Friday, 16 June 2023, 9:00 a.m.

Phishing Prevention: A Multi-Layered Approach

  • Vincent Drury M.Sc. - Teaching and Research Area IT Security (Computer Science)
  • Location: UMIC_025 (2165|025), Mies-van-der-Rohe-Str. 15, ground floor



Phishing attacks have been a relevant and ongoing threat for several decades, causing monetary loss for private users and serving as a first step in attacks on larger organizations. Despite decades of research into automated detection, education, and design interventions to prevent phishing attacks, current solutions fall short of providing adequate and general protection to users and businesses against the evolving threat. In particular, we identify research gaps in three areas: anti-phishing learning games, which currently lack personalization and mainly offer rather simple game mechanics; the presentation of URLs in browsers, where attackers can easily insert misleading information to confuse untrained users; and automated phishing website classification, where the focus lies on detection after an attack has been launched instead of disrupting attacks before they reach potential victims. This dissertation addresses these gaps and showcases the effectiveness of human-centered and technical phishing-prevention techniques based on a categorization of phishing URLs and a kill chain model, thus contributing to a multi-layered defense strategy in which each layer addresses different attacks.

Our main contributions in the research area of anti-phishing education are the evaluation of baseline detection capabilities for a new categorization of phishing URLs, as well as the comparative evaluation of four new learning games in two user studies. The results of these user studies indicate which categories of URLs to focus on to optimize future educational interventions, and give insights into the effect of different game mechanics and personalization on the classification capabilities of users who played the learning games. We further demonstrate that accurately reflecting the diversity of phishing attacks and measuring service familiarity in user studies is essential to ensure representative results.

In the area of design interventions, we evaluate the effect of using Reverse Domain Name (RDN) notation for URLs on the classification performance of untrained users. The study reveals advantages of the proposed changes over the baseline and motivates further studies of the intervention's effect on awareness outside of a lab setting. For automated phishing detection, we evaluate the detection of phishing websites on certificate transparency (CT) logs, which are publicly available stores of certificates. We show how data cleaning, class imbalance during training, and the inclusion of additional certificate information in the classification task affect classification performance, resulting in classifiers whose false-positive rates approach levels acceptable for real-world use.
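As an added illustration of the RDN idea described above (example code written for this page, not from the talk or the dissertation), the function below rewrites a URL's hostname label by label in reverse, so the labels nearest the public suffix come first and decoy labels such as a brand name buried deep in an attacker-controlled hostname move to the end. The exact display format and the sample URLs are assumptions; the dissertation's notation may differ.

```python
"""Display a URL's hostname in Reverse Domain Name (RDN) notation.

Added example, not from the talk or the dissertation. The display format
(reversed host, then path, with scheme/userinfo/port dropped) is an
assumption; the sample URLs below are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit


def to_rdn(url: str) -> str:
    """Return ``url`` with its hostname label order reversed.

    urlsplit() already lower-cases the host and strips userinfo ("user@")
    and port, so those cannot be used to pad the displayed host.
    IP-address literals are left untouched: their octets carry no
    domain hierarchy, so reversing them would only confuse the reader.
    """
    if "://" not in url:
        url = "http://" + url  # allow bare hosts such as "www.example.com/x"
    parts = urlsplit(url)
    host = parts.hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    host = host.rstrip(".")  # drop a trailing root dot if present
    try:
        ipaddress.ip_address(host)
        display_host = host  # IPv4/IPv6 literal: keep as-is
    except ValueError:
        display_host = ".".join(reversed(host.split(".")))
    return display_host + (parts.path or "/")


if __name__ == "__main__":
    # Constructed sample URLs: a legitimate host next to a look-alike whose
    # trusted-looking labels sit in the attacker-controlled part.
    for sample in (
        "https://www.example.com/login",
        "https://www.example.com.login-secure.test/",
        "http://user@www.example.com:8080/account",
        "http://192.0.2.10/login",
    ):
        print(f"{sample:48} -> {to_rdn(sample)}")
```

In RDN form the second URL reads "test.login-secure.com.example.www/", which puts the controlling domain first instead of the familiar brand labels.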

In all, our results exemplify the advantages and disadvantages of several broader approaches to phishing prevention, and demonstrate how combining these approaches can provide a more comprehensive defense than each of its parts taken by itself.

The computer science lecturers invite interested people to join.