An Initial Study on Personalized Filtering Thresholds in Defending Sequential Spear Phishing Attacks

Different from spam and regular phishing attacks, spear phishing attacks target a small group of people, and the attackers usually make elaborate plans before attacking. There is existing work on classifying spear phishing emails where a threshold value is used to balance misclassified normal emails and misclassified malicious emails. However, most existing systems use a uniform threshold for all users, while in reality users may differ in how susceptible they are to phishing attacks and their access to critical information. Existing work on setting personalized thresholds assumes that the attacker compromises multiple users simultaneously to maximize his expected utility. However, an attacker may be only interested in specific credential information, which could be accessed by a group of users. In this situation, a sequential attack is more reasonable for the attacker to reduce the cost of launching attacks and the likelihood of detection. We propose a Stackelberg game model to calculate the optimal solution for the sequential attack situation and formulate a bilevel optimization problem for the defender. By exploiting the structure of the bilevel problem, we propose a single level formulation called PEDS that is equivalent to the bilevel problem. Experimental results show that PEDS can solved within 60 seconds even when the number of users is 70, and the thresholds computed by PEDS lead to significant higher defender utilities as compared with existing approaches.