3 research outputs found
RAIDER: Reinforcement-aided Spear Phishing Detector
Spear phishing is a harmful cyber-attack facing businesses and individuals worldwide. Considerable research has recently been conducted into the use of Machine Learning (ML) techniques to detect spear-phishing emails. ML-based solutions may suffer from zero-day attacks: unseen attacks that are unaccounted for in the training data. As new attacks emerge, classifiers trained on older data are unable to detect these new varieties of attack, resulting in increasingly inaccurate predictions. Spear-phishing detection also faces scalability challenges, because the number of required features grows in proportion to the number of senders in a receiver's mailbox. This differs from traditional phishing detection, which typically performs only a binary classification between phishing and benign emails. We therefore devise a possible solution to these problems, named RAIDER: Reinforcement AIded Spear Phishing DEtectoR, a reinforcement-learning-based feature evaluation system that can automatically find the optimum features for detecting different types of attack. By leveraging a reward and penalty system, RAIDER allows for autonomous feature selection. RAIDER also keeps the number of features to a minimum by selecting only the significant features needed to represent phishing emails and detect spear-phishing attacks. After extensive evaluation of RAIDER over 11,000 emails and across 3 attack scenarios, our results suggest that using reinforcement learning to automatically identify the significant features could reduce the dimensionality of the required features by 55% in comparison to existing ML-based systems. It also improves the accuracy of detecting spoofing attacks by 4%, from 90% to 94%. In addition, RAIDER demonstrates reasonable detection accuracy even against a sophisticated attack named Known Sender, in which spear-phishing emails greatly resemble those of the impersonated sender.
"It may take ages": understanding human-centred lateral phishing attack detection in organisations
Smartphones are a central part of modern life and contain vast amounts of personal and professional data, as well as access to sensitive features such as banking and financial apps. As such, protecting our smartphones from unauthorised access is of great importance, and users prioritise this over protecting their devices against digital security threats. Previous research has explored user experiences of unauthorised access to their smartphone, though the vast majority of these cases involve an attacker who is known to the user and knows an unlock code for the device. We presented 374 participants with a scenario concerning the loss of their smartphone in a public place. Participants were allocated to one of 3 scenario groups, in each of which a different unknown individual with malicious intentions finds the device and attempts to gain access to its contents. After this exposure, we asked participants to envision a case where someone they know has a similar opportunity to attempt to gain access to their smartphone. We compare these instances with respect to differences in the motivations of the attacker, their skills and their knowledge of the user. We find that participants underestimate how commonly people who know them may be able to guess their PIN and overestimate the extent to which smartphones can be 'hacked into'. We discuss how concerns over the severity of an attack may cloud perceptions of its likelihood of success, potentially leading users to underestimate the likelihood of unauthorised access by known attackers who can use personal knowledge to guess unlock codes.
Nuevas perspectivas en el estudio de amenazas persistentes avanzadas (New perspectives on the study of advanced persistent threats)
[ES] An advanced persistent threat is a sophisticated, targeted, selective and customised attack that poses a risk to all organisations, especially those that manage confidential data or operate critical infrastructure.

In recent years, the analysis of these threats has attracted the attention of the scientific community; researchers have studied the behaviour of this threat in order to build models and tools that enable the early detection of these attacks.

The use of artificial intelligence and machine learning can help to automatically detect, alert on and predict this type of threat, and reduce the time an attacker can remain in the organisation's network.

The aim of this thesis is to develop a theoretical model that enables the early detection of advanced persistent threats, based on the attack life cycle and using machine learning methods and techniques.

The methodology followed for this work began with a literature review of the concept of the advanced persistent threat and of detection applications in the context of cybersecurity. In addition, the existing life cycles that explain the process these threats follow during their execution were analysed.

Subsequently, a model for the early detection of advanced persistent threats was developed, based on a 6-stage life cycle whose stages are divided into active, passive and recurring; in addition, machine learning techniques were used to detect malicious URLs, phishing and network anomalies.

In conclusion, advanced persistent threat attacks are difficult to detect because of the capabilities and resources available to the groups that develop them. The objective of these attacks is to remain active for as long as possible during the execution of the intrusion.

One of the problems identified during this work was that no real datasets are available that would allow machine learning algorithms to be trained efficiently, so it was necessary to create semi-real datasets from malware samples.

Finally, as future work, it is recommended that the model proposed in this work be tested in a controlled computing environment, to avoid causing harm.