A systematic review and research challenges on phishing cyberattacks from an electroencephalography and gaze-based perspective
Abstract
Keywords
References
Basit A, Zafar M, Liu X, Javed AR, Jalil Z, Kifayat K (2021) A comprehensive survey of AI-enabled phishing attacks detection techniques. Telecommun Syst 76(1):139–154. https://doi.org/10.1007/s11235-020-00733-2
Kaloudi N, Li J (2021) The AI-based cyber threat landscape: a survey. ACM Comput Surv 53(1):1–34. https://doi.org/10.1145/3372823
Montañez R, Golob E, Xu S (2020) Human cognition through the lens of social engineering cyberattacks. Front Psychol 11:1755. https://doi.org/10.3389/fpsyg.2020.01755
Hakim ZM et al (2021) The phishing email suspicion test (PEST) a lab-based task for evaluating the cognitive mechanisms of phishing detection. Behav Res 53(3):1342–1352. https://doi.org/10.3758/s13428-020-01495-0
Anti Phishing Working Group (APWG) (2022) Phishing activity trends report, 1st Quarter, https://www.docs.apwg.org/. Accessed 17 Jan 2023
Jari M (2022) An overview of phishing victimization: Human factors, training and the role of emotions. In: Computer science and information technology. 12th International Conference on Computer Science and Information Technology (CCSIT 2022). Academy and Industry Research Collaboration Center (AIRCC). https://doi.org/10.5121/csit.2022.121319
Almoqbil A, O’Connor B, Anderson R, Shittu J, McLeod P (2021) Modeling deception: A case study of email phishing. In: Proceedings from the Document Academy (Vol. 8, Issue 2). Document Academy. https://doi.org/10.35492/docam/8/2/8
Chan-Tin E, Stalans L, Johnston S, Reyes D, Kennison S (2022) Predicting phishing victimization. In: Fifth international workshop on systems and network telemetry and analytics. HPDC ’22: The 31st International Symposium on High-Performance Parallel and Distributed Computing. ACM. https://doi.org/10.1145/3526064.3534107
Ge Y, Lu L, Cui X, Chen Z, Qu W (2021) How personal characteristics impact phishing susceptibility: the mediating role of mail processing. Appl Ergon 97:103526. https://doi.org/10.1016/j.apergo.2021.103526
Sabir B, Ullah F, Babar MA, Gaire R (2022) Machine learning for detecting data exfiltration: a review. ACM Comput Surv 54(3):1–47. https://doi.org/10.1145/3442181
Tomaselli J, Willoughby A, Amezcua JV, Delehanty E, Floyd K, Wright D, Lammers M, Vetter R (2021) Verifying phishmon. In: Proceedings of the 2021 ACM Southeast Conference. ACM SE ’21: 2021 ACM Southeast Conference. ACM. https://doi.org/10.1145/3409334.3452082
Peng T, Harris I, Sawa Y (2018) Detecting phishing attacks using natural language processing and machine learning. In: 2018 IEEE 12th International Conference on Semantic Computing (ICSC). IEEE. https://doi.org/10.1109/icsc.2018.00056
Jain AK, Gupta BB (2018) PHISH-SAFE: URL Features-based phishing detection system using machine learning. In: Advances in Intelligent Systems and Computing. Springer Singapore. pp 467–474. https://doi.org/10.1007/978-981-10-8536-9_44
Lin T et al (2019) Susceptibility to spear-phishing emails: effects of internet user demographics and email content. ACM Trans Comput-Hum Interact 26(5):1–28. https://doi.org/10.1145/3336141
Fasllija E, Enişer HF, Prünster B (2019) Phish-Hook: Detecting phishing certificates using certificate transparency logs. In: Lecture notes of the institute for computer sciences, social informatics and telecommunications engineering. Springer International Publishing. pp 320–334. https://doi.org/10.1007/978-3-030-37231-6_18
Althobaiti K, Meng N, Vaniea K (2021) I don’t need an expert! making url phishing features human comprehensible. In: Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems. CHI ’21: CHI Conference on Human Factors in Computing Systems. ACM. https://doi.org/10.1145/3411764.3445574
Yang J, Yang P, Jin X, Ma Q (2017) Multi-classification for malicious url based on improved semi-supervised algorithm. In: 2017 IEEE International Conference on Computational Science and Engineering (CSE) and IEEE International Conference on Embedded and Ubiquitous Computing (EUC). https://doi.org/10.1109/cse-euc.2017.34
Althobaiti K, Vaniea K, Zheng S (2018) Faheem: Explaining URLs to people using a Slack bot. In: Symposium on Digital Behaviour Intervention for Cyber Security. pp 1–8 http://aisb2018.csc.liv.ac.uk/PROCEEDINGS%20AISB2018/Digital%20Behaviour%20Interventions%20for%20CyberSecurity%20-%20AISB2018.pdf#page=8
Volkamer M, Renaud K, Reinheimer B, Kunz A (2017) User experiences of TORPEDO: TOoltip-poweRed Phishing Email DetectiOn. Comput Secur 71:100–113. https://doi.org/10.1016/j.cose.2017.02.004
Neupane A, Saxena N, Maximo JO, Kana R (2016) Neural markers of cybersecurity: an fMRI study of phishing and malware warnings. IEEE Trans Inform Forensic Secur 11(9):1970–1983. https://doi.org/10.1109/TIFS.2016.2566265
Halevi T, Memon N, Nov O (2015) Spear-phishing in the wild: a real-world study of personality, phishing self-efficacy and vulnerability to spear-phishing attacks. SSRN J. https://doi.org/10.2139/ssrn.2544742
Iuga C, Nurse JRC, Erola A (2016) Baiting the hook: factors impacting susceptibility to phishing attacks. In: Human-centric Computing and Information Sciences (Vol. 6, Issue 1). Springer Science and Business Media LLC. https://doi.org/10.1186/s13673-016-0065-2
Jagatic TN, Johnson NA, Jakobsson M, Menczer F (2007) Social phishing. Commun ACM 50(10):94–100. https://doi.org/10.1145/1290958.1290968
Sheng S, Holbrook M, Kumaraguru P, Cranor LF, Downs J (2010) Who falls for phish? In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. CHI ’10: CHI Conference on Human Factors in Computing Systems. ACM. https://doi.org/10.1145/1753326.1753383
Robinson L, Schulz J, Blank G, Ragnedda M, Ono H, Hogan B, Mesch GS, Cotten SR, Kretchmer SB, Hale TM, Drabowicz T, Yan P, Wellman B, Harper M-G, Quan-Haase A, Dunn HS, Casilli AA, Tubaro P, Carvath R, Khilnani A (2020) Digital inequalities 2.0: Legacy inequalities in the information age. In: First Monday. University of Illinois Libraries. https://doi.org/10.5210/fm.v25i7.10842
Liu Z, Zhou L, Zhang D (2021) Effects of demographic factors on phishing victimization in the workplace
Sun JC-Y, Yu S-J, Lin SSJ, Tseng S-S (2016) The mediating effect of anti-phishing self-efficacy between college students’ internet self-efficacy and anti-phishing behavior and gender difference. Comput Hum Behav 59:249–257. https://doi.org/10.1016/j.chb.2016.02.004
Butavicius MA, Parsons K, Pattinson MR, McCormac A, Calic D, Lillie M (2017) Understanding susceptibility to phishing emails: Assessing the impact of individual differences and culture. In: International Symposium on Human Aspects of Information Security and Assurance
Rocha Flores W, Holm H, Svensson G, Ericsson G (2014) Using phishing experiments and scenario-based surveys to understand security behaviours in practice. Inf Manag Comput Secur 22(4):393–406. https://doi.org/10.1108/IMCS-11-2013-0083
Mohebzada JG, Zarka AE, Bhojani AH, Darwish A (2012) Phishing in a university community: Two large scale phishing experiments. In: 2012 International Conference on Innovations in Information Technology (IIT). https://doi.org/10.1109/innovations.2012.6207742
Oliveira D, Rocha H, Yang H, Ellis D, Dommaraju S, Muradoglu M, Weir D, Soliman A, Lin T, Ebner N (2017) Dissecting Spear Phishing Emails for Older vs Young Adults. In Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems. CHI ’17: CHI Conference on Human Factors in Computing Systems. ACM. https://doi.org/10.1145/3025453.3025831
Diaz A, Sherman AT, Joshi A (2020) Phishing in an academic community: a study of user susceptibility and behavior. Cryptologia 44(1):53–67. https://doi.org/10.1080/01611194.2019.162334
Wash R (2020) How experts detect phishing scam emails. Proc ACM Hum-Comput Interact 4(CSCW2):1–28. https://doi.org/10.1145/3415231
Jones HS, Towse JN, Race N, Harrison T (2019) Email fraud: the search for psychological predictors of susceptibility. PLoS ONE 14(1):e0209684. https://doi.org/10.1371/journal.pone.0209684
Neupane A, Satvat K, Saxena N, Stavrinos D, Bishop HJ (2018) Do social disorders facilitate social engineering? In: Proceedings of the 34th Annual Computer Security Applications Conference. ACSAC ’18: 2018 Annual Computer Security Applications Conference. ACM. https://doi.org/10.1145/3274694.3274730
Blythe M, Petrie H, Clark JA (2011) F for fake. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. CHI ’11: CHI Conference on Human Factors in Computing Systems. ACM. https://doi.org/10.1145/1978942.1979459
Canova G, Volkamer M, Bergmann C, Reinheimer B (2015) NoPhish App Evaluation: Lab and Retention Study. In: Proceedings 2015 Workshop on Usable Security. Workshop on Usable Security. Internet Society. https://doi.org/10.14722/usec.2015.23009
Siadati H, Palka S, Siegel A, McCoy D (2017) Measuring the effectiveness of embedded phishing exercises
Caputo DD, Pfleeger SL, Freeman JD, Johnson ME (2014) Going spear phishing: exploring embedded training and awareness. IEEE Secur Privacy 12(1):28–38. https://doi.org/10.1109/MSP.2013.106
Higashino M (2019) A design of an anti-phishing training system collaborated with multiple organizations. In: Proceedings of the 21st International Conference on Information Integration and Web-based Applications & Services. iiWAS2019: The 21st International Conference on Information Integration and Web-based Applications & Services. ACM. https://doi.org/10.1145/3366030.3366086
JalalyBidgoly A, JalalyBidgoly H, Arezoumand Z (2020) A survey on methods and challenges in EEG based authentication. Computers Sec 93:101788. https://doi.org/10.1016/j.cose.2020.101788
Katsini C, Abdrabou Y, Raptis GE, Khamis M, Alt F (2020) The role of eye gaze in security and privacy applications: Survey and future HCI Research Directions. In: Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems. https://doi.org/10.1145/3313831.3376840
Singh H, Singh J (2012) Human eye tracking and related issues: a review. Int J Scientific Res Pub 2(9)
Khonji M, Iraqi Y, Jones A (2013) Phishing detection: a literature survey. IEEE Commun Surv Tutorials 15(4):2091–2121. https://doi.org/10.1109/SURV.2013.032213.00009
Abdillah R, Shukur Z, Mohd M, Ts M, Murah Z (2022) Phishing classification techniques: a systematic literature review. IEEE Access 10:41574–41591. https://doi.org/10.1109/ACCESS.2022.3166474
Alabdan R (2020) Phishing attacks survey: types, vectors, and technical approaches. Future Internet 12(10):168. https://doi.org/10.3390/fi12100168
Aleroud A, Zhou L (2017) Phishing environments, techniques, and countermeasures: a survey. Comput Secur 68:160–196. https://doi.org/10.1016/j.cose.2017.04.006
Stavroulakis P, Stamp M, Eds. (2010) Handbook of information and communication security. Berlin, Heidelberg: Springer Berlin Heidelberg. https://doi.org/10.1007/978-3-642-04117-4
Das A, Baki S, El Aassal A, Verma R, Dunbar A (2020) SoK: a comprehensive reexamination of phishing research from the security perspective. IEEE Commun Surv Tutorials 22(1):671–708. https://doi.org/10.1109/COMST.2019.2957750
Rader MA, M. Rahman S. (Shawon) (2013) Phishing Techniques and Mitigating the Associated Security Risks. In International Journal of Network Security & Its Applications. Academy and Industry Research Collaboration Center (AIRCC). 5(4):23–41. https://doi.org/10.5121/ijnsa.2013.5402
Phishing.org. Phishing Organization, https://www.phishing.org/history-of-phishing, Accessed 17 Jan 2023
Verizon Com. Data Breach Investigation Report (2022) https://www.verizon.com/business/resources/Td4c/reports/dbir/2022-data-breach-investigations-report-dbir.pdf
Anti Phishing Working Group (APWG) Phishing activity trends report, 3rd quarter 2022, https://docs.apwg.org/, Accessed 17 Jan 2023
UK Government, https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2022/cyber-security-breaches-survey-2022, Accessed 25 Jan 2023
Chiew KL, Yong KSC, Tan CL (2018) A survey of phishing attacks: their types, vectors and technical approaches. Expert Syst Appl 106:1–20. https://doi.org/10.1016/j.eswa.2018.03.050
İnce R, Adanır SS, Sevmez F (2021) The inventor of electroencephalography (EEG): Hans Berger (1873–1941). Childs Nerv Syst 37(9):2723–2724. https://doi.org/10.1007/s00381-020-04564-z
Bonci A, Fiori S, Higashi H, Tanaka T, Verdini F (2021) An introductory tutorial on brain–computer interfaces and their applications. Electronics 10(5):560. https://doi.org/10.3390/electronics10050560
Di Flumeri G, Aricò P, Borghini G, Sciaraffa N, Di Florio A, Babiloni F (2019) The dry revolution: evaluation of three different EEG dry electrode types in terms of signal spectral features, mental states classification and usability. Sensors 19(6):1365. https://doi.org/10.3390/s19061365
Mecarelli O (2019) Electrode placement systems and montages. In: Clinical Electroencephalography. Springer International Publishing. pp 35–52. https://doi.org/10.1007/978-3-030-04573-9_4
Oostenveld R, Praamstra P (2001) The five percent electrode system for high-resolution EEG and ERP measurements. Clin Neurophysiol 112(4):713–719. https://doi.org/10.1016/S1388-2457(00)00527-7
Hu L, Zhang Z (2020) Evolving EEG signal processing techniques in the age of artificial intelligence. Brain Science Adv 6(3):159–161. https://doi.org/10.26599/BSA.2020.9050027
Wan X et al (2019) A review on electroencephalogram based brain computer interface for elderly disabled. IEEE Access 7:36380–36387. https://doi.org/10.1109/ACCESS.2019.2903235
Klaib AF, Alsrehin NO, Melhem WY, Bashtawi HO, Magableh AA (2021) Eye tracking algorithms, techniques, tools, and applications with an emphasis on machine learning and Internet of Things technologies. Expert Syst Appl 166:114037. https://doi.org/10.1016/j.eswa.2020.114037
Carter BT, Luke SG (2020) Best practices in eye tracking research. Int J Psychophysiol 155:49–62. https://doi.org/10.1016/j.ijpsycho.2020.05.010
Punde PA, Jadhav ME, Manza RR (2017) A study of eye tracking technology and its applications. In: 2017 1st International Conference on Intelligent Systems and Information Management (ICISIM). IEEE. https://doi.org/10.1109/icisim.2017.8122153
Sarkar A, Sanyal G, Majumder S (2017) Performance evaluation of an eye tracking system under varying conditions. IJCSNS 17(4):182–191
Joseph AW, Murugesh R (2020) Potential Eye Tracking Metrics and Indicators to Measure Cognitive Load in Human-Computer Interaction Research. In Journal of scientific research. Banaras Hindu University. 64(1):168–175. https://doi.org/10.37398/jsr.2020.640137
Moher D, Liberati A, Tetzlaff J, Altman DG (2010) Preferred reporting items for systematic reviews and meta-analyses: the PRISMA statement. Int J Surg 8(5):336–341. https://doi.org/10.1016/j.ijsu.2010.02.007
Neupane A, Rahman Md. L, Saxena N, Hirshfield L (2015) A Multi-Modal Neuro-Physiological Study of Phishing Detection and Malware Warnings. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. CCS’15: The 22nd ACM Conference on Computer and Communications Security. ACM. https://doi.org/10.1145/2810103.2813660
Rahman Md. L, Bardhan S, Neupane A, Papalexakis E, Song C (2019) Learning tensor-based representations from brain-computer interface data for cybersecurity. In: Machine learning and knowledge discovery in databases. Springer International Publishing. pp 389–404. https://doi.org/10.1007/978-3-030-10997-4_24
Valecha R, Gonzalez A, Mock J, Golob EJ, Raghav Rao H (2019) Investigating Phishing Susceptibility—An Analysis of Neural Measures. In: Information Systems and Neuroscience. Springer International Publishing. pp 111–119. https://doi.org/10.1007/978-3-030-28144-1_12
Sun JC-Y, Yeh KP-C (2017) The effects of attention monitoring with EEG biofeedback on university students’ attention and self-efficacy: the case of anti-phishing instructional materials. Comput Educ 106:73–82. https://doi.org/10.1016/j.compedu.2016.12.003
Hashem Y, Takabi H, Dantu R, Nielsen R (2017) A Multi-Modal Neuro-Physiological Study of Malicious Insider Threats. In: Proceedings of the 2017 International Workshop on Managing Insider Security Threats. CCS ’17: 2017 ACM SIGSAC Conference on Computer and Communications Security. ACM. https://doi.org/10.1145/3139923.3139930
Ramkumar N, Kothari V, Mills C, Koppel R, Blythe J, Smith S, Kun AL (2020) Eyes on URLs: Relating Visual Behavior to Safety Decisions. In: ACM Symposium on Eye Tracking Research and Applications. ETRA ’20: 2020 Symposium on Eye Tracking Research and Applications. ACM. https://doi.org/10.1145/3379155.3391328
Alsharnouby M, Alaca F, Chiasson S (2015) Why phishing still works: user strategies for combating phishing attacks. Int J Hum Comput Stud 82:69–82. https://doi.org/10.1016/j.ijhcs.2015.05.005
Miyamoto D, Blanc G, Kadobayashi Y (2015) Eye Can Tell: On the correlation between eye movement and phishing identification. International Conference on Neural Information Processing
Darwish A, Bataineh E (2012) Eye tracking analysis of browser security indicators. In: 2012 International Conference on Computer Systems and Industrial Informatics. 2012 International Conference on Computer Systems and Industrial Informatics (ICCSII). IEEE. https://doi.org/10.1109/iccsii.2012.6454330
Pfeffel K, Ulsamer P, Müller NH (2019) Where the user does look when reading phishing mails – An Eye-Tracking Study. In: Learning and collaboration technologies. Designing learning experiences. Springer International Publishing. pp 277–287. https://doi.org/10.1007/978-3-030-21814-0_21
Miyamoto D, Iimura T, Blanc G, Tazaki H, Kadobayashi Y (2014) EyeBit: Eye-tracking approach for enforcing phishing prevention habits. In: 2014 third international workshop on building analysis datasets and gathering experience returns for security (BADGERS). https://doi.org/10.1109/badgers.2014.14
McAlaney J, Hills PJ (2020) Understanding phishing email processing and perceived trustworthiness through eye tracking. Front Psychol 11:1756. https://doi.org/10.3389/fpsyg.2020.01756
Huang L, Jia S, Balcetis E, Zhu Q (2022) ADVERT: an adaptive and data-driven attention enhancement mechanism for phishing prevention. IEEE Trans Inform Forensic Secur 17:2585–2597. https://doi.org/10.1109/TIFS.2022.3189530
Anderson B, Vance A, Eargle D (2013) Is your susceptibility to phishing dependent on your memory? WISP 2012 Proceedings. p 40. https://aisel.aisnet.org/wisp2012/40
Xiong A, Proctor RW, Yang W, Li N (2017) Is domain highlighting actually helpful in identifying phishing web pages? Hum Factors 59(4):640–660. https://doi.org/10.1177/0018720816684064
Nunez PL et al (1997) EEG coherency. Electroencephalogr Clin Neurophysiol 103(5):499–515. https://doi.org/10.1016/S0013-4694(97)00066-7
Wang J, Wang M (2021) Review of the emotional feature extraction and classification using EEG signals. Cognitive Robotics 1:29–40. https://doi.org/10.1016/j.cogr.2021.04.001
Gomez-Barrero M, Maiorana E, Galbally J, Campisi P, Fierrez J (2017) Multi-biometric template protection based on homomorphic encryption. Pattern Recogn 67:149–163. https://doi.org/10.1016/j.patcog.2017.01.024
Neupane A, Saxena N, Hirshfield L (2017) Neural underpinnings of website legitimacy and familiarity detection. In: Proceedings of the 26th International Conference on World Wide Web. WWW ’17: 26th International World Wide Web Conference. International World Wide Web Conferences Steering Committee. https://doi.org/10.1145/3038912.3052702
Neupane A, Saxena N, Kuruvilla K, Georgescu M, Kana R (2014) Neural signatures of user-centered security: An fMRI study of phishing, and malware warnings. In: Proceedings 2014 Network and Distributed System Security Symposium. Network and Distributed System Security Symposium. Internet Society. https://doi.org/10.14722/ndss.2014.23056