On the Feasibility of Automated Semantic Attacks in the Cloud

  • Conference paper
Computer and Information Sciences III

Abstract

While existing security mechanisms often work well against most known attack types, they are typically incapable of addressing semantic attacks. Such attacks bypass technical protection systems by exploiting the emotional response of the users in unusual technical configurations rather than by focussing on specific technical vulnerabilities. We show that semantic attacks can easily be performed in a cloud environment, where applications that would traditionally be run locally may now require interaction with an online system shared by several users. We illustrate the feasibility of an automated semantic attack in a popular cloud storage environment, evaluate its impact and provide recommendations for defending against such attacks.

Author information

Corresponding author

Correspondence to George Loukas.

Copyright information

© 2013 Springer-Verlag London

About this paper

Cite this paper

Heartfield, R., Loukas, G. (2013). On the Feasibility of Automated Semantic Attacks in the Cloud. In: Gelenbe, E., Lent, R. (eds) Computer and Information Sciences III. Springer, London. https://doi.org/10.1007/978-1-4471-4594-3_35

  • DOI: https://doi.org/10.1007/978-1-4471-4594-3_35

  • Publisher Name: Springer, London

  • Print ISBN: 978-1-4471-4593-6

  • Online ISBN: 978-1-4471-4594-3

  • eBook Packages: Engineering, Engineering (R0)