Insights into user behavior in dealing with common Internet attacks
Date: 2011
Publisher: Bilkent University
Language: English
Type: Thesis
Abstract
The Internet’s immense popularity has made it an attractive medium for attackers.
Today, criminals often make illegal profits by targeting Internet users. Most
common Internet attacks require some form of user interaction such as clicking
on an exploit link, or dismissing a security warning dialogue. Hence, the security
problem at hand is not only a technical one, but it also has a strong human
aspect. Although the security community has proposed many technical solutions
to mitigate common Internet attacks, the behavior of users when they face these
attacks remains a largely unexplored area.
In this work, we describe an online experiment platform we built for testing
the behavior of users when they are confronted with common, concrete attack
scenarios such as reflected cross-site scripting, session fixation, scareware and
file sharing scams. We conducted experiments with more than 160 Internet users
with diverse backgrounds. Our findings show that non-technical users can exhibit
comparable performance to knowledgeable users at averting relatively simple and
well-known threats (e.g., email scams). While doing so, they do not consciously
perceive the risk, but solely depend on their intuition and past experience (i.e.,
there is a training effect). However, in more sophisticated attacks, these non-technical
users often rely on misleading cues such as the “size” and “length” of
artifacts (e.g., URLs), and fail to protect themselves. Our findings also show that
trick banners that are common in file sharing websites and shortened URLs have
high success rates of deceiving non-technical users, thus posing a severe security
risk.