Social Engineering Attack Graph for Security Risk Assessment: Social Engineering Attack Graph framework(SEAG) (보안 위험 평가를 위한 사회공학 공격 그래프 : Social Engineering Attack Graph framework(SEAG))

Kim Jun Seok (김준석); Hyunjae Kang (강현재); Jinsoo Kim (김진수); Huy-Kang Kim (김휘강)

doi:10.9708/jksci.2018.23.11.075

Social Engineering Attack Graph for Security Risk Assessment: Social Engineering Attack Graph framework(SEAG)

Journal of The Korea Society of Computer and Information
Abbr : JKSCI
2018, 23(11), pp.75-84
DOI : 10.9708/jksci.2018.23.11.075
Publisher : The Korean Society Of Computer And Information
Research Area : Engineering > Computer Science
Received : August 30, 2018
Accepted : October 22, 2018
Published : November 30, 2018

Kim Jun Seok ¹, Hyunjae Kang ¹, Jinsoo Kim ², Huy-Kang Kim ¹

¹고려대학교
²국방과학연구소

Accredited

ABSTRACT

Social engineering attack means to get information of Social engineering attack means to get information of opponent without technical attack or to induce opponent to provide information directly. In particular, social engineering does not approach opponents through technical attacks, so it is difficult to prevent all attacks with high-tech security equipment. Each company plans employee education and social training as a countermeasure to prevent social engineering. However, it is difficult for a security officer to obtain a practical education(training) effect, and it is also difficult to measure it visually. Therefore, to measure the social engineering threat, we use the results of social engineering training result to calculate the risk by system asset and propose a attack graph based probability. The security officer uses the results of social engineering training to analyze the security threats by asset and suggests a framework for quick security response. Through the framework presented in this paper, we measure the qualitative social engineering threats, collect system asset information, and calculate the asset risk to generate probability based attack graphs. As a result, the security officer can graphically monitor the degree of vulnerability of the asset's authority system, asset information and preferences along with social engineering training results. It aims to make it practical for companies to utilize as a key indicator for establishing a systematic security strategy in the enterprise.

KEYWORDS

Attack graph, Social engineering, Risk assessment, Network security, APT attack

Citation status

* References for papers published after 2023 are currently being built.

[book] Mitnick, Kevin D. / 2011 / The art of deception: Controlling the human element of security / John Wiley & Sons

[book] Hadnagy, Christopher / 2010 / Social engineering: The art of human hacking / John Wiley & Sons

[thesis] Artz, Michael Lyle / 2002 / Netspa: A network security planning architecture / Massachusetts Institute of Technology

[confproc] Ou, Xinming / 2005 / MulVAL: A Logic-based Network Security Analyzer / USENIX Security Symposium 8

[confproc] Ou, Xinming / 2006 / A scalable approach to attack graph generation / Proceedings of the 13th ACM conference on Computer and communications security. ACM

[confproc] Ingols, Kyle / 2006 / Practical attack graph generation for network defense / Computer Security Applications Conference, 2006. ACSAC'06. 22nd Annual. IEEE

[journal] Poolsappasit, Nayot / 2012 / Dynamic security risk management using bayesian attack graphs / IEEE Transactions on Dependable and Secure Computing 9(1) : 61~74

[confproc] Wang, Lingyu / 2008 / An attack graph-based probabilistic security metric / IFIP Annual Conference on Data and Applications Security and Privacy. Springer

[confproc] Keramati, Marjan / 2013 / CVSS-based security metrics for quantitative analysis of attack graphs / Computer and Knowledge Engineering (ICCKE), 2013 3th International eConference on. IEEE

[journal] Wang, Lingyu / 2014 / k-zero day safety: A network security metric for measuring the risk of unknown vulnerabilities / IEEE Transactions on Dependable and Secure Computing 11(1) : 30~44

[confproc] Yusuf, Simon Enoch / 2016 / Security Modelling and Analysis of Dynamic Enterprise Networks / Computer and Information Technology (CIT), 2016 IEEE International Conference on. IEEE

[confproc] Moon, Young Hoon / 2016 / Hybrid Attack Path Enumeration System Based on Reputation Scores / Computer and Information Technology (CIT), 2016IEEE International Conference on. IEEE

[confproc] Ge, Mengmeng / 2017 / Evaluating Security and Availability of Multiple Redundancy Designs when Applying Security Patches / Dependable Systems and Networks Workshop (DSN-W), 2017 47th Annual IEEE/IFIP International Conference on. IEEE

[confproc] Dimkov, Trajce / 2010 / Two methodologies for physical penetration testing using social engineering / Proceedings of the 26th annual computer security applications conference. ACM

[confproc] Ivaturi, Koteswara / 2011 / A taxonomy for social engineering attacks / International Conference on Information Resources Management. Centre for Information Technology, Organizations, and People

[confproc] Pavković, Nikola / 2011 / Social Engineering Toolkit—A systematic approach to social engineering / MIPRO, 2011 Proceedings of the 34th International Convention. IEEE

[confproc] Algarni, Abdullah / 2013 / Social engineering in social networking sites: Affect-based model / Internet technology and secured transactions (icitst), 2013 8th international conference for. IEEE

[confproc] Mouton, Francois / 2014 / Social engineering attack framework / Information Security for South Africa (ISSA), 2014. IEEE

[book] Beckers, Kristian / 2015 / Data privacy management, autonomous spontaneous security, and security assurance / Springer : 216~232

[journal] 문주연 / 2018 / An Attack Graph Model for Dynamic Network Environment / 정보보호학회논문지 / 한국정보보호학회 28(2) : 485~500

KJCKorea
Journal Central

Journal of The Korea Society of Computer and Information 2023 KCI Impact Factor : 0.65

Social Engineering Attack Graph for Security Risk Assessment: Social Engineering Attack Graph framework(SEAG)

ABSTRACT

KEYWORDS

Citation status

* References for papers published after 2023 are currently being built.

Journal of The Korea Society of Computer and Information 2023 KCI Impact Factor : 0.65

Social Engineering Attack Graph for Security Risk Assessment: Social Engineering Attack Graph framework(SEAG)

ABSTRACT

KEYWORDS

Statistics

Tools

Issue List

Citation status

KCI Citation Counts (0)

REFERENCES (20) * References for papers published after 2023 are currently being built.

Search PDF

Citation

* References for papers published after 2023 are currently being built.