Detecting Ambiguous Phishing Certificates using Machine Learning

Kaspar Hageman; Sajad Homayoun; Sam Afzal-Houshmand; Christian D. Jensen; Jens M. Pedersen

Detecting Ambiguous Phishing Certificates using Machine Learning

Kaspar Hageman, Sajad Homayoun, Sam Afzal-Houshmand, Christian D. Jensen, Jens M. Pedersen

Department of Applied Mathematics and Computer Science

Aalborg University

Research output: Chapter in Book/Report/Conference proceeding › Article in proceedings › Research › peer-review

910 Downloads (Pure)

Abstract

Recent phishing attacks have started to migrate to HTTP over TLS (HTTPS), making a phishing web page appear safe to the user’s browser despite its malicious purpose. This paper proposes new data features as well as machine learning-based solutions to predict digital certificates involved in HTTPS as phishing or benign certificates. In contrast to previous
works that consider this a binary classification problem, we take into account that a certificate can be partially benign and phishy simultaneously. We propose a multi-class classifier and a regressor to classify these ambiguous certificates, in addition to benign and phishing certificates, where the ‘phishyness’ of a certificate is expressed as a value between 0 and 1 for the regressor. We apply our method to a set of certificates obtained from certificate transparency logs and show that we can classify them with high performance. We extend our validation by evaluating the performance of the model over time, showing that our model generalizes over time on our training data set.

Original language	English
Title of host publication	Proceedings of 36^th International Conference on Information Networking
Number of pages	6
Publisher	IEEE
Publication date	2022
Publication status	Published - 2022
Event	36^th International Conference on Information Networking - Jeju Island, Korea, Republic of Duration: 12 Jan 2022 → 15 Jan 2022 http://icoin.org

Conference

Conference	36^th International Conference on Information Networking
Country/Territory	Korea, Republic of
City	Jeju Island
Period	12/01/2022 → 15/01/2022
Internet address	http://icoin.org

Keywords

Digital Certificate
Phishing
Machine Learning
Feature Extraction

Access to Document

FulltextAccepted author manuscript, 313 KB

OpenUrl availability

Full text

Cite this

@inproceedings{48b8a9a94b6b48988af51db91c449090,

title = "Detecting Ambiguous Phishing Certificates using Machine Learning",

abstract = "Recent phishing attacks have started to migrate to HTTP over TLS (HTTPS), making a phishing web page appear safe to the user{\textquoteright}s browser despite its malicious purpose. This paper proposes new data features as well as machine learning-based solutions to predict digital certificates involved in HTTPS as phishing or benign certificates. In contrast to previousworks that consider this a binary classification problem, we take into account that a certificate can be partially benign and phishy simultaneously. We propose a multi-class classifier and a regressor to classify these ambiguous certificates, in addition to benign and phishing certificates, where the {\textquoteleft}phishyness{\textquoteright} of a certificate is expressed as a value between 0 and 1 for the regressor. We apply our method to a set of certificates obtained from certificate transparency logs and show that we can classify them with high performance. We extend our validation by evaluating the performance of the model over time, showing that our model generalizes over time on our training data set.",

keywords = "Digital Certificate, Phishing, Machine Learning, Feature Extraction",

author = "Kaspar Hageman and Sajad Homayoun and Sam Afzal-Houshmand and Jensen, {Christian D.} and Pedersen, {Jens M.}",

year = "2022",

language = "English",

booktitle = "Proceedings of 36th International Conference on Information Networking",

publisher = "IEEE",

address = "United States",

note = "36<sup>th</sup> International Conference on Information Networking, ICOIN 2022 ; Conference date: 12-01-2022 Through 15-01-2022",

url = "http://icoin.org",

}

TY - GEN

T1 - Detecting Ambiguous Phishing Certificates using Machine Learning

AU - Hageman, Kaspar

AU - Homayoun, Sajad

AU - Afzal-Houshmand, Sam

AU - Jensen, Christian D.

AU - Pedersen, Jens M.

PY - 2022

Y1 - 2022

N2 - Recent phishing attacks have started to migrate to HTTP over TLS (HTTPS), making a phishing web page appear safe to the user’s browser despite its malicious purpose. This paper proposes new data features as well as machine learning-based solutions to predict digital certificates involved in HTTPS as phishing or benign certificates. In contrast to previousworks that consider this a binary classification problem, we take into account that a certificate can be partially benign and phishy simultaneously. We propose a multi-class classifier and a regressor to classify these ambiguous certificates, in addition to benign and phishing certificates, where the ‘phishyness’ of a certificate is expressed as a value between 0 and 1 for the regressor. We apply our method to a set of certificates obtained from certificate transparency logs and show that we can classify them with high performance. We extend our validation by evaluating the performance of the model over time, showing that our model generalizes over time on our training data set.

AB - Recent phishing attacks have started to migrate to HTTP over TLS (HTTPS), making a phishing web page appear safe to the user’s browser despite its malicious purpose. This paper proposes new data features as well as machine learning-based solutions to predict digital certificates involved in HTTPS as phishing or benign certificates. In contrast to previousworks that consider this a binary classification problem, we take into account that a certificate can be partially benign and phishy simultaneously. We propose a multi-class classifier and a regressor to classify these ambiguous certificates, in addition to benign and phishing certificates, where the ‘phishyness’ of a certificate is expressed as a value between 0 and 1 for the regressor. We apply our method to a set of certificates obtained from certificate transparency logs and show that we can classify them with high performance. We extend our validation by evaluating the performance of the model over time, showing that our model generalizes over time on our training data set.

KW - Digital Certificate

KW - Phishing

KW - Machine Learning

KW - Feature Extraction

M3 - Article in proceedings

BT - Proceedings of 36th International Conference on Information Networking

PB - IEEE

T2 - 36<sup>th</sup> International Conference on Information Networking

Y2 - 12 January 2022 through 15 January 2022

ER -

Detecting Ambiguous Phishing Certificates using Machine Learning

Abstract

Conference

Keywords

Access to Document

OpenUrl availability

Fingerprint

Cite this