http://dx.doi.org/10.9708/jksci.2018.23.11.075

Social Engineering Attack Graph for Security Risk Assessment: Social Engineering Attack Graph framework(SEAG)  

Kim, Jun Seok (Graduate School of Information Security, Korea University)
Kang, Hyunjae (Graduate School of Information Security, Korea University)
Kim, Jinsoo (Agency for Defense Development)
Kim, Huy Kang (Graduate School of Information Security, Korea University)
Abstract
A social engineering attack obtains information from an opponent without a technical attack, or induces the opponent to provide the information directly. Because social engineering does not approach the opponent through technical attacks, it is difficult to prevent all such attacks with high-tech security equipment. Each company plans employee education and social engineering training as a countermeasure. However, it is difficult for a security officer to obtain a practical effect from education (training), and it is also difficult to measure that effect visually. Therefore, to measure the social engineering threat, we use social engineering training results to calculate the risk for each system asset and propose a probability-based attack graph. The security officer uses the social engineering training results to analyze security threats by asset, and we suggest a framework for a quick security response. Through the framework presented in this paper, we measure qualitative social engineering threats, collect system asset information, and calculate asset risk to generate probability-based attack graphs. As a result, the security officer can graphically monitor the degree of vulnerability of an asset's authorization system, asset information and preferences alongside the social engineering training results. The aim is to make the framework practical for companies to use as a key indicator when establishing a systematic security strategy in the enterprise.
Keywords
Attack graph; Social engineering; Risk assessment; Network security; APT attack;
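As an added illustration of the idea described in the abstract (not the paper's SEAG model or its code): a toy calculation that turns constructed phishing-drill results into per-employee susceptibility, derives each asset's direct compromise probability from who holds access to it, and propagates that through a small constructed attack graph to rank assets for the security officer. The smoothing prior, the access table, the asset names and the per-edge exploit probabilities are all assumptions.

```python
from math import prod

# Constructed phishing-drill results per employee: (lures sent, lures acted on).
TRAINING = {"alice": (10, 1), "bob": (10, 4), "carol": (10, 0), "dave": (10, 6)}

# Constructed access rights: employees whose credentials reach each asset directly.
ACCESS = {
    "hr_workstation": {"alice", "bob"},
    "finance_pc": {"dave"},
    "file_server": {"carol"},
    "erp_db": set(),  # no direct user access; reachable only via other assets
}

# Constructed edges (src, dst, p_exploit): assumed chance an attacker holding src gains dst.
EDGES = [
    ("hr_workstation", "file_server", 0.5),
    ("finance_pc", "erp_db", 0.7),
    ("file_server", "erp_db", 0.3),
]

def susceptibility(training, prior=(1, 2)):
    """Per-employee probability of falling for a lure, Laplace-smoothed with an
    assumed prior so that a clean drill record is not treated as zero risk."""
    a, b = prior
    return {e: (hit + a) / (sent + b) for e, (sent, hit) in training.items()}

def entry_probability(access, sus):
    """Direct compromise of an asset: at least one authorised employee is fooled."""
    return {asset: 1 - prod(1 - sus[e] for e in users) for asset, users in access.items()}

def propagate(entry, edges):
    """P(dst) = 1 - (1 - P_entry(dst)) * prod(1 - P(src) * p_exploit) over in-edges;
    the graph is assumed acyclic, and memoised recursion resolves predecessors first."""
    inbound = {asset: [] for asset in entry}
    for src, dst, p in edges:
        inbound[dst].append((src, p))
    risk = {}
    def node(asset):
        if asset not in risk:
            risk[asset] = 1 - (1 - entry[asset]) * prod(1 - node(s) * p for s, p in inbound[asset])
        return risk[asset]
    for asset in entry:
        node(asset)
    return risk

def ranked_assets(training=TRAINING, access=ACCESS, edges=EDGES):
    """Assets ordered by compromise probability: the view the security officer monitors."""
    risk = propagate(entry_probability(access, susceptibility(training)), edges)
    return sorted(risk.items(), key=lambda kv: kv[1], reverse=True)
```

With these inputs the database that no employee can reach directly still ranks above the file server, because two social-engineering entry points lead to it; that is the kind of indirect exposure the attack graph makes visible.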