A Behavior-Based Approach to Securing Email Systems

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2776)


The Malicious Email Tracking (MET) system, reported in a prior publication, is a behavior-based security system for email services. The Email Mining Toolkit (EMT) presented in this paper is an offline data-mining and analysis system for email archives, designed to assist in computing models of malicious email behavior for deployment in an online MET system. EMT includes a variety of behavior models for email attachments, user accounts and groups of accounts. Each computed model is used to detect anomalous and errant email behaviors. We report on the set of features implemented in the current version of EMT, describe tests of the system, and outline our plans for extending the set of models.


Keywords (machine-generated, not supplied by the authors): User Account, Attack Strategy, Hellinger Distance, Email Account, Security Analyst





Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

Fu Foundation School of Engineering & Applied Science, Computer Science Dept., Columbia University, USA
