Social Engineering (SE) is an umbrella term for a series of methods and techniques where attackers are luring users into revealing sensitive, confidential and personal

information to be used in committing fraud and other illegal activities. This challenge is well acknowledged, however, there is no SE detection mechanism or methodology that can dynamically detect and adapt to SE approaches and “patterns” being developed constantly. Several research projects have been proposing the need for an automated system to recognize SE attacks based most commonly on Natural Language Processing (NLP) and Machine Learning (ML) techniques. Whilst these exist there has been little of the rate of success [ 1-4 ]. SE is based on human psychology and the method of persuasion relating to the 6 principles of Authority, Scarcity, Liking/Similarity, Reciprocation, Social Proof and Commitment/Consistency. Work in the area of Computer Science and SE is usually converting these principles to the stages of: Data-Preprocessing, Feature Extraction, Feature Scoring and Aggregation. To determine whether a dialog is a SE attack, certain criteria should be evaluated against a number of features. We select these features prior the three stages and we base them on the principles of persuasion, common SE tactics like malicious links and the history of the attacker. Further feature classification generates a ‘score’ in term of how possible the selected dialog is to match the SE criteria.

This work is based on the concept that a dialogue is taking place in an online chat environment where there are fair chances of SE taking place. Each implementation is designed to detect features by using a variety of classification techniques, such as: Case-based Reasoning, Fuzzy Logic, Topic Blacklists, Decision Trees, Random Forest and Deep Neural Networks depending on what needs to be extracted. An automated system requires the output of a clear decision, albeit a probabilistic decision. This can be done by aggregating the outputs from the Feature Extraction process. The results of each feature are weighted by importance, and at basic level can be averaged to give a Fuzzy logic prediction. By using more advanced techniques such as decision trees or neural networks, the weight of each feature can be calculated programmatically to determine which features carry the most importance regarding whether or not a social engineering attack is taking place.

The following contributions are delivered: 1. 2.

A method for detecting social engineering attack in online chat environments is proposed using CBR and Deep Learning The proposed method is evaluated using a real and a semi-synthetic dataset with the results validating our approach.

The rest of the paper is organized as follows: section 2 presents the related work, section 3 delivers the proposed method, section 4 contains the experimental evaluation and section 5 is the conclusions part. 2

An early implementation of SE detection in real-time telephone systems is SEDA (Social Engineering Defense Architecture) [ 7 ]. The researchers mainly focused on identifying repeat callers using their voice signatures. Later a proof of concept model of SEDA [ 8 ] was produced being able to correctly identify all attacks in their dataset. A method of detection used by [ 1 ] is to identify the questions requesting private information and commands requesting that the user perform tasks they are not authorized to perform. This technique uses a manually derived topic blacklist of verb-noun pairs for which they state should be built around security policies associated with a system. This work is taken further in [ 2 ] by identifying 4 main attack; the urgency of the dialog, negative commands and questions, whether the message is likely automated identified by a generic greeting. Finally, they use a reputable cyber security service, Netcraft, to check the safety of a URL. Instead of manual blacklist creation, they use a large corpus of phishing emails to generate a topic blacklist using a Naive Bayes classier. Some approaches like SEADMv2 [ 3 ] and MPMPA [ 9 ] use complex state machines in order to map out the pathways that can be followed as a checklist-type system to mitigate an attack. This proposal is suited where there are multiple authorization layers that might prevent a request from being carried out. These two separate machines provide some overlap, but the explicit state definition required could be limiting to where these can be applied. The nature of SE attacks is unpredictable meaning that new methods of attacks are always being introduced. The SEADM versions state machines still rely on the user input for changing state, which means the chance for user error and naivety is still present. The works of [ 4 ] covers an extensive overview of the existing systems and provide a comprehensive recognition of subsystems for their detection architecture; in influence, deception, personality, speech act and past experiences. The work of [ 10 ] provides a semantic based approach of dialogues to detect social engineering attacks. In [ 11 ] the authors show that the human factor is the weakest link in social engineering attacks and based on a human study the prove that. In [ 12 ] and [ 13 ] the authors provide a theoretical foundation that potentially could be used in real systems to detect attacks., In the works of [ 14 ] it is explained how social engineering attacks can potentially be detected, whereas in [ 15 ] and [ 16 ] different examples of attacks with scenarios are presented. In addition to the works mentioned, there are numerous other articles from relevant domains that can be useful such as the one in [ 17 ] where the authors performed an influence analysis of the number of members on the quality of knowledge in a collective, the work in [18] where a neural network is used along with harmony for searching, the one in [19] where nature inspired optimization algorithms for fuzzy control servo systems are discussed and the one found in [20] where an Island-based cuckoo search algorithm with highly disruptive polynomial mutation is proposed 3

A dialog in a social media engine, chat or web forum can reveal whether we do have a social engineering attempt or not. To evaluate our approach, we preprocess dialogs and convert them into a dataset for classification. A python pipeline has been created using SymSpellpy for spelling, a custom Case-based Reasoning system for link checking, Scikit learn for baseline classifiers and Keras for deep learning models. The score of each feature can be given by: Link score, !", Spelling score, !#$, and Intent score, !%. Each score is then normalized and the value range resides between 0 and 1. After the pre-processing of the dialogues (steps 1 – 11), the classification dataset has the following 4 labels: (1) Intent, (2) Spelling, (3) Link and (4) attack or no attack. The final steps use these as inputs for the classification mechanisms of an Convolutional Neural classifier.

The methodology is presented below in a concise way: 1. URLs are extracted from a dialog text using a URL regular expression pattern finder

2. If the text contains URLs, the URLs are send to a custom Case-based Reasoning system (CB-Ranker) to evaluate whether the web link is malicious or not 3. CB-Ranker classifies a link based in a set of features related both to its static structural attributes and attributes that pertain to its actual web content. Its features were inspired from Marchal et al. (2014) [21] and the concept of intra-URL relatedness that find “connections” between an investigated URL and text related to this URL. Table 1 shows the features that were considered: The final outcome of CB-Ranker is a “reputation score” for the website that scales between 0-10 followed by a Master Classification Tag (MCT). The MCT has 4 classes which can be Negative (the website is definitely malicious), Questionable (the website has elements of potentially malicious content e.g. ads/ popups), Neutral (various content but not necessarily malicious) and Positive (this pertains to reliable, nonmalicious websites) 4. If the returned category is of group Negative or Questionable, then SL=1. 5. Otherwise, divide the reputation by 100 and take it away from 1 as shown in equation 1.

!" = 1 − *+,-./.0123/4-+ 100 (1) 6. Check for spelling using the SymSpellpy library.

7. Using the best suggested spelling correction, determine the number of misspelled words, given by x. A score between 0 and 1 is then calculated based on Equation 2. The value of SSP represents the spelling quality, where higher values represents !67 = 1 − +89: 8. Correct dialog spelling is then compared to a set of blacklisted words, derived from 48 security policy style words. This can be easily populated with company or environment related words such as: credentials, passwords, database etc. The number of blacklist matched words is given by MB.

9. The algorithm at this step checks for intent verbs and adjectives such as need, must, urgent etc. This value is given by MI

10. To tune the results, values MB and MI are multiplied by the weights WB and WI, weighted at values of 2 and 1 retrospectively. This step has been added as an equation in case someone wants to change the weight of this step, if it is considered more important. The value x can hence be given by equation 3.

Then, the value of x is normalized in equation 4, using the same exponential function as equation 2. Where a=0.4 to give the best output. A higher value of SI indicates a higher concentration of blacklisted words in the text.

!% = 1 − +89: (4) 11. At this step the original dialogue dataset is being checked to identify which dialogue was indeed an attack and assign the true (1) or false (0) value to the new dataset used for classification.

The dataset is populated and a Convolutional Neural Network (CNN) network is applied. If the output is high, then it is considered an attack otherwise it is not considered an attack. The CNN network has been trained over a corpus of dialog cases that have been tagged as SE attacks or not. For its training 3 datasets were used as its base including the targetedemailattacks from tumbler11 , ADFA2 dataset, and a customcases one prepared for the purpose of this work. The network was trained using Keras python library. poor spelling. Equation 2 applies an exponential function to be able to penalize errors in more harsh way compared to a linear function 4

For the evaluation purposes two datasets were used. The first was based on real cyber social engineering attacks whereas a second one was created to test the robustness of 1 https://targetedemailattacks.tumblr.com/ 2 https://www.unsw.adfa.edu.au/ (2) (3) our proposed model classification as presented in section 3. Both datasets where relevant to specific SE patterns out of a population of 147 real entities. CBR was used to preprocess and classify our cases. The classification had four labels relating to (a) intent (b) spelling (c) link (d) is attack. The real dataset cases were obtained from [ 12 ], whereas the synthetic dataset was based on [ 12 ] plus 1200 entries from human support-based cases from the Twitter. All the extra cases were not classified as attacks from a human expert. In both datasets the corpus has been converted to embedding representation and it was associated with its classification labe with four entries each. Three labels for the respective data and one with a yes or no (1 or 0) value of a conversation being a social engineering attack or not. To both datasets a small number of links to websites have been added, with some being malicious.

The accuracy metric has been used for the evaluating the classification models. The metric calculates the fraction of the prediction that each model got right. Equation 10 represents the accuracy where TP stands for true positives, TN for true negatives, FP for false positives and FN for false negatives.

CDD-*/DE =

FG + FH FG + FH + IG + IH (5) The results of the evaluation as shown in tables 1, 2, 3, 4, 5, 6, and 7 are based on the standard and compound datasets respectively and a 5-fold cross-validation approach has been used. In tables 1 to 6 the MAX and MIN values represent the maximum and minimum values of the 5-fold returned after each time the algorithm ran and the MEAN is the median value. Each algorithm was executed 10 times and at the end of each table the value is the mean value of 10 iterations for each of the three table labels. Table 7 however, presents the average mean results for the standard and compound datasets respectively.

Two algorithms from the SciKit and one from Keras libraries have been used for comparison purposes: Decision Tree, Random Forest and Convolutional Neural Network. This paper presents a novel approach for SE attack detection in a web environment based on a combination of deep learning and case-based reasoning working at complementary levels of understanding natural language processing. Our approach processes dialogues, comprising our core for further classification purposes. We have presented an evaluation using both real and a semi-synthetic human dialog conversation whilst getting very high accuracy in social engineering attack detection. We have presented several baseline classification methods for comparison to show the effectiveness of our method. This work presents results of high accuracy; however, we believe that there is still room for improvement. In future work we will investigate adding more features to the dataset as well as applying more sophisticated deep neural network architectures for the classification process. We do aim to improve further the software performance as well as investigate the opportunity to use it at real time as a cybersecurity classification toolkit. 18. Javad, S., Moallem, P., Koofigar, Η. (2017) "Training echo state neural network using harmony search algorithm." Int. J. Artif. Intell 15.1 (2017): 163-179. 19. Precup, R. E., and Radu-Codrut D. (2019) Nature-Inspired Optimization Algorithms for

Fuzzy Controlled Servo Systems. Butterworth-Heinemann 20. Bilal H., Abedalguni. (2019) “Island-based Cuckoo Search with Highly Disruptive Polynomial Mutation”. Int. J. Artif. Intell 17.1 (2019): 57-82 21. Marchal, S., Franc Ãßois, J. State, R. , Engel, T. (2014), "Phishstorm: Detecting phishing with streaming analytics," IEEE Transactions on Network and Service Management, vol. 11, no. 4, pp. 458-471