Journal of Zhejiang University (Engineering Science)  2019, Vol. 53 Issue (5): 837-842    DOI: 10.3785/j.issn.1008-973X.2019.05.003
Computer and Control Engineering
Quantitative assessment of social engineering threat in social network
Xue-qin ZHANG (张雪芹), Li ZHANG (张立), Chun-hua GU (顾春华)
School of Information Science and Engineering, East China University of Science and Technology, Shanghai 200237, China
Abstract:

Because social engineering threats in social networks are difficult to evaluate quantitatively, an assessment method based on an attribute attack graph and a Bayesian network is proposed. Starting from the process of a social engineering attack in a social network, the semantics of the exploitable vulnerabilities and of the attack nodes are defined, and a corresponding method for calculating the exploitability probability of each vulnerability is proposed. By analysing the attack patterns of social engineering in social networks, phishing attacks and cross-site identity clone attacks are simulated, and social engineering attack graphs are constructed with the attribute attack graph generation algorithm. A Bayesian network model is then applied to quantify the social engineering threat posed by each attack path, giving the privacy threat risk value of a personal account in the social network. Experiments on the Facebook dataset verify the effectiveness of the proposed method.

Key words: threat assessment    social engineering attack    semantics of vulnerability    attack graph    Bayesian network
Received: 2018-04-10    Published: 2019-05-17
CLC: TN 929
Author biography: ZHANG Xue-qin (1972-), female, associate professor, research on information security technology. orcid.org/0000-0001-7020-1033. E-mail: zxq@ecust.edu.com
Cite this article:

Xue-qin ZHANG, Li ZHANG, Chun-hua GU. Quantitative assessment of social engineering threat in social network. Journal of Zhejiang University (Engineering Science), 2019, 53(5): 837-842.

Link to this article:

http://www.zjujournals.com/eng/CN/10.3785/j.issn.1008-973X.2019.05.003        http://www.zjujournals.com/eng/CN/Y2019/V53/I5/837

[Fig. 1  Example of an attribute attack graph (figure not reproduced)]
[Fig. 2  Schematic of a Bayesian network (figure not reproduced)]
Attack type | Target identification | Information gathering | Attack preparation | Relationship development | Relationship exploitation
--- | --- | --- | --- | --- | ---
Cross-site identity clone attack [12] | Identify the target user and the attack objective | Collect the target user's identity information on social network Net1 | Create a fake account on social network Net2 that impersonates the target user | Establish friend relationships with the target user's friends | Use the relationships to steal further private information, or to intimidate or defraud the target user, their friends and family
Social network phishing attack [14] | Identify the target user and the attack objective | Obtain the target user's public information (e-mail, phone number, family details, etc.) | Create a fake account tailored to the target user's habits or interests and send the target a friend request | Establish a friend relationship with the target user or their friends |
Table 1  Social engineering attack process
Node | Node semantics
--- | ---
C1 | Disclosure level of the target user's account attribute information
C2 | Disclosure level of the target user's friend list
C3 | Disclosure level of the target user's friends' account attribute information
C4 | Disclosure level of the target user's friends' friend lists
C5 | Vulnerability of the target user to accepting friend requests
C6 | Vulnerability of the target user's friends to accepting friend requests
C7 | Vulnerability in the interaction behaviour between the target user and their friends
Table 2  Semantics of exploitable vulnerabilities
Friend-request acceptance behaviour | Vulnerability level | Exploitability probability
--- | --- | ---
Q1: accepts none, or ignores all friend requests | 1 | 0.35
Q2: accepts friend requests only from friends of friends | 2 | 0.61
Q3: accepts friend requests from anyone | 3 | 0.71
Table 3  Exploitability probability of C5 or C6
Node | Node semantics
--- | ---
T1 | Collect the target user's account attribute information
T2 | Use the target user's friend-list information to create a fake account on another site
T3 | Collect the target user's friend-list information
T4 | Create a malicious account designed to attract the target user's interest
T5 | Collect the target user's friends' account attribute information
T6 | Add the target user as a friend
T7 | Request access to the target user's private information
T8 | Add the target user's friends as friends
T9 | Request access to the private information of the target user's friends
Table 4  Semantics of attack nodes
[Fig. 3  Social engineering attack graph (figure not reproduced)]
[Fig. 4  Topology of social network user relationships (figure not reproduced)]
User ID | Users satisfying Q1 | Users satisfying Q2 | Users satisfying Q3
--- | --- | --- | ---
1 | 15 | 3 | 8
2 | 17 | 4 | 13
3 | 15 | 23 | 4
4 | 32 | 13 | 7
5 | 10 | 6 | 25
6 | 17 | 8 | 23
7 | 5 | 4 | 11
8 | 17 | 6 | 2
9 | 23 | 6 | 29
10 | 16 | 15 | 26
Total | 167 | 88 | 148
Table 5  Phishing attack feedback
User ID | PC1 | PC2 | PC3 | PC5 | PC6 | PC7 | R4
--- | --- | --- | --- | --- | --- | --- | ---
1 | 0.75 | 0.90 | 0.65 | 0.61 | 0.61 | 0.32 | 0.58
2 | 0.68 | 0.90 | 0.48 | 0.61 | 0.61 | 0.27 | 0.49
3 | 0.65 | 0.90 | 0.38 | 0.61 | 0.71 | 0.34 | 0.49
4 | 0.83 | 0.90 | 0.43 | 0.71 | 0.61 | 0.25 | 0.65
5 | 0.57 | 0.90 | 0.56 | 0.61 | 0.61 | 0.47 | 0.49
6 | 0.78 | 0.90 | 0.45 | 0.61 | 0.61 | 0.52 | 0.60
7 | 0.73 | 0.90 | 0.68 | 0.61 | 0.71 | 0.32 | 0.60
8 | 0.33 | 0.90 | 0.73 | 0.61 | 0.61 | 0.44 | 0.38
9 | 0.45 | 0.90 | 0.47 | 0.71 | 0.61 | 0.62 | 0.48
10 | 0.50 | 0.90 | 0.28 | 0.71 | 0.71 | 0.25 | 0.41
Table 6  Vulnerability exploitability probabilities
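The abstract describes quantifying each attack path of an attribute attack graph with a Bayesian network, and Tables 2, 4 and 6 give the node semantics and exploitability probabilities. The Python below is an added illustration of that style of evaluation; it is not the paper's code and does not reproduce its Figure 3 or its risk formula (the R4 column is not derived here). The vulnerability nodes C1..C7 and attack nodes T1..T9 reuse the semantics of Tables 2 and 4, but the precondition edges between them are a hypothetical reading of those semantics, the priors are user 1's row of Table 6, and C4 (absent from Table 6) is an assumed placeholder of 0.50. It shows why a per-path product of parent probabilities misstates the risk when two branches share a vulnerability, and computes the exact marginal instead.

```python
"""Exact Bayesian evaluation of a small attribute attack graph.

Added illustration, not code from the paper. Vulnerability nodes C1..C7 and
attack nodes T1..T9 reuse the semantics of Tables 2 and 4; the precondition
edges below are a HYPOTHETICAL reading of those semantics, not the paper's
Figure 3. Priors are user 1's row of Table 6; C4 is not listed there, so
0.50 is an assumed placeholder.
"""
from functools import lru_cache
from itertools import product

# Prior probability that each vulnerability is exploitable (Table 6, user 1;
# C4 assumed).
VULN_PRIOR = {
    "C1": 0.75, "C2": 0.90, "C3": 0.65, "C4": 0.50,
    "C5": 0.61, "C6": 0.61, "C7": 0.32,
}

# Attack node -> preconditions; all must hold (an AND node).
# Hypothetical edges derived from the node semantics in Tables 2 and 4.
ATTACK_PRECOND = {
    "T1": ["C1"],              # collecting target attributes needs a public profile
    "T3": ["C2"],              # collecting the friend list needs it to be visible
    "T4": ["T1"],              # a lure account is built from what T1 found
    "T5": ["T3", "C3"],        # friends' attributes need the list plus their profiles
    "T2": ["T1", "T3"],        # a cross-site clone needs attributes plus the friend list
    "T6": ["T4", "C5"],        # befriending the target needs C5 to be weak
    "T7": ["T6", "C7"],        # a private-data request needs friendship plus C7
    "T8": ["T2", "T5", "C6"],  # befriending the target's friends through the clone
    "T9": ["T8", "C4"],        # reaching friends' data needs T8 plus their friend lists
}
VULNS = tuple(sorted(VULN_PRIOR))


def holds(node, assignment):
    """Deterministic AND propagation for one full assignment of the C nodes."""
    if node in assignment:
        return assignment[node]
    return all(holds(p, assignment) for p in ATTACK_PRECOND[node])


def exact_marginal(node):
    """P(node reachable), summed over all 2^7 vulnerability assignments.

    Vulnerabilities are assumed mutually independent, so each assignment's
    weight is the product of the matching priors; attack nodes are
    deterministic functions of their parents.
    """
    total = 0.0
    for bits in product((False, True), repeat=len(VULNS)):
        assignment = dict(zip(VULNS, bits))
        weight = 1.0
        for v, b in assignment.items():
            weight *= VULN_PRIOR[v] if b else 1.0 - VULN_PRIOR[v]
        if holds(node, assignment):
            total += weight
    return total


@lru_cache(maxsize=None)
def naive_path_product(node):
    """Multiply parent probabilities recursively, as a per-path estimate would.

    This double counts a vulnerability shared by two parents (C2 feeds both
    T2 and T5 on the way to T8), so it is NOT the exact marginal.
    """
    if node in VULN_PRIOR:
        return VULN_PRIOR[node]
    p = 1.0
    for parent in ATTACK_PRECOND[node]:
        p *= naive_path_product(parent)
    return p


def risk_report():
    """Exact versus naive probability, rounded, for the two goal nodes."""
    return {goal: (round(exact_marginal(goal), 4), round(naive_path_product(goal), 4))
            for goal in ("T7", "T9")}


if __name__ == "__main__":
    for goal, (exact, naive) in risk_report().items():
        print(f"{goal}: exact={exact:.4f}  naive path product={naive:.4f}")
```

With these assumed edges, T7 (phishing path) depends on C1, C5 and C7 only, so the naive product and the exact marginal agree; T9 (cross-site clone path) reaches C2 through both T2 and T5, and the naive product understates the exact value by a factor of P(C2). Enumerating all assignments is fine for seven vulnerabilities; a larger graph would need a proper Bayesian network inference engine, which is what the paper's model provides.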
1 ALGARNI A, XU Y, CHAN T, et al. Social engineering in social networking sites: affect-based model [C]// Internet Technology and Secured Transactions. London: IEEE, 2014: 508-515.
2 SHARMA S, SODHI J S, GULATI S. Bang of social engineering in social networking sites [C]// Proceedings of the International Congress on Information and Communication Technology. Singapore: Springer, 2016.
3 WILCOX H, BHATTACHARYA M. Countering social engineering through social media: an enterprise security perspective [M]// Computational Collective Intelligence. Madrid: Springer, 2015: 54-64.
4 EDWARDS M, LARSON R, GREEN B, et al. Panning for gold: automatically analysing online social engineering attack surfaces [J]. Computers and Security, 2017, 69: 18-34.
5 ALGARNI A, XU Y, CHAN T. Social engineering in social networking sites: the art of impersonation [C]// IEEE International Conference on Services Computing. Washington: IEEE, 2014: 797-804.
6 KANG Hai-yan, MENG Xiang. Research on vulnerability analysis and penetration attack based on social engineering [J]. Information Security Research, 2017, 3(2): 116-122. (in Chinese)
7 ALGARNI A, XU Y, CHAN T. An empirical study on the susceptibility to social engineering in social networking sites: the case of Facebook [J]. European Journal of Information Systems, 2017, 26(6): 661-687. doi: 10.1057/s41303-017-0057-y
8 BAKHSHI T. Social engineering: revisiting end-user awareness and susceptibility to classic attack vectors [C]// International Conference on Emerging Technologies. Islamabad: IEEE, 2018.
9 ABRAMOV M V, AZAROV A A. Social engineering attack modeling with the use of Bayesian networks [C]// XIX IEEE International Conference on Soft Computing and Measurements. St. Petersburg: IEEE, 2016: 58-60.
10 GUPTA S, SINGHAL A, KAPOOR A. A literature survey on social engineering attacks: phishing attack [C]// International Conference on Computing, Communication and Automation. Greater Noida: IEEE, 2017: 537-540.
11 BECKERS K, KRAUTSEVICH L, YAUTSIUKHIN A. Analysis of social engineering threats with attack graphs [C]// International Workshop on Quantitative Aspects in Security Assurance. Vienna: Springer, 2015: 67-73.
12 JAAFOR O, BIRREGAH B. Social engineering threat assessment using a multi-layered graph-based model [M]// Trends in Social Network Analysis. Cham: Springer, 2017: 107-133.
13 ZHANG X, ZHANG L, GU C. Security risk estimation of social network privacy issue [C]// The International Conference on Communication and Network Security. Tokyo: ACM, 2017: 81-85.
14 VISHWANATH A. Getting phished on social media [J]. Decision Support Systems, 2017, 103: 70-81. doi: 10.1016/j.dss.2017.09.004
15 YAN Feng. Research on network security risk assessment technology based on attack graph [D]. Jilin: Jilin University, 2014. (in Chinese)