ERA


Permanent link (DOI): https://doi.org/10.7939/R3NT4J


Communities

This file is in the following communities:

Graduate Studies and Research, Faculty of

Collections

This file is in the following collections:

Theses and Dissertations

Detecting Visually Similar Web Pages: Application to Phishing Detection Open Access

Descriptions

Other title
Subject/Keyword
Computer security
Phishing
Webpage similarity
Type of item
Thesis
Degree grantor
University of Alberta
Author or creator
Teh-Chung, Chen
Supervisor and department
Scott Dick (Electrical and Computer Engineering)
James Miller (Electrical and Computer Engineering)
Examining committee member and department
Jens Weber (Software Engineering, University of Victoria)
Osmar Zaiane (Computing Science)
Vicky Zhao (Electrical and Computer Engineering)
Department
Department of Electrical and Computer Engineering
Specialization

Date accepted
2011-01-06T19:25:06Z
Graduation date
2011-06
Degree
Doctor of Philosophy
Degree level
Doctoral
Abstract
We propose a novel approach for detecting visual similarity between two web pages. The proposed approach applies Gestalt theory and considers a webpage as a single indivisible entity. The concept of supersignals, as a realization of Gestalt principles, supports our contention that web pages must be treated as indivisible entities. We objectify, and directly compare, these indivisible supersignals using algorithmic complexity theory. We apply our new approach to the domain of anti-Phishing technologies, which at once gives us both a reasonable ground truth for the concept of “visually similar,” and a high-value application of our proposed approach. Phishing attacks involve sophisticated, fraudulent websites that are realistic enough to fool a significant number of victims into providing their account credentials. There is a constant tug-of-war between anti-Phishing researchers who create new schemes to detect Phishing scams, and Phishers who create countermeasures. Our approach to Phishing detection is based on one major signature of Phishing webpages that cannot easily be changed by those con artists: visual similarity. The only way to fool this significant characteristic appears to be to make a visually dissimilar Phishing webpage, which also dramatically reduces the success rate of the Phishing scams or their criminal profits. For this reason, our application appears to be quite robust against a variety of common countermeasures Phishers have employed. To verify the practicality of our proposed method, we perform a large-scale, real-world case study, based on “live” Phish captured from the Internet. Compression algorithms (as a practical operational realization of algorithmic complexity theory) are a critical component of our approach. Out of the vast number of compression techniques in the literature, we must determine which compression technique is best suited for our visual similarity problem.
We therefore perform a comparison of nine compressors (including both 1-dimensional string compressors and 2-dimensional image compressors). We finally determine that the LZMA algorithm performs best for our problem. With this determination made, we test the LZMA-based similarity technique in a realistic anti-Phishing scenario. We construct a whitelist of protected sites, and compare the performance of our similarity technique when presented with a) some of the most popular legitimate sites, and b) live Phishing sites targeting the protected sites. We found that the accuracy of our technique is extremely high in this test; the true positive and false positive rates reached 100% and 0.8%, respectively. We finally undertake a more detailed investigation of the LZMA compression technique. Other authors have argued that compression techniques map objects to an implicit feature space consisting of the dictionary elements generated by the compressor. In testing this possibility on live Phishing data, we found that derived variables computed directly from the dictionary elements were indeed excellent predictors. In fact, by taking advantage of the specific characteristics of dictionary compression algorithms, we slightly improve on our accuracy when using a modified/refined LZMA algorithm for our already perfect NCD classification application.
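The whitelist comparison the abstract describes can be sketched with the Normalized Compression Distance (the "NCD" it mentions) computed with LZMA. This is an added example, not code from the thesis: the 0.5 threshold, the host check, the function names and the byte strings standing in for page captures are all assumptions constructed for illustration.

```python
import hashlib
import lzma

def c(data: bytes) -> int:
    """Compressed length under LZMA, the practical stand-in for complexity."""
    return len(lzma.compress(data, preset=9))

def ncd(x: bytes, y: bytes) -> float:
    """Normalized Compression Distance: near 0 = similar, near 1 = unrelated."""
    cx, cy = c(x), c(y)
    return (c(x + y) - min(cx, cy)) / max(cx, cy)

def classify(host: str, rendering: bytes, whitelist: dict, threshold: float = 0.5):
    """Return (verdict, closest protected host, distance) for a visited page.

    Assumption: a page that looks like a protected site but is served from a
    different host is the suspicious case; the threshold is illustrative.
    """
    if host in whitelist:
        return ("protected", host, 0.0)
    best_host, best = min(
        ((h, ncd(ref, rendering)) for h, ref in whitelist.items()),
        key=lambda pair: pair[1],
    )
    verdict = "suspected-phish" if best < threshold else "no-match"
    return (verdict, best_host, best)

def fake_rendering(seed: str, size: int = 4096) -> bytes:
    """Constructed stand-in for a page capture: deterministic, incompressible bytes."""
    out, block = bytearray(), seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])

# Constructed sample data (hosts use the reserved .example TLD).
WHITELIST = {"bank.example": fake_rendering("bank"), "shop.example": fake_rendering("shop")}
bank = WHITELIST["bank.example"]
LOOKALIKE = bank[:2000] + b"\x00" * 64 + bank[2064:]  # same capture, one small region changed
UNRELATED = fake_rendering("news")

if __name__ == "__main__":
    for host, page in [("bank-login.example", LOOKALIKE), ("news.example", UNRELATED)]:
        print(host, classify(host, page, WHITELIST))
```
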
Language
English
DOI
doi:10.7939/R3NT4J
Rights
Permission is hereby granted to the University of Alberta Libraries to reproduce single copies of this thesis and to lend or sell such copies for private, scholarly or scientific research purposes only. Where the thesis is converted to, or otherwise made available in digital form, the University of Alberta will advise potential users of the thesis of these terms. The author reserves all other publication and other rights in association with the copyright in the thesis and, except as herein before provided, neither the thesis nor any substantial portion thereof may be printed or otherwise reproduced in any material form whatsoever without the author's prior written permission.
Citation for previous publication

File Details

Date Uploaded
Date Modified
2014-04-29T15:57:17.820+00:00
Audit Status
Audits have not yet been run on this file.
Characterization
File format: pdf (Portable Document Format)
Mime type: application/pdf
File size: 3218303
Last modified: 2015:10:12 16:59:04-06:00
Filename: Teh-Chung_Chen_Spring2011.pdf
Original checksum: ceaa18634dc6d0adb51e2da008312bf9
Well formed: true
Valid: true
File title: Microsoft Word - 1224-ThesisRevision.doc
File author: Netsumi
Page count: 180