Copyright 2010 Florida State University. All Rights Reserved
MDMap: Assisting Users in Identifying Phishing Emails
Patrick Dwyer
Department of Computer Science, Florida State University
Agenda
- Motivation and Background
- MDMap Design and Implementation
- Performance Evaluation
- Summary
Motivation
- Increase in phishing emails/spam
- Spam filters
- Suspicious information in phishing emails
- Non-expert users
- Intuitive/sensible method
- Suspicious information: sender location information
Internet Email System: MUAs and MTAs
Message Format
- Email envelope/content
- Message header/body
- Headers related to the sender:
    From: <[email protected]>
    Reply-To: <[email protected]>
    Return-Path: <[email protected]>
    Received:
Received: Header Field
    Received: from almostcosmic.com (n226-h110.gw-net.metromax.ru [83.234.226.110])
        by smtpin.cs.fsu.edu with SMTP id o24DvD3r010823
- from-from (name the sending host announced): almostcosmic.com
- from-domain (reverse DNS name the receiving MTA observed): n226-h110.gw-net.metromax.ru
- from-address: 83.234.226.110
- by-domain: smtpin.cs.fsu.edu
Email Forgery
- From:/Reply-To: cannot both be faked for certain types of phishing emails
- Received: header: the entry added by the first external MTA cannot be faked
- Faked headers often contain conflicting information when examined collectively
MDMap Design
- Revealing suspicious or conflicting information in an intuitive and sensible manner
- Sender location information
- Message delivery path
- Return-Path:, From:, Reply-To:
- URL links
MDMap Workflow
1. Parsing the email message
2. Retrieving related header information (and URLs)
3. Getting geographical location information
4. Obtaining a map showing sender location information
Message Delivery Path
- Shows how the message was delivered hop-by-hop at the MTA level
- Construction of the path from header fields
- List of MTAs/MUAs from Received: headers
- Private addresses, localhost IP addresses
Example Received: Headers
    Received: from smtpin.cs.fsu.edu (smtpin.cs.fsu.edu [128.186.120.196])
        by mail.cs.fsu.edu (Postfix) with ESMTP id 217D5F2D32
        for <[email protected]>; Fri, 22 Jan 2010 17:48:30 -0500 (EST)
    Received: from advanced62.inmotionhosting.com (advanced62.inmotionhosting.com [216.193.219.137])
        by smtpin.cs.fsu.edu (8.13.1/8.13.1) with SMTP id o0MMlbag016308
        for <[email protected]>; Fri, 22 Jan 2010 17:47:40 -0500
    Received: from hsit (86.59.210.51)
        by advanced62.inmotionhosting.com; Fri, 22 Jan 2010 14:47:34 -0800
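The two preceding slides describe how MDMap pulls the from-from, from-domain, from-address and by-domain fields out of each Received: line and strings them into a delivery path, leaving private and localhost addresses off the map. The following is an added example that is not code from the slides or from MDMap itself (it is in Python rather than MDMap's Java), written to show that construction end to end. The three upper Received: lines of the sample are the ones shown above; the loopback hop at the bottom, the placeholder addresses and the two-label "registered domain" approximation are assumptions of this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from email import message_from_string
from typing import List, Optional

# Constructed sample message. The three upper Received: lines are those shown on the
# slide; the bottom loopback hop and the placeholder addresses are constructed so the
# private/localhost filtering has something to skip.
SAMPLE = """\
Received: from smtpin.cs.fsu.edu (smtpin.cs.fsu.edu [128.186.120.196])
    by mail.cs.fsu.edu (Postfix) with ESMTP id 217D5F2D32
    for <recipient@placeholder.invalid>; Fri, 22 Jan 2010 17:48:30 -0500 (EST)
Received: from advanced62.inmotionhosting.com (advanced62.inmotionhosting.com [216.193.219.137])
    by smtpin.cs.fsu.edu (8.13.1/8.13.1) with SMTP id o0MMlbag016308
    for <recipient@placeholder.invalid>; Fri, 22 Jan 2010 17:47:40 -0500
Received: from hsit (86.59.210.51)
    by advanced62.inmotionhosting.com; Fri, 22 Jan 2010 14:47:34 -0800
Received: from [127.0.0.1] (localhost [127.0.0.1])
    by hsit with ESMTP; Fri, 22 Jan 2010 14:47:30 -0800
From: <sender@placeholder.invalid>
Subject: constructed sample

(body)
"""

# One Received: line contributes one hop: the name the client announced (from-from),
# the reverse DNS name and address the receiving MTA observed (from-domain,
# from-address), and the receiving MTA itself (by-domain).
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\))?"
    r"\s+by\s+(?P<by>[^\s;()]+)",
    re.IGNORECASE,
)


@dataclass
class Hop:
    helo: str            # from-from
    rdns: Optional[str]  # from-domain (absent when the MTA recorded only an address)
    ip: Optional[str]    # from-address
    by: str              # by-domain


def parse_received(value: str) -> Optional[Hop]:
    """Parse one Received: value (folding whitespace collapsed); None without a from/by pair."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    if not m:
        return None
    return Hop(m["helo"], m["rdns"], m["ip"], m["by"])


def is_internal(ip: str) -> bool:
    """Private, loopback and link-local addresses belong to someone's own network and
    cannot be geolocated, so they are left off the map."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def delivery_path(raw_message: str) -> List[Hop]:
    """Hops in delivery order. Each MTA prepends its Received: line, so the line that
    appears last in the message describes the first hop."""
    msg = message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()
    return hops


def external_hops(hops: List[Hop]) -> List[Hop]:
    """Hops with a public from-address: the ones worth placing on the map."""
    return [h for h in hops if h.ip and not is_internal(h.ip)]


def first_external_mta(hops: List[Hop]) -> Optional[Hop]:
    """The first public hop was recorded by a machine outside the sender's control,
    so its from-address is the most trustworthy location clue in the header."""
    ext = external_hops(hops)
    return ext[0] if ext else None


def registered_part(name: str) -> str:
    # Assumption: the last two labels approximate the registered domain; a
    # public-suffix list would be exact for names like example.co.uk.
    return ".".join(name.strip("[]").lower().rstrip(".").split(".")[-2:])


def helo_mismatch(hop: Hop) -> bool:
    """True when the announced name and the observed reverse DNS name fall under
    different registered domains, as in the slide's almostcosmic.com / metromax.ru hop."""
    if not hop.rdns or "." not in hop.rdns:
        return False
    return registered_part(hop.helo) != registered_part(hop.rdns)


if __name__ == "__main__":
    for hop in delivery_path(SAMPLE):
        tag = "internal" if hop.ip and is_internal(hop.ip) else "external"
        print(f"{hop.helo:>32} ({hop.ip or '-':>15}) -> {hop.by:<32} [{tag}]")
```

Run as a script it prints the four hops in delivery order with the loopback hop marked internal; the three external hops are the ones a GeoIP lookup would place on the map, and `first_external_mta` picks the hop whose recorded address the sender could not have forged.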
Map IP Address to Geographic Location
- GeoLiteCity API (MaxMind legacy GeoIP Java API)
    import java.net.InetAddress;
    import com.maxmind.geoip.Location;
    import com.maxmind.geoip.LookupService;

    LookupService ls = new LookupService("GeoLiteCity.dat", LookupService.GEOIP_MEMORY_CACHE);
    // look up by host name ...
    Location loc = ls.getLocation(domain_name);
    // ... or by IP address
    loc = ls.getLocation(InetAddress.getByName(IP_address));
Obtaining Map from Geographic Information
- Google Maps API: input = URL, output = image file
    import java.io.*;
    import java.net.*;

    File imageFile = new File("map.png");   // file name assumed; url is the Maps request built earlier
    imageFile.createNewFile();
    HttpURLConnection httpConn = (HttpURLConnection) url.openConnection();
    BufferedInputStream urlStream = new BufferedInputStream(httpConn.getInputStream());
    FileOutputStream imageStream = new FileOutputStream(imageFile);
    int byteRead;
    while ((byteRead = urlStream.read()) != -1) {
        imageStream.write(byteRead);
    }
    imageStream.close();
    urlStream.close();
- Alternatives: Bing Maps API, Yahoo Maps API
A Snapshot of MDMap
Performance Evaluation
- Data set: 100 phishing (spam) emails, from mid November 2009 to March 2010, randomly selected
- Heuristics:
    H1: MTAs along the message delivery path
    H2: Reply-To:, From:, Return-Path:
    H3: URLs
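Heuristics H2 and H3 both come down to a consistency check: do the registered domains behind From:, Reply-To: and Return-Path: agree, and do the link targets in the body point at the From: domain? The following is an added example, not code from the slides or from MDMap (Python rather than MDMap's Java), that implements those two checks over two constructed messages; H1, the delivery-path check, is separate and not covered here. The message contents, the example-bank.com/secure-update.example domains and the two-label "registered domain" approximation are assumptions of this example.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample with the kind of conflicts H2 and H3 look for: three sender
# headers under three different domains, and a link whose host merely begins with
# the From: domain.
PHISH = """\
From: "Account Team" <support@example-bank.com>
Reply-To: <verify@freemail.example.net>
Return-Path: <bounce@relay.example.org>
Subject: constructed sample
Content-Type: text/plain

Please confirm your details at http://example-bank.com.secure-update.example/verify
"""

# Constructed sample where the sender headers and the link agree.
LEGIT = """\
From: <newsletter@example-bank.com>
Reply-To: <newsletter@example-bank.com>
Return-Path: <bounces@example-bank.com>
Subject: constructed sample
Content-Type: text/plain

Read more at https://www.example-bank.com/news
"""

URL_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)


def registered_part(host: str) -> str:
    # Assumption: last two labels approximate the registered domain.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def address_domain(header_value: Optional[str]) -> Optional[str]:
    """Domain of the address inside a From:/Reply-To:/Return-Path: value, if any."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() or None


def sender_domains(msg: Message) -> Dict[str, str]:
    """Registered domain per sender-related header that is present."""
    found = {}
    for header in ("From", "Reply-To", "Return-Path"):
        dom = address_domain(msg.get(header))
        if dom:
            found[header] = registered_part(dom)
    return found


def h2_conflict(msg: Message) -> bool:
    """H2: the sender-related headers disagree about which domain the mail is from."""
    return len(set(sender_domains(msg).values())) > 1


def body_text(msg: Message) -> str:
    """Decoded text of every text/plain or text/html part."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def h3_mismatched_urls(msg: Message) -> List[str]:
    """H3: hosts of links in the body that do not fall under the From: domain."""
    from_dom = sender_domains(msg).get("From")
    hosts = [urlparse(u).hostname for u in URL_RE.findall(body_text(msg))]
    return [h for h in hosts if h and (from_dom is None or registered_part(h) != from_dom)]


def evaluate(raw_message: str) -> Dict[str, object]:
    """Apply H2 and H3 to one raw message and report what fired."""
    msg = message_from_string(raw_message)
    urls = h3_mismatched_urls(msg)
    return {"H2": h2_conflict(msg), "H3": bool(urls), "mismatched_urls": urls}


if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, evaluate(raw))
```

The URL check deliberately compares registered domains rather than full host names, so `www.example-bank.com` passes while `example-bank.com.secure-update.example` is reported, which is the lookalike pattern a user is least likely to notice by eye.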
Performance (number of the 100 phishing emails flagged)

    Heuristic            H1    H2    H3    Flagged (any heuristic)    Total
    Emails flagged       70    47    19    82                         100
Summary
- MDMap: a simple and effective system assisting users in identifying phishing emails
- Standalone Java program
- Web-based email systems
- Mobile phones
- Demo