Quantitative assessment of social engineering threat in social network
  • English title: Quantitative assessment of social engineering threat in social network
  • Authors: 张雪芹 (ZHANG Xue-qin); 张立 (ZHANG Li); 顾春华 (GU Chun-hua)
  • Institution: School of Information Science and Engineering, East China University of Science and Technology
  • Keywords: threat assessment; social engineering attack; semantics of vulnerability; attack graph; Bayesian network
  • Chinese journal title: ZDZC
  • English journal title: Journal of Zhejiang University (Engineering Science)
  • Publication date: 2019-05-05 20:16
  • Publisher: Journal of Zhejiang University (Engineering Science)
  • Year: 2019
  • Issue: v.53; No.349
  • Funding: National Natural Science Foundation of China (61472139)
  • Language: Chinese
  • Pages: ZDZC201905003
  • Page count: 6
  • CN: 05
  • ISSN: 33-1245/T
  • Classification number: 24-29
Abstract
To address the difficulty of quantitatively assessing social engineering threats in social networks, a threat assessment method based on attribute attack graphs and Bayesian networks is proposed. Based on the process of a social engineering attack in a social network, the semantics of exploitable vulnerabilities and of attack nodes are defined, and a corresponding method for calculating the probability that a vulnerability can be exploited is proposed. By analyzing social engineering attack patterns in social networks, phishing attacks and cross-site identity cloning attacks are simulated, and a social engineering attack graph is constructed using an attribute attack graph generation algorithm. A Bayesian network model is then used to quantify the social engineering threat posed by each attack path, yielding the privacy threat risk of a personal account in the social network. Experiments on a Facebook dataset verify the effectiveness of the proposed method.
