Encountering social engineering activities with a novel honeypot mechanism

ABSTRACT


INTRODUCTION
Information and communication technology (ICT) has simplified everything through virtual networks and allowed people to perform tasks that were previously impossible because of national boundaries. Literally everything can be performed easily, quickly and, most importantly, anonymously if needed. The investigation of computer network security defensive mechanisms has become vital to make users feel safer and more protected when using the network. ICT can be used to commit crime in a variety of ways [1], [2]. It can be the target of crime, where the attackers attempt to compromise the confidentiality, integrity, and availability of data (the CIA triad), or in some cases the attacker uses ICT as a method of operation to enable the crime, such as harassment and bullying, or to hold and share terrorism content within the ICT component. Whatever the approach used, the attacker will always try to cause harm, obtain financial gain, or satisfy his malicious instinct [3].
Encountering social engineering activities with a novel honeypot mechanism (Mwaffaq Abualhija) 7057

Most of these attacks, particularly the harmful ones, are carried out from outside and frequently from countries that have not signed international cooperation agreements, so law enforcement agencies face a variety of challenges in responding to such attacks, due to the difficulty of subjecting countries to these agreements and the impact of these crimes on people's lives, which has led many people, and children especially, to commit or attempt suicide. In this period, the safest way is to strive to limit these attacks and raise user awareness about them [1], [4], [5]. Popular preventative mechanisms include system hardening measures, which establish several barriers to avoid future attacks and mitigate the severity of those that do occur. These measures, however, are less effective in preventing cybercrimes perpetrated through social engineering mechanisms, in which the attacker exploits weaknesses in the victim's personality to carry out his crime, either by having personal information about the victim or simply by targeting a large group of people and attempting to deceive them. In the year 2020, statistics indicated that 80% of cybercrimes started with social engineering, and because people's knowledge and age groups vary and hacking tactics are renewed, this approach remains the most difficult to control [6]-[8].
Compared to traditional crimes, perpetrators of cybercrimes feel safe in an environment of greater anonymity, where there is a perceived barrier between them and their victims [9]. This study threatens the safety principle offered by cyberspace, which facilitates concealing the identity of the perpetrator, by demonstrating to the attacker that he is no longer anonymous. Moreover, the victim can be kept safe and protected by blocking the malicious channels, through a unique technique for dealing with social engineering attacks that fills a research gap in this field. The proposed architecture suggests a model for blocking the malicious sessions and adding them to the intrusion prevention system (IPS) blacklist policy, to threaten internet users who seek to conduct a cybercrime using a social engineering approach. The research builds on the findings of previous studies in this field, which focus on the detection of and response to hacking and malware threats.
The proposed architecture is based on the honeypot concept, where the honeypot feedback is used to build a dataset to train both intrusion prevention systems (IPS) and firewalls (FWs). The proposed infrastructure has several tiers, allowing connections to be conducted in a controlled environment with only restricted access. The paper begins by discussing the concept of honeypots and describing how they assist with cyber defense. Following that, a brief overview of social engineering approaches is provided, along with some applied prevention techniques. Furthermore, the method section presents the proposed architecture for encountering these threats using a honeypot-integrated system.
Honeypot principles originated just before the internet became a hotbed of cybercrime, when one astute American citizen saw its terrible potential. Armed with solid evidence of electronic espionage, he began a deeply personal mission to unmask a hidden network of spies jeopardizing national security. Cliff Stoll discovered an intruder accessing United States computer networks to steal high-value assets related to critical military and security information; by spying on the attacker, he brought about the hacker's arrest and prosecution for crimes of betraying national security, making it the first case in which digital evidence was presented as proven criminal evidence. As a result, Stoll released "The cuckoo's egg: tracking a spy through the maze of computer espionage," which included a proposal for a honeypot [10], [11].
A honeypot is a cybersecurity approach that uses deception to divert the attacker's attention away from legitimate targets, or to understand contemporary hacking processes and safeguard networks from them. It operates by presenting itself on the internet as a potential target for attackers, usually a server or other high-value asset, then collecting data and alerting defenders when an unauthorized person attempts to access the honeypot. Honeypots can be considered a distinct and alternative method of defense that is frequently employed in the production environment as a preventative measure [10]-[13]. A honeypot operation consists of: a computer (acting as a server full of vulnerabilities such as open ports), applications (acting as common services such as web and dynamic host configuration protocol) and data (spoofed high-value assets and unencrypted data). All these characteristics mislead the attacker into targeting this network, which is simply a monitored entity. There are many classifications of honeypots depending on the infrastructure of the honeypot [14], [15], as shown in Table 1.

Table 1. Honeypot classifications by infrastructure and their features

Pure honeypot
Production systems that track the honeypot's network connection. They are the most complicated and difficult to maintain, but also the most convincing to attackers, replete with simulated confidential files and user information.

High-interaction honeypots
These replicate the operations of production systems, hosting a range of services and collecting a large amount of data. The purpose of a high-interaction honeypot is to lure an attacker into gaining root access to the server and then monitor the attacker's actions.

Low-interaction honeypots
They simulate the most common network attack vectors, making them less hazardous and easier to manage. The disadvantage of this form of honeypot is that it is more likely to appear to an attacker as a forgery.
ISSN: 2088-8708 Int J Elec & Comp Eng, Vol. 13, No. 6, December 2023: 7056-7064 7058

In our proposed solution, we adapt the high-interaction honeypot scheme for a social honeypot, where it can be connected to the production network and still appear legitimate to attackers. Honeypots are considered a beneficial security entity in providing security experts with real data about the behaviors and techniques of attackers, in addition to preventing network exploitation by providing the network admin with sufficient time to counter the attack and stop it. Even though honeypots are highly effective for security, they can put the production system at risk. This is because honeypots are not isolated networks: there is a connection enabling the administrator to collect information. Moreover, an experienced attacker can detect the honeypot system and then use it as a stepping stone into the production network instead of being stopped by it. Hence, IT professionals need extra security measures to prevent honeypot exploitation [11], [12].
Social engineering attacks emerged as a result of the widespread use of the internet and social networks: socialization has become more accessible and immediate since digital communication technologies developed. Personal and sensitive information can be available online through social networks. Telecommunication systems are vulnerable and can be effortlessly breached by malicious actors using social engineering techniques [16]. These cyberattacks are designed to deceive individuals or businesses into taking actions that benefit the attackers or into revealing sensitive data such as social security numbers, health records, and passwords. Social engineering is one of the most challenging problems in network security regardless of the robustness of the security scheme, because it takes advantage of the inherent human desire to trust; humans are the weakest link in the security domain [17], [18]. According to the Cyber Security Hub mid-year market report for 2022, 75% of respondents identified social engineering/phishing tactics as the biggest danger to cyber security at their business [19]. Although there are several methods and targets for conducting this form of penetration, they all share a common framework for the stages to be performed, which is illustrated in Figure 1.

Figure 1. Social engineering attack stages
Depending on the perspective, social engineering attacks may be categorized into different types, and there are many classification techniques depending on the perspective chosen. This research considers both direct and indirect approaches, depending on the way the attacker gathers information about the victim: either through physical, direct contact with him, or using ICT networks, where the presence of the attacker is not necessary and the operation may be carried out remotely using malicious software delivered via email attachments, short message service (SMS) or any form of online social engineering, and reverse social engineering [20]-[22]. The commonly used techniques are summarized in Table 2.
Prevention techniques are vital, as social engineering attacks pose significant security threats. Hence, mitigating them should be a company's or institution's top priority, as well as being explicitly specified in their risk management plan. Companies should strive to foster safety awareness among their employees by properly training them and requiring them to sign the company policy, which contains all known techniques to mitigate social engineering attacks, and which transfers responsibility for some attacks that occur due to unaware employees, keeping in mind that even the highest level of awareness cannot fully mitigate this type of attack. Recently, much software has been applied to avoid certain types of phishing attacks. Some proposed software is used to ban blacklisted websites, because researchers are now confident that a technological solution is needed. Combining multiple security systems helps network administrators harden their security by reaching a proactive defense measure. Some techniques accredited in the defense-in-depth approach, such as intrusion detection systems (IDS) and FWs, are proactive protective mechanisms, as they can notify the administrator of upcoming occurrences or respond to them in real time by restricting traffic access. Moreover, data encryption is essential to assure data confidentiality. Furthermore, other techniques are used to increase the cost of an attack by adopting multi-layer security [23]-[25]. Yet all the combined techniques cannot limit the extent of social engineering attacks [26], [27].

Table 2. Social engineering attacks

Phishing attacks
Deceiving internet users (through fraudulent email messages or websites) into disclosing personal or private information. For example, in whale phishing the attacker targets high-profile professionals to gain valuable company information, relying on psychological aspects of humans. These categories of people desire to succeed and accomplish achievement, and this is exactly what the notion adopts in social engineering, by analyzing each target's desire to make it easy to deceive them [28]-[30].

Pretexting attacks
Attempting to create bogus and convincing circumstances to obtain a victim's confidential information. These depend on false premises to convince the victim to believe and trust the perpetrator [20].

Baiting attacks
A type of phishing attempt that entices users to click on a link to receive free products, usually ending with the download of malicious software [20].

Ransomware attacks
Disclosing or restricting access to data or a computer system, often by encrypting it, unless the victim pays a ransom to the attacker [31]-[34].

Reverse social engineering attacks
Takes an entirely different technique. It is a person-to-person operation in which the attacker makes direct contact with the victim to persuade them to provide sensitive information. In most situations, the hacker contacts the target via emails and social media platforms, employing numerous methods and masquerading as a benefactor or competent security staff to persuade them to grant access to their system/network [35].

PROPOSED SOLUTION AND METHOD
Currently there are four approaches to mitigating social engineering attacks. These approaches depend on technologies widely used to encounter some forms of social engineering attacks, such as biometrics, sensors, artificial intelligence and social honeypots [26]. These approaches and their descriptions are illustrated in Table 3.
This study proposes a novel approach to encountering social engineering attempts, in which social honeypot data is summarized in datasets and used to train the IPS to recognize this content and deny it. In addition, the attacker is notified and threatened by proving that he is no longer anonymous. Consequently, two mitigation techniques are combined to ensure protection. This can be considered an automated prevention mechanism. Honeypots attract significant interest because of their potential to deceive lawbreakers through the apparent ability to attack a legitimate network. As a result, the honeypots used in this research were more than simply basic internet sites established and posted online to be viewed arbitrarily. A framework was built to guarantee that they were realistic in design and setup, so as to provide users with a realistic exploration experience. We suggest adding social honeypots to track malicious behavior. Social honeypots are information system resources that monitor attackers' activities and log their data; these logs can be classified into datasets with a predefined structure to be used as source material to train the IPS associated with the network. The expected outcome is an automated security system that encounters social engineering attacks.

Table 3. Approaches to mitigating social engineering attacks and their description

Biometrics
Aims to verify the identity of the user to avoid physical attacks; usually it is recommended to use more than one technique to verify the legitimate user.

Sensors
A way to verify persons using sensor-based methods, which might take advantage of intra-body communication.

Artificial intelligence
Tries to improve and automate the security action by adding a new layer of security that adapts to the circumstances through adding, modifying, and updating some parameters.

Social honeypots
Information system resources that monitor malicious activities and log their information.

The proposed architecture
The proposed solution accomplishes the following tasks. Upon receiving malicious traffic from the internet, the traffic is forwarded to the firewall and then to the IPS. Since these do not have the ability to detect social engineering behavior, the traffic is forwarded to the internal network, but simultaneously a mirror of the web traffic data is forwarded to the honeypot. The honeypot attempts to analyze the traffic by examining the target of the traffic, the content of the messages (the common message structure used in phishing), and other configurable parameters. If suspicious activity is observed, the honeypot immediately sends a threat message to the source and updates the dataset information, upon which the IPS will be updated to block the … If the attacker's identity is hidden, the session traffic is handled by the honeypot to provide enough time to uncover the attacker's identity. The flow of these steps is illustrated in Figure 2. Figure 3 provides a high-level architecture for the proposed solution. It also shows how the entities are connected to perform the requested task.

RESULT AND DISCUSSION
Threatening attackers can minimize the number of social engineering attacks, which is the ideal situation for risk management. However, risk avoidance cannot be guaranteed, which is why preventing attacks once they occur and mitigating the harm that may be done is a goal we strive for. Through the proposed architecture above, the traffic is passed as shown in Figure 2.
Neither the FW, the IPS nor the IDS has the ability on its own to detect or capture social engineering attacks. A customized honeypot is configured to check a pre-defined testing scenario, common to all phishing schemes, at the suspicious-connection step of the flow chart above. A suspicious session is examined to determine whether it is legitimate or fraudulent. Based on the common indicators of phishing attempts defined by the Cybersecurity and Infrastructure Security Agency (CISA), cybercriminals use many forms to perform social engineering attacks, such as e-mail, short message service (SMS), instant chat and posts on social media, which typically appear to be from a reputable, well-known business, bank, or other organization. Furthermore, these suspicious forms usually include one or more recognized indicators of fraud [36]. Table 4 illustrates the search characteristics configured on the honeypot for several indicators of fraud.

Table 4. Checking mechanism to determine suspicious traffic based on common characteristics (rows recovered from the source)

Generalized salutation and missing contact details
A generalized salutation, such as "Dear valued customer" or "Sir/Ma'am," and the absence of contact details in the signature. This scam is integrated with scenarios 2 and 3; mainly, this message is broadcast to deceive as many victims as possible.

6. Spread the need for an immediate response
The attacker spreads fear, threats, panic, love and wealth in multiple forms to induce a victim response. This scam is integrated with scenarios 2 and 3; mainly, this message is broadcast to deceive as many victims as possible.
These testing procedures may be changed in response to the discovery of new social engineering techniques, allowing them to accommodate any scenario. Upon receiving the traffic, performing the checking steps listed in Table 4 and detecting suspicious traffic, the honeypot opens a session to detect the attacker's location and threatens him by sending an SMS to this entity stating that this action is illegal and that he will be prosecuted by law. Simultaneously, the honeypot updates the IPS, IDS, and FW to block the session. In this way we are not relying 100% on user awareness; there is still a system that can perform this action based on artificial intelligence (AI) and machine learning (ML). The expected control from this proposed solution is very high for common attacks such as whaling, cat phishing, and advance-fee scams. Nonetheless, it still needs attention to stay compatible with new attacks [37], [38].
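As an added illustration of the honeypot's checking step and the hand-off to the IPS/FW blacklist described above (example code written for this edit, not the paper's own implementation), the following Python sketch scores a mirrored message against indicators of the kind listed in Table 4 and produces the record that would be appended to the dataset; the regular expressions, the indicator threshold and the two sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Indicator patterns are constructed for this example, modelled on the Table 4
# characteristics: generic salutation, no contact details in the signature,
# and language that pressures the victim to respond (fear, urgency, reward).
GENERIC_SALUTATION = re.compile(
    r"^\s*(dear\s+(valued\s+)?(customer|user|member|client)|sir/ma'?am)\b",
    re.IGNORECASE | re.MULTILINE)
PRESSURE_TERMS = re.compile(
    r"\b(immediately|urgent(ly)?|within\s+\d+\s+hours|act\s+now|"
    r"account\s+will\s+be\s+(closed|locked|suspended)|you\s+have\s+won|"
    r"prize|inheritance)\b", re.IGNORECASE)
CONTACT_DETAILS = re.compile(
    r"(\+?\d[\d\s\-().]{7,}\d|\b[\w.+-]+@[\w-]+(\.[\w-]+)+\b)")


@dataclass
class Verdict:
    suspicious: bool
    indicators: list
    score: int


def check_message(body: str, recipients: int = 1, threshold: int = 2) -> Verdict:
    """Score one mirrored message; it is suspicious when at least `threshold`
    indicators are present (the threshold value is an assumption)."""
    indicators = []
    if GENERIC_SALUTATION.search(body):
        indicators.append("generic_salutation")
    # Treat the last five non-empty lines as the signature block.
    lines = [ln for ln in body.splitlines() if ln.strip()]
    if not CONTACT_DETAILS.search("\n".join(lines[-5:])):
        indicators.append("no_contact_details")
    if PRESSURE_TERMS.search(body):
        indicators.append("pressure_to_respond")
    if recipients > 1:
        indicators.append("broadcast")  # same text sent to many victims
    return Verdict(len(indicators) >= threshold, indicators, len(indicators))


def process_session(src_ip: str, channel: str, body: str, recipients: int = 1):
    """Honeypot decision for one mirrored session: the dataset record handed
    to the IPS/FW blacklist, or None when the message looks legitimate."""
    verdict = check_message(body, recipients)
    if not verdict.suspicious:
        return None
    return {
        "source": src_ip,
        "channel": channel,
        "indicators": verdict.indicators,
        "action": "deny",        # policy the IPS/FW applies to this source
        "notify_source": True,   # honeypot warns the sender, as in the text
    }


# Constructed sample traffic (not real messages).
PHISHING = ("Dear valued customer,\n"
            "Your account will be locked within 24 hours unless you verify your\n"
            "details at http://verify-login.example/\n"
            "Regards,\nSecurity Team")
LEGIT = ("Dear Alice,\nAttached is the agenda for Thursday's meeting.\n"
         "Best,\nBob Smith\nbob.smith@example.com | +1 555 010 0199")

if __name__ == "__main__":
    print(process_session("203.0.113.7", "email", PHISHING, recipients=250))
    print(process_session("198.51.100.5", "email", LEGIT))
```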

CONCLUSION
Organizations are investing money and effort into developing viable anti-social-engineering measures. Nevertheless, present detection systems have fundamental limitations, and solutions are ineffectual in dealing with the rising number of social engineering attacks; approaches to innovation might also be limited, since technical vulnerabilities can be exploited. Using this solution, almost any type of social engineering attack can be handled automatically, and in case a new technique appears we can simply update the honeypot configuration to monitor it.
The lack of research on the use of automated security mechanisms to counter social engineering was also a big challenge in this study, because almost all researchers are convinced that, regardless of the robustness of security systems, social engineering attacks can easily bypass them and that the only way to reduce harm is to raise user awareness. The researcher proposed a novel method in this study; however, this solution should be tested, confirmed, and updated in a production network, and therefore evaluating this technique in a production network is strongly encouraged as future work.
This research presents an overview of social engineering attacks, available detection technologies, and current countermeasure tactics. Because of the nature of this attack, whatever the strength of system security, it can be easily bypassed. Additionally, regardless of the amount of knowledge users have, there is always a method to deceive them. That is why a new technical security model is required to overcome these vulnerabilities, which cost countries millions of dollars and contribute to the suicide of many people.
The research presents a novel technique that merges AI and a honeypot with the IPS to detect these attacks, threaten the attacker, and restrict his session to keep users away from these manipulation tactics. This is the best technical approach that security experts can afford to counter such attacks. However, this does not mean that user awareness is not crucial. User awareness comes first, particularly considering that many social engineering attacks still begin by obtaining the information physically, which is outside the security expert's area of control. As a result, users should always be aware in order to achieve the optimal security level.
