A Behavior-Based Approach to Securing Email Systems
Salvatore J. Stolfo, Shlomo Hershkop, Ke Wang,
Olivier Nimeskern, and Chia-Wei Hu
450 Computer Science Building
Fu Foundation School of Engineering & Applied Science
Computer Science Dept., Columbia University, USA
{sal,shlomo,kewang,on2005,charlie}@cs.columbia.edu
Abstract. The Malicious Email Tracking (MET) system, reported in a prior
publication, is a behavior-based security system for email services. The Email
Mining Toolkit (EMT) presented in this paper is an offline email archive data
mining analysis system that is designed to assist in computing models of malicious
email behavior for deployment in an online MET system. EMT includes a
variety of behavior models for email attachments, user accounts and groups of
accounts. Each model computed is used to detect anomalous and errant email
behaviors. We report on the set of features implemented in the current version
of EMT, and describe tests of the system and our plans for extensions to the set
of models.
1 Introduction
The Email Mining Toolkit (EMT) is an offline data analysis system designed to assist
a security analyst in computing, visualizing and testing models of email behavior for use in a
MET system [0]. In this paper, we present the features and architecture of the implemented
and operational MET and EMT systems, and illustrate the types of discoveries
possible over a set of email data gathered for study.
EMT computes information about email flows from and to email accounts, aggregate
statistical information from groups of accounts, and analyzes content fields of
emails without revealing those contents. Many previous approaches to “anomaly
detection” have been proposed, including research systems that aim to detect masqueraders
by modeling command line sequences and keystrokes [0,0].
MET is designed to protect user email accounts by modeling user email flows and
behaviors to detect misuses that manifest as abnormal email behavior. These misuses
can include malicious email attachments, viral propagations, SPAM email, and email
security policy violations. Of special interest is the detection of polymorphic viruses that
are designed to avoid detection by signature-based methods, but which may nonetheless be
detected via their behavior.
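To make the behavior-based idea concrete, the following is an added example written for this text; it is not code from MET or EMT and does not reproduce their models. It keeps, per sending account, a baseline of messages sent per hour and of how many distinct recipients each attachment has reached, and flags a message that departs from the account's own history. Attachment contents are reduced to a SHA-256 digest so repeats can be recognised without the content being retained, which is one way (an assumption here) to analyze content fields without revealing them. The z-score threshold of 3, the fan-out limit of 10, the account names and every email in the demo are constructed for illustration.

```python
"""Minimal behavior-based email-flow monitor (added example, not MET/EMT code).

Per sending account it learns (a) how many messages the account sends per hour
and (b) how many distinct recipients a given attachment has reached, and flags a
message that deviates from that account's own baseline.  A self-mailing virus
shows up as a burst of messages carrying one attachment to many recipients,
regardless of whether a signature exists for its bytes.
"""
from __future__ import annotations

import hashlib
import statistics
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Email:
    sender: str
    recipients: tuple[str, ...]
    hour: int                        # hour index since the start of observation
    attachment: bytes | None = None  # raw attachment bytes; only a digest is kept


def digest(content: bytes) -> str:
    """Fingerprint an attachment so repeats are recognised without storing the content."""
    return hashlib.sha256(content).hexdigest()


@dataclass
class AccountProfile:
    # hour index -> number of messages the account sent in that hour
    per_hour: dict[int, int] = field(default_factory=lambda: defaultdict(int))
    # attachment digest -> distinct recipients that attachment has been sent to
    fanout: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set))


class FlowMonitor:
    """Per-account baseline of send rate and attachment fan-out (thresholds are assumptions)."""

    def __init__(self, rate_z: float = 3.0, fanout_limit: int = 10):
        self.rate_z = rate_z              # z-score above which the hourly rate is anomalous
        self.fanout_limit = fanout_limit  # max distinct recipients for one attachment
        self.profiles: dict[str, AccountProfile] = defaultdict(AccountProfile)

    def train(self, history) -> None:
        for e in history:
            self._record(e)

    def _record(self, e: Email) -> None:
        p = self.profiles[e.sender]
        p.per_hour[e.hour] += 1
        if e.attachment is not None:
            p.fanout[digest(e.attachment)].update(e.recipients)

    def check(self, e: Email) -> list[str]:
        """Return why this email deviates from its sender's profile (empty = normal),
        then fold it into the profile."""
        p = self.profiles[e.sender]
        alerts: list[str] = []

        # Baseline: the account's hourly counts from every hour except the current one.
        hist = [c for h, c in p.per_hour.items() if h != e.hour]
        cur = p.per_hour.get(e.hour, 0) + 1  # this hour's count including this message
        if len(hist) >= 2:
            mu = statistics.mean(hist)
            sd = statistics.pstdev(hist) or 1.0
            if (cur - mu) / sd > self.rate_z:
                alerts.append(f"send rate {cur}/h vs baseline {mu:.2f}+-{sd:.2f}")

        # One attachment reaching many distinct recipients is the propagation
        # pattern of a self-mailing virus, whatever its bytes look like.
        if e.attachment is not None:
            d = digest(e.attachment)
            reach = p.fanout[d] | set(e.recipients)
            if len(reach) > self.fanout_limit:
                alerts.append(f"attachment {d[:12]} reached {len(reach)} recipients")

        self._record(e)
        return alerts


def demo() -> tuple[list[str], list[list[str]]]:
    """Constructed data: 24 h of ordinary traffic, one normal message, then a 30-message burst."""
    alice = "alice@example.com"
    history = [Email(alice, (f"peer{i % 4}@example.com",), h)
               for h in range(24) for i in range(2 + h % 2)]  # 2 or 3 messages per hour
    mon = FlowMonitor()
    mon.train(history)

    normal = Email(alice, ("peer1@example.com",), 24, b"quarterly report (constructed)")
    worm = b"constructed self-mailing payload"
    burst = [Email(alice, (f"victim{i}@example.org",), 25, worm) for i in range(30)]
    return mon.check(normal), [mon.check(e) for e in burst]


if __name__ == "__main__":
    first, results = demo()
    print("normal message:", first or "no alerts")
    for i, r in enumerate(results):
        if r:
            print(f"burst message {i}:", "; ".join(r))
```

In the demo the first four burst messages pass as normal; from the fifth the hourly rate exceeds the account's baseline, and from the eleventh the attachment fan-out alert fires as well. Neither check looked at the payload bytes, which is the point of a behavior model: a polymorphic variant with a different digest would still trip the rate check, and the fan-out check only needs the attachment to be identical across the burst, not to match any known signature.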
The finance and telecommunications industries have protected their customers
from fraudulent misuse of their services (fraud detection for credit card accounts and
telephone calls) by profiling the behavior of individual and aggregate groups of customer
accounts and detecting deviations from these models. MET provides behavior-based
protection to Internet user email accounts, detecting fraudulent misuse and
policy violations of email accounts by, for example, malicious viruses.
A behavior-based security system such as MET can be architected to protect a client
computer (by auditing email at the client), an enclave of hosts (such as a LAN