Furthermore, by analyzing only attachment flows, it is possible that benign attachments that share characteristics of self-propagating attachments will be incorrectly identified as malicious (e.g., a really good joke forwarded among many friends). Although the core ideas of MET are valid, another layer of protection against malicious misuse of email is warranted. This strategy involves the computation of behavior models of email accounts and groups of accounts, which then serve as a baseline to detect errant email uses, including virus propagations, SPAM mailings and email security policy violations. EMT is an offline system intended for use by security personnel to analyze email archives and generate a set of attachment models to detect self-propagating viruses. User account models include frequency distributions over a variety of email recipients and the typical times at which emails are sent and received. Aggregate populations of typical email groups and their communication behavior are modeled to detect violations of group behavior indicative of viral propagations, SPAM, and security policy violations.
Models that are computed by EMT offline serve as the means to identify anomalous, atypical email behavior at run time by way of the MET system. MET is thus extended to test not only attachment models, but user account models as well. It is interesting to note that the account profiles EMT computes are used in two ways. A long-term profile serves as a baseline distribution that is compared to the recent email behavior of a user account to determine likely abnormality. Furthermore, the account profiles may themselves be compared to determine subpopulations of accounts that behave similarly. Thus, once an account is determined to behave maliciously, similarly behaving accounts may be inspected more carefully to determine whether they too are behaving maliciously.
The basic architecture of the EMT system is a graphical user interface (GUI) sitting as a front-end to an underlying database (e.g., MySQL [0]) and a set of applications operating on that database. Each application either displays information to an EMT analyst, or computes a model specified for a particular set of emails or accounts using selectable parameter settings. Each is described below. By way of an example, Fig. 3 displays a collection of email records loaded into the database. This part of the interface allows an analyst to inspect each email message and mark or label individual messages with a class label for use in the supervised machine learning applications described in a later section. The results of any analyses update the database of email messages (and may generate alerts) that can be inspected in the messages tab.
2.1 Attachment Statistics and Alerts
EMT runs an analysis on each attachment in the database to calculate a number of metrics. These include birth rate, lifespan, incident rate, prevalence, threat, spread, and death rate. They are explained fully in [0].
Rules specified by a security analyst using the alert logic section of MET are evaluated over the attachment metrics to issue alerts to the analyst. This analysis may be executed against archived email logs using EMT, or at runtime using MET. The initial version of MET provides the means of specifying thresholds in rule form as a collection of Boolean expressions applied to each of the calculated statistics. As an example, a basic rule might check for each attachment seen:
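To make the statistics-plus-rule idea concrete, here is an added example (not EMT's or MET's own code) that derives a few per-attachment statistics from constructed email records and applies a Boolean threshold rule to them. The statistic definitions (birth, lifespan, prevalence, incident rate) and the thresholds are assumptions for this example; the paper's own definitions are given in its reference [0].

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample email records (not from the paper):
# (timestamp, sender account, recipient accounts, attachment identifier)
EMAILS = [
    ("2003-03-01 09:00", "alice", ["bob", "carol"], "att-1"),
    ("2003-03-01 09:05", "bob", ["dave", "erin", "frank"], "att-1"),
    ("2003-03-01 09:07", "carol", ["gina", "hank"], "att-1"),
    ("2003-03-01 09:10", "dave", ["alice", "ivan"], "att-1"),
    ("2003-03-01 10:00", "alice", ["bob"], "att-2"),
    ("2003-03-03 11:00", "bob", ["alice"], "att-2"),
]

def attachment_stats(emails):
    """Per-attachment statistics. These definitions are assumptions made for
    this example (the paper defines its metrics in reference [0]):
      birth:         first time the attachment was seen
      lifespan_h:    hours between first and last sighting
      prevalence:    number of distinct accounts that sent it
      incident_rate: emails carrying it per hour, over max(lifespan, 1h)
    """
    seen = defaultdict(list)
    for ts, sender, rcpts, att in emails:
        seen[att].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), sender, rcpts))
    stats = {}
    for att, rows in seen.items():
        times = sorted(t for t, _, _ in rows)
        lifespan_h = (times[-1] - times[0]).total_seconds() / 3600
        stats[att] = {
            "birth": times[0],
            "lifespan_h": lifespan_h,
            "prevalence": len({s for _, s, _ in rows}),
            "incident_rate": len(rows) / max(lifespan_h, 1.0),
        }
    return stats

def evaluate_rule(stat, min_prevalence=3, min_rate=2.0):
    """A Boolean threshold rule in the spirit of MET's alert logic: flag an
    attachment forwarded by many distinct senders within a short window."""
    return stat["prevalence"] >= min_prevalence and stat["incident_rate"] >= min_rate

def alerts(emails):
    """Identifiers of attachments whose statistics satisfy the rule."""
    return sorted(att for att, s in attachment_stats(emails).items() if evaluate_rule(s))

if __name__ == "__main__":
    for att, s in attachment_stats(EMAILS).items():
        print(att, s, "ALERT" if evaluate_rule(s) else "ok")
```

Note that a widely forwarded joke would satisfy this rule just as a self-propagating attachment would, which is exactly the false-positive case the section raises and the reason account and group behavior models are layered on top of attachment statistics.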