In this repository, we build a system to automatically decide the maliciousness of a phishing webpage through its behaviors.
This repository includes partial code for our paper "Knowledge Expansion and Counterfactual Interaction for Reference-Based Phishing Detection", published in USENIX Security 2023.
The main repository is here: https://github.com/code-philia/Dynaphish
Supported functionalities:
- ✅ Locate all inputs, submission buttons, etc.
- ✅ Decide the semantics of inputs and fill in faked credentials
- ✅ Submit forms
- ✅ Track webpage state changes
- ✅ Detect the presence of reCaptcha
- ✅ Detect the presence of error messages
- ✅ HTML obfuscation
- ✅ Observe the suspicious behaviors during login action
- 🏁 Let users proceed without verification on fake credentials
- 🏁 Redirect to third-party webpage after form submission
We build an interaction webdriver (Selenium-based) to automatically perform form filling, form submission, and webpage transition detection.
Our main goal is to report suspicious behaviors during the login process, such as (1) no verification of fake account details and (2) evasive redirection to third-party websites upon form submission.
- [2023-09-23] ❗❗❗ The model download in setup.sh does not always work because of the git lfs limit 😢. Alternatively, you can download model_final.pth from this link.
- [2023-09-12] 🍋🍋🍋🍋🍋🍋🍋 If you want to speed up, you can switch to the "simple" branch. 🍋🍋🍋🍋🍋🍋🍋🍋
Implemented and tested on Ubuntu 16.04 and 20.04 with Python 3.8. Should work on other Debian-based systems as well.
1. Clone this MyXDriver_pub repo and cd into it:
   git clone https://github.com/lindsey98/MyXdriver_pub.git
   cd MyXdriver_pub
2. Manually download the chromedriver executable (https://chromedriver.chromium.org/) and put it under config/webdrivers.
   - Make sure the webdriver's version is compatible with the corresponding browser's version.
3. Run ./setup.sh
- Automatic form filling: See test script testing/formfill.py
  - Locate all inputs: xutils.forms.Form.Form._get_input_elements
  - Locate the submission button: xutils.forms.Form.Form._get_button_elements
  - Decide the semantics of inputs: xutils.forms.FormElement.FormElement._decide_rule_inputs
  - Fill in all inputs: xutils.forms.Form.Form.fill_all_inputs
  - Form submission: xutils.forms.Form.Form.submit
- Track webpage state
  - Check whether the webpage is empty: xutils.state.StateClass.StateClass.empty_page
  - Check whether the webpage is a credential-requiring page or not: xutils.state.StateClass.StateClass.is_CRP
  - Check whether the webpage has been redirected to a different domain: xutils.state.StateClass.StateClass.does_redirection
  - Detect the presence of reCaptcha: xutils.state.StateClass.StateClass.recaptcha_displayed
  - Detect the presence of error messages: xutils.state.StateClass.StateClass.has_error_message_displayed
- Phishing detection based on suspicious behaviors during login: See testing/webinteraction.py
  - Redirection to third-party websites: xutils.WebInteraction.WebInteraction.get_benign
  - No verification on fake credentials: xutils.WebInteraction.WebInteraction.get_benign
- Miscellaneous: For other utilities, please refer to XDriver.py
  - Get DOM path for an element: XDriver.XDriver.get_dompath
  - Get the coordinate for an element: XDriver.XDriver.get_location
  - Retrieve the elements given a list of coordinates: XDriver.XDriver.get_all_elements_from_coordinate_list
  - Get all potential clickable elements: XDriver.XDriver.get_all_clickable_elements
  - Obfuscate buttons as images: XDriver.XDriver.obfuscate_page
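The two login-time behaviors reported above (no verification of fake credentials, redirection to a third-party site after submission) can be expressed as a decision over the page state before and after the form is submitted. The sketch below is an added example, not code from this repository: `PageState`, `site_of`, `suspicious_behaviors`, the finding labels and the small suffix set are hypothetical names, and the page states are constructed.

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed, tiny stand-in for the Public Suffix List (assumption).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "com.sg", "co.jp"}

def site_of(url: str) -> str:
    """Approximate the registrable domain (eTLD+1) of a URL."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return host  # IP literals are compared as a whole
    except ValueError:
        pass
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

@dataclass
class PageState:  # hypothetical record, not the repository's StateClass
    url: str
    is_crp: bool             # credential-requiring page?
    has_error_message: bool
    recaptcha: bool = False
    empty: bool = False

def suspicious_behaviors(before: PageState, after: PageState) -> list:
    """Findings observed after submitting fake credentials on `before`."""
    if not before.is_crp or before.recaptcha or after.empty:
        return []  # nothing could be submitted or observed
    findings = []
    # Subdomain changes on the same site do not count as a redirect.
    if site_of(before.url) != site_of(after.url):
        findings.append("third_party_redirect")
    # Fake credentials were accepted: no login form, no error, no challenge.
    if not after.is_crp and not after.has_error_message and not after.recaptcha:
        findings.append("no_verification_of_fake_credentials")
    return findings

if __name__ == "__main__":
    # Constructed page states for illustration.
    before = PageState("https://login.example-bank.test/signin", True, False)
    rejected = PageState("https://www.example-bank.test/signin", True, True)
    accepted = PageState("https://www.example.co.uk/home", False, False)
    print(suspicious_behaviors(before, rejected))  # site verified the login
    print(suspicious_behaviors(before, accepted))  # both behaviors observed
```

A production check would resolve registrable domains with the full Public Suffix List rather than the constructed set used here.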
If you find our tool helpful, please consider citing our paper:
@inproceedings {291106,
author = {Ruofan Liu and Yun Lin and Yifan Zhang and Penn Han Lee and Jin Song Dong},
title = {Knowledge Expansion and Counterfactual Interaction for {Reference-Based} Phishing Detection},
booktitle = {32nd USENIX Security Symposium (USENIX Security 23)},
year = {2023},
isbn = {978-1-939133-37-3},
address = {Anaheim, CA},
pages = {4139--4156},
url = {https://www.usenix.org/conference/usenixsecurity23/presentation/liu-ruofan},
publisher = {USENIX Association},
month = aug,
}