Insights into user behavior in dealing with common Internet attacks

Date

2011

Editor(s)

Advisor

Selçuk, Ali Aydın

Supervisor

Co-Advisor

Co-Supervisor

Instructor

Source Title

Print ISSN

Electronic ISSN

Publisher

Volume

Issue

Pages

Language

English

Journal Title

Journal ISSN

Volume Title

Series

Abstract

The Internet’s immense popularity has made it an attractive medium for attackers. Today, criminals often make illegal profits by targeting Internet users. Most common Internet attacks require some form of user interaction such as clicking on an exploit link, or dismissing a security warning dialogue. Hence, the security problem at hand is not only a technical one, but it also has a strong human aspect. Although the security community has proposed many technical solutions to mitigate common Internet attacks, the behavior of users when they face these attacks remains a largely unexplored area. In this work, we describe an online experiment platform we built for testing the behavior of users when they are confronted with common, concrete attack scenarios such as reflected cross-site scripting, session fixation, scareware and file sharing scams. We conducted experiments with more than 160 Internet users with diverse backgrounds. Our findings show that non-technical users can exhibit comparable performance to knowledgeable users at averting relatively simple and well-known threats (e.g., email scams). While doing so, they do not consciously perceive the risk, but solely depend on their intuition and past experience (i.e., there is a training effect). However, in more sophisticated attacks, these nontechnical users often rely on misleading cues such as the “size” and “length” of artifacts (e.g., URLs), and fail to protect themselves. Our findings also show that trick banners that are common in file sharing websites and shortened URLs have high success rates of deceiving non-technical users, thus posing a severe security risk.

Course

Other identifiers

Book Title

Degree Discipline

Computer Engineering

Degree Level

Master's

Degree Name

MS (Master of Science)

Citation

Published Version (Please cite this version)