Copyright © 2020 ACADEMIA INDUSTRY NETWORKS-All rights reserved
ONTOLOGY-BASED FORMAL SPECIFICATIONS FOR SOCIAL ENGINEERING
Issam Alshanfari (1), Roesnita Ismail (2*), Nurzi Juana Mohd Zaizi (3) and Fauziah Abdul Wahid (4)
(1) Faculty of Information and Communication Technology, Universiti Teknikal Malaysia, Melaka, MALAYSIA
(2, 3, 4) Faculty of Science and Technology, Universiti Sains Islam Malaysia, Negeri Sembilan, MALAYSIA
*Corresponding author: [email protected]
Accepted: 12 February 2020 | Published: 6 March 2020
Abstract: One of the most rapidly growing fields in information security is the study of social engineering. Social engineering is a technique of exploiting human behaviour to achieve a malicious objective. A social engineering attack can induce unsuspecting individuals to disclose confidential information through various manipulation techniques. Therefore, the effectiveness of security measures that protect sensitive information against social engineering attacks needs to be increased. An explicit knowledge representation of social engineering can contribute to the understanding of social engineering attacks. Nevertheless, the field of social engineering still lacks a formal specification of the concepts that define the structure of knowledge within the social engineering domain. An ontology, or knowledge representation, is composed of objects and the conceptual relations between those objects. However, developing appropriate semantic representations, including social engineering ontologies, remains difficult and challenging. This paper proposes a social engineering ontology that conceptualizes the knowledge used in social engineering techniques, human-based and technical-based attacks, and countermeasures.
The novel contribution of this study is the extraction of key terms from relevant publications, which allows one to distinguish between the different types of objects and their relationships, dependencies and properties in the social engineering domain. The ontology can be used not only for querying and integrating social engineering information on the Web, but can also be expanded to other, similar domains.
Keywords: information security, ontology, social engineering
1. Introduction
Ontology is one of the components of efficient knowledge retrieval and knowledge sharing. It makes it possible to access required information and knowledge more efficiently and comprehensively, through the variety of relationships between concepts in an information-rich world (Gruber, 1993).
Currently, knowledge sharing between entities is achieved in a very ad-hoc fashion, without an appropriate understanding of the meaning of the data. Ontologies can potentially solve these problems by facilitating knowledge sharing and reuse.
An ontology defines what exists in a domain and how those things relate to each other, forming a common vocabulary for researchers who need to share information in a similar domain. Social engineering is the act of deceiving people in order to gain access to their personal confidential data. Social engineering attacks are more challenging to manage because they depend on human behavior and involve taking advantage of vulnerable employees and organizations (Anthony and Ziduan, 2013).
2. Literature Review
There are not many recent studies on ontology in the social engineering domain. Raskin et al. (2010) studied a computational system to detect intentional reasons in the casual verbal output of individuals responsible for leaking sensitive information for unauthorized access. They describe methods for protecting sensitive information from insider threats influenced by social engineering. They also emphasize the use of ontological semantic technology to make this process a computational system. Feresa et al. (2011) provide a detailed review of the managerial and technical aspects of social engineering attacks, with a particular focus on producing a generic taxonomy composed of human-based and technical-based social engineering attacks. The study concludes that detecting social engineering is difficult without knowing how to manage secure sources and sensitive information in the face of human and technical threats.
Anthony and Ziduan (2013) presented the psychological conceptual frameworks and concepts applied in social engineering attacks. A meta-analysis was used in this study to identify the common patterns and the different concepts and approaches among the findings of the eight chosen studies in social engineering. Their findings help researchers to understand the social engineering aspect from a psychological perspective and to create measures to defend against these attacks. An understanding of the psychological concepts and frameworks employed by social engineers, together with the use of technology solutions and user awareness, can be an effective measure for protecting sensitive information. Similarly, Mouton, Leenen, Malan and Venter (2014) developed an ontological model for a social engineering attack based on an analysis of existing definitions and taxonomies. Their study provides concrete definitions for social engineering, social engineering attack and social engineer.
Carnegie Mellon University (2014) conducted initial research to inform government and industry stakeholders about the problem and its potential causes, and to guide research and development investments toward the highest-priority requirements for countering the UIT (Unintentional Insider Threat). The research team analyzed UIT cases to identify possible behavioral and technical patterns and precursors, with a particular focus on social engineering cases. The findings revealed that academic research has identified human factors that may underlie susceptibility to UIT social engineering, but the lack of reporting on relevant human factors in real-world cases has hampered validation of the potential human factors. Previous studies on ontology focused more on social engineering attacks than on the techniques (Raskin et al., 2010; Feresa et al., 2011; Anthony and Ziduan, 2013; Carnegie Mellon University, 2014). Therefore, this study aims to develop a social engineering ontology that covers the social engineering types, the human-based and technical-based attacks or techniques, and the measures taken to counter the attacks.
3. Problem Statement
Although social engineering is an important branch of information security, the discipline is not well defined (Mouton, Leenen, Malan and Venter, 2014). This paper aims to compile related publications on social engineering from Google Scholar published from 2015 to 2018, classify a collection of related terms (a taxonomy), and develop an ontology of social engineering using Protégé. The social engineering ontology includes the social engineering types, the human-based and technical-based attacks, and the countermeasures.
4. Method
In this study, the ontology was developed following the eight stages suggested by Noy and McGuinness (2000):
A. Determine the Domain and Scope of the Ontology
The ontology was based on 30 publications on social engineering, published from 2015 to 2018, that were retrieved from Google Scholar. The extracted key and related terms mainly concern social engineering i) types, ii) threats, iii) attacks (human-based and technical-based social engineering attacks) and iv) countermeasures.
B. Consider Reuse
This study developed the ontology from scratch; however, if an ontology is available from a third party, researchers can use it as a useful starting point.
C. List Key Terms
All the terms that are likely to appear in the ontology are listed. The relations among the classes and the properties of the classes and instances in the ontology are also listed.
D. Define Taxonomy
After the key terms have been identified, they must be organized in a taxonomic hierarchy. This social engineering ontology used the top-down approach. Social engineering is the root class, and its subclasses are the types, threats and countermeasures.
E. Define the Properties of the Classes
Properties define the relationships between two objects. Both object properties and data properties are used in the ontology.
F. Define the Facets of a Class
Facets of a property describe its value type; consider, for example, the property ‘Has_Direct_Interaction’.
G. Define Instances
Individual instances of the classes are created in the ontology.
H. Implementation in Protégé
Protégé is an open source ontology editor that supports modeling ontologies for web clients and desktop users in different formats, including OWL, XML Schema and RDF. It is Java-based, supports plug-ins, and is flexible enough for extension, prototyping or application development.
5. Results
This section describes the steps involved in the formation of the social engineering taxonomy and ontology.
A. Compilation of Publications on Social Engineering
The first step involved compiling a total of 30 relevant studies on social engineering published from 2015 to 2018, retrieved through Google Scholar. Different keywords were applied to include relevant publications on social engineering types, techniques and countermeasures.
Open access articles on social engineering are scarce, and some articles required a fee for full-text access and download. This was not an obstacle to collecting comprehensive articles on social engineering categories and subcategories, because the same publications could be obtained from open access sites.
B. Taxonomy Formation on Social Engineering
This section describes the process of developing a social engineering taxonomy: analysing the terminology and classifying the terms according to the hierarchical relationship between the main class and its subclasses, as depicted in Figure 1.
Figure 1: Main and Subclasses of Social Engineering Taxonomy
The main class is "Social Engineering" and the subclasses are the types of social engineering techniques, the countermeasures that avoid social engineering attacks, and the potential threats to humans and sensitive information. Human-based attacks and technical-based attacks reflect the social engineering techniques that social engineers use to attack victims directly or indirectly, or to gather information about them in order to discover their vulnerabilities. Table 1 lists the 46 terms (taxonomy) for social engineering human-based attacks found during the literature review. It is clear that direct communication by phone or electronic media is the technique most used to manipulate victims.
Table 1: List of Terms in Social Engineering Human-Based Attacks
Social engineering human-based attacks
1. By phone
2. Dumpster Diving
3. On-Line Social Engineering
4. Persuasion
5. Impersonation
6. Conformity
7. Spying and eavesdropping
8. Questionnaire/ Surveys
9. Tech Support
10. Support staff
11. The voice of authority
12. Chance of ingratiation
13. Important User
14. Third-party authorization
15. Mail-outs
16. Forensic analyse
17. Helpless user
18. Asking for favours
19. Cold calling
20. Contriving situations
21. Free software – Reward
22. Overloading
23. Photography
24. In person
25. Shoulder surfing
26. Familiarity exploit
27. Creating a hostile situation
28. Gather and use Information
29. Get a job there
30. Reading body language
31. Sex sells
32. Reverse social engineering
33. Guilt
34. Piggyback rides
35. Personal stake- phishing
36. Use of Neuro-linguistic programming (NLP) techniques
37. Get smashed
38. Tailgating
39. Theft
40. Fear
41. Diffusion of responsibilities
42. Pharming
43. Pretexting
44. Reconnaissance
45. Simple requests
46. Surveys
Table 2 lists the terms (taxonomy) within the domain of social engineering technical-based attacks. Eleven such terms were found during the literature review, including spam, chain letters, fake mail, phishing, bogus surveys, spyware and malicious software.
Table 2: List of Terms in Social Engineering Technical-Based Attacks
Social engineering technical-based attacks
1. Spam, chain letters and hoaxes
2. Popup window
3. Fake mail and attachments
4. Trojan horse
5. Websites
6. Social (Engineer) networking
7. SMS cell phone
8. Phishing
9. Bogus surveys
10. KeyGhost
11. Spyware & malicious software
Table 3 lists the 26 types of social engineering threats arising from direct or indirect social engineering attacks. These threats vary with the target of the social engineer, which may be sensitive information, organization data security, IDs and passwords, access permissions, access control, unauthorized access, or viruses, worms and malicious code.
Table 3: List of Terms in Social Engineering Threats
Social engineering threats
1. Sensitive information
2. Organization data security
3. Harvest passwords
4. Individual settings
5. ID and password
6. Sabotage a network
7. Database security
8. Valuable-information – confidential-file
9. Stealing confidential data
10. Phone-card numbers
11. Bypassing secure area control
12. Access control
13. Financial & personal information
14. Bypassing physical security control
15. Bank-account & passwords
16. Trade secrets
17. Individual/organization information
18. Organization's systems
19. Unauthorized access
20. Data files
21. Physical access
22. Workstations & network
23. Viruses-worms-malicious code
24. Loss of productivity & network resources
25. E-mail address
26. Credit cards
Table 4 lists 20 examples of countermeasures against social engineering attacks, which primarily target human weaknesses. Previous studies (Ghafir et al., 2018; Ki-Aries and Faily, 2017) suggested that social engineering threats can be prevented through human awareness, a documented security policy, training on the security policy, a frequent password change policy, physical security solutions, system security solutions, operating procedures and a security culture.
Table 4: List of Terms in Social Engineering Countermeasures
Social engineering countermeasures
1. Human awareness
2. Employee Training
3. Keep all trash in secured, monitored areas
4. Don’t repeat the use of one simple password
5. Require all guests to be escorted
6. Don't type in passwords with anyone else looking
7. Identity management policy
8. Caller ID technology
9. Enhance/ Train-on / Follow security policy
10. Educate employees
11. Physical security
12. System level security
13. Shred important and sensitive data
14. Documents security policy
15. Training on security policy
16. Password never spoken over phone
17. Physical technical solutions
18. Operating procedures
19. Always update scanners
20. Security culture
6. Ontology Development
This section presents the development of the proposed social engineering ontology.
A. Implementation in Protégé 4.2
This study used Protégé 4.2 as the tool for developing the ontology. Figure 2 shows Social_Engineering as the main class of the ontology, with the Types (Human-Based_Attacks and Technical-Based_Attacks), Countermeasures and Threats listed as the middle level, or subclasses, of the ontology. The classes are abstract groups, sets or collections of objects. The human-based attacks class contains all instances that target victims through direct interaction, whereas the technical-based attacks class contains all instances that target computer systems and their users. The threats class was created to hold instances of the potential threats and vulnerabilities caused by social engineering attacks. The countermeasures class holds instances that represent methods and techniques for avoiding social engineering attacks.
Figure 2: The Main Class and the Sub-Classes of the Proposed Social Engineering Ontology
Figure 3 shows all individuals under Human-Based_Attacks and Technical-Based_Attacks, which are grouped under the Types subclass. Individuals, or instances, are the basic ground-level components of an ontology. The description of an individual also records whether it is declared the 'same individual as' other terms. For example, the member Impersonation is declared the same individual as Support_staff, Tech_Support, The_voice_of_Authority and Third-party_Authorization. Figure 4 gives the visual representation of the subclass and its individuals.
Figure 3: Sample Description of Individuals
Figure 4: An Example of a Class and Its Individuals
Figure 5 shows the list of object properties in the social engineering ontology. Object properties describe how classes relate to one another through their instances. For example, Affect_Organization represents the relationship whereby the threat Physical Access affects an organization through the Reconnaissance and Get-smashed attacks.
Figure 5: The Main Class and the Sub-Classes of the Proposed Social Engineering Ontology
The DL Query tab in Protégé provides an easy way to search for a class, property or individual within a single construct, called a frame. Figure 6 displays a query result obtained with the DL Query tab. For example, querying the Countermeasures_to_People_Attacks relationship for the Dumpster_Diving instance returns the suggestion "Keep trash in secure and monitored area".
Figure 6: Sample of DL Query
The final social engineering ontological hierarchy view is shown in Figure 7. A hierarchy is like a tree, organized into orders or ranks, each subordinate to the one above it. The relationships can describe either the relation between instances of two classes or the relation between instances of classes and the Resource Description Framework (RDF) schema. The relationships in this ontology were divided into six types of relations:
i) Affect_Individual represents the relationship between Threats instances that affect individuals and the Types class;
ii) Affect_Organization represents the relationship between Threats instances that affect organization facilities and the Types class;
iii) Countermeasures_to_People_Attacks represents the relationship between instances of the Human-Based_Attacks and Countermeasures classes;
iv) Countermeasures_to_Tech_Attacks represents the relationship between instances of the Technical-Based_Attacks and Countermeasures classes;
v) Has_Direct_Interaction represents the relationship between instances of the Human-Based_Attacks class and other instances in the Types class; and
vi) Has_Indirect_Interaction represents the relationship between instances of the Technical-Based_Attacks class and other instances in the Types class.
These relations associate one individual with another across the ontology classes. For example, the Countermeasures_to_Tech_Attacks relationship can associate the individual Security_culture of the Countermeasures class with the individual Phishing of the Technical-Based_Attacks class.
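The construction described in the Method (Section 4, stages D to H) and the classes, individuals, object properties and DL query of Section 6 can be reproduced outside Protégé. The following Python is an added example, not the authors' ontology file: it builds an in-memory model from the class hierarchy, the individuals and the six object properties the text names, answers the Figure 6 query (countermeasures for Dumpster_Diving), checks every property assertion against the property's declared domain and range, and serialises the result as Turtle with the standard OWL/RDFS vocabulary so it can be loaded into Protégé. The namespace is a placeholder, and individual names with spaces or hyphens (e.g. "Get smashed") are normalised to underscores; both are assumptions.

```python
"""In-memory model of the social engineering ontology of Sections 4 and 6.
Added example constructed from the text, not the authors' Protégé file.
Assumptions: placeholder namespace; 'Get smashed' normalised to Get_smashed."""

# Class hierarchy as child -> parent (Figures 1 and 2)
SUBCLASS_OF = {
    "Types": "Social_Engineering",
    "Threats": "Social_Engineering",
    "Countermeasures": "Social_Engineering",
    "Human-Based_Attacks": "Types",
    "Technical-Based_Attacks": "Types",
}

# Individuals named in Sections 5 and 6, keyed by their most specific class
INDIVIDUALS = {
    "Human-Based_Attacks": ["Dumpster_Diving", "Impersonation", "Support_staff",
                            "Tech_Support", "The_voice_of_Authority",
                            "Third-party_Authorization", "Reconnaissance", "Get_smashed"],
    "Technical-Based_Attacks": ["Phishing"],
    "Threats": ["Physical_Access"],
    "Countermeasures": ["Keep_trash_in_secure_and_monitored_area", "Security_culture"],
}

# The six object properties of Section 6 as (domain, range)
OBJECT_PROPERTIES = {
    "Affect_Individual": ("Threats", "Types"),
    "Affect_Organization": ("Threats", "Types"),
    "Countermeasures_to_People_Attacks": ("Human-Based_Attacks", "Countermeasures"),
    "Countermeasures_to_Tech_Attacks": ("Technical-Based_Attacks", "Countermeasures"),
    "Has_Direct_Interaction": ("Human-Based_Attacks", "Types"),
    "Has_Indirect_Interaction": ("Technical-Based_Attacks", "Types"),
}

# Property assertions quoted in the text, as (subject, property, object) triples
ASSERTIONS = [
    ("Dumpster_Diving", "Countermeasures_to_People_Attacks",
     "Keep_trash_in_secure_and_monitored_area"),
    ("Phishing", "Countermeasures_to_Tech_Attacks", "Security_culture"),
    ("Physical_Access", "Affect_Organization", "Reconnaissance"),
    ("Physical_Access", "Affect_Organization", "Get_smashed"),
]

# 'Same individual as' group from the discussion of Figure 3 (owl:sameAs)
SAME_AS = [{"Impersonation", "Support_staff", "Tech_Support",
            "The_voice_of_Authority", "Third-party_Authorization"}]

def superclasses(cls):
    """Ancestors of cls, nearest first (transitive closure of rdfs:subClassOf)."""
    chain = []
    while cls in SUBCLASS_OF:
        cls = SUBCLASS_OF[cls]
        chain.append(cls)
    return chain

def members_of(cls):
    """Individuals of cls and of all its subclasses, i.e. what a DL Query
    for the class name returns with 'Instances' ticked."""
    return sorted(ind for c, members in INDIVIDUALS.items() for ind in members
                  if c == cls or cls in superclasses(c))

def same_as(ind):
    """All individuals declared identical to ind (including ind itself)."""
    for group in SAME_AS:
        if ind in group:
            return set(group)
    return {ind}

def check_assertions(assertions=ASSERTIONS):
    """Domain/range check: report every triple whose subject or object is not
    an instance of the property's declared domain or range."""
    errors = []
    for s, p, o in assertions:
        domain, rng = OBJECT_PROPERTIES[p]
        if s not in members_of(domain):
            errors.append(f"{s} is not a {domain}")
        if o not in members_of(rng):
            errors.append(f"{o} is not a {rng}")
    return errors

def query(ind, prop):
    """Objects related to ind through prop, treating sameAs individuals as one
    node. Mirrors the Figure 6 query for Dumpster_Diving."""
    subjects = same_as(ind)
    return sorted(o for s, p, o in ASSERTIONS if p == prop and s in subjects)

def to_turtle(base="http://example.org/social-engineering#"):  # placeholder IRI
    """Serialise the model as Turtle using the standard OWL/RDFS vocabulary.
    Turtle local names may contain '-' after the first character."""
    lines = [f"@prefix : <{base}> .",
             "@prefix owl: <http://www.w3.org/2002/07/owl#> .",
             "@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .", "",
             ":Social_Engineering a owl:Class ."]
    lines += [f":{c} a owl:Class ; rdfs:subClassOf :{p} ." for c, p in SUBCLASS_OF.items()]
    lines += [f":{p} a owl:ObjectProperty ; rdfs:domain :{d} ; rdfs:range :{r} ."
              for p, (d, r) in OBJECT_PROPERTIES.items()]
    lines += [f":{i} a owl:NamedIndividual , :{c} ."
              for c, members in INDIVIDUALS.items() for i in members]
    lines += [f":{s} :{p} :{o} ." for s, p, o in ASSERTIONS]
    for group in SAME_AS:
        first, *rest = sorted(group)
        lines += [f":{first} owl:sameAs :{other} ." for other in rest]
    return "\n".join(lines)
```

Calling `query("Dumpster_Diving", "Countermeasures_to_People_Attacks")` returns the single countermeasure the text reports for Figure 6, and `check_assertions()` returns no errors for the assertions quoted in the paper; passing it a triple that uses Countermeasures_to_People_Attacks with a Technical-Based_Attacks subject reports the domain violation, which is the kind of modelling mistake a reasoner in Protégé would flag when the property facets of stage F are declared.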
Figure 7: The Final Social Engineering Ontological Hierarchy View
7. Conclusion
This study provides a detailed review and analysis of publications in the social engineering domain retrieved from Google Scholar and published from 2015 to 2018. The concepts and the relations between the terms were listed in order to develop the taxonomy. The taxonomy gives some indication of how to identify the social engineering types and how to categorize the attacks according to the types and the countermeasures. The main challenges in developing the ontology were extracting the knowledge from the publications and determining the classes, entities, relationships between the terms, and properties of things in the Protégé environment. In the future, this ontology can be reused as a starting point for expanding the existing domain, or it can be merged with other ontologies.
Further work can also focus on adding the latest social engineering countermeasures, commensurate with the evolution of current social engineering attacks, as well as adding more relationships between classes and instances in order to classify a larger range of social engineering attacks.
References
Anthony, K.A. and Ziduan, X. (2013). Review and Meta: Analysis Psychological Conceptual Frameworks and Concepts Applied in Social Engineering. Independent thesis, Advanced level (Degree of Master). Luleå University of Technology: p.65. Available at http://ltu.diva-portal.org/smash/get/diva2:1018376/FULLTEXT02.pdf
Carnegie Mellon University. (2014). Unintentional Insider Threats: Social Engineering. Department of Homeland Security, Federal Network Resilience Cybersecurity Assurance Branch. Available at https://resources.sei.cmu.edu/asset_files/Technical Note/201400400177459.pdf
Feresa Mohd Foozy, Rabiah Ahmad, Mohd Faizal Abdollah, Robiah Yusof and Mohd Zaki Mas’ud. (2011). Generic Taxonomy of Social Engineering Attack. In: Malaysian Technical Universities International Conference on Engineering & Technology (MUiCET 2011), 13-15 November 2011, UTHM, Batu Pahat, Johor. Available at http://eprints.utem.edu.my/191/
Ghafir, I., Saleem, J., Hammoudeh, M., Faour, H., Prenosil, V., Jaf, S., Jabbar, S. and Baker, T. (2018). Security Threats to Critical Infrastructure: The Human Factor. J Supercomput. Available at https://doi.org/10.1007/s11227-018-2337-2
Gruber, T.R. (1993). A translation approach to portable ontology specifications. Knowledge Acquisition, vol. 5 (2): 199-220. Available at https://doi.org/10.1006/knac.1993.1008
Ki-Aries, D. and Faily, S. (2017). Persona-Centred Information Security Awareness. Computers & Security, vol. 70: 663-674. Available at https://doi.org/10.1016/j.cose.2017.08.001
Mouton, F., Leenen, L., Malan, M.M. and Venter, H.S. (2014). Towards an Ontological Model Defining the Social Engineering Domain. In: Kimppa K., Whitehouse D., Kuusela T., Phahlamohlaka J. (eds) ICT and Society. HCC 2014. IFIP Advances in Information and Communication Technology, vol. 431. Springer, Berlin, Heidelberg. Available at https://doi.org/10.1007/978-3-662-44208-1_22
Noy, N.F. and McGuinness, D.L. (2001). Ontology Development 101: A Guide to Creating Your First Ontology. Stanford Knowledge Systems Laboratory Technical Report KSL-01-05 and Stanford Medical Informatics Technical Report SMI-2001-0880. Stanford University.
Raskin, V., Taylor, J.M. and Hempelmann, C.F. (2010). Ontological semantic technology for detecting insider threat and social engineering. Proceedings of the 2010 Workshop on New Security Paradigms, September 21-23, 2010, Concord, Massachusetts, USA. Available at https://doi.org/10.1145/1900546.1900563