Asaf Cidon: Distinguished Paper Award at Usenix Security 2019

Eliese Lissner
August 19, 2019

The newest addition to the Columbia University EE Faculty team, Assistant Professor Asaf Cidon, co-authored a paper titled “Detecting and Characterizing Lateral Phishing at Scale”, which recently won the Distinguished Paper Award, presented by Usenix Security. This award went to only 1% of the papers submitted to the conference. Cidon's co-authors on the paper are Grant Ho, Lior Gavish, Marco Schweighauser, Vern Paxson, Stefan Savage, Geoffrey M. Voelker, and David Wagner.

“I am honored that our team received the award. This was a collaborative effort between multiple universities and industries, and the student who led the project, Grant Ho, deserves most of the credit. The award is a testament to the fact that large-scale data science and machine learning are crucial in researching and stopping increasingly sophisticated social-engineering driven cyberattacks. One of my main goals in joining Columbia University is to continue this type of work in order to get a much better understanding of the tactics and incentives of cybercriminals. I'm extremely excited to get started!” Cidon said.

The paper presents the first large-scale characterization of an increasingly prevalent and important cyberattack: lateral phishing. The paper also presents a machine-learning-based detector that can automatically detect and stop this attack.

Studies have shown that over 90% of cyber breaches start with a phishing email. Historically, attackers would send phishing from email accounts external to the organization. However, the team has seen a significant rise in email-borne attacks where the attacker first compromises an email account within the organization, and then uses it to launch phishing emails internally to other employees.

In the study, the team characterized attacks from more than 100 million emails, comprising 92 organizations, and found several interesting takeaways:

  • Over 10% of incidents result in a successful additional internal compromise (representing a much higher success rate than attacks originating externally).
  • The majority of attacks are relatively simple phishing emails. However, a significant percentage of attackers do heavily tailor their emails to information specific to the recipient's role and the context of the organization.
  • More than 30% of attackers engage in some kind of sophisticated behavior: either by hiding their presence in the attack (e.g., deleting outgoing emails) or by engaging with the recipient of the attack in order to ensure it is successful.

Cidon and team also developed a proof of concept of a machine learning based detector, which can detect the vast majority of these attacks at a high precision with a low and manageable false positive rate.

Cidon also presented another accepted paper at the conference, titled “High Precision Detection of Business Email Compromise”. This paper focuses on the detection of another type of email-borne attack, where the attacker uses social engineering and impersonation to trick the recipient into sending a wire transfer to a bank account owned by the attacker, or into sending sensitive information, such as PII.

Usenix Security is the premier conference for computer system security and privacy.