
Adaptive Learning Approach

In this chapter, we propose our adaptive strategies. First, we use the phishing concept hierarchy to adjust the learning goal and plan. The contrast strategy is then applied to help users converge on the recognition of a particular phishing attack, while the analogy strategy is used to improve users' knowledge transfer ability.

5.1 Adaptive learning based on phishing concept hierarchy

Learning security is usually not a primary goal of Internet users, and the time users spend on anti-phishing education varies. Therefore, it is important to design different learning plans for distinct learning periods. The phishing concept hierarchy proposed in Chapter 3 organizes phishing attack knowledge. Figure 20 shows an example of the phishing concept hierarchy. A higher-level concept covers more phishing attack knowledge, but at a coarser granularity. For example, "Homography" is a phishing attack that spoofs users by using a mimic URL.

However, there are many techniques for constructing a mimic URL, such as "Add Word", "Delete Word" and "Replace Similar Word". These techniques are described in more detail than "Homography". Thus, "Add Word", "Delete Word" and "Replace Similar Word" form the sub-domain of "Homography", and we can construct a hierarchy between the concept "Homography" and its sub-concepts.

Figure 20. Phishing Concept Hierarchy

Before introducing our adaptive ideas, we first define the user learning portfolio. A user learning portfolio UP is a set of UPi = (Mi, APi, Ai, Ti), where Mi is the current mission number, APi is the current visiting page, Ai is the action record and Ti is the current time. For example, when a user in mission M = (1, 1, homograph) clicks a phishing link, the user learning portfolio UP records ((1, 1, homograph), (1, 1), 'click', '14:00:00'). According to the learning period, our system adjusts the learning goal (the level in the concept hierarchy).

The basic idea is that users have learned a phishing concept once they have learned certain instances of that concept. Therefore, within a limited time period, we first introduce an overview of phishing attack knowledge. As time goes by, the detailed phishing attack techniques are introduced in turn. Example 2 shows how we adjust the learning plan in different time periods.

Example 2

According to the concept hierarchy and user portfolio in Figure 18, if the number of phishing attacks users can identify is more than a threshold, then we assume that users have finished learning the sub-concept. If the number of finished sub-concepts is more than a threshold, we assume that users have finished learning the concept. In the first five minutes, we train users with the highest-level concept; in this period, for example, we teach them to avoid "Homography" without classifying which technique is used in "Homography". Thus, if users have finished learning "Homography", we assume that they have finished learning in this period. In the next period, we teach the more detailed phishing attacks at the next level of the concept hierarchy, and users need to finish learning these detailed phishing attacks.
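The learning-plan adjustment of Section 5.1 and Example 2, written out as an added example (this is not the thesis's own code). The concept hierarchy, the action vocabulary ('click' for following the phishing link, 'report' for identifying it), the thresholds and the five-minute first period are assumptions chosen to match the text; the portfolio record follows the definition UPi = (Mi, APi, Ai, Ti) given above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed concept hierarchy: a concept maps to its more detailed sub-concepts.
# Only the "Homography" branch named in the text is modelled; the full Figure 20 is not on the page.
CONCEPT_HIERARCHY: Dict[str, List[str]] = {
    "Homography": ["Add Word", "Delete Word", "Replace Similar Word"],
}

# Mission identifier M = (mission number, page number, concept), as in the text's (1, 1, homograph).
Mission = Tuple[int, int, str]

# Assumed action vocabulary: 'click' = the user followed the phishing link,
# 'report' = the user identified the phishing attack.
IDENTIFIED = "report"


@dataclass
class PortfolioEntry:
    """One record UP_i = (M_i, AP_i, A_i, T_i) of the user learning portfolio."""
    mission: Mission
    page: Tuple[int, int]
    action: str
    time: str  # 'HH:MM:SS'


@dataclass
class Portfolio:
    """The user learning portfolio UP: the set of all UP_i records."""
    entries: List[PortfolioEntry] = field(default_factory=list)

    def record(self, mission: Mission, page: Tuple[int, int], action: str, time: str) -> None:
        self.entries.append(PortfolioEntry(mission, page, action, time))

    def identified(self, concept: str) -> int:
        """How many phishing instances of `concept` the user has identified so far."""
        return sum(1 for e in self.entries
                   if e.mission[2] == concept and e.action == IDENTIFIED)


def finished_subconcept(up: Portfolio, concept: str, instance_threshold: int) -> bool:
    """A (sub-)concept counts as learned once enough of its instances were identified.
    The text says 'more than a threshold'; here the threshold is the minimum count (assumption)."""
    return up.identified(concept) >= instance_threshold


def finished_concept(up: Portfolio, concept: str,
                     instance_threshold: int, subconcept_threshold: int) -> bool:
    """A concept counts as learned once enough of its sub-concepts are learned.
    A concept without sub-concepts is judged on its own instances."""
    subs = CONCEPT_HIERARCHY.get(concept, [])
    if not subs:
        return finished_subconcept(up, concept, instance_threshold)
    done = sum(finished_subconcept(up, s, instance_threshold) for s in subs)
    return done >= subconcept_threshold


def next_learning_goal(up: Portfolio, elapsed_seconds: float,
                       first_period_seconds: int = 300,
                       instance_threshold: int = 2,
                       subconcept_threshold: int = 2) -> Optional[str]:
    """Choose the concept to teach next from the learning period and the portfolio.

    First period (the text's first five minutes): teach top-level concepts and judge them
    directly on identified instances, without distinguishing the technique used.
    Later periods: descend to the first unfinished sub-concept of each unfinished concept.
    Returns None when nothing at the current level is left to teach.
    """
    if elapsed_seconds < first_period_seconds:
        for concept in CONCEPT_HIERARCHY:
            if not finished_subconcept(up, concept, instance_threshold):
                return concept
        return None
    for concept, subs in CONCEPT_HIERARCHY.items():
        if finished_concept(up, concept, instance_threshold, subconcept_threshold):
            continue
        for sub in subs:
            if not finished_subconcept(up, sub, instance_threshold):
                return sub
    return None


if __name__ == "__main__":
    up = Portfolio()
    up.record((1, 1, "Homography"), (1, 1), "click", "14:00:00")  # the text's example record
    print(next_learning_goal(up, elapsed_seconds=60))    # Homography: still unfinished
    up.record((2, 1, "Homography"), (2, 1), "report", "14:01:30")
    up.record((3, 1, "Homography"), (3, 1), "report", "14:03:00")
    print(next_learning_goal(up, elapsed_seconds=400))   # Add Word: first sub-concept
```

The portfolio is the only state the planner reads, so the same records can later be replayed to evaluate a different threshold or period length without re-running the game.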

5.2 Adaptive Learning Strategies

Although the phishing concept hierarchy can be used to adjust the learning plan, the users' learning abilities are still critical. If users cannot understand phishing concepts in time, the designed learning may not be achieved. Hence, our idea is to speed up the learning of a phishing concept by providing the legitimate page. This is the so-called contrast strategy. By comparing the phishing page with the legitimate page, users can observe the difference between them more easily. This difference is precisely the phishing attack technique, presented via the phishing features. The following example shows how the contrast strategy works.

Example 3

In Figure 20, the mission is "Find Job by yes123 mail": users need to go to Gmail to receive a mail sent by "yes123", then go to "yes123" and log in. There are three pages in the mission, "Gmail", "yes123 login" and "yes123 home", and we use this mission to teach users "Homography", as shown in Figure 21.(a). If users cannot identify "Homography" in the page "Gmail", the mission restarts with the scenario in which the page "Gmail" is legitimate, as shown in Figure 21.(b). Thus, users can compare the phishing page and the legitimate page.

Figure 21. Contrast strategy in Adaptive Game Content Selection (panels (a) and (b))

The most important goal of anti-phishing education is to teach users how to prevent phishing attacks in their daily life. Therefore, users' knowledge transfer ability, that is, the ability to apply phishing knowledge to detect phishing pages in different scenarios, is essential.

Our idea for improving knowledge transfer ability is to provide different phishing pages that embed the same phishing attack. This is the so-called analogy strategy. Drawing on previous experience, users can more easily understand how this phishing attack works. Example 5 shows the analogy strategy in our proposed system.

Example 5

In Figure 21, the mission is "Find Job by yes123 mail": users need to go to Gmail to receive a mail sent by "yes123", then go to "yes123" and log in. If users can identify the phishing attack in this mission, as shown in Figure 22.(a), we select another mission with the same phishing attack, shown in Figure 22.(b), to test users' knowledge transfer ability.

Figure 22. Analogy strategy in Adaptive Game Content Selection (panels (a) and (b))

In our proposed system, the adaptive strategy based on the phishing concept hierarchy takes priority over the contrast strategy and the analogy strategy. After users have learned all phishing concepts, the analogy strategy is applied to improve their knowledge transfer ability. Whenever users misjudge a phishing page, the contrast strategy is applied to help them understand the embedded phishing attack knowledge. In the next chapter, we propose our system, which consists of a knowledge acquisition module, a mission generation module and an adaptive game engine. Experimental results are also provided in the next chapter.
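The contrast strategy of Example 3, the analogy strategy of Example 5 and the priority rule of the paragraph above, combined into one adaptive-engine step as an added example (not the thesis's own code). The page names, URLs and mission pool are constructed placeholders modelled on the "Find Job by yes123 mail" mission; the `.test` domains and the "Fake Form" concept are assumptions. The example also goes one step further than the text: the difference a user is meant to observe between the phishing page and its legitimate counterpart is computed as the edit operations on the URL and mapped back to the "Homography" sub-concepts of Section 5.1.

```python
from dataclasses import dataclass, replace
from difflib import SequenceMatcher
from typing import Dict, List, Optional, Tuple

# Names, URLs and the mission pool below are constructed placeholders modelled on the
# text's "Find Job by yes123 mail" mission; the real game content is not on the page.


@dataclass(frozen=True)
class Page:
    name: str
    url: str
    attack: Optional[str] = None  # embedded phishing attack concept; None means legitimate


@dataclass(frozen=True)
class Mission:
    name: str
    pages: Tuple[Page, ...]

    def page(self, name: str) -> Page:
        return next(p for p in self.pages if p.name == name)


# Legitimate URL of each page that may be spoofed, used to build the contrast version (constructed).
LEGIT_URLS: Dict[str, str] = {
    "Gmail": "https://mail.example-webmail.test/",
    "Webmail": "https://webmail.example.test/",
}

MISSION_POOL: List[Mission] = [
    Mission("Find Job by yes123 mail", (
        Page("Gmail", "https://mail.example-webmai1.test/", attack="Homography"),  # '1' for 'l'
        Page("yes123 login", "https://login.yes123.test/"),
        Page("yes123 home", "https://www.yes123.test/"),
    )),
    Mission("Check flight itinerary", (
        Page("Webmail", "https://webmail.exarnple.test/", attack="Homography"),  # 'rn' for 'm'
        Page("airline home", "https://www.example-air.test/"),
    )),
    Mission("Pay electricity bill", (
        Page("Utility login", "https://pay.example-utility.test/", attack="Fake Form"),
    )),
]

# Edit operations on the mimic URL, mapped to the sub-concepts of "Homography" from Section 5.1.
SUBCONCEPT_BY_EDIT = {"insert": "Add Word", "delete": "Delete Word", "replace": "Replace Similar Word"}


def url_difference(legit_url: str, phish_url: str) -> List[Tuple[str, str, str]]:
    """The phishing feature the contrast strategy lets the user observe:
    each (edit, legitimate text, phishing text) where the two URLs differ."""
    ops = SequenceMatcher(None, legit_url, phish_url).get_opcodes()
    return [(tag, legit_url[i1:i2], phish_url[j1:j2]) for tag, i1, i2, j1, j2 in ops if tag != "equal"]


def classify_homography(legit_url: str, phish_url: str) -> List[str]:
    """Name the sub-concept(s) of Homography that the mimic URL exhibits."""
    return [SUBCONCEPT_BY_EDIT[tag] for tag, _, _ in url_difference(legit_url, phish_url)]


def contrast_mission(mission: Mission, page_name: str) -> Mission:
    """Contrast strategy: restart the same mission with the misjudged page made legitimate."""
    pages = tuple(replace(p, url=LEGIT_URLS[p.name], attack=None) if p.name == page_name else p
                  for p in mission.pages)
    return replace(mission, pages=pages)


def analogy_mission(mission: Mission, attack: str, pool: List[Mission]) -> Optional[Mission]:
    """Analogy strategy: a different mission that embeds the same phishing attack."""
    for m in pool:
        if m.name != mission.name and any(p.attack == attack for p in m.pages):
            return m
    return None


def next_mission(mission: Mission, page_name: str, identified: bool,
                 all_concepts_learned: bool, pool: List[Mission]) -> Optional[Mission]:
    """Adaptive game engine step after the user acts on `page_name`.

    A misjudged phishing page triggers the contrast strategy; once all concepts are
    learned, a correctly identified attack triggers the analogy strategy. Otherwise
    None is returned and the hierarchy-driven learning plan picks the next mission.
    """
    page = mission.page(page_name)
    if page.attack and not identified:
        return contrast_mission(mission, page_name)
    if page.attack and identified and all_concepts_learned:
        return analogy_mission(mission, page.attack, pool)
    return None
```

Keeping the legitimate URL table separate from the mission pool is what makes the contrast version a pure substitution: only the misjudged page changes, so the remaining pages give the user the same context in which to spot the difference.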

Chapter 6 System Implementation and Experiment
