On the Feasibility of Automated Semantic Attacks in the Cloud

Heartfield, Ryan; Loukas, George

doi:10.1007/978-1-4471-4594-3_35

Cited by 4 publications

(4 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…On any system, the user interface is always vulnerable to abuse by authorised users, with or without their knowledge. Traditional deception-based attacks, such as phishing emails, spoofed websites and drive-by downloads, have shifted to new and emerging platforms in social media [2], cloud applications [3] and near field communications [4]. Efforts towards technical defence against semantic attacks have lead to the development of solutions that are typically specific in design.…”

Section: Introductionmentioning

confidence: 99%

You Are Probably Not the Weakest Link: Towards Practical Prediction of Susceptibility to Semantic Social Engineering Attacks

2016

Self Cite

View full text Add to dashboard Cite

Semantic social engineering attacks are a pervasive threat to computer and communication systems. By employing deception rather than by exploiting technical vulnerabilities, spear-phishing, obfuscated URLs, drive-by downloads, spoofed websites, scareware, and other attacks are able to circumvent traditional technical security controls and target the user directly. Our aim is to explore the feasibility of predicting user susceptibility to deception-based attacks through attributes that can be measured, preferably in real-time and in an automated manner. Toward this goal, we have conducted two experiments, the first on 4333 users recruited on the Internet, allowing us to identify useful high-level features through association rule mining, and the second on a smaller group of 315 users, allowing us to study these features in more detail. In both experiments, participants were presented with attack and non-attack exhibits and were tested in terms of their ability to distinguish between the two. Using the data collected, we have determined practical predictors of users' susceptibility against semantic attacks to produce and evaluate a logistic regression and a random forest prediction model, with the accuracy rates of .68 and .71, respectively. We have observed that security training makes a noticeable difference in a user's ability to detect deception attempts, with one of the most important features being the time since last self-study, while formal security education through lectures appears to be much less useful as a predictor. Other important features were computer literacy, familiarity, and frequency of access to a specific platform. Depending on an organisation's preferences, the models learned can be configured to minimise false positives or false negatives or maximise accuracy, based on a probability threshold. For both models, a threshold choice of 0.55 would keep both false positives and false negatives below 0.2.INDEX TERMS Security, cyber crime, social engineering, semantic attacks. 6910 2169-3536

show abstract

Section: Introductionmentioning

confidence: 99%

You Are Probably Not the Weakest Link: Towards Practical Prediction of Susceptibility to Semantic Social Engineering Attacks

2016

Self Cite

View full text Add to dashboard Cite

show abstract

“…The next stage in this work will involve the development of a technical system that can operate in both a corporate environment and external independent platform. Future research in this field can also investigate the feasibility of using human sensors for deception-based attacks in different environments, such as in the context of cloud computing (R. Heartfield and G. Loukas, 2013), the Internet of Things and cyber-physical systems (G. Loukas, 2015).…”

Section: Resultsmentioning

confidence: 99%

Predicting the performance of users as human sensors of security threats in social media

Heartfield¹,

Loukas²

2016

IJCSA

Self Cite

View full text Add to dashboard Cite

While the human as a sensor concept has been utilised extensively for the detection of threats to safety and security in physical space, especially in emergency response and crime reporting, the concept is largely unexplored in the area of cyber security. Here, we evaluate the potential of utilising users as human sensors for the detection of cyber threats, specifically on social media. For this, we have conducted an online test and accompanying questionnairebased survey, which was taken by 4,457 users. The test included eight realistic social media scenarios (four attack and four non-attack) in the form of screenshots, which the participants were asked to categorise as "likely attack" or "likely not attack". We present the overall performance of human sensors in our experiment for each exhibit, and also apply logistic regression and Random Forest classifiers to evaluate the feasibility of predicting that performance based on different characteristics of the participants. Such prediction would be useful where accuracy of human sensors in detecting and reporting social media security threats is important. We identify features that are good predictors of a human sensor's performance and evaluate them in both a theoretical ideal case and two more realistic cases, the latter corresponding to limited access to a user's characteristics Keyword: -Social media, computer security, semantic attacks, phishing, social engineering, human as a sensor.

show abstract

“…For example, a malicious URL may be presented via an email system on the Internet [Drake et al 2004] or an instant messaging program [Leavitt 2005;Lauinger et al 2010]. Malicious files can be served via synchronised cloud storage [Heartfield and Loukas 2013], malvertisements embedded in compromised web pages [Li et al 2012], automated bots in social network sites [Boshmaf et al 2011;Coburn and Marra 2008] or a stolen online gaming avatar used to gather information on a computer gaming system [Podhradsky et al 2013].…”

Section: Md1-lmentioning

confidence: 99%

“…For example, ".exe" is a well known executable extension and thus threat to the user's system if the file is malicious. However, the same caution is not exercised for other executable types, such as ".bat", ".ini", ".lnk", or ".scr" [Heartfield and Loukas 2013]. Moreoever, in Microsoft Windows, the file type and appropriate icon to be displayed are determined by extension.…”

Section: Dv: Deception Vectormentioning

confidence: 99%

A Taxonomy of Attacks and a Survey of Defence Mechanisms for Semantic Social Engineering Attacks

2015

Self Cite

View full text Add to dashboard Cite

Social engineering is used as an umbrella term for a broad spectrum of computer exploitations that employ a variety of attack vectors and strategies to psychologically manipulate a user. Semantic attacks are the specific type of social engineering attacks that bypass technical defences by actively manipulating object characteristics, such as platform or system applications, to deceive rather than directly attack the user. Commonly observed examples include obfuscated URLs, phishing emails, drive-by downloads, spoofed websites and scareware to name a few. This paper presents a taxonomy of semantic attacks, as well as a survey of applicable defences. By contrasting the threat landscape and the associated mitigation techniques in a single comparative matrix, we identify the areas where further research can be particularly beneficial.

show abstract

On the Feasibility of Automated Semantic Attacks in the Cloud

Cited by 4 publications

References 4 publications

You Are Probably Not the Weakest Link: Towards Practical Prediction of Susceptibility to Semantic Social Engineering Attacks

You Are Probably Not the Weakest Link: Towards Practical Prediction of Susceptibility to Semantic Social Engineering Attacks

Predicting the performance of users as human sensors of security threats in social media

A Taxonomy of Attacks and a Survey of Defence Mechanisms for Semantic Social Engineering Attacks

Contact Info

Product

Resources

About