2015 Symposium Posters

SNIPE: Signature Generation for Phishing Emails

Project Members
Jeff Avery, Christopher Gutierrez, Paul Wood, Raffaele Della Corte, Jon Fulkerson, Gaspar Modelo-Howard, Brian Berndt, Keith McDermott, Saurabh Bagchi, Dan Goldwasser, Marcello Cinque
Abstract
Phishing attacks continue to pose a major headache for defenders of computing systems, often forming the first step in a multi-stage attack. There have been great strides made in phishing detection, and email servers have gotten good at flagging potential phishing messages. However, some insidious kinds of phishing messages appear to pass through filters by making seemingly simple structural and semantic changes to the messages. We tackle this problem in this paper through the use of machine learning algorithms operating on a large corpus of phishing messages and legitimate messages. By understanding common phishing features, we design a system to extract features and extrapolate values of such features. The algorithms are specialized for phishing detection, handling, for example, the use of synonyms or changes in sentence structure. The insights and algorithms are instantiated in a system called SNIPE (Signature geNeratIon for Phishing Emails). To evaluate SNIPE, we collect the largest known corpus of phishing messages (used in any publicly known study) from the central IT organization at a tier-1 research university. We run SNIPE on the dataset, and it exposes some hitherto unknown insights about phishing campaigns directed at university users. SNIPE is able to detect 100% of the phishing messages that had eluded our production deployment of Sophos, a state-of-the-art email filtering tool in use today.
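As an added illustration, not the authors' SNIPE implementation (whose learned features and corpus are not reproduced here), the following Python sketch shows the idea behind a phishing signature that survives the synonym substitution and sentence reordering the abstract mentions: message tokens are mapped to canonical terms through a synonym table, a few structural flags are added (presence of a URL, urgency wording, a credential request), and the resulting set is compared with known phishing signatures by Jaccard similarity. The synonym table, stop-word list, flag definitions, threshold and the three sample messages are all constructed for this example; a learned system would derive the vocabulary and features from a corpus instead of hard-coding them.

```python
"""Signature-style phishing detection sketch (added example, not SNIPE's code).

Everything below is constructed for illustration: the synonym table, stop words,
feature flags, threshold and sample messages are hand-written assumptions.
"""
import re

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
TOKEN_RE = re.compile(r"[a-z']+")

# Constructed stop-word list (assumption): function words carry no signal here.
STOPWORDS = {"your", "the", "a", "an", "to", "is", "and", "in", "of", "or", "we",
             "you", "will", "be", "it", "has", "been", "please", "this", "for",
             "our", "on", "by", "at", "are"}

# Constructed synonym table (assumption): lexical variant -> canonical term.
SYNONYMS = {
    "verify": "confirm", "validate": "confirm", "confirm": "confirm",
    "mailbox": "account", "account": "account",
    "password": "credential", "credentials": "credential", "credential": "credential",
    "urgent": "immediately", "asap": "immediately", "immediately": "immediately",
    "clicking": "click", "follow": "click", "click": "click",
    "url": "link", "link": "link",
    "deactivated": "suspended", "locked": "suspended", "suspended": "suspended",
}

# Canonical terms that trigger structural flags (assumption).
URGENCY_TERMS = {"immediately", "within"}
CREDENTIAL_TERMS = {"confirm", "credential"}


def tokenize(text):
    """Lower-case, strip URLs (captured separately as a flag), split into words, drop stop words."""
    body = URL_RE.sub(" ", text.lower())
    return [t for t in TOKEN_RE.findall(body) if t not in STOPWORDS]


def canonicalize(tokens):
    """Map each token to its canonical term so synonym swaps collapse to one feature."""
    return [SYNONYMS.get(t, t) for t in tokens]


def signature(text, normalize=True):
    """Build a set-valued signature: canonical terms plus structural flags.

    Using a set (not a sequence) makes the signature insensitive to sentence order.
    normalize=False skips the synonym mapping, to show what the evasion costs a naive matcher.
    """
    tokens = tokenize(text)
    if normalize:
        tokens = canonicalize(tokens)
    sig = set(tokens)
    if URL_RE.search(text):
        sig.add("FEAT:url")
    if sig & URGENCY_TERMS:
        sig.add("FEAT:urgency")
    if sig & CREDENTIAL_TERMS:
        sig.add("FEAT:credential_request")
    return frozenset(sig)


def jaccard(a, b):
    """Set similarity in [0, 1]; two empty signatures are treated as dissimilar."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def build_signatures(corpus, normalize=True):
    """One signature per known phishing message."""
    return [signature(m, normalize) for m in corpus]


def classify(text, signatures, threshold=0.5, normalize=True):
    """Return (is_phishing, best_similarity) against the known signatures."""
    sig = signature(text, normalize)
    best = max((jaccard(sig, s) for s in signatures), default=0.0)
    return best >= threshold, best


# Constructed sample messages (not from the paper's corpus).
PHISHING_CORPUS = [
    "Your mailbox has been suspended. Please verify your account within 24 hours "
    "by clicking the link below: http://example.invalid/verify",
    "Dear user, your password will expire today. Click here to update your "
    "credentials: http://example.invalid/reset",
]
# Same lure as the first message, rewritten with synonyms and reordered sentences.
VARIANT = ("Follow the URL below to validate your account immediately: "
           "http://example.invalid/login Otherwise your mailbox will be deactivated.")
LEGIT = ("Reminder: the department seminar is moved to Thursday at 3pm in room 210. "
         "Slides are attached. Thanks, Dana")


def demo():
    """Compare normalized and raw matching on the variant and on a benign message."""
    normalized = build_signatures(PHISHING_CORPUS)
    raw = build_signatures(PHISHING_CORPUS, normalize=False)
    return {
        "variant_normalized": classify(VARIANT, normalized),
        "variant_raw": classify(VARIANT, raw, normalize=False),
        "legit_normalized": classify(LEGIT, normalized),
    }


if __name__ == "__main__":
    for name, (flagged, score) in demo().items():
        print(f"{name}: flagged={flagged} similarity={score:.3f}")
```

With the synonym mapping, the rewritten variant scores 9/13 against the signature of the original lure and is flagged; without it the same message scores only 5/17 and slips under the threshold, while the benign seminar reminder scores 0 either way. That gap is the point of normalizing features before matching: the structural and semantic edits that defeat a filter keyed on surface wording leave the canonical signature largely intact.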