Deep Phishing

Lead Research Organisation: University of Oxford
Department Name: Computer Science

Abstract

While advances in security and software engineering processes have greatly increased the robustness and resilience of software to cyber attacks, comparable advances in cyber security resilience have not been made at the human level. This shortcoming can be effectively observed across a spectrum of successful human-centric cyber crime campaigns, such as social engineering, phishing and psychological operations (PsyOps). Recent developments in the field of artificial intelligence (AI), together with increased data collation capabilities facilitated by methods drawn from social engineering, threaten to increase the effectiveness of these attacks, providing adversaries with the extended capability of scaling their capacity to both act and sound human, underpinned by the information necessary to inform attempted mimicry. Two such advancements are the introduction of deep fake technologies, which have enabled the hijacking of trusted personas at will by means of impersonation, and the development of open-source intelligence (OSINT) tools capable of mining publicly accessible information, such as that on social media sites. Understanding the threats these technologies pose in the context of cyber security, especially in enabling targeted social engineering, remains an under-researched area. To these ends, we plan to evaluate existing attack frameworks across each of the aforementioned criminal domains, identifying key aspects which may be automated or enhanced through the assumption of AI. In particular, we aim to explore potential capability extensions within targeted spear phishing campaigns, enabled by the introduction of deep fake technologies into the kill chain, in what we refer to as a Deep Phishing attack. Deep Phishing can best be defined as the AI-facilitated impersonation of an individual, for the purpose of extracting information from a target with which they have sufficient social proximity.

The primary intended outcomes of our research are threefold. First, we aim to extrapolate future attack models given the observable advances in deep fake generation capabilities, and how that might impact more traditional social engineering attack models.

Second, we plan to gain an understanding of the identified emerging threats, through the prototyping of software capable of performing the proposed attacks.

Finally, we intend to explore potential mitigation strategies, including improving target resilience through automated, AI-based red-teaming against individuals.

Beyond this, we wish to analyse how accessible information on an individual (via sources such as social media and data leaks) can, through data correlation, be indicative of one's exposure to attack, with the goal of informing future personal information publishing decisions and next generation user authentication protocols. To these ends, we hope to understand whether fundamental knowledge gaps across users could be addressed using intelligent tutoring (ITS) approaches to personalise and tailor representations with detail appropriate to the user's understanding.

Planned Impact

It is part of the nature of Cyber Security - and a key reason for the urgency in developing new research approaches - that it now is a concern of every section of society, and so the successful CDT will have a very broad impact indeed. We will ensure impact for:

* The IT industry; vendors of hardware and software, and within this the IT Security industry;

* High value/high assurance sectors such as banking, bio-medical domains, and critical infrastructure, and more generally the CISO community across many industries;

* The mobile systems community, mobile service providers, handset and platform manufacturers, those developing the technologies of the internet of things, and smart cities;

* Defence sector, MoD/DSTL in particular, defence contractors, and the intelligence community;

* The public sector more generally, in its own activities and in increasingly important electronic engagement with the citizen;

* The not-for-profit sector, education, charities, and NGOs - many of whom work in highly contended contexts, but do not always have access to high-grade cyber defensive skills.

Impact in each of these will be achieved in fresh elaborations of threat and risk models; by developing new fundamental design approaches; through new methods of evaluation, incorporating usability criteria, privacy, and other societal concerns; and by developing prototype and proof-of-concept solutions exhibiting these characteristics. These impacts will retain focus through the way that the educational and research programme is structured - so that the academic and theoretical components are directed towards practical and anticipated problems motivated by the sectors listed here.

Publications


Studentship Projects

| Project Reference | Relationship | Related To | Start | End | Student Name |
|---|---|---|---|---|---|
| EP/P00881X/1 | | | 01/10/2016 | 31/03/2023 | |
| 2068338 | Studentship | EP/P00881X/1 | 01/10/2018 | 30/09/2022 | Jack Jackson |