A Behavior-Based Approach to Securing Email Systems

  • Salvatore J. Stolfo
  • Shlomo Hershkop
  • Ke Wang
  • Olivier Nimeskern
  • Chia-Wei Hu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2776)

Abstract

The Malicious Email Tracking (MET) system, reported in a prior publication, is a behavior-based security system for email services. The Email Mining Toolkit (EMT) presented in this paper is an offline data mining and analysis system for email archives, designed to assist in computing models of malicious email behavior for deployment in an online MET system. EMT includes a variety of behavior models for email attachments, user accounts and groups of accounts. Each computed model is used to detect anomalous and errant email behaviors. We report on the set of features implemented in the current version of EMT, describe tests of the system, and outline our plans for extending the set of models.


Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Salvatore J. Stolfo (1)
  • Shlomo Hershkop (1)
  • Ke Wang (1)
  • Olivier Nimeskern (1)
  • Chia-Wei Hu (1)

  1. Fu Foundation School of Engineering & Applied Science, Computer Science Dept., Columbia University, USA