Student seminar
The event has passed

Master thesis presentation Joel Rosko & William Truvé, MPCAS

Title: Gone Phishin': An investigation of node classification in graphical models with applications to domain abuse detection

Overview


Abstract: In today's digital era, cyber attacks pose a constant threat as attackers attempt to access proprietary data and disrupt operations on a daily basis. Phishing remains their number one attack method: users are tricked into entering sensitive information which attackers later use or sell. Domain abuse detection algorithms narrow the range of attack possibilities. Furthermore, since an attack may begin as soon as a domain goes live, finding and evaluating domains quickly is a must when countering cyber threat actors. Several feature based classifiers already exist and show good results in detecting domain abuse. However, their results depend on a large set of features, are complicated to interpret, and struggle to generalize as attack patterns change. In this paper we compare feature based classifiers with our implementation of belief propagation to evaluate whether the use of structural information and fewer domain specific features can produce a more interpretable and general solution. By constructing a bidirectional graph connecting AS numbers, CIDR blocks, IP addresses, domains and tokens, high connectivity between nodes is achieved for propagating inference. By experimenting with various techniques for initializing the graph, the optimal setup is proposed. The final implementation of our belief propagation achieves an accuracy of 91% on the entire dataset, which is lower than the 94% achieved by random forest, but with fewer false positives. With an AUC of 0.95 the classes are well distinguishable, and when optimizing thresholds and allowing nodes to be classified as "unknown", the accuracy increases to 96%. Overall, our findings demonstrate the potential of utilizing belief propagation for accurately identifying suspicious domains at scale, providing a valuable tool in the fight against cyber threats.
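The approach the abstract describes, as an added illustration that is not the thesis's own code: loopy sum-product belief propagation over a constructed toy graph in which domain nodes share IP and token nodes, with two thresholds so that weakly supported nodes are left "unknown" rather than forced into a class. The node names, the seed priors and the homophily edge potential are assumptions for the example.

```python
"""Loopy belief propagation for labelling domains from shared infrastructure."""
import itertools

# Constructed toy graph (not the thesis dataset): domains connected to the
# IP and token nodes they share. Two domains carry known labels as seeds.
EDGES = [
    ("good.example", "ip:192.0.2.10"), ("good.example", "tok:shop"),
    ("evil.example", "ip:198.51.100.7"), ("evil.example", "tok:login"),
    ("unknown-a.example", "ip:198.51.100.7"), ("unknown-a.example", "tok:login"),
    ("unknown-b.example", "ip:192.0.2.10"), ("unknown-b.example", "tok:shop"),
    ("unknown-c.example", "tok:secure"),  # shares nothing with a labelled node
]
# Seed priors as (P(benign), P(malicious)); all other nodes start at 0.5/0.5.
PRIORS = {"good.example": (0.95, 0.05), "evil.example": (0.05, 0.95)}
# Assumed homophily potential: neighbouring nodes tend to share a class.
EPS = 0.1
PSI = [[1 - EPS, EPS], [EPS, 1 - EPS]]

def normalize(v):
    s = sum(v)
    return [x / s for x in v]

def belief_propagation(edges, priors, iters=10):
    """Return P(malicious) per node after `iters` rounds of message passing."""
    nodes = set(itertools.chain.from_iterable(edges))
    nbrs = {n: set() for n in nodes}
    for a, b in edges:
        nbrs[a].add(b)
        nbrs[b].add(a)
    phi = {n: priors.get(n, (0.5, 0.5)) for n in nodes}
    msg = {(i, j): [0.5, 0.5] for i in nodes for j in nbrs[i]}  # i -> j
    for _ in range(iters):
        new = {}
        for i, j in msg:
            # Prior of i times incoming messages from every neighbour except j.
            prod = list(phi[i])
            for k in nbrs[i] - {j}:
                prod = [p * m for p, m in zip(prod, msg[(k, i)])]
            new[(i, j)] = normalize(
                [sum(PSI[xi][xj] * prod[xi] for xi in range(2)) for xj in range(2)])
        msg = new
    beliefs = {}
    for n in nodes:
        b = list(phi[n])
        for k in nbrs[n]:
            b = [p * m for p, m in zip(b, msg[(k, n)])]
        beliefs[n] = normalize(b)[1]
    return beliefs

def classify(p_mal, lo=0.3, hi=0.7):
    """Two-threshold decision: the band between lo and hi stays 'unknown'."""
    return "malicious" if p_mal >= hi else "benign" if p_mal <= lo else "unknown"
```

Domains sharing infrastructure with a seed inherit its label, while unknown-c.example, in its own component, keeps a 0.5 belief and is reported as unknown instead of being guessed.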

Password: 437885


Supervisor: Anders Hanson
Examiner: Mats Granath
Opponents: Oscar Birging, Emil Grimheden

Examiner

Mats Granath
  • Full Professor, Department of Physics at Gothenburg University