Simply having a tool to peer into the email behavior of the enclave allowed one observer to mount a quick and effective response. The value of this type of technology to a large organization is noteworthy. A large enterprise that manages tens of thousands of hosts across several large NOCs would benefit greatly from early observation and detection, and from a quick response that avoids saturation of the enterprise. Indeed, the staff time required to eradicate a virus on so many hosts makes a MET-like system a sensible protection mechanism with demonstrable ROI. This, however, raises issues regarding response.
4.2 Response
There is also an interesting issue to consider regarding the response to detected errant email events. MET is designed to detect errant email behavior in real time: to prevent viral propagations (both inbound and outbound) from saturating an enterprise or enclave, to eliminate inbound spam, to detect spam bots running on (compromised) machines within an organization, and to detect other misuses of email services. The behavior models employed compare recent email flows to longer-term profiles. The time needed to gather recent behavior statistics before an errant email event can be detected provides a window of opportunity for a viral or spam propagation to spread to some number of hosts, until sufficient statistics have been gathered and tested to raise an alarm and take corrective action. The number of hosts successfully infected by the emails that leak out prior to detection will vary with a number of factors, including network connectivity (especially the density of the cliques around the first victim).
This notion is discussed in a recent paper [15] that considers propagation rates through a network defined by address book entries and the "social network links" they establish among members of a network community, and subsequent strategies for managing and protecting address book data from the prying eyes of malicious code. It is important to note that viruses such as Hybris, which do not harvest address book data, may follow a completely different propagation strategy that cannot be inferred from address book data. In such cases, EMT's account behavior models would likely still detect the viral spread simply by noting abnormal account or attachment behavior.
An alternative architectural strategy for a deployed MET/EMT system, reminiscent of the rate limiting routers use to limit congestion, is to delay delivery of suspicious emails until sufficient statistics have been gathered to determine more accurately whether or not a propagation is ongoing. A recent paper by Williamson [14] proposes the same strategy. Here, suspicious emails are those deemed possibly anomalous by one or more of the behavior models computed by EMT and deployed in MET. Delaying delivery naturally reduces the opportunity for a propagation to saturate an environment, since fewer emails leak out before a decision is made. If no further evidence of an errant email event develops, the mail server simply forwards the held emails. Where sufficient evidence reveals a malicious email event, the held emails can easily be quarantined, followed by informative messages sent back to the client that originated them.
Even if the system incorrectly deems an email event as abnormal, and subsequently
incorrectly quarantines emails, a simple means of allowing users to release these can