#907 - USENIX Security '24 Winter

Ee-Chien Chang
Guoxing Chen
Haojin Zhu
Jun Han
Yan Meng
Yu Yu
Yun Lin
Yuncong Hu

R2 Accept on Shepherd Approval -> Accept

Final version (2.1MB) Jun 5, 2024, 3:57:11 PM AoE · ade0ae72586e3119d45f3a5b3fee836ae8fc58be6985bb864723a5c84c44ca15ade0ae72

Submission version

Phishing, a pervasive form of social engineering attack that compromises user credentials, has led to significant financial losses and undermined public trust. Modern phishing detection has gravitated to reference-based methods for their explainability and robustness against zero-day phishing attacks. These methods maintain and update predefined reference lists to specify domain-brand relationships, alarming phishing websites by the inconsistencies between their domain (e.g., payp0l.com) and intended brand (e.g., PayPal). However, the curated lists are largely limited by their lack of comprehensiveness and high maintenance costs in practice. In this work, we present PhishLLM as a novel reference-based phishing detector that operates without an explicit pre-defined reference list. Our rationale lies in that modern LLMs have encoded far more extensive brand-domain information than any predefined list. Further, the detection of many webpage semantics such as credential-taking intention analysis is more like a linguistic problem, but they are processed as a vision problem now. Thus, we design PhishLLM to decode (or retrieve) the domain-brand relationships from LLM and effectively parse the credential-taking intention of a webpage, without the cost of maintaining and updating an explicit reference list. Moreover, to control the hallucination of LLMs, we introduce a search-engine-based validation mechanism to remove the misinformation. Our extensive experiments show that PhishLLM significantly outperforms state-of-the-art solutions such as Phishpedia and PhishIntention, improving the recall by 21% to 66%, at the cost of negligible precision. Our field studies show that PhishLLM discovers (1) 6 times more zero-day phishing webpages compared to existing approaches such as PhishIntention and (2) close to 2 times more zero-day phishing webpages even if it is enhanced by DynaPhish. Our code is available at https://github.com/code-philia/PhishLLM/.

R. Liu, Y. Lin, X. Teoh, G. Liu, Z. Huang, J. Dong

Ruofan Liu (Shanghai Jiao Tong University/National University of Singapore) <liu.ruofan16@u.nus.edu>
Yun Lin (Shanghai Jiao Tong University) <lin_yun@sjtu.edu.cn>
Xiwen Teoh (National University of Singapore) <teoh6g@gmail.com>
Gongshen Liu (Shanghai Jiao Tong University) <lgshen@sjtu.edu.cn>
Zhiyong Huang (National University of Singapore) <huangzy@comp.nus.edu.sg>
Jin Song Dong (National University of Singapore) <dcsdjs@nus.edu.sg>

To edit this submission, sign in using your email and password.

	EthCon.2	RecDec	WriQua	ConRecDec
Review #907A	1	2	2	3
Review #907B	1	3	3	3
Review #907C	3	3	4	3
Review #907D	1	4	4	2

19 Comments: AuthorFeedback Response (Y. Lin); Reviewer B, Metareviewer, R. Liu (7), Y. Lin (4), Shepherd (5)

Reviews and comments in plain text

PC conflicts

Other conflicts

Abstract

Authors (anonymous)

Topics and optionsTopics