Five different attack strategies were simulated and tested. The first strategy sends a distinct email to each potential recipient address, one at a time. The second, third and fourth strategies each send 20 attack emails, with 2, 3 and 5 randomly chosen addresses per email respectively. The value 20 is of no concern here, since detection is performed on each email independently. The last strategy sends a single email to all potential addresses at once. During the detection phase, each attack email is examined and compared with the previously classified enclave cliques. An alarm is triggered if the recipient list of the email is not a subset of any known enclave clique. Finally, 10 replications of the simulation were run; the resulting detection rates are listed in Table 2. As intuition suggests, an anomaly is easier to detect when the recipient list of the attack email is large, since a large list is less likely to fit inside any single known clique.

Table 2. Simulation of enclave cliques, with 5 attack strategies.

  Attack strategy                                         Detection rate
  Send to all addresses, one at a time                     0 %
  Send many emails, each containing 2 random addresses     7 %
  Send many emails, each containing 3 random addresses    17 %
  Send many emails, each containing 5 random addresses    30 %
  Send 1 email, containing all addresses                  90 %

In the case of user cliques, the following simulation is performed. 200 emails are sent from one account to 10 potential recipients according to the following rules. Each email has a recipient list of size at most 5; the actual size is drawn from a Zipf distribution in which sizes are ranked in decreasing order of frequency, i.e. single-recipient emails have rank 1 and 5-recipient emails have rank 5. Furthermore, each potential recipient is assigned a random rank, and this rank is kept constant across all emails sent. Once the recipient list size of an email has been determined, the actual recipients of that email are drawn according to a generalized Zipf distribution over those ranks. Finally, a threshold of 50 was used to qualify any pair of accounts as belonging to the same clique.
In terms of attack strategies, the same 5 strategies are used as in the case of enclave cliques. During the detection phase, each attack email is examined and compared with the previously classified user cliques. An alarm is triggered if the recipient list of the email is not a subset of any known user clique. Finally, 30 replications of the simulation were run and the resulting statistics are listed below. As is also expected
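The user-clique simulation and the subset-of-a-known-clique detection rule described above, as an added worked example; this is not code from the original text or from the system it describes. It assumes that the pair threshold counts the number of emails in which two addresses appear together, that the "known cliques" are the maximal cliques of the resulting co-occurrence graph (enumerated here with Bron-Kerbosch), and it uses constructed recipient addresses; the generalized Zipf exponent `s` and the function names are this example's own choices.

```python
import itertools
import random
from collections import Counter


def zipf_weights(n, s=1.0):
    """Generalized Zipf weights over ranks 1..n: w(r) = 1 / r**s."""
    return [1.0 / r ** s for r in range(1, n + 1)]


def generate_training_emails(recipients, n_emails, max_size, rng, s=1.0):
    """Constructed training traffic for one sender account.

    Each recipient gets a random rank once (constant across emails); the
    list size is Zipf over 1..max_size (size 1 has rank 1); the members are
    drawn without replacement with weight 1/rank**s (generalized Zipf).
    """
    ranked = list(recipients)
    rng.shuffle(ranked)                  # position in `ranked` = rank - 1
    size_weights = zipf_weights(max_size)
    emails = []
    for _ in range(n_emails):
        k = rng.choices(range(1, max_size + 1), weights=size_weights)[0]
        pool, chosen = ranked[:], set()
        while len(chosen) < k:
            weights = [1.0 / (ranked.index(r) + 1) ** s for r in pool]
            pick = rng.choices(pool, weights=weights)[0]
            chosen.add(pick)
            pool.remove(pick)
        emails.append(frozenset(chosen))
    return emails


def build_cliques(emails, threshold):
    """Known cliques = maximal cliques of the pair co-occurrence graph.

    Two addresses are joined by an edge if they appear together in at least
    `threshold` emails (assumed reading of the page's pair threshold).
    Isolated addresses come out as singleton cliques.
    """
    pair_count, seen = Counter(), set()
    for rcpts in emails:
        seen |= rcpts
        for a, b in itertools.combinations(sorted(rcpts), 2):
            pair_count[(a, b)] += 1
    adj = {a: set() for a in seen}
    for (a, b), c in pair_count.items():
        if c >= threshold:
            adj[a].add(b)
            adj[b].add(a)
    cliques = []

    def bron_kerbosch(r, p, x):          # enumerate maximal cliques
        if not p and not x:
            cliques.append(frozenset(r))
            return
        for v in list(p):
            bron_kerbosch(r | {v}, p & adj[v], x & adj[v])
            p, x = p - {v}, x | {v}

    bron_kerbosch(set(), set(seen), set())
    return cliques


def is_anomalous(recipients, cliques):
    """The page's detection rule: alarm iff no known clique contains the list."""
    return not any(frozenset(recipients) <= c for c in cliques)


STRATEGIES = ("one_at_a_time", "random_2", "random_3", "random_5", "all_at_once")


def attack_emails(recipients, strategy, rng, n_emails=20):
    """The five attack strategies from the text; random_k sends n_emails."""
    recipients = list(recipients)
    if strategy == "one_at_a_time":
        return [frozenset([r]) for r in recipients]
    if strategy == "all_at_once":
        return [frozenset(recipients)]
    k = int(strategy.split("_")[1])
    return [frozenset(rng.sample(recipients, k)) for _ in range(n_emails)]


def simulate(n_recipients=10, n_emails=200, max_size=5, threshold=50,
             replications=30, seed=0):
    """Detection rate per strategy, averaged over `replications` runs."""
    rng = random.Random(seed)
    recipients = [f"user{i}@example.test" for i in range(n_recipients)]  # constructed
    alarms, sent = Counter(), Counter()
    for _ in range(replications):
        cliques = build_cliques(
            generate_training_emails(recipients, n_emails, max_size, rng), threshold)
        for strategy in STRATEGIES:
            for email in attack_emails(recipients, strategy, rng):
                sent[strategy] += 1
                alarms[strategy] += is_anomalous(email, cliques)
    return {s: alarms[s] / sent[s] for s in STRATEGIES}


if __name__ == "__main__":
    for strategy, rate in simulate().items():
        print(f"{strategy:>14}: {rate:6.1%}")
```

Running `simulate()` reproduces the shape of the table: a single-address email is never flagged once that address has been seen in training, while the all-at-once email is always flagged with these parameters, because a clique containing all 10 recipients would need all 45 pairs to co-occur in at least 50 emails (2250 pair co-occurrences), and 200 emails of at most 5 recipients supply at most 200 x 10 = 2000. Lowering the threshold or raising the list size cap is the quickest way to see that guarantee disappear.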