隨著時代的演進，網路釣魚的技術也與日俱新。礙於靜態黑名單的更新機制與比對方法，只使用靜態的黑名單來偵測網路釣魚，不但無法及時保護網路使用者，許多新興的網路釣魚手法，也無法使用一般靜態的黑名單進行偵測。因此我們須要更快、更有效率的方法來更新黑名單，以偵測變型的網路釣魚手法，並提供網路使用者更有效、更即時的保護。
Prakash et al (2010) 提出了 PhishNet 系統，透過事先對已知的 Phishing URL 集合進行叢集分析，提出五種 Heuristic 方法對 Phishing URL 進行 TLD、Hostname、Target Page、Query String 與 Brand Name 的替換，用以找出更多未知的 Phishing URL，並更新黑名單以提升保護範圍。本研究根據該論文實作 PhishNet的五種 Heuristic 元件，並提出兩種以 Phishing 行為為基礎的新元件，組成本論文提出的 PhishTrack 系統。
雖然網路釣魚技術在 1987 年已經問世，並於 1996 年開始被重視並使用 Phishing 一詞代表此類攻擊，但其本質是欺騙使用者個資的特徵並沒有改變。本研究觀察大量從 PhishTank 黑名單而來的 Phishing URL，發現將近 46% 的 Phishing具有網址重定向的行為，而在變更路徑中所觀察到的其他 URL，有很高的比率是屬於 Phishing 的行為，藉以躲避黑名單的比對機制。此外， Phishing 存在的最終目的就是要詐欺使用者的個資，因此頁面上一定會有表格提供使用者提交個人資料，根據前期的分析，這些表格提交後有很高的比率會將使用者帶到另一個 Phishing 頁面藉以提供更詳細的使用者資料。
透過上述觀察到的 Phishing 行為，我們提供有別於 PhishNet 的另外兩個動態元件J1~J2。根據實驗的結果，我們觀察到此兩個動態元件除了省掉了前期叢集分析所需的時間成本外，在偵測未知 Phishing URL 的效能也優於 PhishTank 提出的H1~H5。

With time moving on, the technologies used in Phishing area is evolved as well. Owing to the updating mechanism and matching process used in static blacklist, it is hard to protect network users in time with only static blacklist approach. Many rising Phishing use toolkit to change the appearance of URLs to escape the detection from static blacklist with exactly matching. So we need more quickly and efficient ways to update the blacklist to adapt the evolution of Phishing and provide network users more powerful and prompt protection.
Pawan Prakash et al. (2010) propose a PhishNet system. It does cluster training on known Phishing URL set in advance and propose five Heuristic approaches to replace TLD, Hostname, Target Page, Query String and Brand Name of Phishing URLs to discover more unknown Phishing URLs. Therefore the blacklist can be updated and enlarge the protection scope. In our research, we implement the five Heuristic approaches proposed in PhishNet as five components in our system, and proposed two more components originated in the observation of Phishing behaviors to form PhishTrack system proposed in this thesis.
Phishing history started in early 1987 and the word "Phishing" is used in 1996 to address the focus on Phishing attacks, but the behavior and the nature of luring network users for their privacy information are not changed. From our research, we observe large quantity of Phishing URLs from blacklist of PhishTank and find out that 46% of them have URL redirection. From one point of view, that avoids the detection the Phishing''s behavior from blacklist. From another point of view, the ultimate goal of Phishing is to cheat the personal information of network users. Therefore, it must provide a form to users for them to fill in and submit information. According to our analysis, the submission will bring users to another page which requires more detail information to fill in.
From the above discussion, we develop another two dynamic components J1-J2. Based on our experiments, J1-J2 can save the time required in H1-H5 for early stage on Cluster training. In addition，J1-J2 perform well on discovering more unknown Phishing URLs than H1-H5。

摘要 i
Abstract ii
誌謝 iv
目錄 v
第一章 緒論 1
1.1 研究背景 1
1.2 研究動機與目的 2
1.3 論文架構 2
第二章 相關研究 4
2.1 偵測類型 4
2.2 系統類型 5
第三章 資料集的來源與格式 8
3.1 PhishTank 投票機制 8
3.2 PhishTank 黑名單分析 11
第四章 PhishNet 實作 14
4.1 H1 之 TLD 替換 14
4.2 H2 之 Hostname 替換 16
4.3 H3 之 路徑叢集 (一) 19
4.4 H4 之 路徑叢集 (二) 22
第五章 系統架構與動態特徵分析 28
5.1 Phishing Page 分類器 28
5.2 J1 之 Redirection Tracking 32
5.3 J2 之 Form Tracking 35
5.4 實驗系統架構與設計 37
第六章　實驗與效能評估 40
6.1 系統效能 40
6.2 元件效能 43
第七章　結論及未來研究方向 52
7.1 結論 52
7.2 未來研究方向 52
參考文獻 56

Anti-Phishing Work Group, available online at www.antiphishing.org/
Saeed Abu-Nimeh 1, Dario Nappa, Xinlei Wang, and Suku Nair “A Comparison of Machine Learning Techniques for Phishing Detection” , eCrime ''07, pages 1-10.
R. Dhamija, J. D. Tygar. and M. Hearst. (2005). “Why Phishing Works”, CHI Proceedings of the SIGCHI conference on Human Factors in computing systems, pages 581-590
R. E. Fan, K. W. Chang, C. J. Hsieh, X. R. Wang and C. J. Lin. LIBLINEAR: A Library for Large Linear Classi&;#64257;cation. http://www.csie.ntu.edu.tw/ cjlin/liblinear
Mark Felegyhazi, Christian Kreibich,Vern Paxson “On the Potential of Proactive Domain Blacklisting” , LEET''10 Proceedings of the 3rd USENIX conference on Large-scale exploits and emergent threats, pages 1-8.
Lung-Hao Lee, Yen-Cheng Juan, Kuei-Ching Lee, Wei-Lin Tseng, Hsin-Hsi Chen and Yuen-Hsien Tseng “Context-Aware Web Security Threat Prevention” , CCS ''12, pages 1-3.
Justin Ma, Lawrence K. Saul, Stefan Savage and Geoffrey M. Voelker “Beyond Blacklists: Learning to Detect Malicious Web Sites from Suspicious URLs” , KDD’09, pages 1-9.
Pawan Prakash, Manish Kumar, Ramana Rao Kompella and Minaxi Gupta. “PhishNet: Predictive Blacklisting to Detect Phishing Attacks”, Mini-Conference at IEEE INFOCOM 2010
PhishTank, available online at http://www.phishtank.com/, pages 1-5.
Fergus Toolan and Joe Carthy. “Feature Selection for Spam and Phishing Detection”, eCrime Researchers Summit (eCrime), 2010, pages 1-12.