohnMitchell.
"Client-sidedefenseagainstweb-basedidentitytheft".
In11thAnnualNetworkandDistributedSystemSecuritySymposium(NDSS'04),SanDiego,2005.
Anti-PhishingWorkingGroup(APWG).
APWGHomepage.
http://www.
antiphishing.
org/,2007.
InformationSecuritySurvey2007–InformationWeekResearch&AccentureGoogle.
GoogleWhitelist.
http://sb.
google.
com/safebrowsing/updateversion=goog-white-domain:1:-1,2007.
Mozilla.
Firefox2PhishingProtectionEffectivenessTesting.
http://www.
mozilla.
org/security/phishing-test.
html,2006.
Verisign.
Anti-PhishingSolution.
http://www.
verisign.
com/verisign-business-solutions/anti-phishing-solutions/,2005.
YueZhang,SergeEgelman,LorrieCranor,andJasonHong.
PhindingPhish:EvaluatingAnti-PhishingTools.
InNetworkandITSecurityConference:NDSS2007,SanDiego,California,2007.
Weka.
http://www.
cs.
waikato.
ac.
nz/ml/weka/

spinservers($89/月),圣何塞10Gbps带宽服务器,达拉斯10Gbps服务器

spinservers是Majestic Hosting Solutions LLC旗下站点,主要提供国外服务器租用和Hybrid Dedicated等产品的商家,数据中心包括美国达拉斯和圣何塞机房,机器一般10Gbps端口带宽,高配置硬件,支持使用PayPal、信用卡、支付宝或者微信等付款方式。目前,商家针对部分服务器提供优惠码,优惠后达拉斯机房服务器最低每月89美元起,圣何塞机房服务器最低每月...

RAKsmart秒杀服务器$30/月,洛杉矶/圣何塞/香港/日本站群特价

RAKsmart发布了9月份优惠促销活动,从9月1日~9月30日期间,爆款美国服务器每日限量抢购最低$30.62-$46/月起,洛杉矶/圣何塞/香港/日本站群大量补货特价销售,美国1-10Gbps大带宽不限流量服务器低价热卖等。RAKsmart是一家华人运营的国外主机商,提供的产品包括独立服务器租用和VPS等,可选数据中心包括美国加州圣何塞、洛杉矶、中国香港、韩国、日本、荷兰等国家和地区数据中心(...

Virtono:圣何塞VPS七五折月付2.2欧元起,免费双倍内存

Virtono是一家成立于2014年的国外VPS主机商,提供VPS和服务器租用等产品,商家支持PayPal、信用卡、支付宝等国内外付款方式,可选数据中心共7个:罗马尼亚2个,美国3个(圣何塞、达拉斯、迈阿密),英国和德国各1个。目前,商家针对美国圣何塞机房VPS提供75折优惠码,同时,下单后在LET回复订单号还能获得双倍内存的升级。下面以圣何塞为例,分享几款VPS主机配置信息。Cloud VPSC...

www.nyzsb.com.cn为你推荐
参数winrar5青岛市建设工程电子交易系统supplementedroute支持ipad支持ipad地址163css3圆角怎样用css实现圆角矩形?itunes备份itunes 里面的资料如何备份?win7如何关闭445端口如何判断445端口是否关闭chromeframechrome需要frame吗
华众虚拟主机管理系统 域名主机空间 naning9韩国官网 腾讯云盘 paypal认证 gateone 线路工具 网通ip 创梦 天互数据 跟踪路由命令 路由跟踪 免费asp空间 百度云空间 photobucket iki 徐州电信 阿里云邮箱申请 国外代理服务器 asp空间 更多