A multi-modal neuro-physiological study of phishing detection and malware warnings

Ajaya Neupane, Md Lutfor Rahman, Nitesh Saxena, Leanne M Hirshfield

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

17 Citations (Scopus)

Abstract

Detecting phishing attacks (identifying fake vs. real websites) and heeding security warnings represent classical user-centered security tasks subjected to a series of prior investigations. However, our understanding of user behavior underlying these tasks is still not fully mature, motivating further work concentrating at the neurophysiological level governing the human processing of such tasks. We pursue a comprehensive three-dimensional study of phishing detection and malware warnings, focusing not only on what users' task performance is but also on how users process these tasks based on: (1) neural activity captured using Electroencephalogram (EEG) cognitive metrics, and (2) eye gaze patterns captured using an eyetracker. Our primary novelty lies in employing multi-modal neurophysiological measures in a single study and providing a near realistic set-up (in contrast to a recent neuro-study conducted inside an fMRI scanner). Our work serves to advance, extend and support prior knowledge in several significant ways. Specifically, in the context of phishing detection, we show that users do not spend enough time analyzing key phishing indicators and often fail at detecting these attacks, although they may be mentally engaged in the task and subconsciously processing real sites differently from fake sites. In the malware warning tasks, in contrast, we show that users are frequently reading, possibly comprehending, and eventually heeding the message embedded in the warning. Our study provides an initial foundation for building future mechanisms based on the studied real-time neural and eye gaze features, that can automatically infer a user's "alertness" state, and determine whether or not the user's response should be relied upon.

Original language: English (US)
Title of host publication: Proceedings of the ACM Conference on Computer and Communications Security
Publisher: Association for Computing Machinery
Pages: 479-491
Number of pages: 13
Volume: 2015-October
ISBN (Print): 9781450338325
DOI: https://doi.org/10.1145/2810103.2813660
State: Published - Oct 12 2015
Event: 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015 - Denver, United States
Duration: Oct 12 2015 to Oct 16 2015

Other

Other: 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015
Country: United States
City: Denver
Period: 10/12/15 to 10/16/15

Fingerprint

Processing
Electroencephalography
Websites
Malware
Magnetic Resonance Imaging

Keywords

  • EEG
  • Eye tracking
  • Malware warnings
  • Neuroscience
  • Phishing detection

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Cite this

Neupane, A., Rahman, M. L., Saxena, N., & Hirshfield, L. M. (2015). A multi-modal neuro-physiological study of phishing detection and malware warnings. In Proceedings of the ACM Conference on Computer and Communications Security (Vol. 2015-October, pp. 479-491). Association for Computing Machinery. https://doi.org/10.1145/2810103.2813660
