Identifying phishing websites using DOM characteristics

摘要

Embodiments of the present invention are directed to identifying phishing websites by rendering and analyzing document object model (DOM) objects associated with a website for features that indicate phishing behavior. Embodiments analyze the full scope and functionality associated with a website by executing functions embedded in a DOM object before analyzing the website for phishing activity. Accordingly, embodiments render and analyze a fully executed DOM object for phishing behavior. Embodiments may then perform steps to mediate a website that is classified as performing phishing. Thus, embodiments are configured to (1) collect website information from a variety of websites and web servers connected to the internet, (2) analyze the collected data to determine whether the website information is performing phishing, and (3) mediate websites and other actors that are determined to be performing phishing based on the results of the phishing analysis.

主权项

1. A method of identifying phishing websites, the method comprising, at a computer system:
receiving website information from a first server computer corresponding to a website; rendering a document object model (DOM) object of the website using the website information; extracting a plurality of features from the DOM object; identifying a subset of features in the plurality of features; applying a phishing model to the subset of features to determine an indication of whether the website is performing phishing, wherein the phishing model includes a hierarchical decision logic defined by a plurality of nodes, each of the plurality of nodes having a different one of a plurality of phishing rules, wherein each of the plurality of phishing rules is a conditional statement for assessing one or more of the subset of features, and wherein applying the phishing model to the subset of features includes:
identifying a subset of nodes in the plurality of nodes, the subset of nodes defining a decision path in the hierarchical decision logic, wherein the subset of nodes are identified by traversing the hierarchical decision logic based on an outcome of assessing a phishing rule of each of the subset of nodes, wherein the subset of nodes includes an initial node and a final node, and wherein after the initial node is identified, each subsequent node of the subset of nodes is identified based on the outcome of assessing a phishing rule of a node that is a parent of the subsequent node in the decision path; anddetermining a final phishing rule of the final node of the subset of nodes of the decision path, the final phishing rule being one of the plurality of phishing rules, wherein the indication of whether the website is performing phishing is determined based on an outcome of assessing the final phishing rule; determining a classification about whether the website is performing phishing based on the indication determined by the applying of the phishing model to the subset of features; and reporting a phishing occurrence based on determining that the classification specifies the website is performing phishing.