Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

KnowPhish: Large Language Models Meet Multimodal Knowledge Graphs for Enhancing Reference-Based Phishing Detection

Yuexin Li, Chengyu Huang, Shumin Deng, Mei Lin Lock, Tri Cao, Nay Oo, Hoon Wei Lim, Bryan Hooi

TL;DR

An automated knowledge collection pipeline is proposed, using which a large-scale multimodal brand knowledge base, KnowPhish, containing 20k brands with rich information about each brand is collected, which can be used to boost the performance of existing RBPDs in a plug-and-play manner.

Abstract

Phishing attacks have inflicted substantial losses on individuals and businesses alike, necessitating the development of robust and efficient automated phishing detection approaches. Reference-based phishing detectors (RBPDs), which compare the logos on a target webpage to a known set of logos, have emerged as the state-of-the-art approach. However, a major limitation of existing RBPDs is that they rely on a manually constructed brand knowledge base, making it infeasible to scale to a large number of brands, which results in false negative errors due to the insufficient brand coverage of the knowledge base. To address this issue, we propose an automated knowledge collection pipeline, using which we collect a large-scale multimodal brand knowledge base, KnowPhish, containing 20k brands with rich information about each brand. KnowPhish can be used to boost the performance of existing RBPDs in a plug-and-play manner. A second limitation of existing RBPDs is that they solely rely on the image modality, ignoring useful textual information present in the webpage HTML. To utilize this textual information, we propose a Large Language Model (LLM)-based approach to extract brand information of webpages from text. Our resulting multimodal phishing detection approach, KnowPhish Detector (KPD), can detect phishing webpages with or without logos. We evaluate KnowPhish and KPD on a manually validated dataset, and a field study under Singapore's local context, showing substantial improvements in effectiveness and efficiency compared to state-of-the-art baselines.

KnowPhish: Large Language Models Meet Multimodal Knowledge Graphs for Enhancing Reference-Based Phishing Detection

TL;DR

An automated knowledge collection pipeline is proposed, using which a large-scale multimodal brand knowledge base, KnowPhish, containing 20k brands with rich information about each brand is collected, which can be used to boost the performance of existing RBPDs in a plug-and-play manner.

Abstract

Phishing attacks have inflicted substantial losses on individuals and businesses alike, necessitating the development of robust and efficient automated phishing detection approaches. Reference-based phishing detectors (RBPDs), which compare the logos on a target webpage to a known set of logos, have emerged as the state-of-the-art approach. However, a major limitation of existing RBPDs is that they rely on a manually constructed brand knowledge base, making it infeasible to scale to a large number of brands, which results in false negative errors due to the insufficient brand coverage of the knowledge base. To address this issue, we propose an automated knowledge collection pipeline, using which we collect a large-scale multimodal brand knowledge base, KnowPhish, containing 20k brands with rich information about each brand. KnowPhish can be used to boost the performance of existing RBPDs in a plug-and-play manner. A second limitation of existing RBPDs is that they solely rely on the image modality, ignoring useful textual information present in the webpage HTML. To utilize this textual information, we propose a Large Language Model (LLM)-based approach to extract brand information of webpages from text. Our resulting multimodal phishing detection approach, KnowPhish Detector (KPD), can detect phishing webpages with or without logos. We evaluate KnowPhish and KPD on a manually validated dataset, and a field study under Singapore's local context, showing substantial improvements in effectiveness and efficiency compared to state-of-the-art baselines.
Paper Structure (45 sections, 8 equations, 11 figures, 6 tables, 1 algorithm)

This paper contains 45 sections, 8 equations, 11 figures, 6 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Motivating Examples
  3. Formalization
  4. KnowPhish Construction
  5. Empirical Motivation
  6. Data
  7. Analysis
  8. Connection to Wikidata Knowledge Graph
  9. Approach Overview
  10. Brand Search
  11. Category-based Brand Search
  12. Popularity-based Brand Search
  13. Knowledge Acquisition and Augmentation
  14. Knowledge Acquisition
  15. Knowledge Augmentation
  16. ...and 30 more sections

Figures (11)

  • Figure 1: Comparison of the workflow between DynaPhish and KnowPhish to identify the brand intention of the two phishing page examples.
  • Figure 2: Phishing targets change substantially. The Venn diagram shows the disparities in the phishing targets from the two phishing datasets, with a few phishing target examples provided for illustration.
  • Figure 3: Industries of phishing target brands are relatively consistent. The chart shows the distribution of industries of the phishing targets from the two datasets.
  • Figure 4: Distribution of the top 30 Wikidata categories of the phishing targets in $D_2$.
  • Figure 5: An overview of our automated pipeline for constructing our large-scale multimodal BKB, KnowPhish. We first collect (a) all brands from certain high-value industries, and (b) only popular brands from general categories. Then, the knowledge acquisition and augmentation steps collect logos, domains, and aliases for these brands.
  • ...and 6 more figures