Behavior Profiling of Email

Stolfo, Salvatore J.; Hershkop, Shlomo; Wang, Ke; Nimeskern, Olivier; Hu, Chia-Wei

doi:10.1007/3-540-44853-5_6

Cited by 40 publications

(30 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Stolfo et al presented Email Mining Toolkit (EMT) [29,30]. This tool mines email logs to find cliques of users who frequently contact each other.…”

Section: Related Workmentioning

confidence: 99%

“…Techniques that leverage the similarities in the email templates or fingerprint the email lists to which bots send emails [24,32,43] work well in detecting spam and bot-infected machines, but fall short in detecting one-of-a-kind targeted email attacks, in which an attacker crafts an email tailored to the victim, and sends it only once. Even systems that look for changes of behavior in email accounts leverage the fact that accounts compromised by the same cybercriminals will show a similar behavior [10,29,30].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

That Ain’t You: Blocking Spearphishing Through Behavioral Modelling

Stringhini

Thonnard

2015

Detection of Intrusions and Malware, and Vulnerability Assessment

View full text Add to dashboard Cite

Abstract. One of the ways in which attackers steal sensitive information from corporations is by sending spearphishing emails. A typical spearphishing email appears to be sent by one of the victim's coworkers or business partners, but has instead been crafted by the attacker. A particularly insidious type of spearphishing emails are the ones that do not only claim to be written by a certain person, but are also sent by that person's email account, which has been compromised. Spearphishing emails are very dangerous for companies, because they can be the starting point to a more sophisticated attack or cause intellectual property theft, and lead to high financial losses. Currently, there are no effective systems to protect users against such threats. Existing systems leverage adaptations of anti-spam techniques. However, these techniques are often inadequate to detect spearphishing attacks. The reason is that spearphishing has very different characteristics from spam and even traditional phishing. To fight the spearphishing threat, we propose a change of focus in the techniques that we use for detecting malicious emails: instead of looking for features that are indicative of attack emails, we look for emails that claim to have been written by a certain person within a company, but were actually authored by an attacker. We do this by modelling the email-sending behavior of users over time, and comparing any subsequent email sent by their accounts against this model. Our approach can block advanced email attacks that traditional protection systems are unable to detect, and is an important step towards detecting advanced spearphishing attacks.

show abstract

“…Stolfo et al presented Email Mining Toolkit (EMT) [29,30]. This tool mines email logs to find cliques of users who frequently contact each other.…”

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

That Ain’t You: Blocking Spearphishing Through Behavioral Modelling

Stringhini

Thonnard

2015

Detection of Intrusions and Malware, and Vulnerability Assessment

View full text Add to dashboard Cite

show abstract

“…The studies in [28], [29] focus on communication patterns or profiles of applications instead of broader network traffic. Concurrent with our work, [30], [31] are most similar in spirit, and in a sense are complementary, to ours.…”

Section: Related Workmentioning

confidence: 99%

Internet Traffic Behavior Profiling for Network Security Monitoring

Bhattacharyya

2008

IEEE/ACM Trans. Networking

View full text Add to dashboard Cite

Abstract-Recent spates of cyber-attacks and frequent emergence of applications affecting Internet traffic dynamics have made it imperative to develop effective techniques that can extract, and make sense of, significant communication patterns from Internet traffic data for use in network operations and security management. In this paper, we present a general methodology for building comprehensive behavior profiles of Internet backbone traffic in terms of communication patterns of end-hosts and services. Relying on data mining and entropy-based techniques, the methodology consists of significant cluster extraction, automatic behavior classification and structural modeling for in-depth interpretive analyses. We validate the methodology using data sets from the core of the Internet.

show abstract

“…The Email Mining Toolkit (EMT) [13] provides interaction metrics while [4] aims at extracting the underlying activity structure. However all of these lack the notion of applied resources (e.g.…”

Section: Related Workmentioning

confidence: 99%