Learning from the Ones that Got Away: Detecting New Forms of Phishing Attacks

Phishing attacks continue to pose a major headache for defenders of computing systems, often forming the first step in a multistage attack. There have been great strides made in phishing detection, however, some insidious kinds of phishing messages appear to pass through filters by making seemingly simple structural and semantic changes to the messages. We tackle this problem in this paper, through the use of a machine learning classifier operating on a large corpus of phishing and legitimate messages. By understanding common phishing features, we design a system to extract features and elevate some to higher level features that are meant to defeat common phishing mail construction strategies. The algorithms are instantiated in a usable system called SAFE-PC (Semi-Automated Feature generation for Phish Classification). To evaluate SAFE-PC, we collect the large corpus of phishing messages from the central IT organization at a tier-1 research university. The execution of SAFE-PC on the dataset exposes some hitherto unknown insights about phishing campaigns directed at university users. SAFE-PC can detect more than 70% of the emails that had eluded our production deployment of Sophos, a state-of-the-art email filtering tool today. It also performs better than SpamAssassin, a commonly used email filter. We also develop an online version of SAFEPC, that can be incrementally retrained with new samples. Its detection performance is found to improve with time as new samples are fed in, while the time to retrain it stays constant.