Social Engineering

As an attack surface, social engineering is often
overlooked in the design phase of information systems. This has left a
privileged component of these systems -- the user -- vulnerable to attack and
coercion by outside parties. The traditional method of reducing risk due to
social engineering attacks (training and awareness) has only been shown to
reduce the success of the simplest phone-based social engineering attack to
30 percent. This thesis proposes several methods for automating the
detection of social engineering attacks as they occur over the phone. We
propose and perform an unbiased experiment in which phone-based social
engineering takes place. The calls are then collected to form the first
corpus of recorded and marked phone-based social engineering attacks.
Automated methods of classifying each call as social engineering or
non-social engineering are then explored using voice feature analysis,
Bayesian categorization of call transcripts, and emotional state measurement
using an affect dictionary. We analyze the results of these methods and
propose potential improvements. Finally, a system design is proposed which
incorporates the methods presented.
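As an added illustration of the Bayesian transcript categorization mentioned above (this is example code written for this page, not the thesis's own classifier or corpus), the block below trains a multinomial naive Bayes model with add-one smoothing on a handful of constructed, hand-labelled call transcripts and uses it to label a new transcript. The training lines and the word-level features are assumptions made for the example.

```python
import math
import re
from collections import Counter

# Constructed, hand-labelled transcripts (not from the thesis corpus).
# label 1 = social engineering call, label 0 = benign call.
TRAIN = [
    ("hi this is IT support we need your password to reset the server urgently", 1),
    ("your account will be locked unless you confirm your login and pin right now", 1),
    ("i am calling from the bank please verify your card number and security code", 1),
    ("hello i would like to schedule a dentist appointment for next tuesday", 0),
    ("can you tell me the store opening hours on saturday", 0),
    ("i am calling to confirm the delivery of my order next week", 0),
]

def tokenize(text):
    """Lowercase bag-of-words tokens; transcripts are treated as unordered word counts."""
    return re.findall(r"[a-z0-9']+", text.lower())

class NaiveBayes:
    """Multinomial naive Bayes with Laplace (add-one) smoothing over two classes."""
    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.word_counts = {0: Counter(), 1: Counter()}
        self.class_counts = Counter()
        self.vocab = set()

    def fit(self, samples):
        for text, label in samples:
            toks = tokenize(text)
            self.class_counts[label] += 1
            self.word_counts[label].update(toks)
            self.vocab.update(toks)

    def log_posterior(self, text, label):
        """log P(label) + sum log P(word | label); smoothing keeps unseen words finite."""
        total = sum(self.class_counts.values())
        lp = math.log(self.class_counts[label] / total)
        denom = sum(self.word_counts[label].values()) + self.alpha * len(self.vocab)
        for tok in tokenize(text):
            lp += math.log((self.word_counts[label][tok] + self.alpha) / denom)
        return lp

    def predict(self, text):
        return max((0, 1), key=lambda c: self.log_posterior(text, c))

def classify_call(transcript, samples=TRAIN):
    """Train on the labelled samples and return 1 (social engineering) or 0 (benign)."""
    clf = NaiveBayes()
    clf.fit(samples)
    return clf.predict(transcript)
```

With so few training lines the model keys on credential-request vocabulary ("password", "verify", "your"), which is the kind of lexical signal a transcript classifier picks up; a real deployment would need a corpus like the one the thesis describes.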
Participants: Mike Aiello, Nasir Memon