skip to main content
An illustration of a snake wrapping around an email inbox screen on a computer.
Illustration by Justin Renteria.

Phishing for information

An assistant professor of computer science is helping to thwart increasingly dangerous email phishing attacks.

Every email user has likely heard of the age-old email scam: A prince from another country needs your help and will pay you handsomely — all he needs is your bank account number.

But the original 90s email scam has gotten a chilling update: Hackers can now hijack your email address and send emails from your address to your personal contacts. Neither you nor the recipient will know.

Gang Wang, an assistant professor of computer science is meeting the challenge of security breaches due to these socially engineered phishing attacks head on. With a grant from the National Science Foundation, Wang is designing novel techniques that combine both human intelligence and machine learning to combat real-world phishing attacks.

“Right now, automated detection systems run by algorithms tend to let questionable emails go through because false detections can be costly to users,” said Wang. “Think about all the email you receive in a day and how frustrated you would be if you were constantly missing important messages.”

“What I am hoping to accomplish with this grant is to combine the nuance of human understanding in the smaller amount of emails that are questionable and develop techniques to help machines more easily uncover new attacks while maintaining the reliability of the system.”

The crux of the email phishing problem is twofold.

While machines are excellent at combing through huge amounts of data very quickly, they are not good at detecting nuanced cues humans could otherwise readily detect. Secondly, no matter how sophisticated the machine learning models employed are, advanced machine learning models only use historical data and are ineffective at detecting new threats that invariably pop up.

In some cases it may take only one or two emails to breach a large system.

“What I am hoping to accomplish with this grant is to combine the nuance of human understanding in the smaller amount of emails that are questionable and develop techniques to help machines more easily uncover new attacks while maintaining the reliability of the system.” -Gang Wang

Gang Wang
Gang Wang, an assistant professor of computer science.

Wang’s project has three broad goals: develop new measurement tools to automatically diagnose vulnerabilities in the existing phishing defense for email and social network systems; create novel machine learning interpretation techniques to drastically enhance users’ ability for phishing detection; and identify new crowdsourcing methods to produce reliable and real-time phishing alerts.

Preliminary results showed that carefully crafted phishing emails can penetrate most existing defenses, including Gmail, Outlook, and iCloud, leaving users exposed to phishing without any warnings. Wang based his findings on a scanning of 1 million domains and a penetration test on 35 email services.

Wang will study the effectiveness of his techniques using automated methods to block the massive phishing attacks with clear malicious signals while delivering the small portion of uncertain messages to users for further investigation.

To improve the ability of users to detect phishing, Wang will investigate fundamental techniques to translate machine learning results to human-interpretable semantics to assist users' decision-making. The crowdsourced user results will then be aggregated to produce real-time phishing alerts for the broad Internet community.

While the cyber underbelly of phishing scams is scary uncharted territory for many large institutions and shows no signs of disappearing, Wang is helping unsuspecting email users from ever being hooked.

If you want to have an impact on our students and faculty like those featured in this magazine, go here to support the College of Engineering. For more information, call (540) 231-3628.