VeriActor: Dynamic Generation of Challenge-Response Questions for Enhanced Email Sender Verification

Challenge-response mechanisms have become widely adopted as a means of user verification. In this process, users are required to provide a set of challenge questions, with their actual answers serving as a means to authenticate the user's identity. Despite the widespread usability of challenge-response as an authentication mechanism, it remains vulnerable to evasion by attackers who can employ social engineering tactics or gather information to guess or steal the necessary credentials. To address this inherent challenge, this paper presents a novel technique for dynamically generating challenge-response questions based on authentic historical interactions, such as daily communication via email or messaging platforms. We developed deep learning models, utilizing language models such as BERT, and employed semantic analysis to extract and validate highly usable challenge-response questions. These questions are designed to be easily answerable by legitimate users while presenting an unpredictable challenge to potential attackers. As an effective use case demonstration for our proposed system, we developed an email sender verification system capable of real-time identification of suspicious email senders. This system prompts the senders with carefully crafted challenge questions based on previous email exchanges with authentic users, enabling the identification of advanced spear-phishing emails that would otherwise remain undetected. We evaluated the effectiveness of our system, named VeriActor, through the use of annotated datasets and a user study. The experimental results exhibited promising outcomes, with a verification accuracy of 87.8% and a protection accuracy of 83.33%.