Title :
Detecting hidden propagation structure and its application to analyzing phishing
Author :
Yang Liu ; Mingyan Liu
Author_Institution :
Electr. Eng. & Comput. Sci., Univ. of Michigan, Ann Arbor, MI, USA
Abstract :
In this paper we study the problem of how to detect and extract a particular type of propagation structure that arises in phishing activities. One of the most interesting phenomena induced by phishing is fast-flux, whereby a single malicious domain is mapped to a constantly changing IP address in order to evade capture and shut-down. This leads to malicious activities observed to be propagating through different networks, even though they originate from the same phishing campaign. To be able to detect and extract such a propagation is of significant importance as it can help us understand and analyze phishing activities. To achieve this goal, we propose a multi-layered propagation model, where layers correspond to different delay stages in the propagation and each is given by an adjacency matrix called the propagation matrix which models pairwise propagation relationships. A regression problem is then formulated to estimate this set of matrices so that the model prediction best fits the data; a Gibbs sampling based randomized algorithm is developed to efficiently find solutions with guaranteed performance. We evaluate our method using both simulation and Internet measurement data.
Keywords :
Internet; computer crime; computer network security; feature extraction; randomised algorithms; regression analysis; unsolicited e-mail; Gibbs sampling; Internet measurement data; adjacency matrix; constantly changing IP address mapping; fast-flux phenomena; hidden propagation structure detection; hidden propagation structure extraction; malicious domain; model prediction; multilayered propagation model; pairwise propagation relationships; phishing activities; propagation matrix; randomized algorithm; regression problem; simulation; Aggregates; Communities; Computational modeling; Data models; Delays; IP networks; Unsolicited electronic mail; Multi-layer propagation model; measurement; network-level malicious activities; phishing; propagation detection; regression;
Conference_Title :
Data Science and Advanced Analytics (DSAA), 2014 International Conference on
DOI :
10.1109/DSAA.2014.7058071