Detecting phishing webpages via homology analysis of webpage structure

DOM structural characteristics

The DOM represents an HTML document as a tree structure with tags, attributes, and text nodes. In order to simplify the calculation, only the DOM tag tree is used to represent the HTML document, and attributes, text and comment nodes are ignored.

In order to highlight the hierarchical information of the tag tree, a structure table is constructed, which stores the hierarchy and tag sequence of the DOM tree in order, and the traversal strategy is depth first. Since the information is mainly within the element <body>, the part under <head> is not extracted. Figure 3 converts an HTML document into a corresponding DOM tag tree and stores it in the structure table. The resulting hierarchy tag sequence is [html1, body2, div3, nav4, div5, li5, li5, div3, img4, div4, p4], shown as Fig. 3.

Class attribute characteristics

CSS rules are used to formulate layout of webpages, which contain selectors and declaration information, as shown in Fig. 4. The declaration contains attributes and corresponding values.

Figures 5 and 6 show the CSS styles in the DOM of a certain webpage and the page after the corresponding styles are set. Because values of the attributes often change a lot, only the attributes are extracted as structural features. As shown in Fig. 5, the Class attribute set extracted is [intro, important].

Hierarchical tag vector

In order to reduce the complexity of DOM tree comparison, it is necessary to simplify the representation of the tree-level tag sequence, and at the same time express the hierarchical characteristics of the webpage and distinguish the differences in the structural elements of the webpage, so as to improve the effect of feature expression. TF-IDF (Term Frequency-Inverse Document Frequency) is a statistical document representation method widely used in the field of information retrieval (Khan et al., 2010), in which the word vector is determined according to TF, and IDF is used to adjust the weight. But IDF cannot effectively express the importance of tags and their distribution. Therefore, we assign weights through the role of tags, and use improved TF-IDF to vectorize the DOM hierarchical tag sequence.

Suppose there are m types of hierarchical tags in a webpage set, this is TagType = [tag₁,tag₂,…,tag_m], using TF and IDF to determine the frequency and importance of tags with hierarchical information as follows:

(1) $$T{F}_{ij}={\displaystyle \frac{|ta{g}_j{|}^{p_i}}{\sum _{a=1}^m|ta{g}_a{|}^{p_i}}}$$

(2) $$ID{F}_{ij}=\log \left({\displaystyle \frac{n}{1+|p_i,ta{g}_j\in p_i|}}\right)$$where in TF_ij represents the ratio of the number of occurrences $|ta{g}_j{|}^{p_i}$ of tag_j in webpage p_i to the total number of occurrences ${\sum }_{a=1}^m|ta{g}_a{|}^{p_i}$ of all tags, namely, frequency; $ID{F}_{ij}$ is the importance of tag_j. Among them, n represents the total number of webpages, and |p_i,tag_j ∈ p_i| represents the number of webpages containing tag_j.

There are 117 commonly used HTML tags, can be roughly divided into three categories: layout-related tags, text-related tags, and other tags. Different tags have different effects on webpages. For example, layout-related tags have larger effects on the page layout, and text-related tags only affect the text display. The existing similarity comparison methods for DOMs ignore this observation, but in our opinion, the use frequencies of tags can reflect the importance of the tag categories. Through the statistics of DOM trees from benign webpages collected, it is found that the use frequency of layout-related tags such as div, span, li, option, etc. is 7/3 times than that of text-related tags, showed in Fig. 7, so we set the weights for each category: layout-related tags are 7/3, text-related tags are 1, and other cases are 0.

After weighting, the hierarchical tag vector of p_i is:

(3) $$V_T^{p_i}=[z_{i1},z_{i2},...,z_{im}]$$where z_ij = TF_ij * IDF_ij * weight.

Class attribute vector

Class attribute is set type, and each set contains multiple attribute strings. Therefore, the sets of webpages with similar styles and layouts will have some common elements, so they can be directly embedded.

(4) $$V_C^{p_i}=[s{s}_{i1},s{s}_{i2},...,s{s}_{iq}]$$

In the Eq. (4), the attribute vector of webpage p_i contains q attributes.

FGμ stage

The tag sequence is read sequentially, and the initial fingerprint is generated using the LZ78 compression algorithm (Barua et al., 2017). That is, if a certain HTML tag has not appeared, the code is 0; if it has appeared, the longest prefix record of the tag is searched, and the code is value of the longest prefix index. A code table is constructed to record the above information.

By analysing DOM trees, it is found that the shallow nodes of the trees have greater impact on the webpage structure. If two webpages are not similar, the shallow tags will be quite different; but if two webpages are similar, the shallow tags are similar, but the deeper the level, the difference bigger. That is to say, the in-depth information of the DOMs will interfere with the expression of the structures, so exact comparison between DOMs is not desirable. Set threshold l for the length of fingerprint to limit the length of the output fingerprint and weaken the influence of the deep nodes of the DOM structure.

FGη stage

Perform second compression based on the initial fingerprint, that is, convert the repetitive codes in the initial fingerprint into codewords and the number of occurrences to form the final webpage fingerprint sequence newFP = FGη(FinP). Specifically, the rules are as follows:

• If there is no continuous repetition of the code: only the code is added in newFP;

• If the number of consecutive occurrences of the code ≥ 2: add the code and the corresponding number of repetitions to newFP.

Here is an example of the above fingerprint generation process. Assume that the tag sequence of a webpage is shown in Fig. 9.

According to the tag sequence, give serial number to the tags, shown in Fig. 10. Read the label in sequence, if a tag is appeared for the first time, give it a serial number; otherwise, if an existing tag occurs, continue to read the next tag for combination judgment. If the combination did not appear before, connect the tag below the existing one and number it.

After all tags are numbered, the code table will be constructed, shown in Fig. 11.

According to FG algorithm, after the FGμ stage, use the code table to output the number of the longest prefix index, FGμ(Seq) = FinP = [0, 0, 0, 0, 4, 0, 6, 0, 0, 4, 0, 11, 11, 9, 0, 8]. Then, after the FGη stage, the longest prefix index column is further converted, so FGη(FinP) = newFP = [0, 4, 4, 0, 6, 0, 2, 4, 0, 11, 2, 9, 0, 8], this is the final fingerprint generated after twice compressions.

To improve the comparison efficiency, unlike the modelling stage, the Class attribute is not considered in the fingerprint generation process.

In some special circumstances, the fingerprints may be the same even facing different webpages. Because in FGμ stage, only partial front DOMs are taken to generate l bytes fingerprint. If two webpages have same part of their DOMs, the fingerprints will be the same. FGη stage only convert repetitive codes into codewords and there is no information loss, so the same fingerprints created in FGμ stage will keep same after that. But for two different clusters, the fingerprints will be different because centre points of two clusters have different low lever DOMs, or they will be in one cluster. This is what we need: to simplify the comparison of webpages, remove the redundancy of internal information while realize the fuzzy and fast detection.

Parameter setting for SPHDM

In order to select suitable parameters, the experiment adjusts the two parameters α and β in Eq. (8), shown in Table 4, and selects the best set of parameters.

From Table 4, as α decreases and β increases, TPR fluctuates between 89.36%–91.78%. When α ≤ 0.9 and β ≥ 0.1, FPR gradually increases, while Precision gradually decreases. Since the results are better when TPR and Precision take high values and FPR takes low values, it is obvious that α = 0.9 and β = 0.1 are appropriate. Therefore, the experiment finally chooses the tag coefficient α = 0.9 and the Class coefficient β = 0.1. This is in line with the actual situation. In webpages, the DOM reflects the global information of the webpage structure, while the Class attribute only reflects the detailed information, and the amount of the Class attribute is relatively small compared to the DOM, so the effect of the DOM tree is far greater on structure than the Class attribute.

The key to clustering is to find the optimal threshold θ. The larger the value of θ, the looser the clustering restriction, so the FPR will increase; on the contrary, the stricter the clustering restriction, the lower the FPR will be. The results under different θ are shown in Table 5.

It can be concluded from Table 5 that as the threshold gradually increases, both TPR and FPR are increasing. Especially when the threshold is greater than 0.3, the value of FPR rises rapidly. When θ is 0.1, TPR and FPR reach a good compromise. Therefore, set θ to 0.1.

Detection effect

Table 6 shows the number of clusters and effects after the execution of each method under the above parameters.

It can be seen from Table 6 that SPHDM has the best effect. ED is based on edit distance. In the case of complex webpage layout, it causes more mismatches, so the effect is worse than other methods. On the other hand, TC is based on tag frequency. When the webpage layout is complex, the similarity calculation result is better; but for the webpage with simple structure, because the total number of tags is small, the discrimination ability of tag frequency is low. TF-IDF weights the word frequency, which weakens the less influential tags to a certain extent, so the TPR is improved. HD not only compares the tags, but also considers the level of tags, so the overall performance is better. However, for webpages with strong homology, in order to improve the comparison efficiency, HD only extracts shallow tags for calculation, which has caused certain misjudgements. SPHDM combines tags and style attribute in the page structure, comprehensively considers the tag frequency, tag category and weight, and can better reflect the structural characteristics of webpages. Therefore, TPR and FPR have reached the optimal results.

From the perspective of the number of clusters, ED has the largest number of clusters due to its strict matching mode. SPHDM has the least number of clusters because it focuses on expressing homology and can better classify webpages with similar overall structures but small differences into one category. When more webpages are collected and used, the detection effect will be more accurate, because more cluster will be found.

In addition, the clustering of ED takes the longest time because it requires bitwise comparisons between sequences, while others are all based on statistical methods. TC and HD are simpler statistical method than TF-IDF. Comparing to TF-IDF, SPHDM considers both structure and semantics, and takes the CSS information into account, so needs longer clustering time.

Cluster analysis

By observing the clustering results, we find that phishing webpages mostly target at the mailboxes of some famous websites. The title information of the phishing webpages is extracted and listed in Table 7 together with the imitation targets.

It can be seen that the title of the phishing webpage basically corresponds to the target brand, which is easy to be confused in visual effect. It is worth noting that the same target brand often has many corresponding phishing webpages, but these phishing webpages are different in structure and created by different toolkits, so they belong to different clusters.

Parameter setting

Table 8 shows the detection effect of webpage fingerprints with different lengths.

It can be observed from Table 8 that when the length of the fingerprint is increased to a certain extent, the effect becomes not very significant, but on the contrary, it will increase the comparison time. When l = 35, the result of is better than other values, so set l = 35. Notice that FG is basically a data compression algorithm, when the original data is long enough, the compressed result will be valid. In general, the DOM tree of a webpage is composed of a large number of tag sequences, which is enough to generate a 35-byte fingerprint.

Table 9 shows the influence of the fingerprint difference threshold φ on the detection result. This parameter is the classification condition of the unknown webpage. It can be seen from Table 9 that FPR increases with the increase of the threshold. Therefore, considering TPR and FPR, set φ = 0.2.

Detection effect

When detecting the webpage to be tested, Table 10 shows the effect of combining SPHDM with different compression methods.

Observing Table 10, it can be seen that in the prediction phase, directly using the features of the modelling phase, the detection effect is the best. SPHDM+FG adopts FG to collect fingerprints and compare fingerprints during prediction. Although the effect is slightly reduced, but the gap is very small. The problem of using LZ78 after clustering is that the information in front of the coding table has no index for reference at first, and most of it will be 0, which causes the number of identical elements to be increased when comparing fingerprints, which affects the similarity. Twice compression of FG weakens the influence of such situations, so the result is slightly better. TPR of Simhash is quite ideal because it uses the MD5 algorithm to hash webpages, which can achieve a high degree of similarity for similar webpages. But at the same time, Simhash is very sensitive to differences in webpages, and can distinguish slightly different hash values, so fuzzy comparison cannot be achieved well. Huffman only considers the feature frequency, so the discrimination effect is poor.

Detection efficiency

FG is proposed to improve the prediction efficiency. Figure 12 shows the average webpage classification time under different methods, which refers to the average time, including fingerprint generation time.

It can be seen from Fig. 12 that Simhash takes the longest time and FG takes the shortest time, that is, the efficiency is the highest. This is because fingerprint generation process of Simhash is more complicated. It needs to perform pre-processing operations such as word segmentation on the tag sequence, and then perform operations such as hash calculation, feature weighting, accumulation and merging, and fingerprint dimensionality reduction. On the other hand, FG can accelerate the comparison process due to the simple calculation but fixed-length fingerprint.

Notice the SPHDM only needs to cluster once to capture the basic structure information and represent a phishing family. The newly generated phishing webpages still have high structural similarity with some existing phishing webpages over a period of time if they belong to the same family. But for the classification methods, because feature evolution may make feature learning invalid, adjustments for classification model are required, which increases the time required for training and the difficulty of deployment, so SPHDM could be more efficient from this perspective.

Through the above two sets of experiments, it can be seen that from the perspective of homology, SPHDM is feasible to extract the structural features of webpages for family tracing, and FG can effectively improve the detection efficiency.