PhishIntel: Toward Practical Deployment of Reference-Based Phishing Detection

Yuexin Li, Hiok Kuek Tan, Qiaoran Meng, Mei Lin Lock, Tri Cao, Shumin Deng, Nay Oo, Hoon Wei Lim, Bryan Hooi

TL;DR

PhishIntel tackles the latency and efficiency challenges of reference-based phishing detectors (RBPDs) by introducing a fast-slow task architecture: a Fast Task Worker (FTW) answers from local blacklists and a result cache, and a Slow Task Worker (STW) performs online blacklist checks, webpage crawling, and RBPD analysis. The system preserves the accuracy of RBPDs for zero-day phishing while delivering near real-time results by offloading heavy analysis to the STW and caching results. It is validated through two applications, a phishing intelligence platform and an Outlook phishing-detection plugin, along with performance evaluations showing reduced latency and effective blacklist filtering. The work advances deployment-ready phishing detection, with scalability considerations for larger-scale deployments.

Abstract

Phishing is a critical cyber threat, exploiting deceptive tactics to compromise victims and cause significant financial losses. While reference-based phishing detectors (RBPDs) have achieved notable advancements in detection accuracy, their real-world deployment is hindered by challenges such as high latency and inefficiency in URL analysis. To address these limitations, we present PhishIntel, an end-to-end phishing detection system for real-world deployment. PhishIntel intelligently determines whether a URL can be processed immediately or not, segmenting the detection process into two distinct tasks: a fast task that checks against local blacklists and result cache, and a slow task that conducts online blacklist verification, URL crawling, and webpage analysis using an RBPD. This fast-slow task system architecture ensures low response latency while retaining the robust detection capabilities of RBPDs for zero-day phishing threats. Furthermore, we develop two downstream applications based on PhishIntel: a phishing intelligence platform and a phishing email detection plugin for Microsoft Outlook, demonstrating its practical efficacy and utility.
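The fast-slow split described in the abstract, as an added Python sketch that is not the PhishIntel code. The class and function names, the URL normalization, the caching of benign verdicts, the no-cache-on-crawl-failure behaviour, and the injected online lookup, crawler and RBPD callables are all assumptions; the sample inputs are constructed.

```python
import queue
from urllib.parse import urlsplit

def normalize(url):  # cache key: lowercase host, drop fragment (assumed normalization)
    p = urlsplit(url.strip())
    return p._replace(netloc=p.netloc.lower(), fragment="").geturl()

class FastSlowDetector:
    def __init__(self, local_blacklist, online_lookup, crawl, rbpd):
        self.local_blacklist = {normalize(u) for u in local_blacklist}
        self.cache = {}                  # result cache, written by the slow task
        self.slow_queue = queue.Queue()  # URLs the fast task could not answer
        self.pending = set()             # keeps a URL from being queued twice
        self.online_lookup, self.crawl, self.rbpd = online_lookup, crawl, rbpd

    def fast_task(self, url):
        # Local data only: this path never touches the network.
        key = normalize(url)
        if key in self.local_blacklist:
            return {"url": key, "verdict": "phishing", "source": "local_blacklist"}
        if key in self.cache:
            return dict(self.cache[key], source="cache")
        if key not in self.pending:
            self.pending.add(key)
            self.slow_queue.put(key)
        return {"url": key, "verdict": "pending", "source": "slow_queue"}

    def slow_task_once(self):
        # Online blacklist first, then crawl and RBPD; only final verdicts are cached.
        key = self.slow_queue.get_nowait()
        self.pending.discard(key)
        if self.online_lookup(key):
            verdict, source = "phishing", "online_blacklist"
        else:
            page = self.crawl(key)
            if page is None:  # crawl failed: leave uncached so it can be retried
                return {"url": key, "verdict": "unknown", "source": "crawl_failed"}
            verdict, source = ("phishing" if self.rbpd(key, page) else "benign"), "rbpd"
        self.cache[key] = {"url": key, "verdict": verdict, "source": source}
        return self.cache[key]

def demo():
    # Constructed inputs: the URLs, page text and toy RBPD rule are all made up.
    pages = {"http://paypa1-login.test/": "PayPal sign in"}
    d = FastSlowDetector(["http://known-bad.test/"],
                         lambda u: u == "http://listed-online.test/", pages.get,
                         lambda u, page: "PayPal" in page and "paypal.com" not in u)
    return (d.fast_task("http://PAYPA1-login.test/#x")["verdict"],
            d.slow_task_once()["source"], d.fast_task("http://paypa1-login.test/")["source"])
```

The first lookup of an unseen URL returns `pending` immediately; a repeat lookup after the slow task has run is served from the cache without any network work.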

Paper Structure

This paper contains 13 sections, 3 figures.

Figures (3)

  • Figure 1: An overview of PhishIntel: URLs are first processed by the FTW; those that fail to obtain a result are forwarded to the slow task queue to await STW analysis.
  • Figure 2: Illustration of two downstream applications built upon PhishIntel: (a) is a phishing intelligence platform, and (b) is a phishing email detection plugin in Outlook.
  • Figure 3: Performance evaluation of PhishIntel.