The CASTLE Project

Summary

Phishing is a major problem on the Internet. The goal of a phishing attack is to steal valuable information such as credit card numbers and passwords. Once attackers obtain such information, they can use it for their own benefit, for example by taking control of the victim's online accounts.

The number of phishing attacks is increasing rapidly, and this form of attack has also started targeting financial institutions. In June 2008, the Anti-Phishing Working Group received about 28,151 unique phishing email reports.

A number of anti-phishing techniques have been developed or proposed. For instance, browser-based toolbars consult a centrally maintained database to determine whether a particular website is a phishing site; if the site is blacklisted, the toolbar prevents the user from visiting it. A few central repositories cannot handle complaints for the whole namespace, because the namespace is vast. A central blacklist is also susceptible to zero-day attacks: a newly created phishing site is not blocked until someone reports it and the repository lists it. Moreover, these repositories do not share information about phishing URLs with each other, even though such sharing could improve their effectiveness in countering phishing sites.

Banks deal with phishing attacks by taking down phishing websites. This 'take-down' approach is usually contracted to specialist companies. These companies do not cooperate with each other, even though cooperation would let them share phishing URLs and improve their effectiveness.

We propose a decentralized framework called CASTLE that enables a collaborative approach to building anti-phishing databases. Such databases are at the core of the browser-based toolbars, plugins, and extensions that prevent users from falling prey to phishing attacks. CASTLE scales to any number of nodes because the response time of a lookup does not depend on the total number of nodes.

An advantage of the CASTLE approach is that it provides a substrate for integrating many different anti-phishing strategies. For example, the PVCs that form the P2P network can employ diverse techniques to make their local decisions: some PVCs may rely on manual examination, while others may combine automated analysis and classification with manual examination. The use of diverse techniques increases the scalability of the anti-phishing effort.

In CASTLE, the namespace is partitioned by URL prefix, so that each decision is made by a repository familiar with the URL in question. This lets different brands take ownership of their own part of the namespace. CASTLE also addresses pharming, in which a legitimate URL is resolved to an address other than the one that belongs to it.

We implemented a prototype of CASTLE and tested it on PlanetLab. The experiments indicate the viability of the CASTLE framework.

People

  • Muthucumaru Maheswaran
  • Arash Nourian
  • Sameer Ishtiaq

Description

The main feature of CASTLE is that it uses multiple phishing verification servers (PVCs) to determine whether a URL is phishing. All PVCs are assumed to be trusted and are socially connected via a peer-to-peer (P2P) network. A PVC is responsible for a certain domain or set of domain prefixes. For instance, a PVC could be responsible for the domain name cnn.com, or for cn*.com, in which case it handles every URL whose domain name starts with the prefix cn under the TLD com.

Whenever we want to determine whether a particular URL is phishing, we do the following, in order:

  1. We resolve the queried URL to its IP address.
  2. We check whether we have already performed content analysis on this URL.
  3. If yes, we retrieve the trusted URL whose content was found to be similar to the content hosted at the queried URL. If no, we perform content analysis on the queried URL to find a trusted URL hosting similar content.
  4. We route the query to the PVC that handles the trusted URL.
  5. At that PVC, we check whether the queried URL is present in the white list, the black list, or the gray list.
  6. If the URL is in the white list, we compare the IP address resolved in step 1 with the IP address recorded for that URL in the white list. If they match, the URL is legitimate. If they differ, the URL is being pharmed: the legitimate name is being resolved to an address the PVC does not know.
  7. If the URL is in the black list or the gray list, we report it as phishing or suspected phishing, respectively.
  8. If the URL is in none of the lists, we add it to the gray list and notify the administrators of that PVC.

Only the domain name and top-level domain (TLD) of the URL are used for routing. In each routing step, a PVC forwards the message either (1) to a PVC that handles domains under a different TLD than the one handled by the present PVC, when the queried TLD differs, or (2) to a PVC that handles domains sharing a prefix with the queried domain that is at least one letter longer than the prefix the queried domain shares with the domains handled by the present PVC. Each hop therefore either fixes the TLD or lengthens the matched prefix by at least one letter, so the number of hops is bounded by the length of the domain name rather than by the number of PVCs.

The content analysis module is used to find out whether the textual content of a given URL is similar to the content hosted at a trusted URL. The flow chart for the content analysis module is shown below.
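The following is an added example, not the CASTLE prototype's own code, that simulates the lookup procedure and the prefix-based routing described above on a small in-memory network of PVCs. DNS resolution and page fetching are replaced by values the caller passes in, the four-node topology and its lists are constructed for the example, and the content analysis module is stood in for by a Jaccard word-overlap score with a 0.5 threshold; the page does not say which similarity measure CASTLE uses, so that part is an assumption.

```python
"""Added example: CASTLE-style PVC routing and white/black/gray list lookup.
Not the project's code.  Topology, lists and page texts are constructed; the
Jaccard similarity stands in for the content analysis module (an assumption)."""
from dataclasses import dataclass, field
from urllib.parse import urlparse


def domain_and_tld(url):
    """Return (domain, tld) of the registered name; only these are used for routing."""
    labels = (urlparse(url).hostname or "").lower().split(".")
    if len(labels) < 2:
        raise ValueError("expected a host of the form name.tld: %r" % url)
    return labels[-2], labels[-1]


def common_prefix_len(a, b):
    """Length of the prefix shared by two strings."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


@dataclass
class PVC:
    name: str
    prefix: str                                     # "cn" means this PVC handles cn*.<tld>
    tld: str
    whitelist: dict = field(default_factory=dict)   # url -> IP address recorded for it
    blacklist: set = field(default_factory=set)
    graylist: set = field(default_factory=set)
    peers: list = field(default_factory=list, repr=False, compare=False)
    alerts: list = field(default_factory=list)      # URLs reported to this PVC's admins

    def handles(self, domain, tld):
        return tld == self.tld and domain.startswith(self.prefix)

    def next_hop(self, domain, tld):
        """One routing step: (1) other TLD -> a peer for that TLD; (2) same TLD ->
        the peer whose prefix shares at least one more letter with the domain."""
        if tld != self.tld:
            return next((p for p in self.peers if p.tld == tld), None)
        here = common_prefix_len(domain, self.prefix)
        longer = [p for p in self.peers
                  if p.tld == tld and common_prefix_len(domain, p.prefix) > here]
        if not longer:
            return None
        return max(longer, key=lambda p: (common_prefix_len(domain, p.prefix),
                                          domain.startswith(p.prefix)))

    def verdict(self, url, resolved_ip):
        """Steps 5-8: white list first (IP mismatch means pharming), then black, then gray."""
        if url in self.whitelist:
            return "legitimate" if self.whitelist[url] == resolved_ip else "pharming"
        if url in self.blacklist:
            return "phishing"
        if url in self.graylist:
            return "suspected phishing"
        self.graylist.add(url)          # step 8: unknown URL goes to the gray list
        self.alerts.append(url)         # ... and the PVC's administrators are told
        return "graylisted"


def route(start, domain, tld, max_hops=16):
    """Forward until no peer matches a longer prefix; that PVC is responsible."""
    node, path = start, [start.name]
    for _ in range(max_hops):
        nxt = node.next_hop(domain, tld)
        if nxt is None:
            return (node if node.handles(domain, tld) else None), path
        node = nxt
        path.append(node.name)
    return None, path


def jaccard(text_a, text_b):
    a, b = set(text_a.lower().split()), set(text_b.lower().split())
    return len(a & b) / len(a | b) if a | b else 0.0


def check_url(start, url, resolved_ip, page_text, trusted_pages, cache, threshold=0.5):
    """Steps 1-8 for one query.  `cache` maps a queried URL to the trusted URL it resembles."""
    if url not in cache:                                           # steps 2-3
        best = max(trusted_pages, key=lambda t: jaccard(page_text, trusted_pages[t]))
        if jaccard(page_text, trusted_pages[best]) < threshold:
            return "no similar trusted site", []
        cache[url] = best
    domain, tld = domain_and_tld(cache[url])                       # step 4: route on the trusted URL
    pvc, path = route(start, domain, tld)
    if pvc is None:
        return "no responsible PVC", path
    return pvc.verdict(url, resolved_ip), path                     # steps 5-8


def build_demo():
    """Constructed four-node network: root PVCs for .org and .com, then c*.com, then cn*.com."""
    root_org = PVC("pvc-org", "", "org")
    root_com = PVC("pvc-com", "", "com")
    c_com = PVC("pvc-c-com", "c", "com")
    cn_com = PVC("pvc-cn-com", "cn", "com",
                 whitelist={"http://www.cnn.com/": "203.0.113.10"},
                 blacklist={"http://cnn-account-verify.example.net/"})
    root_org.peers = [root_com]
    root_com.peers = [c_com, root_org]
    c_com.peers = [cn_com, root_com]
    cn_com.peers = [c_com]
    trusted_pages = {"http://www.cnn.com/": "cnn news sign in to your account breaking news video"}
    return root_org, cn_com, trusted_pages


if __name__ == "__main__":
    start, _, pages = build_demo()
    print(check_url(start, "http://www.cnn.com/", "203.0.113.10",
                    "cnn sign in to your account", pages, {}))
```

A query for www.cnn.com entered at the .org root hops to the .com root (rule 1), then to c*.com and cn*.com (rule 2), and the verdict is decided there; the same trusted-URL PVC also answers for look-alike pages under other domains, which is what lets one brand's PVC own decisions about sites imitating it.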

Publications

castle.txt · Last modified: 2009/10/06 17:20 (external edit)