• Surachai CHITPINITYON • Kasom KOHT-ARSA • Surasak SANGUANPONG • Anan Phonphoem
• Office of Computer Services • Kasetsart University • E-mail: Surachai.Ch@ku.ac.th
Automatic Phishing Site Detection and Blocking
• APAN 2008, Hawaii, 23 January 2008
This work is partially supported by Commission of Higher Education (CHE), UniNET, Thailand

Network Operation Center, Kasetsart University, Office of Computer Services

Agenda
• What is Phishing?
• Why Phishing Site Detection and Blocking are needed?
• Phishing Site Detection Techniques
• Proposed Solution: Detection and Blocking Techniques
• Current Deployment
• Future Work

What is Phishing?
• An attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details
• We concentrate only on detecting and blocking phishing sites inside the campus network

Why Phishing Site Detection and Blocking are needed?
• Steal consumers' personal identity data
• Financial account credentials

Phishing Site Detection Techniques
• E-mail Detection at Mail Gateway
https://signin.ebay.com

Detection and Blocking Techniques
Solution 1:
• Detection: Phishing Site URL
• Blocking: URL filtering techniques
Solution 2:
• Detection: Phishing Site Content
• Blocking: Firewall

Solution 1: Traffic Flows
[Figure: Campus Network, Gateway, Internet, Phishing Site, and the Phishing Site Detection and Blocking Engine]

Solution 1: Structure
[Figure: Phishing Site Detection and Blocking Engine. Labels: Communicator (mirror traffic, incoming; Internet); URL Analyzer (URL pattern, regular expression URL matching); Session Controller (TCP termination, phishing site blocking)]

Solution 1: Procedure
[Figure: numbered steps 1 to 5 between Campus Network, Gateway, Internet, Phishing Site, and the Phishing Site Detection and Blocking Engine. Labels: GET; search; Phishing URL Lists; Matching ??; FIN]
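
An added example, not code from the presentation: a minimal URL Analyzer of the kind the Solution 1 slides describe, taking mirrored request payloads and applying regular-expression URL matching. The patterns, host names and the `extract_url`/`analyze` functions are assumptions, and cleartext HTTP on the mirror port is assumed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed URL patterns; the deck does not show its real pattern list.
URL_PATTERNS = [
    re.compile(r"/signin\.ebay\.com(/|$)"),            # brand host name used as a path segment
    re.compile(r"^signin\.ebay\.com\.[a-z0-9.-]+/"),   # brand host name prefixed to another domain
]

def extract_url(payload: bytes):
    """Rebuild 'host/path?query' from a mirrored HTTP request; None unless it is a GET."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "GET" or not parts[2].startswith("HTTP/"):
        return None
    target, host = parts[1], ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
            break
    if target.lower().startswith("http://"):           # absolute-form request target
        split = urlsplit(target)
        host = split.netloc
        target = (split.path or "/") + ("?" + split.query if split.query else "")
    if not host:
        return None
    host = host.lower()
    if host.endswith(":80"):                           # default port is not part of the name
        host = host[:-3]
    # Decode %xx escapes so an encoded path cannot slip past the patterns.
    return host.rstrip(".") + unquote(target)

def analyze(payload: bytes):
    """Return (url, matched) for one mirrored request payload."""
    url = extract_url(payload)
    if url is None:
        return None, False
    return url, any(p.search(url) for p in URL_PATTERNS)

# Constructed sample requests, as they would appear on the mirror port.
SAMPLES = [
    b"GET /~user/signin.ebay.com/index.html HTTP/1.1\r\nHost: www.campus.example\r\n\r\n",
    b"GET /%73ignin.ebay.com/ HTTP/1.1\r\nhost: WWW.Campus.Example:80\r\n\r\n",
    b"GET /library/search?q=ebay HTTP/1.1\r\nHost: www.campus.example\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(analyze(raw))
```

A `True` result is what would be handed to the Session Controller for TCP termination; the third sample shows that a brand name in a query string alone does not match.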

Solution 1: Session Hijacking
[Figure: TCP sequence diagram between Client, Filtering and Server. Labels: SYN J; SYN K, ACK J+1; ACK K+1; Data (request); FIN L; Faked FIN by Filtering Engine; Data (reply); Packet will be ignored]

Solution 1: Session Hijacking
[Figure: sequence diagrams between Client, Filtering and Server for two cases, "Successful filtering" and "Unsuccessful filtering". Labels: Data (request); Data (reply); Faked FIN; FIN L; ACK L+1; FIN M; ACK M+1; ignored]

Solution 1: A Closer Look at Hijacking
Success Condition:
$t_3 < t_4$
$t_3 - t_0 < t_4 - t_0$
$t_3 - t_1 < RTT$
From our measurement, $t_3 - t_1$ is less than 0.6 milliseconds. The average of $t_3 - t_1$ is about $0.2 \times RTT$.

Solution 2: Traffic Flows
[Figure: numbered flows 1 to 4 between Campus Network, Gateway, Internet, Phishing Site, and the Phishing Site Detection and Blocking Engine]

Solution 2: Structure
[Figure: Phishing Site Detection and Blocking Engine. Labels: Communicator (mirror traffic, outgoing; Internet); Content Analyzer (content pattern, regular expression content matching); Firewall (phishing site blocking)]
Solution 2: Phishing site pattern

Solution 2: Procedure
[Figure: numbered steps 1 to 5 between Campus Network, Gateway, Firewall, Internet, Phishing Site, and the Phishing Site Detection and Blocking Engine. Labels: GET (steps 1, 2); Reply (steps 3, 4); search; Phishing Content Lists; Matching ??; block; Reply X (step 5)]
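
An added example, not code from the presentation: a model of the Solution 2 loop, in which mirrored replies are matched against content patterns and a match places the server on the firewall block list, so the first reply passes and later ones are dropped. "About Google" is the keyword from the testing slide; the password-field condition, the addresses and the `ContentEngine` class are assumptions.

```python
import re

# Constructed signature: every regex must match the page body.
# "About Google" is the keyword from the testing slide; the password-field
# condition is an assumption added here to reduce false positives.
SIGNATURES = {
    "google-login": [
        re.compile(r"About\s+Google", re.I),
        re.compile(r"<input[^>]+type=[\"']?password", re.I),
    ],
}

class ContentEngine:
    """Match mirrored HTTP replies and keep the firewall block list."""

    def __init__(self):
        self.blocked = {}                       # server address -> signature name

    def firewall_allows(self, server_ip: str) -> bool:
        return server_ip not in self.blocked

    def inspect_reply(self, server_ip: str, payload: bytes):
        """Return the name of the matching signature, or None."""
        head, sep, body = payload.partition(b"\r\n\r\n")
        if not sep or not head.startswith(b"HTTP/"):
            return None                         # not the start of an HTTP reply
        if b"text/html" not in head.lower():
            return None                         # only HTML pages are matched
        text = body.decode("utf-8", errors="replace")
        for name, regexes in SIGNATURES.items():
            if all(r.search(text) for r in regexes):
                self.blocked[server_ip] = name  # step "block": later replies are dropped
                return name
        return None

# Constructed replies from two servers (documentation addresses are used in the calls).
FAKE_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<form><input name=p type=password></form><a href=#>About Google</a>")
NEWS_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<p>An article about Google and search engines.</p>")

if __name__ == "__main__":
    engine = ContentEngine()
    print(engine.inspect_reply("192.0.2.20", FAKE_PAGE), engine.firewall_allows("192.0.2.20"))
    print(engine.inspect_reply("192.0.2.21", NEWS_PAGE), engine.firewall_allows("192.0.2.21"))
```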

Current Deployment: Structure
[Figure: Uninet Thaisarn, OCS KU, firewall, Phishing Site Detection Engine, WebScreen Agent; links labelled Ethernet 10 Gbps and Ethernet 1 Gbps]
CPU: 2x Dual Core Xeon 3.0 GHz, RAM: 1 GB, HD: SATA 1 TB

Current Deployment: Testing
[Figure: Uninet Thaisarn, OCS KU, firewall]
• Google phishing site detection
• Used “About Google” key word

Future Work
• Use pictures, such as logos, for detection
• Use AI to classify phishing sites
Q&A
Thank You