John Heidemann / Papers / AuntieTuna: Personalized Content-Based Phishing Detection

AuntieTuna: Personalized Content-Based Phishing Detection
Calvin Ardi and John Heidemann

Citation

Calvin Ardi and John Heidemann. AuntieTuna: Personalized Content-Based Phishing Detection. Proceedings of the NDSS Workshop on Usable Security (San Diego, California, USA, Feb. 2016), to appear. [PDF] [alt PDF] [Code]

Abstract

Phishing sites masquerade as copies of legitimate sites (“targets”) to fool people into sharing sensitive information that can then be used for fraud. Current phishing defenses can be ineffective, with training ignored, blacklists of discovered, bad sites too slow to pick up new threats, and whitelists of known-good sites too limiting. We have developed a new technique that automatically builds personalized lists of target sites (candidates that may be copied by phish) and then tests sites as a user browses them. Our approach uses cryptographic hashing of each page’s rendered Document Object Model (DOM), providing a zero false positive rate and identifying more than half of detectable phish in a controlled study. Since each user develops a customized list of target sites, our approach presents a diverse defense against phishers. We have prototyped our approach as a Chrome browser plugin called \emphAuntieTuna, emphasizing usability through automated and simple manual addition of target sites and clean reports of potential phish that include context about the targeted site. AuntieTuna does not slow web browsing time and presents alerts on phishing pages before users can divulge information. Our plugin is open-source and has been in use by a few users for months.

Bibtex Citation

@inproceedings{Ardi16a,
  author = {Ardi, Calvin and Heidemann, John},
  title = {AuntieTuna: Personalized Content-Based Phishing Detection},
  booktitle = {Proceedings of the  NDSS Workshop on Usable Security},
  year = {2016},
  sortdate = {2016-02-21},
  month = feb,
  project = {ant, retrofuture},
  jsubject = {www},
  pages = {to appear},
  publisher = {The Internet Society},
  address = {San Diego, California, USA},
  url = {http://www.isi.edu/%7ejohnh/PAPERS/Ardi16a.html},
  pdfurl = {http://www.isi.edu/%7ejohnh/PAPERS/Ardi16a.pdf},
  codeurl = {https://ant.isi.edu/software/antiphish/},
  keywords = {phishing}
}
Copyright © by John Heidemann