Deakin University
Browse

File(s) under permanent embargo

Profiling phishing activity based on hyperlinks extracted from phishing emails

journal contribution
posted on 2012-03-01, 00:00 authored by John YearwoodJohn Yearwood, Musa MammadovMusa Mammadov, D Webb
Phishing activity has recently been focused on social networking sites as a more effective way of exploiting not only the technology but also the trust that may exist between members in a social network. In this paper, a novel method for profiling phishing activity from an analysis of phishing emails is proposed. Profiling is useful in determining the activity of an individual or a particular group of phishers. Work in the area of phishing is usually aimed at detection of phishing emails. In this paper, we concentrate on profiling as distinct from detection of phishing emails. We formulate the profiling problem as a multi-label classification problem using the hyperlinks in the phishing emails as features and structural properties of emails along with whois (i.e. DNS) information on hyperlinks as profile classes. Further, we generate profiles based on the classifier predictions. Thus, classes become elements of profiles. We employ a boosting algorithm (AdaBoost) as well as SVM to generate multi-label class predictions on three different datasets created from hyperlink information in phishing emails. These predictions are further utilized to generate complete profiles of these emails. Results show that profiling can be done with quite high accuracy using hyperlink information.

History

Journal

Social network analysis and mining

Volume

2

Pagination

5-16

Location

Berlin, Germany

ISSN

1869-5450

eISSN

1869-5469

Language

eng

Publication classification

C Journal article, C1.1 Refereed article in a scholarly journal

Copyright notice

2011, Springer-Verlag

Issue

1

Publisher

Springer Verlag