[01] Ahmad Uways Zulkurnain, Department of Computer Science, Faculty of Computing, Universiti Teknologi Malaysia, Skudai, Johor Bahru, Johor, Malaysia. [02] Ahmad Kamal Bin Kamarun Hamidy, Department of Computer Science, Faculty of Computing, Universiti Teknologi Malaysia, Skudai, Johor Bahru, Johor, Malaysia. [03] Affandi Bin Husain, Department of Computer Science, Faculty of Computing, Universiti Teknologi Malaysia, Skudai, Johor Bahru, Johor, Malaysia. [04] Hassan Chizari, Department of Computer Science, Faculty of Computing, Universiti Teknologi Malaysia, Skudai, Johor Bahru, Johor, Malaysia.

Protected from threats that can Information assets is the lifeblood for every organization and also for individual. These assets must be jeopardized the confidentiality, integrity and availability of the information. This is why the information security is important. Since the introduction of Internet and ICT, the information has been digitized for ease of information exchange which also increasing the risks to the information security. Nevertheless, the rapid growth in technology enables digital or technical based threats and attacks to be easily detected and prevented. This makes people with malicious intents turn their focus into another more sophisticated and hard-to-detect attacks, which is through social engineering. Social engineering preys on psychological and emotional aspects of human to gain access to restricted area or obtain sensitive information for various purposes. There are several human psychological traits that have been used by social engineers to manipulate human as human is the weakest link in information security. By using these traits, attacking strategy is laid out to accomplish the attacker’s mission whether to gain access or to gather critical information. In this paper, few researches regarding mitigation of social engineering will be discussed. Social engineering mitigation method can be roughly divided into human based detection and technology based detection. Each of the mitigation methods proposed in the researches has its own strength and weaknesses. It has been found that using just one category of mitigation method is not enough to detect and prevent the social engineering attacks. The methods need to be used together to enhance and increase the accuracy of detection so that the social engineering attacks can be stop and prevented.

Social Engineering, Attacks, Mitigations, Artificial Intelligence, Honeypot

[01] Algarni, A. et. al. (2013). Social Engineering in Social Networking Sites : Affect-Based Model. The 8th International Conference for Internet Technology and Secured Transactions (ICITST). 9-12 December. London, United Kingdom : IEEE, 508-515. [02] Barraclough, P.A. et. al. (2013). Intelligent Phishing Detection And Protection Scheme For Online Transactions. Journal of Expert Systems with Applications. Volume 40(11). 4697-4706. [03] Bustard, J. D.et. al. (2013). Targeted Biometric Impersonation. International Workshop on Biometrics and Forensics (IWBF). 4-5 April. Lisbon, Portugal : IEEE, 1-4. [04] Gulenko, I. (2013). Social Against Social Engineering: Concept And Development Of A Facebook Application To Raise Security And Risk Awareness. Journal of Information Management & Computer Security. Volume 21(2), 91-101. Emerald Group Publishing Limited. [05] Haddadi, H. and P. Hui, P. (2010). To Add Or Not To Add: Privacy and Social Honeypots. IEEE International Conference on Communications Workshops (ICC). 23-27 May. Capetown, South Africa : IEEE, 1-5. [06] He, B. et. al. (2013). A Defence Scheme Against Identity Theft Attack Based On Multiple Social Networks. Journal of Expert Systems With Application. Volume 41(5), 2345-2352. [07] Islam, R. and Abawajy, J. (2013). A Multi-Tier Phishing Detection And Filtering Approach. Journal of Network and Computer Applications. Volume 36(1). 324-335. [08] Jin, X. et. al. (2011). A Data Mining-Based Spam Detection System For Social Media Networks. International Conference on Very Large Data Bases (VLDB). 29 August - 3 September. Seattle, WA. 1458-1461. [09] Khonji, M. et. al. (2013). Phishing Detection: A Literature Survey. IEEE Communications Surveys & Tutorials. Volume 15(4), 2091-2121. IEEE. [10] Lee, K. et. al. (2010a). The Social Honeypot Project : Protecting Online Communities from Spammers. Proceedings of the 19th International Conference on World Wide Web. Raleigh, North Carolina, United States : ACM, 1139-1140. [11] Lee, K. et. al. (2010b). Uncovering Social Spammers: Social Honeypots + Machine Learning. Proceedings of the 33rd International ACM SIGIR Conference on Research and Development in Information Retrieval (SIGIR). Geneva, Switzerland : ACM, 435-442. [12] Li, B. Y. L. et. al. (2013). Using Kinect For Face Recognition Under Varying Poses, Expressions, Illumination And Disguise. IEEE Workshop on Applications of Computer Vision (WACV). 15-17 January. Tampa, Florida : IEEE, 186-192. [13] Mitnick, K. D. (2003). Are You The Weak Link. Harvard Business Review, 81(4), 18-20. [14] Oosterloo, B. (2008). Managing Social Engineering Risk. Master, University of Twente, Netherlands. [15] Pavlidis, I. and Symosek, P. (2000). The Imaging Issue In An Automatic Face/Disguise Detection System. Proceedings of the IEEE Workshop on Computer Vision Beyond the Visible Spectrum: Methods and Applications. 16 June. Hilton Head, SC : IEEE, 15-24. [16] Peltier, T. R. (2007). Social Engineering: Concepts and Solutions. Information Systems Security. Volume 15(5), 13-21. [17] Sandouka, H. et. al. (2009). Social Engineering Detection using Neural Networks. International Conference on CyberWorlds. 7-11 September. Bradford, United Kingdom: IEEE, 273-278. [18] Siponen, M. (2006). Information Security Standards Focus On The Existence Of Process,Not Its Content. Communications of the ACM, 49(8), 97-100. [19] Smith, A. et. al. (2013). Improving Awareness of Social Engineering Attacks. In Dodge Jr., R. C. and Futcher, L. (Eds.). Information Assurance and Security Education and Training (pp. 249-256). Berlin-Heidelberg : Springer. [20] Spinapolice, M. (2011). Mitigating the Risk of Social Engineering Attacks. Master, Rochester Institute of Technology, New York, United States. [21] Twitchell, D. P. (2006). Social Engineering In Information Assurance Curricula. Proceedings Of The 3rd Annual Conference On Information Security Curriculum Development (Info Sec CD). 22-23 September. Kennesaw, Georgia, United States : ACM, 191-193. [22] Walden, I. and Flanagan, A. (2003). Honeypots: A Sticky Legal Landscape. Rutgers Computer and Technology Law Journal. Volume 29(2). 317-370. [23] Wenda, D. and Ning, D. (2012). A Honeypot Detection Method Based on Characteristic Analysis and Environment Detection. In Chen, R. (Ed.). International Conference in Electrics, Communication and Automatic Control Proceedings (pp. 201-206). New York : Springer. [24] Workman, M. (2007). Gaining Access with Social Engineering: An Empirical Study of the Threat. Volume 16(6). 315-331. [25] Xie, M. et. al. (2007). HoneyIM: Fast Detection and Suppression of Instant Messaging Malware in Enterprise-like Networks. Twenty-Third Annual Computer Security Applications Conference (ACSAC). 10-14 December, Miami Beach, Florida : IEEE, 64-73. [26] Yang, A. Y. et. al. (2010). Towards A Robust Face Recognition System Using Compressive Sensing. INTERSPEECH 2010 : 11th Annual Conference of the International Speech Communication Association (ISCA). 26-30 September. Makuhari, Chiba, Japan : ISCA, 2250-2253.