-
In-context learning for the classification of manipulation techniques in phishing emails
Authors:
Antony Dalmiere,
Guillaume Auriol,
Vincent Nicomette,
Pascal Marchand
Abstract:
Traditional phishing detection often overlooks psychological manipulation. This study investigates using Large Language Model (LLM) In-Context Learning (ICL) for fine-grained classification of phishing emails based on a taxonomy of 40 manipulation techniques. Using few-shot examples with GPT-4o-mini on real-world French phishing emails (SignalSpam), we evaluated performance against a human-annotated test set (100 emails). The approach effectively identifies prevalent techniques (e.g., Baiting, Curiosity Appeal, Request For Minor Favor) with a promising accuracy of 0.76. This work demonstrates ICL's potential for nuanced phishing analysis and provides insights into attacker strategies.
Submitted 26 June, 2025;
originally announced June 2025.
-
Measuring Modern Phishing Tactics: A Quantitative Study of Body Obfuscation Prevalence, Co-occurrence, and Filter Impact
Authors:
Antony Dalmiere,
Zheng Zhou,
Guillaume Auriol,
Vincent Nicomette,
Pascal Marchand
Abstract:
Phishing attacks frequently use email body obfuscation to bypass detection filters, but quantitative insights into how techniques are combined and their impact on filter scores remain limited. This paper addresses this gap by empirically investigating the prevalence, co-occurrence patterns, and spam score associations of body obfuscation techniques. Analysing 386 verified phishing emails, we quantified ten techniques, identified significant pairwise co-occurrences revealing strategic layering like the presence of text in images with multipart abuse, and assessed associations with antispam scores using multilinear regression. Text in Image (47.0%), Base64 Encoding (31.2%), and Invalid HTML (28.8%) were highly prevalent. Regression (R${}^2$=0.486, p<0.001) linked Base64 Encoding and Text in Image with significant antispam evasion (p<0.05) in this configuration, suggesting potential bypass capabilities, while Invalid HTML correlated with higher scores. These findings establish a quantitative baseline for complex evasion strategies, underscoring the need for multi-modal defences against combined obfuscation tactics.
Submitted 25 June, 2025;
originally announced June 2025.
-
RadIoT: Radio Communications Intrusion Detection for IoT - A Protocol Independent Approach
Authors:
Jonathan Roux,
Eric Alata,
Guillaume Auriol,
Mohamed Kaâniche,
Vincent Nicomette,
Romain Cayre
Abstract:
Internet-of-Things (IoT) devices are nowadays massively integrated in daily life: homes, factories, or public places. This technology offers attractive services to improve the quality of life as well as new economic markets through the exploitation of the collected data. However, these connected objects have also become attractive targets for attackers because their current security design is often weak or flawed, as illustrated by several vulnerabilities such as Mirai, Blueborne, etc. This paper presents a novel approach for detecting intrusions in smart spaces such as smart homes or smart factories, based on the monitoring and profiling of radio communications at the physical layer using machine learning techniques. The approach is designed to be independent of the large and heterogeneous set of wireless communication protocols typically implemented by connected objects, such as WiFi, Bluetooth, Zigbee, Bluetooth Low Energy (BLE) or proprietary communication protocols. The main concepts of the proposed approach are presented together with an experimental case study illustrating its feasibility, based on data collected during the deployment of the intrusion detection approach in a smart home under real-life conditions.
Submitted 9 November, 2018;
originally announced November 2018.
-
Specification-Based Protocol Obfuscation
Authors:
Julien Duchene,
Eric Alata,
Vincent Nicomette,
Mohamed Kaâniche,
Colas Le Guernic
Abstract:
This paper proposes a new obfuscation technique of a communication protocol that is aimed at making the reverse engineering of the protocol more complex. The obfuscation is based on the transformation of protocol message format specification. The obfuscating transformations are applied to the Abstract Syntax Tree (AST) representation of the messages and mainly concern the ordering or aggregation of the AST nodes. The paper also presents the design of a framework that implements the proposed obfuscation technique by automatically generating, from the specification of the message format, a library performing the corresponding transformations. Finally, our framework is applied to two real application protocols (Modbus and HTTP) to illustrate the relevance and efficiency of the proposed approach. Various metrics recorded from the experiments show the significant increase of the complexity of the obfuscated protocol binary compared to the non-obfuscated code. It is also shown that the execution time and memory overheads remain acceptable for a practical deployment of the approach in operation.
Submitted 25 July, 2018;
originally announced July 2018.
-
Empirical analysis and statistical modeling of attack processes based on honeypots
Authors:
Mohamed Kaaniche,
Y. Deswarte,
Eric Alata,
Marc Dacier,
Vincent Nicomette
Abstract:
Honeypots are more and more used to collect data on malicious activities on the Internet and to better understand the strategies and techniques used by attackers to compromise target systems. Analysis and modeling methodologies are needed to support the characterization of attack processes based on the data collected from the honeypots. This paper presents some empirical analyses based on the data collected from the Leurré.com honeypot platforms deployed on the Internet and presents some preliminary modeling studies aimed at fulfilling such objectives.
Submitted 6 April, 2007;
originally announced April 2007.
-
Lessons Learned from the deployment of a high-interaction honeypot
Authors:
Eric Alata,
Vincent Nicomette,
Mohamed Kaâniche,
Marc Dacier,
Matthieu Herrb
Abstract:
This paper presents an experimental study and the lessons learned from the observation of attackers once logged on to a compromised machine. The results are based on a six-month period during which a controlled experiment was run with a high-interaction honeypot. We correlate our findings with those obtained with a worldwide distributed system of low-interaction honeypots.
Submitted 6 April, 2007;
originally announced April 2007.