Behavior-based modeling and its application to Email analysis

Authors:
Salvatore J. Stolfo;Shlomo Hershkop;Chia-Wei Hu;Wei-Jen Li;Olivier Nimeskern;Ke Wang
Affiliations:
Columbia University, New York, NY;Columbia University, New York, NY;Columbia University, New York, NY;Columbia University, New York, NY;Columbia University, New York, NY;Columbia University, New York, NY
Venue:
ACM Transactions on Internet Technology (TOIT)
Year:
2006

Citing 22
Cited 17

An Intrusion-Detection Model

IEEE Transactions on Software Engineering - Special issue on computer security and privacy
Mining association rules between sets of items in large databases

SIGMOD '93 Proceedings of the 1993 ACM SIGMOD international conference on Management of data
Mining in a data-flow environment: experience in network intrusion detection

KDD '99 Proceedings of the fifth ACM SIGKDD international conference on Knowledge discovery and data mining
Temporal sequence learning and data reduction for anomaly detection

ACM Transactions on Information and System Security (TISSEC)
Algorithm 457: finding all cliques of an undirected graph

Communications of the ACM
The "DGX" distribution for mining massive, skewed data

Proceedings of the seventh ACM SIGKDD international conference on Knowledge discovery and data mining
NATE: Network Analysis of Anomalous Traffic Events, a low-cost approach

Proceedings of the 2001 workshop on New security paradigms
Machine Learning

Machine Learning
Mimicry attacks on host-based intrusion detection systems

Proceedings of the 9th ACM conference on Computer and communications security
Distributed Data Mining in Credit Card Fraud Detection

IEEE Intelligent Systems
Anomaly Detection over Noisy Data using Learned Probability Distributions

ICML '00 Proceedings of the Seventeenth International Conference on Machine Learning
MEF: Malicious Email Filter - A UNIX Mail Filter That Detects Malicious Windows Executables

Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference
Learning Program Behavior Profiles for Intrusion Detection

Proceedings of the Workshop on Intrusion Detection and Network Monitoring
Bursty and hierarchical structure in streams

Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining
Throttling Viruses: Restricting propagation to defeat malicious mobile code

ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
"Why 6?" Defining the Operational Limits of Stide, an Anomaly-Based Intrusion Detector

SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
MET: an experimental system for Malicious Email Tracking

Proceedings of the 2002 workshop on New security paradigms
Information-Theoretic Measures for Anomaly Detection

SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Intrusion detection using sequences of system calls

Journal of Computer Security
Detecting malicious software by monitoring anomalous windows registry accesses

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Behavior profiling of email

ISI'03 Proceedings of the 1st NSF/NIJ conference on Intelligence and security informatics
Estimating continuous distributions in Bayesian classifiers

UAI'95 Proceedings of the Eleventh conference on Uncertainty in artificial intelligence

Summarizing email conversations with clue words

Proceedings of the 16th international conference on World Wide Web
High-speed detection of unsolicited bulk emails

Proceedings of the 3rd ACM/IEEE Symposium on Architecture for networking and communications systems
Information leak detection in financial e-mails using mail pattern analysis under partial information

AIC'07 Proceedings of the 7th Conference on 7th WSEAS International Conference on Applied Informatics and Communications - Volume 7
Automated social hierarchy detection through email network analysis

Proceedings of the 9th WebKDD and 1st SNA-KDD 2007 workshop on Web mining and social network analysis
Segmentation and Automated Social Hierarchy Detection through Email Network Analysis

Advances in Web Mining and Web Usage Analysis
Email Accessibility and Social Networking

OCSC '09 Proceedings of the 3d International Conference on Online Communities and Social Computing: Held as Part of HCI International 2009
SMS-Watchdog: Profiling Social Behaviors of SMS Users for Anomaly Detection

RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
BARTER: Behavior Profile Exchange for Behavior-Based Admission and Access Control in MANETs

ICISS '09 Proceedings of the 5th International Conference on Information Systems Security
Hit-list worm detection and bot identification in large networks using protocol graphs

RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
In-depth behavior understanding and use: The behavior informatics approach

Information Sciences: an International Journal
Outsourcing home network security

Proceedings of the 2010 ACM SIGCOMM workshop on Home networks
Analyzing group communication for preventing data leakage via email

CollSec'10 Proceedings of the 2010 international conference on Collaborative methods for security and privacy
The data modeling considered correlation of information leakage detection and privacy violation

ACIIDS'11 Proceedings of the Third international conference on Intelligent information and database systems - Volume Part II
Email shape analysis

ICDCN'10 Proceedings of the 11th international conference on Distributed computing and networking
Social feature-based enterprise email classification without examining email contents

Journal of Network and Computer Applications
Behaviour-Based web spambot detection by utilising action time and action frequency

ICCSA'10 Proceedings of the 2010 international conference on Computational Science and Its Applications - Volume Part II
When daily deal services meet Twitter: understanding Twitter as a daily deal marketing platform

Proceedings of the 3rd Annual ACM Web Science Conference

Quantified Score

Hi-index	0.00

Visualization

Abstract

The Email Mining Toolkit (EMT) is a data mining system that computes behavior profiles or models of user email accounts. These models may be used for a multitude of tasks including forensic analyses and detection tasks of value to law enforcement and intelligence agencies, as well for as other typical tasks such as virus and spam detection. To demonstrate the power of the methods, we focus on the application of these models to detect the early onset of a viral propagation without “content-base ” (or signature-based) analysis in common use in virus scanners. We present several experiments using real email from 15 users with injected simulated viral emails and describe how the combination of different behavior models improves overall detection rates. The performance results vary depending upon parameter settings, approaching 99 % true positive (TP) (percentage of viral emails caught) in general cases and with 0.38 % false positive (FP) (percentage of emails with attachments that are mislabeled as viral). The models used for this study are based upon volume and velocity statistics of a user's email rate and an analysis of the user's (social) cliques revealed in the person's email behavior. We show by way of simulation that virus propagations are detectable since viruses may emit emails at rates different than human behavior suggests is normal, and email is directed to groups of recipients in ways that violate the users' typical communications with their social groups.