Conceptual Model of the Social Engineering Attack Cycle: Modern Approaches and Software Prototype Architecture
Abstract
Social engineering attacks are one of the key problems of our time. Every year, their number and efficiency continue to grow. This paper provides an overview of existing studies devoted to the problem of protecting users from social engineering attacks. On the basis of the review, a conceptual model of the social engineering attack cycle and the architecture of a prototype software are proposed, the advantage of which over existing analogues is the account of the malefactor’s profile and a set of existing attack tools. The practical significance lies in creating a basis for developing a software solution for simulating the social engineering attacks and subsequent identification the most vulnerable employees of an organization to social engineering attacks, taking into account information about a potential target of an attack.
References
Federal Bureau of Investigation “IC3 Logs 6 Million Complaints. Record Increase in Reporting Brings IC3 to New Milestone,” in fbi.gov, [News], 14 May 2021. [Online]. Available: https://www.fbi.gov/news/stories/ic3-logs-6-million-complaints-051721
D. Snyman and H. Kruger, “External Contextual Factors in Information Security Behaviour,” in Proc. of the 6th Int. Conf. on Information Systems Security and Privacy — ICISSP, Valletta, Malta, 2020, 2020, pp. 185–194; doi: 10.5220/0009142201850194
Z. Wang, L. Sun, and H. Zhu, “Defining social engineering in cybersecurity,” IEEE Access, vol. 8, pp. 85094– 85115, 2002; doi: 10.1109/ACCESS.2020.2992807
F. Salahdine, N. Kaabouch, “Social engineering attacks: A survey,” Future Internet, vol. 11, no. 4, pp. 89, 2019; doi: 10.3390/fi11040089
M. V. Abramov, T. V. Tulupyeva, A. L. Tulupyev, Sotsioinzhenernye ataki: sotsial’nye seti i otsenki zashchishchennosti pol’zovatelei [Social engineering attacks: social networks and user security assessments], St. Petersburg: GUAP, 2018 (in Russian).
The National Cyber Security Centre, “Weekly Threat Report 30th July 2021,” in ncsc.gov.uk, [Report], 30 Jul. 2021. [Online]. Available:https://www.ncsc.gov.uk/report/weekly-threat-report-30th-july-2021
K. Zheng, T. Wu, X. Wang, B. Wu, and C. Wu, “A Session and Dialogue-Based Social Engineering Framework,” IEEE Access, vol. 7, pp. 67781–67794, 2019; doi: 10.1109/ACCESS.2019.2919150
F. Mouton, L. Leenen, and H. S. Venter, “Social engineering attack examples, templates and scenarios,” Computers & Security, vol. 59, pp. 186–209, 2016; doi: 10.1016/j.cose.2016.03.004
M. Hijji and G. Alam, “A Multivocal Literature Review on Growing Social Engineering Based Cyber-Attacks/Threats During the COVID-19 Pandemic: Challenges and Prospective Solutions,” IEEE Access, vol. 9, pp. 7152–7169, 2021; doi: 10.1109/ACCESS.2020.3048839
A. Gryszczynska, “The impact of the COVID-19 pandemic on cybercrime” Bulletin of the Polish Academy of Sciences. Technical Sciences, vol. 69, no. 4, p. e137933, 2021; doi: 10.24425/bpasts.2021.137933
R. Naidoo, “A multi-level influence model of COVID-19 themed cybercrime,” European Journal of Information Systems, vol. 29, no. 3, pp. 306–321, 2020; doi: 10.1080/0960085X.2020.1771222
Z. Wang, H. Zhu, P. Liu, and L. Sun, “Social engineering in cybersecurity: a domain ontology and knowledge graph application examples,” Cybersecurity, vol. 4, no. 1, 2021; doi: 10.1186/s42400-021-00094-6
J.-W. Bullee and M. Junger, “How effective are social engineering interventions? A meta-analysis,” Information & Computer Security, vol. 28, no. 5, pp. 801–830, 2020; doi: 10.1108/ICS-07-2019-0078
K. F. Steinmetz, A. Pimentel, and W. R. Goe, “Performing social engineering: A qualitative study of information security deceptions,” Computers in Human Behavior, vol. 124, p. 106930, 2021; doi: 10.1016/j.chb.2021.106930
Z. Wang, H. Zhu, and L. Sun, “Social Engineering in Cybersecurity: Effect Mechanisms, Human Vulnerabilities and Attack Methods,” IEEE Access, vol. 9, pp. 11895–11910, 2021; doi: 10.1109/ACCESS.2021.3051633
K. D. Mitnick and W. L. Simon, The art of deception: Controlling the human element of security, Indianapolis, IN, USA: John Wiley & Sons, 2003.
A. Yasin, R. Fatima, L. Liu, J. Wang, R. Ali, and Z. Wei, “Understanding and deciphering of social engineering attack scenarios,” Security and Privacy, vol. 4, no. 4, pp. e161, 2021; doi: 10.1002/spy2.161
H. Aldawood and G. Skinner, “An academic review of current industrial and commercial cyber security social engineering solutions,” in Proc. of the 3rd International Conference on Cryptography, Security and Privacy — ICCSP’19, 2019. pp. 110–115; doi: 10.1145/3309074.3309083
M. Lansley, F. Mouton, S. Kapetanakis, and N. Polatidis, “SEADer++: social engineering attack detection in online environments using machine learning,” Journal of Information and Telecommunication, vol. 4, no. 3, pp. 346–362, 2020; doi: 10.1080/24751839.2020.1747001
N. Tsinganos, G. Sakellariou, P. Fouliras, and I. Mavridis, “Towards an Automated Recognition System for Chatbased Social Engineering Attacks in Enterprise Environments,” in Proc. of the 13th International Conference on Availability, Reliability and Security, Aug. 2018, 2018, pp. 1–10; doi: 10.1145/3230833.3233277
S. Barth, M. D. T. de Jong, M. Junger, P. H. Hartel, and J. C. Roppelt, “Putting the privacy paradox to the test: Online privacy and security behaviors among users with technical knowledge, privacy awareness, and financial
resources,” Telematics and Informatics, vol. 41, pp. 55–69, 2019; doi: 10.1016/j.tele.2019.03.003
S. Barth, M. D. T. de Jong, M. Junger, P. H. Hartel, and J. C. Roppelt, “Putting the privacy paradox to the test: Online privacy and security behaviors among users with technical knowledge, privacy awareness, and financial resources,” Telematics and Informatics, vol. 41, pp. 55–69, 2019; doi: 10.3390/electronics9091382
Z. Ye, Y. Guo, A. Ju, F. Wei, R. Zhang, and J. Ma, “A Risk Analysis Framework for Social Engineering Attack Based on User Profiling,” Journal of Organizational and End User Computing, vol. 32, no. 3, pp. 37–49, 2020; doi: 10.4018/JOEUC.2020070104
A. A. Moustafa, A. Bello, and A. Maurushat, “The Role of User Behaviour in Improving Cyber Security Management,” Frontiers in Psychology, vol. 12, article 561011, 2021; doi: 10.3389/fpsyg.2021.561011
S. M. Albladi and G. R. S. Weir, “User characteristics that influence judgment of social engineering attacks in social networks,” Human-centric Computing and Information Sciences, vol. 8, no. 1, pp. 1–24, 2018; doi: 10.1186/s13673-018-0128-7
M. Edwards, R. Larson, B. Green, A. Rashid, and A. Baron, “Panning for gold: Automatically analysing online social engineering attack surfaces,” Computers & Security, vol. 69, pp. 18–34, 2017; doi: 10.1016/j.cose.2016.12.013
A. Toropova and T. Tulupyeva, “Comparison of Behavior Rate Models Based on Bayesian Belief Network,” in Recent Research in Control Engineering and Decision Making. ICIT 2020. Studies in Systems, Decision and Control, vol. 337, pp. 510–521, 2020; doi: 10.1007/978-3-030-65283-8_42
J. Wang, X. Wang, H. Zhang, B. Fang, Y. Yang, and J. Liu, “Information Classification and Extraction on Official Web Pages of Organizations,” Computers, Materials & Continua, vol. 64, no. 3, pp. 2057–2073, 2020; doi: 10.32604/cmc.2020.011158
I. Nurgaliev, Q. Qu, S. M. H. Bamakan, and M. Muzammal, “Matching user identities across social networks with limited profile data,” Frontiers of Computer Science, vol. 14, no. 6, pp. 1–14, 2020; doi: 10.1007/s11704-019-8235-9
D. K. Srivastava and B. Roychoudhury, “Words are important: A textual content based identity resolution scheme across multiple online social networks,” Knowledge-Based Systems, vol. 195, p. 105624, 2020; doi:
1016/j.knosys.2020.105624
L. Wang, K. Hu, Y. Zhang, and S. Cao, “Factor Graph Model Based User Profile Matching Across Social Networks,” IEEE Access, vol. 7, pp. 152429–152442, 2019; doi: 10.1109/ACCESS.2019.2948073
Y. Li, Z. Zhang, Y. Peng, H. Yin, and Q. Xu, “Matching user accounts based on user generated content across social networks,” Future Generation Computer Systems, vol. 83, pp. 104–115, 2018; doi: 10.1016/j.future.2018.01.041
V. D. Oliseenko and T. V. Tulupyeva, “Neural Network Approach in the Task of Multi-label Classification of User Posts in Online Social Networks,” in Proc. of XXIV Int. Conf. on Soft Computing and Measurements (SCM), May 2021, 2021, pp. 46–48; doi: 10.1109/SCM52931.2021.9507148
V. Oliseenko and A. Korepanova, “How old users are? Community analysis,” in CEUR Workshop Proc. RWTH Aahen University, vol. 2782, 2020, pp. 246–251.
This work is licensed under a Creative Commons Attribution 4.0 International License.