المفاهيم الأساسية
Adversarial phishing webpages that can bypass machine learning-based phishing detectors pose a significant threat to end-users, as they can be equally effective in deceiving human users compared to unperturbed phishing webpages.
الملخص
The study examines the perception of users towards adversarial phishing webpages that can bypass machine learning-based phishing website detectors (ML-PWD). The researchers conducted two user studies (n=470) to investigate how well users can distinguish legitimate webpages from unperturbed phishing webpages, as well as from adversarial phishing webpages.
Key findings:
- Adversarial phishing webpages are a threat to both users and ML-PWD, as most of them have comparable effectiveness in deceiving users compared to unperturbed phishing webpages.
- Not all adversarial perturbations are equally effective - webpages with added typos are significantly more noticeable to users.
- Users' self-reported frequency of visiting a brand's website has a statistically significant negative correlation with their phishing detection accuracy, likely due to overconfidence.
- Textual indicators play a major role in users' decision-making process when judging the legitimacy of a webpage.
The researchers release their user study resources, including questionnaires, codebook, data, and code, to facilitate future research on evasion attacks against ML-PWD.
الإحصائيات
"Phishing is the topmost form of cybercrime, with reported victim loss allegedly increasing by over 1000% since 2018."
"According to the FBI's 2022 crime data, phishing is the topmost form of cybercrime."
اقتباسات
"Adversarial phishing is a threat to both users and ML. In particular, three out of the four adversarial perturbations we considered have comparable effectiveness in deceiving users when compared to unperturbed phishing webpages—but the latter cannot bypass the ML-PWD."
"Not all adversarial perturbations are equally effective. In particular, adversarial webpages with added typos are more noticeable to users, as confirmed by statistical tests."
"As a surprising and counter-intuitive observation, users' self-reported frequency of visiting a brand's website has a statistically significant negative correlation with their phishing detection accuracy."