Fishing for Phishing from the Network Stream

Phishing is an increasingly prevalent social-engineering attack that attempts identity theft using spoofed Web pages of legitimate organizations. Unfortunately, current phishing detection methods are neither complete nor responsive because they rely on user reports, and many also require clientside software. Anti-phishing techniques could be more effective if they (1) could detect phishing attacks automatically from the network traffic; (2) could operate without cooperation from end-users. This paper performs a preliminary study to determine the feasibility of detecting phishing attacks in real-time, from the network traffic stream itself. We develop a model to identify the stages where in-network phishing detection is feasible and the data sources that can be analyzed to provide relevant information at each stage. Based on this model, we develop and evaluate a detection method based on features that exist in the network traffic it- self and are correlated with confirmed phishing attacks.