한국컴퓨터정보학회논문지 (Journal of the Korea Society of Computer and Information)

한국컴퓨터정보학회 (Korean Society of Computer Information)
권호 표지
DOI QR코드

DOI QR Code

Social Engineering Attack Graph for Security Risk Assessment: Social Engineering Attack Graph framework(SEAG)

  • Kim, Jun Seok (Graduate School of Information Security, Korea University) ;
  • Kang, Hyunjae (Graduate School of Information Security, Korea University) ;
  • Kim, Jinsoo (Agency for Defense Development) ;
  • Kim, Huy Kang (Graduate School of Information Security, Korea University)
  • 투고 : 2018.08.30
  • 심사 : 2018.10.22
  • 발행 : 2018.11.30
PDF 다운로드
⟨ 이전 논문 다음 논문 ⟩

초록

Social engineering attack means to get information of Social engineering attack means to get information of opponent without technical attack or to induce opponent to provide information directly. In particular, social engineering does not approach opponents through technical attacks, so it is difficult to prevent all attacks with high-tech security equipment. Each company plans employee education and social training as a countermeasure to prevent social engineering. However, it is difficult for a security officer to obtain a practical education(training) effect, and it is also difficult to measure it visually. Therefore, to measure the social engineering threat, we use the results of social engineering training result to calculate the risk by system asset and propose a attack graph based probability. The security officer uses the results of social engineering training to analyze the security threats by asset and suggests a framework for quick security response. Through the framework presented in this paper, we measure the qualitative social engineering threats, collect system asset information, and calculate the asset risk to generate probability based attack graphs. As a result, the security officer can graphically monitor the degree of vulnerability of the asset's authority system, asset information and preferences along with social engineering training results. It aims to make it practical for companies to utilize as a key indicator for establishing a systematic security strategy in the enterprise.

키워드

CPTSCQ_2018_v23n11_75_f0001.png 이미지

Fig. 1. The communication model of social engineering

CPTSCQ_2018_v23n11_75_f0002.png 이미지

Fig. 2. The procedure of social engineering attack response training

CPTSCQ_2018_v23n11_75_f0003.png 이미지

Fig. 3. Generation of the attack graph

CPTSCQ_2018_v23n11_75_f0004.png 이미지

Fig. 4. Overview of the Social Engineering Attack Graph framework(SEAG)

CPTSCQ_2018_v23n11_75_f0005.png 이미지

Fig. 5. Example of network topology

CPTSCQ_2018_v23n11_75_f0006.png 이미지

Fig. 6. Example of attack graph generation

Table 1. Overview of related work

CPTSCQ_2018_v23n11_75_t0001.png 이미지

Table 2. Classification of social engineering attack

CPTSCQ_2018_v23n11_75_t0002.png 이미지

Table 3. Social engineering scenario

CPTSCQ_2018_v23n11_75_t0003.png 이미지

Table 4. Social engineering vulnerability

CPTSCQ_2018_v23n11_75_t0004.png 이미지

Table 5. Example of social engineering training results and risks

CPTSCQ_2018_v23n11_75_t0005.png 이미지

참고문헌

  1. Mitnick, Kevin D. and William L. Simon. The art of deception: Controlling the human element of security. John Wiley & Sons, 2011.
  2. Hadnagy, Christopher. Social engineering: The art of human hacking. John Wiley & Sons, 2010.
  3. Artz, Michael Lyle. Netspa: A network security planning architecture. Diss. Massachusetts Institute of Technology, 2002.
  4. Ou, Xinming, Sudhakar Govindavajhala, and Andrew W. Appel. "MulVAL: A Logic-based Network Security Analyzer." USENIX Security Symposium. Vol. 8. 2005.
  5. Ou, Xinming, Wayne F. Boyer, and Miles A. McQueen. "A scalable approach to attack graph generation." Proceedings of the 13th ACM conference on Computer and communications security. ACM, 2006.
  6. Ingols, Kyle, Richard Lippmann, and Keith Piwowarski. "Practical attack graph generation for network defense." Computer Security Applications Conference, 2006. ACSAC'06. 22nd Annual. IEEE, 2006.
  7. Poolsappasit, Nayot, Rinku Dewri, and Indrajit Ray. "Dynamic security risk management using bayesian attack graphs." IEEE Transactions on Dependable and Secure Computing 9.1 (2012): 61-74. https://doi.org/10.1109/TDSC.2011.34
  8. Wang, Lingyu, et al. "An attack graph-based probabilistic security metric." IFIP Annual Conference on Data and Applications Security and Privacy. Springer, Berlin, Heidelberg, 2008.
  9. Keramati, Marjan, Ahmad Akbari, and Mahsa Keramati. "CVSS-based security metrics for quantitative analysis of attack graphs." Computer and Knowledge Engineering (ICCKE), 2013 3th International eConference on. IEEE, 2013.
  10. Wang, Lingyu, et al. "k-zero day safety: A network security metric for measuring the risk of unknown vulnerabilities." IEEE Transactions on Dependable and Secure Computing 11.1 (2014): 30-44. https://doi.org/10.1109/TDSC.2013.24
  11. Yusuf, Simon Enoch, et al. "Security Modelling and Analysis of Dynamic Enterprise Networks." Computer and Information Technology (CIT), 2016 IEEE International Conference on. IEEE, 2016.
  12. Moon, Young Hoon, et al. "Hybrid Attack Path Enumeration System Based on Reputation Scores." Computer and Information Technology (CIT), 2016 IEEE International Conference on. IEEE, 2016.
  13. Ge, Mengmeng, et al. "Evaluating Security and Availability of Multiple Redundancy Designs when Applying Security Patches." Dependable Systems and Networks Workshop (DSN-W), 2017 47th Annual IEEE/IFIP International Conference on. IEEE, 2017.
  14. Dimkov, Trajce, et al. "Two methodologies for physical penetration testing using social engineering." Proceedings of the 26th annual computer security applications conference. ACM, 2010.
  15. Ivaturi, Koteswara, and Lech Janczewski. "A taxonomy for social engineering attacks." International Conference on Information Resources Management. Centre for Information Technology, Organizations, and People, 2011.
  16. Pavkovic, Nikola, and Luka Perkov. "Social Engineering Toolkit-A systematic approach to social engineering." MIPRO, 2011 Proceedings of the 34th International Convention. IEEE, 2011.
  17. Algarni, Abdullah, et al. "Social engineering in social networking sites: Affect-based model." Internet technology and secured transactions (icitst), 2013 8th international conference for. IEEE, 2013.
  18. Mouton, Francois, et al. "Social engineering attack framework." Information Security for South Africa (ISSA), 2014. IEEE, 2014.
  19. Beckers, Kristian, Leanid Krautsevich, and Artsiom Yautsiukhin. "Analysis of social engineering threats with attack graphs." Data privacy management, autonomous spontaneous security, and security assurance. Springer, Cham, 2015. 216-232.
  20. Moon, Joo Yeon, et al. "An Attack Graph Model for Dynamic Network Environment" Journal of The Korea Institue of Information Security & Cryptology 28.2 (2018): 485-500.