Skip navigation

Utilising the concept of human-as-a-security-sensor for detecting semantic social engineering attacks

Utilising the concept of human-as-a-security-sensor for detecting semantic social engineering attacks

Heartfield, Ryan John (2017) Utilising the concept of human-as-a-security-sensor for detecting semantic social engineering attacks. PhD thesis, University of Greenwich.

[img]
Preview
PDF
Ryan John Heartfield 2017.pdf - Published Version
Available under License Creative Commons Attribution Non-commercial No Derivatives.

Download (16MB) | Preview

Abstract

Social engineering is used as an umbrella term for a broad spectrum of computer exploitations that employ a variety of attack vectors and strategies to psychologically manipulate a user. Semantic attacks are the specific type of social engineering attacks that bypass technical defences by actively manipulating object characteristics, such as platform or system applications, to deceive rather than directly attack the user. Semantic social engineering attacks are a pervasive threat to computer and communication systems. By employing deception rather than by exploiting technical vulnerabilities, spear-phishing, obfuscated URLs, drive-by downloads, spoofed websites, scareware and other attacks are able to circumvent traditional technical security controls and target the user directly. In this thesis, we begin by defining the terminology of a semantic attack, introducing a historic time-line of attack incidents over the last 17 years to illustrate what is an existential relationship with the user-computer interface and it's ever expanding landscape. We then highlight the scale of the semantic attack threat by identifying different individual attacks and discussing recent statistics. Recognising the complexity in understanding the many facets that may form an attack, as well as the depth and breadth of the threat landscape, we construct a taxonomy of semantic attacks which encapsulates attack characteristics into a fixed, parametrised classification criteria that span all stages of a semantic attack. We then supplement the taxonomy of attacks with a survey of applicable defences and contrast the threat landscape and the associated mitigation techniques in a single comparative matrix; identifying the areas where further research can be particularly beneficial. Armed with this knowledge, we then explore the feasibility of predicting user susceptibility to deception-based attacks through attributes that can be measured, ethically, preferably in real-time and in an automated manner. We conduct two experiments, the first on 4333 users recruited on the Internet, allowing us to identify useful high-level features through association rule mining, and the second on a smaller group of 315 users, allowing us to study these features in more detail. In both experiments, participants were presented with attack and non-attack exhibits and were tested in terms of their ability to distinguish between the two. Using the data collected, we determine predictors of users' susceptibility to different deception vectors. With these, we have produced and evaluated a generalised model for training a dynamic system for proactive user security. Using the model as a baseline, we propose a technical framework that aims to utilise the concept of Human-as-a-Security-Sensor as a dynamic defence mechanism against semantic attacks. To test the viability of our framework and to demonstrate the concept of the Human-as-a-Security-Sensor in an empirical context, we employ the framework to develop a prototype Human-as-a-Security-
Sensor platform called Cogni-Sense; evaluating its utility in a real-world experiment. Lastly, we conclude with a review of the problem space, summarising our novel contributions towards a dynamic, user-driven defence against semantic attacks and identify open problems in our work to discuss future plans and motivation for continuing the development of Human-as-a-Security-Sensor.

Item Type: Thesis (PhD)
Uncontrolled Keywords: Social engineering attacks; computer security; semantic attacks; Human-as-a-Security-Sensor;
Subjects: Q Science > QA Mathematics
Faculty / School / Research Centre / Research Group: Faculty of Engineering & Science > School of Computing & Mathematical Sciences (CMS)
Faculty of Engineering & Science
Last Modified: 04 Mar 2022 13:07
URI: http://gala.gre.ac.uk/id/eprint/23420

Actions (login required)

View Item View Item

Downloads

Downloads per month over past year

View more statistics