Detecting Asks in SE attacks: Impact of Linguistic and Structural Knowledge

TL;DR

This paper presents a method combining linguistic and structural cues to detect social engineering asks and framing in messages, improving accuracy for identifying malicious intent and informing users about risks.

Contribution

It introduces a novel approach integrating linguistic resources and structural clues for ask detection and framing analysis in social engineering attacks.

Findings

Linguistic and structural features improve ask detection accuracy.

Structural clues like links enhance confidence in identifying malicious asks.

The system effectively informs users about social engineering risks.

Abstract

Social engineers attempt to manipulate users into undertaking actions such as downloading malware by clicking links or providing access to money or sensitive information. Natural language processing, computational sociolinguistics, and media-specific structural clues provide a means for detecting both the ask (e.g., buy gift card) and the risk/reward implied by the ask, which we call framing (e.g., lose your job, get a raise). We apply linguistic resources such as Lexical Conceptual Structure to tackle ask detection and also leverage structural clues such as links and their proximity to identified asks to improve confidence in our results. Our experiments indicate that the performance of ask detection, framing detection, and identification of the top ask is improved by linguistically motivated classes coupled with structural clues such as links. Our approach is implemented in a system that informs users about social engineering risk situations.