Conversation-depth social engineering attack detection using attributes from automated dialog engagement

Inventors

Porras, Phillip; Nitz, Kenneth; Skinner, Keith; Freitag, Dayne

Assignees

SRI International Inc

Publication Number

US-12267361-B2

Publication Date

2025-04-01

Expiration Date

2042-11-29


Abstract

A method of determining an adversarial attack playbook includes receiving, from an adversarial actor, an electronic communication intended for a target user. The method includes engaging in a deep dialog with the adversarial actor by deploying a synthetic persona dynamically during the electronic communication. The deep dialog includes multiple rounds of communication exchanges. The method includes determining a length and type of the deep dialog to obtain attributes related to the adversarial actor. The method includes identifying a conversational pattern from the deep dialog. The conversational pattern comprises dialog interaction elements utilized by the adversarial actor. The method includes dynamically producing, based on the conversational pattern, the playbook associated with the adversarial actor. The playbook is indicative of a dialog interaction strategy implemented by the adversarial actor. The method includes providing the playbook to a social engineering attack (SEA) system in order to detect, avoid and/or mitigate future attacks.

Core Innovation

The invention provides a computer-implemented method and system for determining an adversarial attack playbook associated with an adversarial actor. It does this by receiving electronic communications from adversarial actors and engaging them in a deep dialog using a synthetic persona, where the dialog consists of multiple rounds of exchanges. During these interactions, the system aims to elicit attributes from the adversarial actor and identify conversational patterns comprising dialog interaction elements employed by the adversary.

Based on the observed patterns and extracted attributes, the system dynamically creates a playbook reflecting the dialog interaction strategy used by the adversarial actor. This playbook is then provided to a social engineering attack (SEA) system, which can utilize the information to detect, avoid, or mitigate present and future social engineering attacks more effectively. The solution leverages machine learning, natural language processing, and classification methodologies to analyze and interact with adversarial actors at scale.

The problem addressed by this invention is that existing SEA defense systems are largely ineffective at detecting or mitigating attacks once an initial phishing message has bypassed state-of-the-art (SOTA) filters and a dialog with a target is initiated. Traditional systems focus on filtering the initial message and lack the capability to recognize advanced playbooks or ongoing adversarial interactions. The described approach overcomes this weakness by actively engaging attackers in conversation to mine latent attributes and dialog patterns, enabling proactive detection and prevention of sophisticated SEA strategies.

Claims Coverage

The patent contains four independent claims, each covering core inventive features related to playbook determination through synthetic persona engagement and dialog analysis.

Determining an adversarial attack playbook via deep dialog with synthetic persona

The method involves:

- Receiving an electronic communication from an adversarial actor intended for a target user.
- Engaging in a deep dialog with the adversarial actor by dynamically deploying a synthetic persona, where the dialog consists of two or more rounds of electronic exchanges.
- Determining the length and type of the dialog to obtain one or more attributes related to the adversarial actor.
- Identifying a conversational pattern from the dialog based on these attributes, with the pattern comprising conversation depth and class labels for attributes in each round.
- Dynamically producing a playbook based on the conversational pattern that indicates the adversarial actor's dialog strategy.
- Providing the playbook to an SEA system for detection, avoidance, and/or mitigation of attacks.

System utilizing dialog manager and counterphish elicitation for playbook extraction

The system comprises:

- A dialog manager configured to engage in deep dialogs with adversarial actors.
- A counterphish elicitation system to extract data from these dialogs.
- Processors and data storage with instructions to:
  - Receive electronic communications intended for a target.
  - Deploy synthetic personas for multi-round dialog.
  - Determine dialog length and type to elicit adversary attributes.
  - Identify conversational patterns based on attributes, using class labels for dialog depth and message content.
  - Automatically generate and provide the adversarial playbook to an SEA system.

Computing device for adversarial playbook determination using dialog analysis

The inventive feature involves a computing device with:

- Processors and data storage executing instructions to:
  - Receive adversarial communications intended for targets.
  - Deploy a synthetic persona for multi-round dialog engagement.
  - Determine dialog length and type for attribute extraction.
  - Identify conversational patterns by analyzing dialog depth and class labels for each round.
  - Produce and provide the adversarial actor's playbook to an SEA system for enhanced detection, avoidance, or mitigation.

Non-transitory computer-readable medium with instructions for playbook extraction from dialog

The article comprises:

- A non-transitory computer-readable medium storing instructions to:
  - Receive an electronic communication from an adversarial actor to a target user.
  - Engage in deep dialogs with the adversarial actor via a synthetic persona in two or more rounds.
  - Determine the dialog’s length and type to obtain adversary attributes.
  - Identify conversational patterns based on dialog depth and attribute class labels.
  - Produce the adversary's dialog playbook dynamically and provide it to an SEA system for future attack mitigation.

The claims collectively protect methods, systems, devices, and storage media for dynamically generating adversarial playbooks through deep dialog engagement via synthetic personas. Core inventive aspects include dialog-driven attribute harvesting, machine learning-based identification of conversational patterns, automatic playbook creation, and use of these playbooks by SEA systems for enhanced attack defense.
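The conversational pattern named in the claims above (conversation depth plus class labels per round) can be pictured with a small detection sketch. This is an added illustration, not code from the patent or its assignee; the label names, keyword rules, sample messages and the `min_depth` threshold are assumptions, with keyword matching standing in for the machine learning classifiers the summary mentions.

```python
# Added illustration: labels and keyword rules are hypothetical stand-ins.
from dataclasses import dataclass

RULES = {  # hypothetical class label -> trigger phrases
    "rapport": ("are you available", "quick favor"),
    "urgency": ("urgent", "right away", "asap"),
    "payment_request": ("gift card", "wire transfer"),
    "data_request": ("send me the codes", "your password"),
}

def label_round(message: str) -> frozenset:
    """Assign class labels to one adversary message (one dialog round)."""
    text = message.lower()
    return frozenset(l for l, kws in RULES.items() if any(k in text for k in kws))

@dataclass(frozen=True)
class Playbook:
    depth: int     # conversation depth: adversary rounds observed
    rounds: tuple  # class labels per round, in order

def build_playbook(adversary_messages) -> Playbook:
    rounds = tuple(label_round(m) for m in adversary_messages)
    return Playbook(depth=len(rounds), rounds=rounds)

def match_depth(playbook: Playbook, conversation) -> int:
    """Count leading rounds whose labels cover the playbook's labels."""
    matched = 0
    for expected, message in zip(playbook.rounds, conversation):
        if not expected or not expected <= label_round(message):
            break
        matched += 1
    return matched

def is_playbook_match(playbook, conversation, min_depth=2) -> bool:
    # One matching round is not enough: that is all an initial filter sees.
    return match_depth(playbook, conversation) >= min_depth

# Constructed sample: adversary turns from a dialog held by the synthetic persona.
ENGAGED = [
    "Hi, are you available? I need a quick favor.",
    "I'm in a meeting. It's urgent, please buy four gift cards.",
    "Scratch them and send me the codes right away.",
]
# Constructed sample: adversary turns found later in a user's inbox.
INBOX = [
    "Are you available at the moment?",
    "Need this ASAP: pick up a gift card for a client.",
]
PLAYBOOK = build_playbook(ENGAGED)
```

The opening round of `INBOX` carries only a `rapport` label, which a benign message can also produce; the match is declared only once the second round follows the recorded pattern.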

Stated Advantages

Enhances the detection, avoidance, and mitigation of social engineering attacks by enabling the identification of adversarial strategies beyond initial messages.

Collects latent forensic indicators and dialog patterns that are revealed only during multi-round, in-depth exchanges, providing deeper threat intelligence.

Enables scalability in collecting adversarial engagement patterns, allowing coverage of attacks that bypass state-of-the-art filtering technologies.

Allows for both proactive and retrospective identification of sophisticated attacks, including attacks that previously evaded detection.

Facilitates the development of new heuristics and detection models to improve future social engineering attack prevention.

Documented Applications

Enhancing enterprise security systems to detect and mitigate sophisticated phishing and social engineering attacks through automated dialog engagement.

Retrospectively mining message inboxes to identify previously undetected or ongoing social engineering attack conversations.

Proactively scanning incoming communications to anticipate and prevent future social engineering attacks using dynamically generated playbooks.

Training and updating machine learning models for message classification and playbook recognition in cyber threat detection platforms.

Deployment as cloud-based, distributed, or enterprise-installed systems for threat detection, alerting, and network defense services.

Providing threat intelligence services or integration with existing enterprise security frameworks, including dialogue-driven canary accounts and counterphishing strategies.
