Detecting DNS-poisoning-based phishing attacks from their network performance characteristics

Most of the existing phishing detection techniques are weak against domain name system (DNS)-poisoning-based phishing attacks. Proposed is a highly effective method for detecting such attacks: the network performance characteristics of websites are used for classification. To demonstrate how useful the approach is, the performance of four classification algorithms are explored: linear discriminant analysis, naïve Bayesian, K-nearest neighbour, and support vector machine. Over 10 000 real-world items of routing information have been observed during a one-week period. The experimental results show that the best-performing classification method - which uses the K-nearest neighbour algorithm - is capable of achieving a true positive rate of 99.4% and a false positive rate of 0.7%.