Detecting semantic social engineering attacks with the weakest link: Implementation and empirical evaluation of a human-as-a-security-sensor framework

Abstract: The notion that the human user is the weakest link in information security has been strongly, and, we argue, rightly contested in recent years. Here, we take a step further, showing that the human user can in fact be the strongest link for detecting attacks that involve deception, such as application masquerading, spearphishing, WiFi evil twin and other types of semantic social engineering. To this end, we have developed a human-as-a-security-sensor framework and a practical implementation in the form of Cogni-Sense, a Microsoft Windows prototype application designed to allow and encourage users to actively detect and report semantic social engineering attacks against them. Experimental evaluation with 26 users of different profiles running Cogni-Sense on their personal computers for a period of 45 days has shown that human sensors can consistently outperform technical security systems. Using a machine learning-based approach, we also show that the reliability of each report, and consequently the performance of each human sensor, can be predicted in a meaningful and practical manner. In an organisation that employs a human-as-a-security-sensor implementation such as Cogni-Sense, an attack is considered to have been detected if at least one user has reported it. In our evaluation, a small organisation consisting only of the 26 participants of the experiment would have exhibited a missed detection rate below 10%, down from 81% if only technical security systems had been used. The results strongly point towards the need to actively involve the user not only in prevention, through cyber hygiene and user-centric security design, but also in active cyber threat detection and reporting.
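As an added illustration (not code or data from the paper), the organisational detection rule stated in the abstract, computed over a constructed set of attacks and user reports; the predicted-reliability scores, user names and acceptance threshold are hypothetical:

```python
"""Organisation-level detection under the human-as-a-security-sensor rule.

Added example, not the paper's code or data. An attack counts as detected by
the organisation if the technical controls flagged it or at least one user
report about it is accepted; a report is accepted when its predicted
reliability (a hypothetical score in 0..1) meets a threshold.
"""
from dataclasses import dataclass, field


@dataclass
class Attack:
    name: str                    # constructed label for the incident
    technical_detected: bool     # did technical security systems flag it?
    reports: dict = field(default_factory=dict)  # user -> predicted reliability


# Constructed sample: five attacks against an organisation of four users.
ATTACKS = [
    Attack("spearphishing-1", False, {"alice": 0.9, "bob": 0.4}),
    Attack("evil-twin-1", False, {"carol": 0.8}),
    Attack("app-masquerade-1", True, {}),
    Attack("spearphishing-2", False, {"bob": 0.3}),
    Attack("evil-twin-2", False, {"dave": 0.7, "alice": 0.6}),
]


def detected_by_humans(attack, min_reliability=0.5):
    """At least one user report whose predicted reliability passes the threshold."""
    return any(score >= min_reliability for score in attack.reports.values())


def missed_rate(attacks, use_humans, min_reliability=0.5):
    """Fraction of attacks caught neither by technical systems nor (optionally) by users."""
    missed = 0
    for a in attacks:
        caught = a.technical_detected or (use_humans and detected_by_humans(a, min_reliability))
        missed += not caught
    return missed / len(attacks)


def sensor_performance(attacks, min_reliability=0.5):
    """Per-user share of attacks for which that user filed an accepted report."""
    users = {u for a in attacks for u in a.reports}
    return {u: sum(a.reports.get(u, 0.0) >= min_reliability for a in attacks) / len(attacks)
            for u in users}


if __name__ == "__main__":
    print("technical only :", missed_rate(ATTACKS, use_humans=False))
    print("with human sensors:", missed_rate(ATTACKS, use_humans=True))
    print("per-user performance:", sensor_performance(ATTACKS))
```

Raising `min_reliability` trades missed detections for fewer low-quality reports to triage, which is the knob the report-reliability prediction is meant to set.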
