
Social Engineering

As an attack surface, social engineering is often overlooked in the design phase of information systems. This leaves a privileged component of these systems, the user, vulnerable to attack and coercion by outside parties. The traditional method of reducing the risk of social engineering attacks, training and awareness, has been shown to reduce the success rate of even the simplest phone-based social engineering attack only to 30 percent. This thesis proposes several methods for automatically detecting social engineering attacks as they occur over the phone. We design and carry out an unbiased experiment in which phone-based social engineering attacks are conducted. The calls are then collected to form the first corpus of recorded and labeled phone-based social engineering attacks. Automated classification of each call as social engineering or non-social engineering is then explored using three approaches: voice feature analysis, Bayesian categorization of call transcripts, and emotional state measurement using an affect dictionary. We analyze the results of these methods and propose potential improvements. Finally, a system design is proposed which incorporates the methods presented.
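To make the transcript-based approaches concrete, the following is an added example written for this page; it is not code from the thesis and does not use its corpus. It trains a multinomial naive Bayes classifier on a handful of constructed call transcripts labeled "se" (social engineering) or "benign", and scores a transcript's pressure cues against a small constructed affect dictionary. The training sentences, the dictionary entries and their weights, and the function names are all assumptions chosen for illustration.

```python
"""Naive Bayes categorization of phone-call transcripts plus affect-dictionary
scoring. Added example for this page; all data below is constructed."""
import math
import re
from collections import Counter, defaultdict

# Constructed training transcripts (hypothetical, not from the thesis corpus).
TRAINING = [
    ("hi this is dave from it support we need your password right now to reset the server before the audit", "se"),
    ("this is the help desk your account is locked please confirm your login and password immediately", "se"),
    ("i am calling from corporate security there is an urgent issue verify your employee id and password now", "se"),
    ("hello just checking if the conference room is booked for the team meeting on thursday", "benign"),
    ("hi can you tell me what time the cafeteria closes today thanks", "benign"),
    ("hey it is john from accounting the invoice for march is ready i will send it over", "benign"),
]

# Constructed affect dictionary: words that signal urgency or pressure, with
# assumed weights. A real dictionary would be far larger and empirically tuned.
AFFECT = {"urgent": 1.0, "immediately": 1.0, "now": 0.5, "right": 0.25,
          "locked": 0.75, "audit": 0.5}


def tokenize(text):
    """Lowercase word tokens; punctuation is dropped."""
    return re.findall(r"[a-z']+", text.lower())


class NaiveBayes:
    """Multinomial naive Bayes with Laplace (add-alpha) smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.class_counts = Counter()
        self.word_counts = defaultdict(Counter)
        self.vocab = set()

    def train(self, samples):
        for text, label in samples:
            self.class_counts[label] += 1
            for w in tokenize(text):
                self.word_counts[label][w] += 1
                self.vocab.add(w)

    def log_posterior(self, text):
        """Unnormalized log P(label | text) for every label."""
        total = sum(self.class_counts.values())
        scores = {}
        for label, n in self.class_counts.items():
            lp = math.log(n / total)  # class prior
            denom = sum(self.word_counts[label].values()) + self.alpha * len(self.vocab)
            for w in tokenize(text):
                # Smoothed likelihood; unseen words get alpha / denom, never zero.
                lp += math.log((self.word_counts[label][w] + self.alpha) / denom)
            scores[label] = lp
        return scores

    def classify(self, text):
        scores = self.log_posterior(text)
        return max(scores, key=scores.get)


def affect_score(text):
    """Mean affect weight per token; 0.0 for an empty transcript."""
    toks = tokenize(text)
    if not toks:
        return 0.0
    return sum(AFFECT.get(w, 0.0) for w in toks) / len(toks)


MODEL = NaiveBayes()
MODEL.train(TRAINING)

if __name__ == "__main__":
    for call in ("this is it support please give me your password immediately",
                 "hi is the team meeting still on for thursday"):
        print(MODEL.classify(call), round(affect_score(call), 3), call)
```

The two signals are deliberately kept separate: the Bayesian score reflects which words the call uses, while the affect score reflects how much urgency it applies, so a system can flag a call when either crosses a threshold rather than relying on one feature that an attacker can avoid.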

Participants:

Mike Aiello
Nasir Memon