A Game Theoretical Multi-layered Defense Approach Against Phishing Attacks

Oluwatoyin Gloria Ake-Johnson, Pavol Zavarsky, Ron Ruhl, Dale Lindskog, Collins Umana
Information Systems Security Department
Concordia University College of Alberta
7128 Ada Boulevard, Edmonton, AB T5B 4E4, Canada
Phone: 1.866.479.5200
{oakejohn, cumana}@csa.concordia.ab.ca, {pavol.zavarsky, ron.ruhl, dale.lindskog}@concordia.ab.ca

Abstract -The battle against phishers can be compared to a
game, in that phishers have continuously adapted their attack
techniques to sidestep countermeasures. There are three layers
of protection against a phishing attack - client, server and
managerial layer. It is known and further shown in this
research that a phishing attack is not a completely successful
hit unless all the layers involved in the attack are
circumvented. So far, no one approach or methodology has
sufficiently countered phishing attacks; they either err on the
client side, server side or managerial layer. This paper is an
attempt to rectify this with a multilayered protection
framework based on game theory and anti-phishing
protection at each layer. Game theory offers a way to take
advantage of the social interaction evident in the perpetration
of phishing attacks as a means to combat it. The paper first
provides an analysis of typical phishing attacks in a use case in
terms of all the major actors and the roles they play. Then,
models, flow charts and algorithms to determine the optimum
multilayered protection strategy are introduced. The proposed
novel technique to combat phishing is based on the interaction
between phishers and anti-phishers in a game scenario - the
game approach handles the dynamic and transient nature of
phishing attacks both reactively and proactively as the
multilayered defense prevents a single point of failure using
the gaming strategy to strategically calculate and pre-empt the
moves of the attacker.
Keywords -
Phishing; Game theory; Multilayered Framework; Attacker,
Phisher.
I. INTRODUCTION
Phishing is a variety of online identity theft, which
combines social engineering and technical maneuver. It is a
major threat to information security and privacy (of
financial institutions, retail companies, online stores, social
networks, national tax agencies and individuals). The
common objective regardless of the attack medium or setup
is to steal confidential information. For example, through
social engineering, unsuspecting users browse sham web
sites via spoofed emails that lure them with security
urgencies or lawful sounding statements, and more often
than not, users are easily convinced that counterfeit pages
with hijacked brand names are genuine. Subsequently,
phishers may plant malware on the victims‟ computer
through which they can steal users‟ private information.
Phishing has become more threatening and costly for
both organizations and consumers as technology evolves.
According to the Anti Phishing Work Group, brand domain
pairs increased up to a record of 92% from the beginning of
2009 and the number of unique phishing web sites detected
in June 2009 was 49,084, the highest record in history since
2007. These targeted mostly payment services and
financial institutions. Phishing proliferates because phishers
continuously research anti-phishing countermeasures and
adjust their attack methods, either to exploit weaknesses in
the countermeasures, or absolutely outsmart them.
Moreover, it is known, and further shown in this work
that a phishing attack is not a completely successful hit
unless all the layers involved in the attack are
circumvented. So far, no one approach or methodology has
holistically countered phishing attacks; they either err on
the client side, server side or managerial layer. The
sophistication of the more recent phishing scams shows that
an efficient solution to phishing requires a multi-layered
defense approach that prevents a single point of failure and
ultimately thwarts phishing attempts.
A multilayered approach would employ anti-phishing
strategies at different layers of an attack; this is crucial in
effectively combating phishing attacks. This paper presents
a theoretical framework for combating phishing using game
theory. Game theory attempts to mathematically capture
behaviour in strategic situations, in which the success of an
individual's choices depends on the choices of others. This
theory has led to revolutionary changes in economics and
in recent times has found diverse applications in computers
and information security, where useful results have been
obtained.
Constructing a model of an attack using game theory
provides valuable insight into a phisher‟s methodology.
This suggests a blueprint for devising a defense-in-depth
strategy that predicts and responds to the moves of the
attacker. This paper is focused on highlighting the
inadequacies of independent client side, server side and
enterprise layer phishing countermeasures, showcasing the
most successful phishing attacks and developing a
multilayered framework to be used in the game scenario in
order to combat phishing attacks.
A. Background on Phishing
There have been laudable efforts by researchers in
developing anti-phishing solutions, some of which are
incorporated in our proposed multilayered framework.
However, for a better understanding of the reasons for our
Figure 1. Use Case diagram for a phishing attack
Figure
The major actors are depicted as the stick1.figures anddiagramalso
Use Case
the action/process they are responsible for or take part in as
the case may be are shown in the oval shapes.
From the use case diagram, the phisher first registers a
domain or compromises an existing brand
institution/server. Then he sends out the snare to the victim
in the form of emails, instant messages or other means
shown in the case. In the long run, if the victim falls for the
snare, then the victim supplies sensitive details – social
insurance numbers, pin numbers, passwords, user name and
so on, which are harvested by the phisher. At this point,
the phisher either sells these details to third party criminals
or uses it personally at the brand institution server. The
most common of the several techniques used to ensnare the
victims is via spoofed emails. Most times, with thousands
of mails sent out there are only a few hits, but that is
sufficient for a successful phishing attack. Alternative
means of getting the snare out to the victims includes IRC,
IM, phone, and mail. Another notable means used is DNS
poisoning of legitimate web sites, which ultimately diverts
the information that users enter to the phisher's server and
in some cases the site is redirected to the legitimate site
[16]. Subsequently, the attacker tries to exploit the sensitive
information gathered at the server end to divert funds, make
transactions or in some cases sell to third parties.
The consequence of the successful phishing attack is
usually a loss to the victim or the brand institution. To the
victim, the loss could be identity or financial, while to the
brand institution, the loss could be brand identity, consumer
trust, or cost of remediation.
Now, the focal points from the use case diagram where
anti-phishing solutions are being deployed include: The
framework component selection, we depict a typical
phishing attack in the use case diagram shown in Figure 1.
Registrar, Victim, and Brand institution/Server ends, (see
for Figure 2). These
a phishing attack are hitherto and henceforth referred to
in this paper as enterprise, client side and server side layers
respectively. In our proposed game theoretical model, a
combination of these three makes Player_1, while the
phisher makes Player-2. Also, for the purpose of this
research and our approach, „attackers‟ and „phishers‟ are
used interchangeably.
B. Related Research
Previous research has successfully integrated
independent solutions together as a multi layered strategy
in mitigating other security threats but none has featured its
application in fighting phishing attacks. In recent times
game theoretical approaches have also proven very
effective in approaching security related issues involving
human interactions. A few of these are referred to below.
Meharouech et al [1] proposed a security infrastructure
that encompassed multiple security devices to form an
inclusive security layer. Each security component was
defined with respect to the others; choice of the best
solution to combat a malicious attack was carried out
dynamically and automatically by interactions among the
security components. Also, Marshal [2] combined a
number of proven best of anti-spam techniques applied in
successive layers to achieve true defense-in-depth against a
range of spam, phishing and other email-borne threats.
While their approach handled a good portion of the client
side attacks and some server side attacks, a notable
limitation to their work was the absence of a layer that
properly handles the enterprise layer of the defense,
including ISPs and domain registrars.
Furthermore, as a result of its imperative function in
decision-making, control and study of interactions among
interdependent rational players, game theory has
increasingly drawn researchers‟ attention. Miura-Ko et al
[3] used the game theoretic model to investigate the
interdependent nature of security investments, representing
the additional costs or benefit incurred by one player due to
the other players‟ actions. Hamilton S.N et al [4] also noted
three major advantages derived from utilizing game theory
in information warfare. These advantages include
suggestion of several potential courses of actions with
predicted outcomes as well as their efficacy in analyzing
what-if scenarios, allowing detailed analysis of important
chains of events used at a later period. Lye et al [5]
presented a game theoretic method for viewing interactions
between an attacker and the administrator as a two-player
stochastic game; using a nonlinear program assuming state
transition probabilities, Nash equilibra/best response
strategies for the players were computed.
Wei He and Sallhammar k. [6], [7] presented a game
theoretical attack-defense model which computes risk
(according to the cost benefit analysis) of the system based
on the predicted behaviours of the attackers. To the best of
our knowledge, there has been no multilayered game
theoretical approach for solving phishing problems as
explored in this research. However, this research is based
on a similar idea to Meharouech et al's [1] and Miura-Ko et
al [3] game theoretic approaches. In this approach, the
multilayered anti-phishing solutions player would
systematically decide among the complementing options,
the best strategy to defeat the phishers‟ move.
II. COMPONENTS OF THE PROPOSED MULTI-
LAYERED FRAMEWORK
In this framework the multi-layer defense approach is
used: if there is a vulnerability that can be exploited,
employ control strategies to increase the attacker‟s cost.
The multilayered framework leverages existing effective
anti-phishing solutions. This section highlights the selected
anti-phishing solutions for the different layers in the
framework, the desired attributes in the components and
some justification for the selection of these tools.
A. Client Side Layer
This layer involves the use of automated tools to make
up for lack of, or inadequate user education and awareness
as a good human component in detecting and avoiding
phishing attacks. The automated tools considered for the
proposed framework includes: B-APT and BogusBiter.
They are as discussed below, with justification for their
relevance in our proposed multilayered framework.
i. Analysis of B-APT: the Bayesian anti-phishing toolbar
has recorded more success in recognizing phishing sites
than counterpart toolbars because it is based on the
Bayesian filter, a popular classification method in spam
filtering. This success in recognizing phishing sites is
attributed to its efficiency in flagging unregistered spam
emails, a feature that makes it very effective, as many
phishing sites are transient with zero day life span and new
ones surface day by day [9], [10]. This is unlike a
conventional signature based method that filters based on a
trained or predetermined set that may overlook unknown or
new phishing sites.
B-Apt has been experimentally proven to detect 100%
of phishing sites while its other anti-phishing counterparts –
IE, Firefox, Netcraft and SpoofGuard – detected 42%, 55%,
88%, and 63% respectively [11], [12]. It relies on a list of
known legitimate URLs – a white list – in order recognize
legitimate login sites and reduce the odds of producing too
many false positives. The white list is a comprehensive list
of financial institutions, e-commerce sites, service
providers, and major sites with login pages, which are
stored together as tuples. The stored login tuples aids the
user‟s decision when a phishing site is detected and asks
the user if he wants to be redirected to the legitimate site
[11], [13]. However, this tool depends on the users‟
decision to be directed to the legitimate site or not.
ii. Justification for the selection of B-APT with regards
to other anti-phishing tools: Several other anti-phishing
techniques, tools and algorithms depend on black listing,
users‟ history of URLs, heuristic based schemes and hybrid
approaches. These have been deficient because, firstly, the
blacklist involves the use of known phishing sites. A major
drawback of black listing techniques is the delay in keeping
the list up to date, as several phishing sites are short lived;
while for the history of URLs visited, sites that are not
visited are omitted in the list. Another challenge this poses
is that the history of URLs might not be a large enough set
as the whitelist, which is a reasonably updated list of
legitimate sites. The heuristics based approach is basically
dependent on educated guesses and experiences featuring
details such as images, URLs, passwords and links as
proposed in [14] and can be likened to a trial and error
approach. The hybrid schemes are blends of any of the
whitelist, blacklist, history of URLs or heuristic, and are
accompanied by their respective drawbacks as well. Other
notable anti-phishing techniques rely on the users to detect
visual similarities between legitimate and illegitimate sites,
training the users to recognize or look out for legitimate
security features on sites. These have not proven effective
on a large scale because of the sophistication of most recent
phishing kits, and ignorance on the part of users [15]. So
far B-Apt has been proven to be more effective in making
up for each of the highlighted drawbacks as it uses
Bayesian analysis with its B-Apt engine and user interface
[11].
iii. Analysis of BogusBiter: BogusBiter is a client side
anti-phishing tool that uses obfuscation in an attempt to go
beyond the preventive approaches highlighted earlier in this
paper. The researchers‟ idea is aimed at protecting the
users‟ sensitive information even if they fall for the
phishers‟ snare, by obfuscating the user‟s sensitive details
entered in the phishing site with other gibberish details,
thus, increasing the phisher's cost of accessing the sensitive
details. Accordingly, even though the user has the sensitive
details hidden among others, he has no way of testing the
credentials for validity, as financial institutions, brand
institution sites and so on; don‟t make their databases
publicly available [16].
iv. Justification for the selection of BogusBiter with
regards to other anti-phishing tools: This component of
defense is necessary because other existing anti-phishing
techniques are preventive in nature and depending on them
alone is not enough to thwart a phishing attack. One of the
desirable traits in BogusBiter for this multilayered
framework is that the phishing site, is given “bogus bites”,
which are either a combination of the users sensitive details
concealed among other gibberish, or which renders the
users sensitive details indistinct from the gibberish. Among
other desired characteristics for this multilayered
framework is the independence of BogusBiter from other
detection techniques. When anti-phishing tool bars are
enabled, the most commonly observed user behavior
towards phishing sites is that users ignore detection
warnings or make uninformed responses to prompts or
security features and signals [17], [18], [19]. Therefore, a
desirable feature for this multilayered framework is a major
role played by BogusBiter; that is, even if users ignore
security warnings from the detection tool and fall prey by
supplying their sensitive details to the phishers, their
sensitive details should still be protected to a reasonable
extent. When bogus biter intercepts the users‟ sensitive
details and conceals them with the bogus bite, the process
is transparent to the user and still leverages the economics
of security, i.e., to increase the cost of the attack above the
value of the asset attacked.
B. Server Side Layer
At this layer we use brand institution and server
interchangeably as well as incorporate the justification for
our selection of anti-phishing mechanisms into the
discussions rather than explicitly.
The major server side component of our framework is
an extension of the obfuscation scheme used by the
BogusBiter discussed above. We consider this essential
because merely concealing the users‟ sensitive information
among other gibberish details could be viewed as security
through obscurity. This form of security is only good as
long as we do not rely on it completely. For instance, if the
phisher tries to carry out a dictionary attack to get a user‟s
sensitive details – trying the exhaustive possibilities in the
bogus bite – then the server end algorithm of BogusBiter
triggers stolen credential identification to the brand
institution server in a timely fashion. Therefore, even if
eventually the phisher tries the correct credential and the
authentication process succeeds, the brand institution
would have been notified and the transaction is blocked
[16]. Our multilayered framework incorporates this also
because the algorithm works seamlessly with the existing
effective authentication schemes used by servers some of
which are discussed next.
Commonly used authentication schemes that have been
somewhat effective on the server end involve the use of a
shared secret between the server and the client. Again this
is only as good as long as the shared secret remains secret.
Thus, for our framework, another desirable feature for the
server side layer is strong authentication, employing a
combination of what the user knows, has or is. The other
components of the server side layer that enhance the
validity of strong authentication, when used are: finger
printing and password hashing as discussed below.
i. Finger Printing: Challenge/response as well as the
PKI-based authentication has also been proven to be very
effective in preventing phishing attacks, by sternly
matching each response to a specific authentication
attempt. In the case of the PKI-based authentication, we
can regard, as a response, the server‟s challenge‟s digital
signature. We consider this a very vital component for our
framework because the fingerprints generated through these
authentication schemes would ensure that a person is who
he claims to be [20].
ii. Password Hashing: Also, for our multilayered
framework, we deem password hashing a very essential
protection mechanism both at the client side and the server
side layers. This way, all outgoing passwords entered from
a user‟s end is hashed with the salt of the legitimate domain
name. Therefore, even if the sensitive details were entered
onto the phishers site, the authentication process at the
server end would fail because the salt to the hash is the
domain of the legitimate site [21], [13].
C. Enterprise Layer
The enterprise layer required in this framework is
approached from two perspectives: 1) Systems based and 2)
Process based. This is because indicators show that
phishing attacks can‟t be curbed only through technological
methods, but also through frequently occurring global
punitive actions that would significantly diminish the space
in which phishers operate [20], [23].
i. System Based Enterprise Layer: The major
characteristic feature of the systems based anti-phishing
enterprise layer is to trigger the alerts that would be sent to
the ISPs, registries and registrars to respond accordingly.
The response could be suspending or taking down the
domain, or to initiate the litigation of the criminals
involved. Once a phishing attack is detected, the domain
WHOIS is also activated to confirm the root source of the
domain. At this point, we stress the necessity for
cooperation among ISPs, registrars and registries in
thwarting phishers and decreasing the number of phishing
victims. If ISPs responsively take sites down and there is
no corresponding action from the registrars, then the site
could be brought back up again by another ISP or moved to
another domain, as has been observed in the past. Phishers
work around the clock to gather their “phishes”; thus ISPs
and domain registrars should endeavour to work around the
clock, in shifts if possible, to ensure that legitimate requests
for sites or domain take-downs are treated with a sense of
urgency. Time plays an important role in the phishing
game.
 ii. Process Based Enterprise Layer: This aspect of the
enterprise layer is meant to function in a twofold fashion as
well: detective and proactive.
Meting out disciplinary actions against phishers by law
enforcement agents has been hampered by a number of
factors, which include tracking and identifying the real
source of domains, as well as construing international laws
in attempts to prosecute. Consequently, phishing is fast
becoming a crime committed by criminals immune to
international laws [22]. This suggests that there is a dire
need for global response and collaboration from all
countries to combat phishers adequately. To add credence
to this, statistics show that drastic global actions yield
effective results, and a good example of this is the US
based McColo server shutdown in November 11th 2008,
which resulted in significant drop in phishing attacks
emanating from the US, and other countries (such as China)
known for spam and phishing attacks [25]. A most recent
laudable effort according to ComputerWorld- Security, is
the “Operation Phish Phry” by the FBI, with a record of
about 100 arrests in the US and Egypt. Conversely, the sad
trend is that the volume of these attacks did not reduce: the
phishers only moved their bases to other countries. They
see these countries as safe havens for operation partly
because the regulations in these countries create an
environment for them to thrive through weakly
implemented regulatory policies, delay in punitive actions
or in the worst case, nonexistent regulatory policies. This
suggests that the most effective action against these attacks
require a joint global effort in order to eradicate the spaces
considered safe enough for these malicious domains to
thrive.
To this end, we recognize the need for speedy and
drastic action required to curb phishing attacks or forestall
the spread of the phishers net because, over time the
observable trend is that; to avoid detection, phishers put up
their sites for just a short period and bring it back up again
at a later period. Therefore, any effective approach would
be active enough to either prevent those sites from being up
in the first place or detect them at first sight.
All that has been discussed above are inclined towards
detective and corrective actions in the enterprise layer. For
the proposed framework to be truly effective and holistic in
its defense it also emphasizes the need for a proactive
measure.
We propose that just as business name registration is
being tightly controlled through background checks, the
Internet space in terms of domain name registration and
governance should be treated in the same light. There
should be adequate checks of what the site/domain is to be
used for, a close audit of the activities that take place on the
site or domain, and focused web crawling activities to
detect duplicate sites and stolen brands.
As soon as suspicious activities or URL naming are
noticed, there must be penalties for non-compliance to the
domain usage agreement, starting with the suspension and
ultimate take down of the domain.
Domains that do not meet regulations should either not
be registered in the first place or be shut down as soon as
they are detected. There should also be enforced penalties
for registrars or ISPs who do not comply. We propose that
there should be regulations to clamp down on free web
hosting sites that offer web spaces to anyone without
proper checks, because these web spaces have been
breeding grounds for phishers as well.
D. Framework: Integration of Components in the three
layers
The sole aim of this framework is to ultimately prevent
phishing attacks or, in the worst case, thwart phishers‟
attempts by optimization of the interoperation among anti-
phishing solutions.
i. Underlying Assumption for the integration, and its
implication: This proposed multilayered framework is put
forward based on the assumption that each of the anti-
phishing solutions analyzed above in the previous sections
is in itself sufficient to handle the area for which it was
designed, i.e. client side, server side or enterprise layer.
Therefore, integrating them as a single unit would give a
complementing and coalition effect, thus, prevent a single
point of entry for the attacker.
Besides, each layer has been conceptualized differently
with the various anti-phishing solutions handling the
areas/layers for which they were designed. Our question
therefore is: what happens to the layer unattended in the
feat to curb phishing? Since the phisher has to succeed in
all three layers involved because phishing is not completely
successful without success at each of the layers as a whole,
i.e., without the sites being registered or brand institution
domains being compromised, the attack cannot proceed to
the next phase in its life cycle – luring the victims to the
snares.
ii. Attack/Defense Prompter Algorithm and Flow Chart:
The flow chart shown in Figure 2 below is based on the
algorithm that follows:
For any Attack x
Where x=0, 1, 2, …, n
If x targets client layer,
Call CS()
Else
If x targets server layer,
Call SS()
Else
If x targets enterprise layer,
Call EL()
Else
Process packet
End if
End if
End if
End For
Where: CS= Client Side Layer, SS= Server Side Layer,
EL= Enterprise Layer, Tx= Target CS, Ty= Target SS,
Figure 2. Attack/defense prompter flow chart
The flow chart and the algorithm show the decision
process that takes place within the multilayered framework
when any phishing attack x is launched with any of the
phishers‟ techniques. It begins with the assumption that all
traffic received by a client (see Figure 1) is first treated as a
phishing snare. Hence, for all attacks Tx, targeting client
side, Ty, targeting server side, and Tz targeting enterprise
layer, the game theoretic model GTM is activated. A
simultaneous process ensues afterwards among the various
components to determine the appropriate routines – CSR
and or SSR and or ELR that can best counter any given
attack otherwise the client proceeds with the traffic to as a
legitimate one depicted as the connector A in the flowchart.
A further detail of how the optimum strategy is selected
through the GTM is explained in section three.
III. GAME THEORETICAL DEFENSE
Game theory is a mathematical structure for exploring
what choices rational individuals will make, when the
payoffs depend on the possible combination of all player's
strategies and moves.
Some research has been done to develop game theoretic
approaches for modelling intelligent and rational actors,
especially with regards to attacker defender scenarios. In
general terms, a game consists of three major components:
 Players- actors with motivations, which determine
decisions they make.
Tz=Target EL, x= 0,1,2, …,N, y=0,1,2, …,M, z=0,1,2,…,P.
 Strategies- choices and combinations of moves the
players can make.
 Payoffs- profit or utility derived from the choice of
strategies.
Our game is a two player game – our multilayered
framework (Player_1) and the phishers (Player_2). On the
one hand, Player_1 can choose among the three broad
categories of strategies: client side, server side and
enterprise layer strategies. On the other hand, we can also
categorize the phishers‟ techniques and strategies into three
broad categories: client layer, server layer, and enterprise
layer strategies.
At this point, to describe the payoffs we would use the
following notations: let v be the value of the sensitive
details being protected and let d be the defence strategies
employed by Player_1 at the various layers to increase
Player_2‟s cost or reduce the payoff.
A. The Game Scenario
The game theoretic model in Figure 3 helps us to
capture the scenario in which attacker and defender value
the same asset. In this case, the user‟s sensitive details or
confidential data is the asset, the attacker is the phishers‟
techniques and the defender is our multilayered framework.
On the whole, the game is an incomplete information game
as we assume that both players are not aware of the
strategies and resources at each other‟s disposal. The game
is also described in the form of a non-cooperative zero-sum
game between the two players. The initial position of the
game could be either on Player_1‟s side or Player_2‟s side.
For example, on players 1‟s side it could be by a proactive
defense strategy and on Player_2‟s side it could be the
launch of a phishing attack. In this model, CS() ( Client
Side Function) SS() (Server Side Function), EL()
(Enterprise layer Function), CSR (Client Side Routine),
Figure 3. Multilayered defense model based on game theory
B. Game Theoretical Model (GTM) Mechanism
It is assumed that each player in this game is rational
and the multilayered defense framework (Player_1) would
be adaptive to calculate the moves of the attack towards
winning the game, thus, an unsuccessful hit for the phisher
(Player_2). Also, in this zero sum game, the payoff for
Player_1 would be a gain if Player_2‟s profit is
significantly reduced or null.
For every given attack Tx, Ty or Tz, the algorithm with
the most appropriate functions is called up to counter the
launched attack. The process in which the functions are
called up can be likened to following through a decision
tree for their strategic moves. For example, in the enterprise
Table 1. A matrix of possible strategies of Player_1 and Player_2
SSR (Server Side Routine), and ELR (Enterprise Layer
Routine), are called up when necessary as GTM (Game
Theoretic Model) (see section IIIB) is activated at the
launch of attacks Tx= Targets CS, Ty= Targets SS,
Tz=Targets EL, where x= 0,1,2, …, n, y=0,1,2,…,m,
z=0,1,2…,p., and P is the Multilayered
(prevention/detection/response) defense strategy.
layer of the framework, once the phishing site has been
confirmed to be such, and while other counter routines are
also called from the server and client side layers, a
corresponding action is triggered in the systems based
enterprise layer. This leads to an alert being sent to the
ISPs, domain registrars, registries and domain owners to
take down the site; or in the case of hijacked brand, domain
owners are duly informed to protect their legitimate
customers. At this point, accessing the domain WHOIS
information in real time plays a very vital function in
making the shutdown process by registrars or registries,
and takedown services act within the shortest space of time.
 The matrix shown in table 1 represents the possible
combinations of strategies and techniques used by both
players in the game. Cv, Sv, Ev are the values placed by the
multi-layered defense on the asset- sensitive details with
respect to each layer, and Cd, Sd, Ed are the defence
strategies placed by the multi-layered defense on the assets-
sensitive information. An unprotected state in the game for
Player_1 would be when Cd, Sd, or Ed is zero or does not
exist.
Based on assumptions made in Section III for the
payoffs, if Player_2 succeeds at client side, then Player_2
gets a payoff of pCv, and pSv, pEv at the server side and
enterprise side respectively.
Players 1 and 2 use either a strategy or combination of
strategies to maximize their payoffs or minimize their
losses as shown in Table 1. We presume that a phishing
attack would not be a successful hit until the phisher
succeeds at the client side, i.e. first getting the client‟s
sensitive details (thus getting Cv) and finally authenticating
at the server end to get the asset of concern (getting Sv).
Also, another possible way of accessing the asset Cv could
be at the server side, when the brand server is
compromised. Thus Player_2 not only has a likelihood of
getting Sv at server side but also Cv. Therefore, it is
imperative that Sd be strong enough to limit Player_2‟s
chances of a high payoff. For example, from Table 1, it
follows through that a phisher‟s gain with a technique
combination of C|S facing a defense strategy Cd|Sd would
be dependent on ((Cv + Sv) - (Cd + Sd)), i.e. the cost of the
defense. The cost for the other possible combinations is as
shown in the table as well.
The Utility of Player_2 would therefore be: U2= p( Cv +
Sv ±Ev), while for Player_1 U1= U2→0 (since our goal is to
reduce or eliminate Player_1‟s utility completely). We
surmise that for U2 to tend towards zero, the defence
strategy at the right most bottom cell -((Cv + Sv + Ev) - (Cd
+ Sd + Ed)) would yield a higher payoff for Player_1 if at
every point in time Player_1‟s defence strategies P 1Ms (our
multilayered framework components) is a superset of
Player_2‟s techniques P2Pt – i.e. P2Pt ⊆ P1Ms .
C. Limitations
The scope of this work is mostly theoretical. Also, it is
worth noting that game theoretic approaches to defence
strategies against intelligent and dynamic attackers such as
phishers are based on a wide range of assumptions whose
accuracy and implications have not been fully explored.
Extensively exploring their implications and accuracy
would no doubt make them yield real time benefits in the
space they are being deployed.
IV. CONCLUSIONS
In order to give a holistic approach to combating
phishing attacks putting into account the rationality of the
key actors, this paper introduces game theory to model the
attack and defence activities. We analyze a typical phishing
attack with a use case diagram. Consequently, we present
the need for a multilayered defence in-depth framework
with characteristic features of what effective components
should be.
Saying with absolute confidence that we know our
attackers‟ strategies completely would be to undermine the
phishers but we do know for sure the characteristics of their
attack strategies and the major categories for which to
classify, identify and detect them.
The expected contributions to knowledge of this paper
include the following:
• Facilitate the understanding of and proffer effective
measures to combat phishing attacks through a
multilayered defense approach, achieved primarily by
preventive, early detection and reaction, as well as
management schemes.
• As phishing is perpetrated through social engineering,
we use the game theory to depict, explain and forecast the
possibility of success for the multilayered framework
(Player_1) over the phishers (Player_2). This illustrates the
interaction between phishing attacks and anti-phishing
solutions from a social perspective. Hence, this could be
used as a basis for designing better anti-phishing solutions.
• We conjecture that the approach proposed in this
paper will significantly advance the knowledge and tools
required to enhance secure online transactions and increase
the associated users‟ level of confidence.
Finally, including other tested and proven anti-phishing
solutions at each of the layers involved might further
enhance our proposed multilayered framework. This might
help improve the strategy space of the defense game.
Suggestions for future work include design questions
based on the framework, the known characteristic set of
phisher behaviour and the expected non-exhaustive
combination and permutation of strategies that could be
derived from the multilayered Player_1. Exploring the
multilayered framework as a cooperative game with
coalition among the interoperable components is
recommended for further work as well as deriving Nash
equilibrium for the most optimum defence strategy used by
Player_1.
V. AKNOWLEDGEMENTS
The research was supported by the Concordia Faculty of
Professional Education and Faculty of Graduate Studies.
The first author is heartily thankful to her supervisors,
Pavol Zavarsky, Ron Ruhl and Dale Lindskog whose
encouragement, guidance and support from the initial to the
final level, enhanced significantly both the quality of the
content and clarity of the presentation of this work.
REFERENCES
[1] M. Sourour, B. Adel, and A. Tarek,”Ensuring security in
depth based on heterogeneous network security
technologies” Regular Contribution on computer security ,
Springer-Verlag 2009.
[2] Marshal, “Marshal‟s Malware defense-in-depth anti spam
engine” January 2008.
[3] R. A. Miura-Ko, B. Yolken, J. Mitchell, and N. Bambos,
”Security decision-making among interdependent
organizations”, 21st IEEE computer security foundations
symposium 2008.
[4] S. N. Hamilton, W. L. Miller, and A. Ott, “The Role of game
theory in information warfare”, 4th Information survivability
workshop (ISW-2001/2002), www. cyberdefenseagency.com
[5] K. Lye, J.M. Wing, “Game strategies in network security”,
International Journal of Information Security, Preface to the
special issue of selected papers from CS/VERIFY 2002, Vol.
4, Numbers 1-2, Springer Berlin / Heidelberg, Feb. 2005, pp.
71-86
[6] W. He, C. Xia, H. Wang, C. Zhang, Y. Ji, “A game
theoretical attack-defense model oriented to network security
risk assessment” Beihang University, Interntional conference
on computer science and software engineering, 2008
[7] K. Sallhammar, “Stochastic Models for Combined Security
and Dependability evaluation” [Ph.d], Norwegian University
of Science and Technology, Trondheim, June 2007.
[8] Anti-Phishing Working Group. “Phishing Activity Trends
Report. 1st Half 2009” : http://www.anti-
phishing.org/reports/apwg_report_h1_2009.pdf
[9] C. V. Zhou, C. Leckie, S. Karunasekera and T. Peng, "A
Self-healing, Self-protecting Collaborative Intrusion
Detection Architecture to Trace-back Fast-flux Phishing
Domains", The 2nd IEEE Workshop on Autonomic
Communication and Network Management (ACNM 2008),
Brazil, April 2008.
[10] P. Likarish, E. Jung, D. Dunbar and T.E. Hansen, “B-APT:
Bayesian anti-phishing toolbar”, IEEE Conference on
Communications, 2008. ICC'08, 2008 - mnet.skku.ac.kr
[11] W. Yerazunis. “The spam-filtering accuracy plateau at 99.9
percent accuracy and how to get past it”, In MIT Spam
Conference 2004, December 2004.
[12] M. Blaisi, “Techniques for detecting zero day phishing
websites”, Iowa State University. 2009
[13] N. Chou, R. Ledesma, Y. Teraguchi, D. Boneh, and J. C.
Mitchell. “Client-side defense against web-based identity
theft”,. In NDSS ‟04, 2004.
[14] C. Yue and H. Wang, “Anti-Phishing on offense and
Defense”, http://www.cs.wm.edu/~hnw/paper/anti-phishing
pdf
[15] J. S. Downs, M. B. Holbrook, and L. F. Cranor. “Decision
strategies and susceptibility to phishing.” In Proceedings of
the SOUPS, pages 79–90, 2006.
[16] R. Dhamija and J.D. Tygar and M. Hearst. “Why phishing
works.” In Proceedings of the CHI, pp. 581–590, 2006.
[17] T. Whalen and K. M. Inkpen. “Gathering evidence: use of
visual security cues in web browsers.” In Proceedings of the
conference on Graphics interface, pages 137–144, 2005.
[18] T. Weigold, T. Kramp and M. Baentsch, “Secure
Authentication: Remote Client Authentication”, IEE
Computer Society, Security & Privacy, 2008.
[19] B. Ross, C. Jackson, N. Miyake, D. Boneh, and J. Mitchell,
“Stronger password authentication using browser
extensions.” In Proceedings of the 14th Conference on
USE_IX Security Symposium - Volume 14 Baltimore, MD,
July 31 - August 05, 2005.
[20] J. Lance, “Phishing Exposed” Rockland, mass: Syngress
Pub., c2005, ISBN: 159749030x
[21] E. Mendelson, “Introducing game theory and its
Applications”, Chapman & Hall/CRC, ISBN 1-58488-300-6
[22] V.M. Bier, M.N. Azaiez, “Game Theoretic Risk analysis of
Security Threats”, Springer, ISSN: 0884-8289
[23] IBM Global Technology Services, IBM Internet Security
systems X-Force 2008 Trend & Risk report.