DeepPhish Simulating Malicious AI - Black Hat Briefings
DeepPhish Simulating Malicious AI
Alejandro Correa Bahnsen, PhD
VP, AI & Research – Cyxtera Technologies
About Me
• Industrial Engineer
• PhD in Machine Learning
• Passionate about open-source
• Scikit-Learn contributor
• Organizer of Data Science Meetups
Who I’ve worked with
Agenda
• Phishing URL Detection using Machine Learning
• Malicious Cert Detection using Deep Learning
• DeepPhish: Simulating Malicious AI
• Demo
Typical Phishing Example
Why Phishing Detection is Hard?
Original Website
Only Using Images
Subtle Changes
Ideal Phishing Detection System
Is It Phishing?
Machine Learning Algorithm
Issues with full content analysis:
• Time consuming
• Impractical to process millions of websites per day
• Hard to implement for small devices
There is always the need for a URL
Database of URLs
http://moviesjingle.com/auto/163.com/index.php
1,000,000 Legitimate URLs from Common Crawl
http://paypal.com.update.account.toughbook.cl/8a30e847925afc5975161aeabe8930f1/?cmd=_home&dispatch=d09b78f5812945a73610edf38
http://msystemtech.ru/components/com_users/Italy/zz/Login.php?run=_login-submit&session=68bbd43c854147324d77872062349924
https://www.sanfordhealth.org/ChildrensHealth/Article/73980
http://www.grahamleader.com/ci_25029538/these-are-5-worst-super-bowl-halftime-shows&defid=1634182
http://www.carolinaguesthouse.co.uk/onlinebooking/?industrytype=1&startdate=2013-09-05&nights=2&location&productid=25d47a24-6b74
1,000,000 Phishing URLs from Phish Tank
Recurrent Neural Networks RNN
[Figure: the URL "http://www.papaya.com" is read one character at a time; each character is one-hot encoded, mapped to an embedding vector, and passed through a chain of LSTM units whose output goes through a Sigmoid.]
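The data flow on this slide (URL characters → one-hot encoding → embedding → LSTM → sigmoid), written out as a small pure-Python forward pass. This is an added example, not the speaker's code: the alphabet, `MAX_LEN`, the layer sizes and the random, untrained weights are assumptions chosen to show shapes and layer order, so the score carries no detection meaning until the weights are trained.

```python
import math
import random
import string

# Assumed character vocabulary. Index 0 is reserved for padding and
# index 1 for any character that is not in the alphabet.
ALPHABET = string.ascii_lowercase + string.digits + "-._~:/?#[]@!$&'()*+,;=%"
PAD, UNK = 0, 1
CHAR_TO_ID = {c: i + 2 for i, c in enumerate(ALPHABET)}
VOCAB_SIZE = len(ALPHABET) + 2

MAX_LEN = 64    # assumed fixed sequence length
EMBED_DIM = 8   # assumed embedding width
HIDDEN = 6      # assumed LSTM state size


def encode_url(url, max_len=MAX_LEN):
    """Lowercase, keep the first max_len characters, left-pad with PAD."""
    ids = [CHAR_TO_ID.get(c, UNK) for c in url.lower()[:max_len]]
    return [PAD] * (max_len - len(ids)) + ids


def one_hot(idx):
    return [1.0 if i == idx else 0.0 for i in range(VOCAB_SIZE)]


def matvec(matrix, vec):
    return [sum(w * x for w, x in zip(row, vec)) for row in matrix]


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def rand_matrix(rng, rows, cols):
    return [[rng.uniform(-0.3, 0.3) for _ in range(cols)] for _ in range(rows)]


class CharLSTMScorer:
    """Untrained model with the slide's layer order (biases omitted)."""

    def __init__(self, seed=0):
        rng = random.Random(seed)
        # Stored as EMBED_DIM x VOCAB_SIZE so that the embedding lookup is
        # literally (embedding matrix) x (one-hot vector).
        self.embed = rand_matrix(rng, EMBED_DIM, VOCAB_SIZE)
        # One weight matrix per gate, applied to [embedding ; previous h].
        self.gates = {g: rand_matrix(rng, HIDDEN, EMBED_DIM + HIDDEN)
                      for g in "ifog"}
        self.out = [rng.uniform(-0.3, 0.3) for _ in range(HIDDEN)]

    def score(self, url):
        h = [0.0] * HIDDEN   # hidden state
        c = [0.0] * HIDDEN   # cell state
        for idx in encode_url(url):
            if idx == PAD:   # masked step: padding does not touch the state
                continue
            x = matvec(self.embed, one_hot(idx)) + h
            i = [sigmoid(v) for v in matvec(self.gates["i"], x)]    # input gate
            f = [sigmoid(v) for v in matvec(self.gates["f"], x)]    # forget gate
            o = [sigmoid(v) for v in matvec(self.gates["o"], x)]    # output gate
            g = [math.tanh(v) for v in matvec(self.gates["g"], x)]  # candidate
            c = [fj * cj + ij * gj for fj, cj, ij, gj in zip(f, c, i, g)]
            h = [oj * math.tanh(cj) for oj, cj in zip(o, c)]
        # Sigmoid over the last hidden state gives a score in (0, 1).
        return sigmoid(sum(w * hj for w, hj in zip(self.out, h)))


if __name__ == "__main__":
    model = CharLSTMScorer(seed=0)
    # The first URL is the one spelled out on the slide.
    for url in ("http://www.papaya.com",
                "https://www.sanfordhealth.org/ChildrensHealth/Article/73980"):
        print(f"{model.score(url):.4f}  {url}")
```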
URL Classification Results
| 3-Fold CV | Accuracy | Recall | Precision |
|---|---|---|---|
| Average | 98.76% | 98.93% | 98.60% |
| Deviation | 0.04% | 0.02% | 0.02% |
Detecting Malicious URLs Is Not Enough!!
Images from: https://info.phishlabs.com/blog/quarter-phishing-attacks-hosted-https-domains
What is a Web Certificate?
Secure | https://ultrabank.com
http://ultrabank.com
Forrester survey asked users: “Some websites receive the following browser user interface security indicator in the browser. What do you think the security indicator is intended to tell users?”
The website is safe: 82%
The website is encrypted: 75%
The website is trustworthy: 66%
The website is private: 32%
Secure | https://ultrabank.com
Hunting Malicious TLS Certificates with Deep Neural Networks
Database of TLS Certificates
1,000,000 Legitimate Certificates from Common Crawl
5,000 Phishing Certificates
CN = *.stackexchange.com, O = Stack Exchange, Inc., L = New York, S = NY, C = US
CN = localhost, L = Springfield
CN = slack.com, O = Slack Technologies, Inc., L = San Francisco, S = CA, C = US
CN = *.trello.com, O = Trello Inc., L = New York, S = New York, C = US
CN = localhost.localdomain
CN = example.com, L = Springfield
Deep Learning Algorithm
[Figure: encoded certificates → Pre-Processing → Hidden Layers → Output]
Deep Learning Algorithm
Inputs and branches:
• Subject Principal: One hot encoding → Embedding → LSTM → Dropout
• Issuer Principal: One hot encoding → Embedding → LSTM → Dropout
• Extracted Features: Dense/ReLu → Dropout
Concatenate → Dense/ReLu → Dropout → Dense/Logit → score
Malicious Cert Classification Results
| 5-Fold CV | Accuracy | Recall | Precision |
|---|---|---|---|
| Average | 86.41% | 83.20% | 88.86% |
| Deviation | 1.22% | 3.29% | 1.04% |
DeepPhish Simulating Malicious AI
The Experiment: Simulating Malicious AI
Identify individual threat actors
Run them through our own AI detection system
Improve their attacks using AI
Uncovering Threat Actors
• Objective: We want to understand effective patterns of each attacker to improve them through an AI model
• As we cannot know attackers directly, we must learn from them through their attacks
• Database with 1.1M confirmed phishing URLs collected from Phishtank
Threat Actor 1
naylorantiques.com
406 URLs
http://naylorantiques.com/components/com_contact/views/contact/tmpl/62
http://naylorantiques.com/docs/Auto/Atendimento/5BBROPI6S3
http://naylorantiques.com/Atualizacao Segura/pictures/XG61YYMT_FXW0PWR8_5P2O7T2U_P9HNDPQR/
http://naylorantiques.com/zifn3p72bsifn9hx9ldecd8jzl2f0xlwf8f
http://www.naylorantiques.com/JavaScript/charset=iso-8859-1/http-equiv/margin-bottom
Keywords
atendimento, jsf, identificacao, ponents, views, TV, mail, SHOW, COMPLETO, VILLA, MIX, ufi, pnref, story, tryy2ilr, Autentico
106 domains
naylorantiques.com, netshelldemos.com, debbiebright.co.z, waldronfamilygppractice.co.uk, avea-vacances.com, psncodes2013.com, uni5.net, 67.228.96.204, classificadosmaster.com.br, ibjjf.org
Visual Check
Check in database
Visual Check
Threat Actor 2
Vopus.org
13 URLs
http://www.vopus.org/es/images/cursos/thumbs/tdcanadatrust
http://www.vopus.org/ru/media/tdcanadatrust/index.html
http://vopus.org/common/index.htm
http://www.vopus.org/es/images/cursos/thumbs/tdcanadatrust/index.html
http://vopus.org/descargas/otros/tdcanadatrust/index.html
Keywords
tdcanadatrust/index.html
19 domains
friooptimo.com, kramerelementary.org, kalblue.com, vopus.org, artwood.co.kr, stephenpizzuti.com, heatherthinks.com, corvusseo.com, natikor.by, optioglobal.com, backfire.se, fncl.ma, greenant.de, mersintenisakademisi.com, cavtel.net
Check in database
Visual Check
Visual Check
DEMO!!!
Threat Actors Effectiveness
All Attacks (1,146,441): 0.24%
Threat Actor 1 (1,009): 0.69%
Threat Actor 2 (102): 4.91%
DeepPhish Algorithm - Training
[Figure: flow from Non Effective URLs / Effective URLs through the steps labelled "Concatenate and create", "Transform" and "Train"; other labels: Rolling Window, Encoding, Model.]
Example URLs shown:
http://www.naylorantiques.com/content/centrais/fone_facil
http://kisanart.com/arendivento/menu-opcoes-fone-facil/
http://naylorantiques.com/atendimento/menu-opcoes-fone-facil/3
Concatenated text shown:
http://www.naylorantiques.com/content/centrais/fone_facilhttp://kisanart.com/arendivento/menu-opcoes-fone-facil/http://naylorantiques.com/atendimento/menu-opcoes-fone-facil/3
DeepPhish LSTM Network
[Figure: URL characters ("http://www.papaya.com") → One hot Encoding → LSTM units with tanH → Softmax]
DeepPhish Algorithm - Prediction
[Figure: steps labelled "Predict Next Character Iteratively", "Filter paths" and "Create"; other labels: Model, Allowed Paths, Compromised Domains, Synthetic URLs.]
/arendipemto/nenu-opcines-fone-facilvfone/faci/Atondime
http:// + www.naylorantiques.com + /arendipemto/nenu-opcines-fone-facilvone/facil/Atondime
Traditional Attacks vs. AI-Driven Attacks
Threat Actor 1: Traditional 0.69%, DeepPhish 20.90%
Threat Actor 2: Traditional 4.91%, DeepPhish 36.28%
What’s Next??
AI-powered attacks are real, as we proved with the DeepPhish experiment. We need to enhance our own AI detection systems to account for the possibility of attackers using AI.