Phishlimiter: A Phishing Detection and Mitigation Approach Using Software-Defined Networking

Phishing is one of the most harmful social engineering techniques to subdue end users where threat actors find a chance to gain access to critical information systems. A common approach in phishing is through the use of e-mail communication with an embedded hyperlink. The detection and mitigation of phishing attacks are a grand challenge due to the complexity of current phishing attacks. Existing techniques are often too time consuming to be used in the real world in terms of detection and mitigation time. Likewise, they employ static detection rules that are not effective in the real world due to the dynamics of phishing attacks. In this paper, we present PhishLimiter, a new detection and mitigation approach, where we first propose a new technique for deep packet inspection (DPI) and then leverage it with software-defined networking (SDN) to identify phishing activities through e-mail and web-based communication. The proposed DPI approach consists of two components: phishing signature classification and real-time DPI. Based on the programmability of SDN, we develop the store and forward mode and the forward and inspect mode to the direct network traffic by using an artificial neural network model to classify phishing attack signatures and design the real-time DPI so that PhishLimiter can flexibly address the dynamics of phishing attacks in the real world. PhishLimiter also provides better network traffic management for containing phishing attacks since it has the global view of a network through SDN. Furthermore, we evaluate PhishLimiter using a real-world testbed environment and data sets consisting of real-world email with embedded links. Our extensive experimental study shows that PhishLimiter provides an effective and efficient solution to deter malicious activities.