Oluwatoyin Gloria Ake-Johnson, Pavol Zavarsky, Ron Ruhl, Dale Lindskog, Collins Umana
Information Systems Security Department
Concordia University College of Alberta
7128 Ada Boulevard, Edmonton, AB T5B 4E4, Canada
Phone: 1.866.479.5200
{oakejohn, cumana}@csa.concordia.ab.ca, {pavol.zavarsky, ron.ruhl, dale.lindskog}@concordia.ab.ca
Abstract - The battle against phishers can be compared to a game, in that phishers have continuously adapted their attack techniques to sidestep countermeasures. There are three layers of protection against a phishing attack - client, server and managerial layer. It is known and further shown in this research that a phishing attack is not a completely successful hit unless all the layers involved in the attack are circumvented. So far, no one approach or methodology has sufficiently countered phishing attacks; they either err on the client side, server side or managerial layer. This paper is an attempt to rectify this with a multilayered protection framework based on game theory and anti-phishing protection at each layer. Game theory offers a way to take advantage of the social interaction evident in the perpetration of phishing attacks as a means to combat it. The paper first provides an analysis of typical phishing attacks in a use case in terms of all the major actors and the roles they play. Then, models, flow charts and algorithms to determine the optimum multilayered protection strategy are introduced. The proposed novel technique to combat phishing is based on the interaction between phishers and anti-phishers in a game scenario - the game approach handles the dynamic and transient nature of phishing attacks both reactively and proactively, as the multilayered defense prevents a single point of failure, using the gaming strategy to strategically calculate and pre-empt the moves of the attacker.

Keywords - Phishing; Game theory; Multilayered Framework; Attacker; Phisher.

I. INTRODUCTION

Phishing is a variety of online identity theft which combines social engineering and technical maneuver. It is a major threat to information security and privacy (of financial institutions, retail companies, online stores, social networks, national tax agencies and individuals). The common objective, regardless of the attack medium or setup, is to steal confidential information. For example, through social engineering, unsuspecting users browse sham web sites via spoofed emails that lure them with security urgencies or lawful-sounding statements, and more often than not users are easily convinced that counterfeit pages with hijacked brand names are genuine. Subsequently, phishers may plant malware on the victims' computers through which they can steal users' private information.

Phishing has become more threatening and costly for both organizations and consumers as technology evolves. According to the Anti-Phishing Working Group, brand-domain pairs increased up to a record 92% from the beginning of 2009, and the number of unique phishing web sites detected in June 2009 was 49,084, the highest on record since 2007. These targeted mostly payment services and financial institutions. Phishing proliferates because phishers continuously research anti-phishing countermeasures and adjust their attack methods, either to exploit weaknesses in the countermeasures or to outsmart them entirely.

Moreover, it is known, and further shown in this work, that a phishing attack is not a completely successful hit unless all the layers involved in the attack are circumvented. So far, no one approach or methodology has holistically countered phishing attacks; they either err on the client side, server side or managerial layer. The sophistication of the more recent phishing scams shows that an efficient solution to phishing requires a multilayered defense approach that prevents a single point of failure and ultimately thwarts phishing attempts. A multilayered approach would employ anti-phishing strategies at different layers of an attack; this is crucial in effectively combating phishing attacks.

This paper presents a theoretical framework for combating phishing using game theory. Game theory attempts to mathematically capture behaviour in strategic situations, in which the success of an individual's choices depends on the choices of others. This theory has led to revolutionary changes in economics and in recent times has found diverse applications in computer and information security, where useful results have been obtained. Constructing a model of an attack using game theory provides valuable insight into a phisher's methodology. This suggests a blueprint for devising a defense-in-depth strategy that predicts and responds to the moves of the attacker. This paper is focused on highlighting the inadequacies of independent client side, server side and enterprise layer phishing countermeasures, showcasing the most successful phishing attacks, and developing a multilayered framework to be used in the game scenario in order to combat phishing attacks.

A. Background on Phishing

There have been laudable efforts by researchers in developing anti-phishing solutions, some of which are incorporated in our proposed multilayered framework. However, for a better understanding of the reasons for our framework component selection, we depict a typical phishing attack in the use case diagram shown in Figure 1.
The flow chart and the algorithm show the decision process that takes place within the multilayered framework when any phishing attack x is launched with any of the phishers' techniques. It begins with the assumption that all traffic received by a client (see Figure 1) is first treated as a phishing snare. Hence, for all attacks Tx targeting the client side, Ty targeting the server side, and Tz targeting the enterprise layer, the game theoretic model GTM is activated. A simultaneous process then ensues among the various components to determine the appropriate routines (CSR and/or SSR and/or ELR) that can best counter the given attack; otherwise the client proceeds with the traffic as legitimate, depicted as connector A in the flowchart. Further detail of how the optimum strategy is selected through the GTM is given in section III.

III. GAME THEORETICAL DEFENSE

Game theory is a mathematical structure for exploring what choices rational individuals will make when the payoffs depend on the possible combinations of all players' strategies and moves. Some research has been done to develop game theoretic approaches for modelling intelligent and rational actors, especially with regard to attacker-defender scenarios. In general terms, a game consists of three major components:

Players - actors with motivations, which determine the decisions they make.
Strategies - choices and combinations of moves the players can make.
Payoffs - profit or utility derived from the choice of strategies.

Our game is a two-player game: our multilayered framework (Player_1) and the phishers (Player_2). On the one hand, Player_1 can choose among three broad categories of strategies: client side, server side and enterprise layer strategies. On the other hand, we can also categorize the phishers' techniques and strategies into three broad categories: client layer, server layer and enterprise layer strategies. To describe the payoffs we use the following notation: let v be the value of the sensitive details being protected, and let d be the defence strategies employed by Player_1 at the various layers to increase Player_2's cost or reduce its payoff.

A. The Game Scenario

The game theoretic model in Figure 3 helps us to capture the scenario in which attacker and defender value the same asset. In this case, the user's sensitive details or confidential data is the asset, the attacker is the phishers' techniques and the defender is our multilayered framework. On the whole, the game is an incomplete information game, as we assume that neither player is aware of the strategies and resources at the other's disposal. The game is also described in the form of a non-cooperative zero-sum game between the two players. The initial position of the game could be either on Player_1's side or on Player_2's side; for example, on Player_1's side it could be a proactive defense strategy, and on Player_2's side it could be the launch of a phishing attack. In this model, CS() (Client Side Function), SS() (Server Side Function), EL() (Enterprise Layer Function), CSR (Client Side Routine), SSR (Server Side Routine) and ELR (Enterprise Layer Routine) are called up when necessary as the GTM (Game Theoretic Model, see section III.B) is activated at the launch of attacks Tx (targets CS), Ty (targets SS) and Tz (targets EL), where x = 0, 1, 2, ..., n, y = 0, 1, 2, ..., m, z = 0, 1, 2, ..., p, and P is the multilayered (prevention/detection/response) defense strategy.

B. Game Theoretical Model (GTM) Mechanism

It is assumed that each player in this game is rational and that the multilayered defense framework (Player_1) is adaptive, calculating the moves of the attack towards winning the game, thus an unsuccessful hit for the phisher (Player_2). Also, in this zero-sum game, the payoff for Player_1 is a gain if Player_2's profit is significantly reduced or null. For every given attack Tx, Ty or Tz, the algorithm with the most appropriate functions is called up to counter the launched attack. The process in which the functions are called up can be likened to following through a decision tree for their strategic moves. For example, in the enterprise layer of the framework, once the phishing site has been confirmed to be such, and while other counter routines are also called from the server and client side layers, a corresponding action is triggered in the systems-based enterprise layer. This leads to an alert being sent to the ISPs, domain registrars, registries and domain owners to take down the site; or, in the case of a hijacked brand, domain owners are duly informed so that they can protect their legitimate customers. At this point, accessing the domain WHOIS information in real time plays a vital role in making the shutdown process by registrars or registries, and takedown services, act within the shortest space of time.
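An added worked example (not from the paper, and not its GTM) of the two-player zero-sum game described above: Player_1 splits a defence budget d over the three layers, Player_2 launches whichever of Tx, Ty or Tz pays best, and Player_1's maximin allocation is compared with spending the whole budget on one layer. The linear success model (an attack on a layer defended with strength s gets through with probability 1 - s), the budget value and the grid step are assumptions made here.

```python
"""Toy instance of the paper's zero-sum anti-phishing game (added
illustration, not the paper's GTM). Player_1 (the multilayered framework)
splits a defence budget d across the client side (CS), server side (SS)
and enterprise layer (EL); Player_2 (the phisher) launches Tx, Ty or Tz,
each targeting one of those layers. Assumption: strength s put into a
layer lets an attack on that layer through with probability (1 - s), so
the phisher's expected gain is v * (1 - s) and Player_1 loses the same.
"""
from itertools import product

LAYERS = ("CS", "SS", "EL")
ATTACKS = {"Tx": "CS", "Ty": "SS", "Tz": "EL"}  # target layer per attack


def phisher_payoff(v, alloc, attack):
    """Expected gain of Player_2 from one attack against allocation alloc."""
    return v * (1.0 - alloc[ATTACKS[attack]])


def best_response(v, alloc):
    """Player_2 is rational: launch the attack with the highest payoff,
    i.e. go for the weakest layer (the single point of failure)."""
    return max(ATTACKS, key=lambda a: phisher_payoff(v, alloc, a))


def allocations(budget, step):
    """Every way to spend exactly `budget` over the layers in units of
    `step` (a grid search keeps the example free of LP dependencies)."""
    n = round(budget / step)
    for parts in product(range(n + 1), repeat=len(LAYERS)):
        if sum(parts) == n:
            yield {layer: k * step for layer, k in zip(LAYERS, parts)}


def maximin_defence(v, budget, step=0.1):
    """Player_1's maximin: the allocation whose worst case (Player_2's best
    response) leaves the phisher the least. Returns (alloc, payoff)."""
    best = None
    for alloc in allocations(budget, step):
        worst = phisher_payoff(v, alloc, best_response(v, alloc))
        if best is None or worst < best[1] - 1e-12:
            best = (alloc, worst)
    return best


def single_layer_defence(v, budget, layer):
    """All of d spent on one layer: the phisher simply targets another."""
    alloc = {name: (budget if name == layer else 0.0) for name in LAYERS}
    return phisher_payoff(v, alloc, best_response(v, alloc))
```

With v = 100 and d = 0.9, putting everything into the client side still leaves the phisher a payoff of 100 via Ty or Tz, whereas the maximin split of 0.3 per layer caps the phisher at 70.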
C. Limitations

The scope of this work is mostly theoretical. Also, it is worth noting that game theoretic approaches to defence strategies against intelligent and dynamic attackers such as phishers are based on a wide range of assumptions whose accuracy and implications have not been fully explored. Extensively exploring their implications and accuracy would no doubt make them yield real-time benefits in the space in which they are deployed.

IV. CONCLUSIONS

In order to give a holistic approach to combating phishing attacks, taking into account the rationality of the key actors, this paper introduces game theory to model the attack and defence activities. We analyze a typical phishing

V. ACKNOWLEDGEMENTS

The research was supported by the Concordia Faculty of Professional Education and Faculty of Graduate Studies. The first author is heartily thankful to her supervisors, Pavol Zavarsky, Ron Ruhl and Dale Lindskog, whose encouragement, guidance and support from the initial to the final level significantly enhanced both the quality of the content and the clarity of the presentation of this work.