Journal of ZheJiang University (Engineering Science)  2019, Vol. 53 Issue (5): 837-842    DOI: 10.3785/j.issn.1008-973X.2019.05.003
    
Quantitative assessment of social engineering threat in social network
Xue-qin ZHANG(),Li ZHANG,Chun-hua GU
School of Information Science and Engineering, East China University of Science and Technology, Shanghai 200237, China

Abstract  

An assessment method for social engineering threats based on an attribute attack graph and a Bayesian network is proposed, addressing the problem that social engineering threats in social networks are difficult to evaluate quantitatively. Following the process of a social engineering attack in a social network, the semantics of exploitable vulnerability nodes and attack nodes are defined, and a corresponding method for calculating the exploitable probability of each vulnerability is proposed. Phishing attacks and cross-site identity cloning attacks are simulated by analysing the attack patterns of social engineering in social networks. Social engineering attack graphs are constructed with the attribute attack graph generation algorithm, and a Bayesian network model is applied to quantify the social engineering threat posed by each attack path, yielding a privacy threat risk value for a personal account in the social network. Experiments on a Facebook dataset verify the effectiveness of the proposed method.



Key words: threat assessment; social engineering attack; semantics of vulnerability; attack graph; Bayesian network
Received: 10 April 2018      Published: 17 May 2019
CLC:  TN 929  
Cite this article:

Xue-qin ZHANG,Li ZHANG,Chun-hua GU. Quantitative assessment of social engineering threat in social network. Journal of ZheJiang University (Engineering Science), 2019, 53(5): 837-842.

URL:

http://www.zjujournals.com/eng/10.3785/j.issn.1008-973X.2019.05.003     OR     http://www.zjujournals.com/eng/Y2019/V53/I5/837


Quantitative assessment of social engineering threats in social networks (Chinese abstract, translated)

To address the difficulty of quantitatively assessing social engineering threats in social networks, a social engineering threat assessment method based on an attribute attack graph and a Bayesian network is proposed. Based on the process of a social engineering attack in a social network, the semantics of exploitable vulnerability nodes and attack nodes are defined, and a corresponding method for computing the exploitable probability of each vulnerability is proposed. By analysing the social engineering attack patterns in social networks, phishing attacks and cross-site identity cloning attacks are simulated; the social engineering attack graph is built with the attribute attack graph generation algorithm, and a Bayesian network model is used to quantify the social engineering threat caused by each attack path, giving the privacy threat risk of a personal account in the social network. Experiments on a Facebook dataset verify the effectiveness of the proposed method.


Key words (Chinese abstract): threat assessment; social engineering attack; semantics of vulnerability; attack graph; Bayesian network
Fig.1 Example of attribute attack graph
Fig.2 Schematic diagram of Bayesian network
Attack type | Target identification | Information gathering | Attack preparation | Relationship development | Relationship exploitation
Cross-site identity cloning attack [12] | Determine the target user and the attack goal | Collect the target user's identity information on social network Net1 | Create a fake account impersonating the target user on social network Net2 | Establish friend relationships with the target user's friends | Exploit the relationships to steal further private information, or to intimidate or defraud the target user, their friends and family
Social network phishing attack [14] | Determine the target user and the attack goal | Obtain the target user's public information (e-mail, phone number, family situation, etc.) | Create a fake account matching the target user's habits or interests and send the target user a friend request | Establish a friend relationship with the target user or their friends | (not given in the source table)
Tab.1 Process of a social engineering attack
Node ID | Node semantics
C1 | Degree of public exposure of the target user's account attribute information
C2 | Degree of public exposure of the target user's friend list
C3 | Degree of public exposure of the target user's friends' account attribute information
C4 | Degree of public exposure of the friend lists of the target user's friends
C5 | Vulnerability of the target user to accepting friend requests
C6 | Vulnerability of the target user's friends to accepting friend requests
C7 | Vulnerability of the interaction behaviour between the target user and their friends
Tab.2 Semantics of exploitable vulnerability nodes
Friend-request acceptance behaviour | Vulnerability level | Exploitable probability
Q1: rejects or ignores all friend requests | 1 | 0.35
Q2: accepts friend requests only from friends of friends | 2 | 0.61
Q3: accepts friend requests from anyone | 3 | 0.71
Tab.3 Exploitable probability of C5 or C6
Node ID | Node semantics
T1 | Collect the target user's account attribute information
T2 | Use the target user's friend list to create a fake account on another site (cross-site cloning)
T3 | Collect the target user's friend list
T4 | Create a malicious account designed to attract the target user's interest
T5 | Collect the account attribute information of the target user's friends
T6 | Add the target user as a friend
T7 | Request access to the target user's private information
T8 | Add the target user's friends as friends
T9 | Request access to the private information of the target user's friends
Tab.4 Semantics of attack nodes
Fig.3 Attack diagram of social engineering
Fig.4 Topological graph of relationship between social network users
User ID | Number matching Q1 | Number matching Q2 | Number matching Q3
1 | 15 | 3 | 8
2 | 17 | 4 | 13
3 | 15 | 23 | 4
4 | 32 | 13 | 7
5 | 10 | 6 | 25
6 | 17 | 8 | 23
7 | 5 | 4 | 11
8 | 17 | 6 | 2
9 | 23 | 6 | 29
10 | 16 | 15 | 26
Total | 167 | 88 | 148
Tab.5 Feedback form of the phishing attack (Q1..Q3 as defined in Tab.3)
User ID | PC1 | PC2 | PC3 | PC5 | PC6 | PC7 | R4
1 | 0.75 | 0.90 | 0.65 | 0.61 | 0.61 | 0.32 | 0.58
2 | 0.68 | 0.90 | 0.48 | 0.61 | 0.61 | 0.27 | 0.49
3 | 0.65 | 0.90 | 0.38 | 0.61 | 0.71 | 0.34 | 0.49
4 | 0.83 | 0.90 | 0.43 | 0.71 | 0.61 | 0.25 | 0.65
5 | 0.57 | 0.90 | 0.56 | 0.61 | 0.61 | 0.47 | 0.49
6 | 0.78 | 0.90 | 0.45 | 0.61 | 0.61 | 0.52 | 0.60
7 | 0.73 | 0.90 | 0.68 | 0.61 | 0.71 | 0.32 | 0.60
8 | 0.33 | 0.90 | 0.73 | 0.61 | 0.61 | 0.44 | 0.38
9 | 0.45 | 0.90 | 0.47 | 0.71 | 0.61 | 0.62 | 0.48
10 | 0.50 | 0.90 | 0.28 | 0.71 | 0.71 | 0.25 | 0.41
Tab.6 Exploitable probability of each vulnerability node (PCi is the exploitable probability of node Ci from Tab.2)
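The page gives the node semantics (Tab.2, Tab.4) and per-user exploitable probabilities (Tab.6) but not the attack-graph wiring of Fig.3 or the paper's propagation rule, so the following is an added illustration, not the authors' code: an exact Bayesian-attack-graph evaluator that treats each vulnerability node Ci as an independent Bernoulli variable with the Tab.6 probability for user 1, treats each attack node Ti as succeeding when all of its preconditions hold, and adds a goal node G (privacy leak via the target directly or via a friend) as an OR of T7 and T9. The parent sets below are my reading of the node semantics and are assumptions, as is the deterministic AND/OR rule and the resulting numbers (they do not reproduce the paper's R4). The point the example makes is that C7 feeds both branches, so combining the two path probabilities as if they were independent overestimates the risk; exact inference over the joint avoids that.

```python
"""Exact inference over a small Bayesian attack graph (added example).

Assumptions, not from the paper: the wiring of C/T nodes, deterministic
AND semantics for attack nodes, and the extra OR goal node G.
"""
from itertools import product
from typing import Dict, List, Tuple

# Node spec: (kind, parents, p)
#   "root": P(node=1) = p, no parents (vulnerability node Ci)
#   "and" : P(node=1 | all parents = 1) = p, otherwise 0 (attack node Ti)
#   "or"  : P(node=1 | any parent = 1)  = p, otherwise 0 (goal node)
Node = Tuple[str, List[str], float]


def conditional(spec: Node, parent_state: List[int]) -> float:
    """P(node = 1 | parents) for one row of the node's conditional table."""
    kind, _, p = spec
    if kind == "root":
        return p
    if kind == "and":
        return p if all(parent_state) else 0.0
    if kind == "or":
        return p if any(parent_state) else 0.0
    raise ValueError(kind)


def topo_order(graph: Dict[str, Node]) -> List[str]:
    """Parents before children, so the joint factorises left to right."""
    order: List[str] = []
    seen = set()

    def visit(n: str) -> None:
        if n in seen:
            return
        for parent in graph[n][1]:
            visit(parent)
        seen.add(n)
        order.append(n)

    for n in graph:
        visit(n)
    return order


def marginals(graph: Dict[str, Node]) -> Dict[str, float]:
    """Exact P(node = 1) for every node by enumerating the full joint.

    Fine for the ~16 nodes of one user's graph (2^16 assignments); shared
    ancestors such as C7 are handled correctly because the joint is summed.
    """
    order = topo_order(graph)
    totals = {n: 0.0 for n in order}
    for assignment in product((0, 1), repeat=len(order)):
        state = dict(zip(order, assignment))
        joint = 1.0
        for n in order:
            pr = conditional(graph[n], [state[q] for q in graph[n][1]])
            joint *= pr if state[n] else 1.0 - pr
            if joint == 0.0:
                break                       # impossible assignment, skip
        if joint == 0.0:
            continue
        for n in order:
            if state[n]:
                totals[n] += joint
    return totals


def naive_or(p_a: float, p_b: float) -> float:
    """What you get by wrongly treating two paths as independent."""
    return 1.0 - (1.0 - p_a) * (1.0 - p_b)


def user1_graph() -> Dict[str, Node]:
    """Assumed wiring for user 1; priors are the PCi values in Tab.6."""
    pc = {"C1": 0.75, "C2": 0.90, "C3": 0.65, "C5": 0.61, "C6": 0.61, "C7": 0.32}
    g: Dict[str, Node] = {c: ("root", [], p) for c, p in pc.items()}
    g.update({
        "T1": ("and", ["C1"], 1.0),          # collect target attributes
        "T3": ("and", ["C2"], 1.0),          # collect target friend list
        "T5": ("and", ["C3"], 1.0),          # collect friends' attributes
        "T4": ("and", ["T1"], 1.0),          # enticing malicious account
        "T2": ("and", ["T3"], 1.0),          # cross-site clone account
        "T6": ("and", ["T4", "C5"], 1.0),    # target accepts friend request
        "T8": ("and", ["T2", "T5", "C6"], 1.0),  # friends accept the clone
        "T7": ("and", ["T6", "C7"], 1.0),    # target's private info
        "T9": ("and", ["T8", "C7"], 1.0),    # friends' private info
        "G":  ("or",  ["T7", "T9"], 1.0),    # added goal: any privacy leak
    })
    return g


if __name__ == "__main__":
    m = marginals(user1_graph())
    for n in ("T7", "T9", "G"):
        print(f"P({n}) = {m[n]:.4f}")
    print(f"naive OR of T7,T9 = {naive_or(m['T7'], m['T9']):.4f} (overestimate)")
```

With these assumptions the direct path T7 comes out at 0.1464 and the friend path T9 at 0.1142; the exact goal probability is 0.2083, whereas combining the two paths as independent events gives 0.2439 because it counts the shared C7 condition twice.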
[1] ALGARNI A, XU Y, CHAN T, et al. Social engineering in social networking sites: affect-based model [C]// Internet Technology and Secured Transactions. London: IEEE, 2014: 508-515.
[2] SHARMA S, SODHI J S, GULATI S. Bang of social engineering in social networking sites [C]// Proceedings of the International Congress on Information and Communication Technology. Singapore: Springer, 2016.
[3] WILCOX H, BHATTACHARYA M. Countering social engineering through social media: an enterprise security perspective [M]// Computational Collective Intelligence. Madrid: Springer, 2015: 54-64.
[4] EDWARDS M, LARSON R, GREEN B, et al. Panning for gold: automatically analysing online social engineering attack surfaces [J]. Computers and Security, 2017, 69: 18-34.
[5] ALGARNI A, XU Y, CHAN T. Social engineering in social networking sites: the art of impersonation [C]// IEEE International Conference on Services Computing. Washington: IEEE, 2014: 797-804.
[6] KANG Hai-yan, MENG Xiang. Research on vulnerability analysis and penetration attack based on social engineering [J]. Information Security Research, 2017, 3(2): 116-122. (in Chinese)
[7] ALGARNI A, XU Y, CHAN T. An empirical study on the susceptibility to social engineering in social networking sites: the case of Facebook [J]. European Journal of Information Systems, 2017, 26(6): 661-687. doi: 10.1057/s41303-017-0057-y
[8] BAKHSHI T. Social engineering: revisiting end-user awareness and susceptibility to classic attack vectors [C]// International Conference on Emerging Technologies. Islamabad: IEEE, 2018.
[9] ABRAMOV M V, AZAROY A A. Social engineering attack modeling with the use of Bayesian networks [C]// XIX IEEE International Conference on Soft Computing and Measurements. St. Petersburg: IEEE, 2016: 58-60.
[10] GUPTA S, SINGHAL A, KAPOOR A. A literature survey on social engineering attacks: phishing attack [C]// International Conference on Computing, Communication and Automation. Greater Noida: IEEE, 2017: 537-540.
[11] BECKERS K, KRAUTSEVICH L, YAUTSIUKHIN A. Analysis of social engineering threats with attack graphs [C]// International Workshop on Quantitative Aspects in Security Assurance. Vienna: Springer, 2015: 67-73.
[12] JAAFOR O, BIRREGAH B. Social engineering threat assessment using a multi-layered graph-based model [M]// Trends in Social Network Analysis. Cham: Springer, 2017: 107-133.
[13] ZHANG X, ZHANG L, GU C. Security risk estimation of social network privacy issue [C]// The International Conference on Communication and Network Security. Tokyo: ACM, 2017: 81-85.
[14] VISHWANATH A. Getting phished on social media [J]. Decision Support Systems, 2017, 103: 70-81. doi: 10.1016/j.dss.2017.09.004
[15] YAN Feng. Research on network security risk assessment technology based on attack graph [D]. Jilin: Jilin University, 2014. (in Chinese)