Behavior Profiling of Email

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2665)


This paper describes the forensic and intelligence analysis capabilities of the Email Mining Toolkit (EMT) under development at the Columbia Intrusion Detection (IDS) Lab. EMT provides the means of loading, parsing and analyzing email logs, including content, in a wide range of formats. Many tools and techniques have been available from the fields of Information Retrieval (IR) and Natural Language Processing (NLP) for analyzing documents of various sorts, including emails. EMT, however, extends these kinds of analyses with an entirely new set of analyses that model “user behavior”. EMT thus models the behavior of individual user email accounts, or groups of accounts, including the “social cliques” revealed by a user’s email behavior.


Intrusion Detection User Account Forensic Analysis Fraud Detection Cosine Distance 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    M. Bhattacharyya, S. Hershkop, E. Eskin, and S. J. Stolfo. MET: An Experimental System for Malicious Email Tracking. In Proceedings of the 2002 New Security Paradigms Workshop (NSPW-2002). Virginia Beach, VA, September, 2002.Google Scholar
  2. 2.
    C. Bron, J. Kerbosch Finding all cliques of an undirected graph Comm. ACM 16(9) (1973) 575–577.zbMATHCrossRefGoogle Scholar
  3. 3.
    E. Eskin, A. Arnold, M. Prerau, L. Portnoy and S. J. Stolfo. A Geometric Framework for Unsupervised Anomaly Detection: Detecting Intrusions in Unlabeled Data Data Mining for Security Applications. Kluwer 2002.Google Scholar
  4. 4.
    George H. John and Pat Langley. Estimating continuous distributions in bayesian classifiers In Proceedings of the Eleventh Conference on Uncertainty in Artificial Intelligence. Pages 338–345, 1995Google Scholar
  5. 5.
    Wenke Lee, Sal Stolfo, and Kui Mok. Mining Audit Data to Build Intrusion Detection Models In Proceedings of the Fourth International Conference on Knowledge Discovery and Data Mining (KDD’ 98), New York, NY, August 1998Google Scholar
  6. 6.
    Wenke Lee, Sal Stolfo, and Phil Chan. Learning Patterns from Unix Process Execution Traces for Intrusion Detection AAAI Workshop: AI Approaches to Fraud Detection and Risk Management, July 1997Google Scholar
  7. 7.
    Matthew G. Schultz, Eleazar Eskin, and Salvatore J. Stolfo. Malicious Email Filter — A UNIX Mail Filter that Detects Malicious Windows Executables. Proceedings of USENIX Annual Technical Conference-FREENIX Track. Boston, MA: June 2001.Google Scholar
  8. 8.
    Damashek, M. Gauging Similarity with n-grams: language independent categorization of text Science, 267(5199), 843–848, 1995.CrossRefGoogle Scholar
  9. 9.
    Mitchell, T. Machine Learning, McGraw-Hill, 1997, pg. 180–183.Google Scholar
  10. 10.
    Hogg, R.V. Introduction to Mathematical Statistics, Prentice Hall, 1994.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  1. 1.Columbia UniversityNew YorkUSA

Personalised recommendations