Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

SENet: Visual Detection of Online Social Engineering Attack Campaigns

Irfan Ozen, Karthika Subramani, Phani Vadrevu, Roberto Perdisci

TL;DR

SESHIELD presents an in-browser defense against generic web-based social engineering attacks by combining SECrawler for data collection, SENet for visual detection, and SEGuard for real-time browser alerts. The SENet model, adapted to handle arbitrary webpage sizes and trained via localized federated learning, achieves up to 99.6% recall at 1% false positives and generalizes across unseen screen sizes and campaigns. The framework is validated with an extensive dataset of 7,484 SE-attack images across 74 campaigns and demonstrates practical deployment via a MobileNetV2-based SEGuard with sub-second latency. The work advances defense against diverse SE techniques beyond phishing and provides open-source components and datasets to catalyze future research.

Abstract

Social engineering (SE) aims at deceiving users into performing actions that may compromise their security and privacy. These threats exploit weaknesses in human's decision making processes by using tactics such as pretext, baiting, impersonation, etc. On the web, SE attacks include attack classes such as scareware, tech support scams, survey scams, sweepstakes, etc., which can result in sensitive data leaks, malware infections, and monetary loss. For instance, US consumers lose billions of dollars annually due to various SE attacks. Unfortunately, generic social engineering attacks remain understudied, compared to other important threats, such as software vulnerabilities and exploitation, network intrusions, malicious software, and phishing. The few existing technical studies that focus on social engineering are limited in scope and mostly focus on measurements rather than developing a generic defense. To fill this gap, we present SEShield, a framework for in-browser detection of social engineering attacks. SEShield consists of three main components: (i) a custom security crawler, called SECrawler, that is dedicated to scouting the web to collect examples of in-the-wild SE attacks; (ii) SENet, a deep learning-based image classifier trained on data collected by SECrawler that aims to detect the often glaring visual traits of SE attack pages; and (iii) SEGuard, a proof-of-concept extension that embeds SENet into the web browser and enables real-time SE attack detection. We perform an extensive evaluation of our system and show that SENet is able to detect new instances of SE attacks with a detection rate of up to 99.6% at 1% false positive, thus providing an effective first defense against SE attacks on the web.

SENet: Visual Detection of Online Social Engineering Attack Campaigns

TL;DR

SESHIELD presents an in-browser defense against generic web-based social engineering attacks by combining SECrawler for data collection, SENet for visual detection, and SEGuard for real-time browser alerts. The SENet model, adapted to handle arbitrary webpage sizes and trained via localized federated learning, achieves up to 99.6% recall at 1% false positives and generalizes across unseen screen sizes and campaigns. The framework is validated with an extensive dataset of 7,484 SE-attack images across 74 campaigns and demonstrates practical deployment via a MobileNetV2-based SEGuard with sub-second latency. The work advances defense against diverse SE techniques beyond phishing and provides open-source components and datasets to catalyze future research.

Abstract

Social engineering (SE) aims at deceiving users into performing actions that may compromise their security and privacy. These threats exploit weaknesses in human's decision making processes by using tactics such as pretext, baiting, impersonation, etc. On the web, SE attacks include attack classes such as scareware, tech support scams, survey scams, sweepstakes, etc., which can result in sensitive data leaks, malware infections, and monetary loss. For instance, US consumers lose billions of dollars annually due to various SE attacks. Unfortunately, generic social engineering attacks remain understudied, compared to other important threats, such as software vulnerabilities and exploitation, network intrusions, malicious software, and phishing. The few existing technical studies that focus on social engineering are limited in scope and mostly focus on measurements rather than developing a generic defense. To fill this gap, we present SEShield, a framework for in-browser detection of social engineering attacks. SEShield consists of three main components: (i) a custom security crawler, called SECrawler, that is dedicated to scouting the web to collect examples of in-the-wild SE attacks; (ii) SENet, a deep learning-based image classifier trained on data collected by SECrawler that aims to detect the often glaring visual traits of SE attack pages; and (iii) SEGuard, a proof-of-concept extension that embeds SENet into the web browser and enables real-time SE attack detection. We perform an extensive evaluation of our system and show that SENet is able to detect new instances of SE attacks with a detection rate of up to 99.6% at 1% false positive, thus providing an effective first defense against SE attacks on the web.
Paper Structure (23 sections, 9 figures, 12 tables, 1 algorithm)

This paper contains 23 sections, 9 figures, 12 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Framework Overview
  3. Approach Motivation
  4. Framework Components
  5. Framework Details
  6. SECrawler
  7. SENet
  8. SEGuard
  9. Experimental Setup
  10. SECrawler Setup
  11. SENet Setup
  12. Hyperparameter Tuning
  13. Data Augmentation
  14. SEGuard Setup
  15. Experimental Results
  16. ...and 8 more sections

Figures (9)

  • Figure 1: SEShield framework overview. SENet represents the primary contribution and main research focus of this paper. SECrawler and SEGuard are implemented as early prototypes that we use for training data collection and to demonstrate the viability of SENet and of the entire SEShield defense framework to enable a practical in-browser defense against SE attacks.
  • Figure 2: Original vs. adapted VGG19 architecture.
  • Figure 3: ROC curve for the VGG-19-based SENet model.
  • Figure 4: ROC curve for the generalization to new screen sizes. Notice that false positives are represented in logarithmic scale, to highlight the classifier's performance at low false positive rates.
  • Figure 5: Examples of screenshots from each of the 10 randomly selected test campaigns.
  • ...and 4 more figures