Name
Abstract | ||
|---|---|---|
Online scan engines such as VirusTotal are heavily used by researchers to label malicious URLs and files. Unfortunately, it is not well understood how the labels are generated and how reliable the scanning results are. In this paper, we focus on VirusTotal and its 68 third-party vendors to examine their labeling process on phishing URLs. We perform a series of measurements by setting up our own phishing websites (mimicking PayPal and IRS) and submitting the URLs for scanning. By analyzing the incoming network traffic and the dynamic label changes at VirusTotal, we reveal new insights into how VirusTotal works and the quality of their labels. Among other things, we show that vendors have trouble flagging all phishing sites, and even the best vendors missed 30% of our phishing sites. In addition, the scanning results are not immediately updated to VirusTotal after the scanning, and there are inconsistent results between VirusTotal scan and some vendors' own scanners. Our results reveal the need for developing more rigorous methodologies to assess and make use of the labels obtained from VirusTotal.
|
Year | DOI | Venue |
|---|---|---|
2019 | 10.1145/3355369.3355585 | Proceedings of the Internet Measurement Conference |
Field | DocType | ISBN |
World Wide Web,Phishing,Computer science,Computer network | Conference | 978-1-4503-6948-0 |
Citations | PageRank | References |
5 | 0.42 | 0 |
Authors | ||
4 | ||
Name | Order | Citations | PageRank |
|---|---|---|---|
| Peng Peng | 1 | 17 | 4.78 |
| Limin Yang | 2 | 8 | 1.82 |
| Linhai Song | 3 | 300 | 13.98 |
| Gang Wang | 4 | 18 | 6.03 |