RAIDER: Reinforcement-aided Spear Phishing Detector

Evans, Keelan; Abuadbba, Alsharif; Wu, Tingmin; Moore, Kristen; Ahmed, Mohiuddin; Pogrebna, Ganna; Nepal, Surya; Johnstone, Mike

doi:10.48550/arxiv.2105.07582

Cited by 2 publications

(2 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Non-technical anti-phishing solutions include security training and education programs, while technical solutions include blacklisting, whitelisting, and feature-based detection. To handling zero-day phishing attacks, (deep) RL has been used both to detect phishing emails [97], phishing websites [98], spear phishing [99], and social bots [100] in Online Social Networks (OSN).…”

Section: Human-related Vulnerabilitymentioning

confidence: 99%

Reinforcement Learning for Feedback-Enabled Cyber Resilience

Huang¹,

Huang²,

Zhu³

2021

Preprint

View full text Add to dashboard Cite

The rapid growth in the number of devices and their connectivity has enlarged the attack surface and made cyber systems more vulnerable. As attackers become increasingly sophisticated and resourceful, mere reliance on traditional cyber protection, such as intrusion detection, firewalls, and encryption, is insufficient to secure the cyber systems. Cyber resilience provides a new security paradigm that complements inadequate protection with resilience mechanisms. A Cyber-Resilient Mechanism (CRM) adapts to the known or zero-day threats and uncertainties in real-time and strategically responds to them to maintain the critical functions of the cyber systems in the event of successful attacks. Feedback architectures play a pivotal role in enabling the online sensing, reasoning, and actuation process of the CRM. Reinforcement Learning (RL) is an important class of algorithms that epitomize the feedback architectures for cyber resiliency. It allows the CRM to provide dynamic and sequential responses to attacks with limited or without prior knowledge of the environment and the attacker. In this work, we review the literature on RL for cyber resiliency and discuss the cyber-resilient defenses against three major types of vulnerabilities, i.e., posture-related, information-related, and human-related vulnerabilities. We introduce moving target defense, defensive cyber deception, and assistive human security technologies as three application domains of CRMs to elaborate on their designs. The RL algorithms also have vulnerabilities themselves. We explain the major vulnerabilities of RL and present works that develop several attack models, in which the attacks target the rewards, the state observations, and the action commands. We show that the attacker can trick the RL agent into learning a nefarious policy with minimum attacking effort. We discuss the potential defense methods to secure them and find that there is a lack of works focusing on the defensive mechanisms for RL-enabled systems. Finally, we discuss the future challenges of RL for cyber security and resiliency and emerging applications of RL-based CRMs.

show abstract

Section: Human-related Vulnerabilitymentioning

confidence: 99%

Reinforcement Learning for Feedback-Enabled Cyber Resilience

Huang¹,

Huang²,

Zhu³

2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Thus, machine learning solutions were developed to target certain forms of email phishing or specific aspects of the email phishing flow. Some examples of existing machine learning methods include natural language processing on the text within an email [8][9][10][11], URL analysis [12], HTML [13,14], and visual analysis [15] of web pages which could be linked via email.…”

Section: Introductionmentioning

confidence: 99%

Profiler: Profile-Based Model to Detect Phishing Emails

Shmalko¹,

Abuadbba²,

Gaire³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

Due to the popularity of email as a form of communication, email phishing has become more prevalent and grows more sophisticated over time. To combat this rise, many machine learning algorithms for detecting phishing emails have been developed and deployed in the real world. However, due to the limited email data sets on which these algorithms train, they are not adept at recognising varied attacks and, thus, suffer from concept drift; attackers can introduce small changes in the statistical characteristics of their emails or websites to successfully bypass detection. Over time, a gap develops between the reported accuracy from literature and the algorithm's actual effectiveness in the real world [1]. This realises itself in frequent false positive and false negative classifications.To this end, we propose a multidimensional risk assessment of emails to reduce the feasibility of an attacker adapting their email and avoiding detection. This horizontal approach to email phishing detection profiles an incoming email on its main features. We develop a risk assessment framework that includes three models which analyse an email's (1) threat level, (2) cognitive manipulation, and (3) email type, which we combine to return the final risk assessment score. The Profiler does not require large data sets to train on to be effective and its analysis of varied email features reduces the impact of concept drift. The Profiler's output can be used as a detection system to flag emails that are assessed as high risk at an early stage. Our Profiler can also be used in conjunction with machine learning approaches, to reduce their misclassifications or as a labeller for large email data sets in the training stage.We evaluate the efficacy of the Profiler against a machine learning ensemble using state-of-the-art machine learning algorithms on a data set of 9000 legitimate and 900 phishing emails from a large Australian research organisation. Our results indicate that the Profiler's horizontal approach delivers 30% less false positive and 25% less false negative email classifications over the machine learning ensemble's approach. We show that the Profiler mitigates the impact of concept drift by applying it to a new form of phishing. To do this, we use a selected data set of 3300 file sharing phishing emails which we run against our machine learning ensemble baseline and the Profiler. We also discuss the implications of our results for future email phishing detection.

show abstract

RAIDER: Reinforcement-aided Spear Phishing Detector

Cited by 2 publications

References 19 publications

Reinforcement Learning for Feedback-Enabled Cyber Resilience

Reinforcement Learning for Feedback-Enabled Cyber Resilience

Profiler: Profile-Based Model to Detect Phishing Emails

Contact Info

Product

Resources

About