A Behavior-Based Approach to Securing Email Systems

Authors: S. Stolfo, Shlomo Hershkop, Ke Wang, Olivier Nimeskern, Chia-Wei Hu
The Malicious Email Tracking (MET) system, reported in a prior publication, is a behavior-based security system for email services. [...] EMT includes a variety of behavior models for email attachments, user accounts and groups of accounts. Each computed model is used to detect anomalous and errant email behaviors. We report on the set of features implemented in the current version of EMT, describe tests of the system, and outline our plans for extending the set of models.

WORM DETECTION: a monitoring behaviour based system

The purpose is to create an on-line monitoring system that can identify anomalies on a selected network and react against them, and to find a behavioural signature for worms, so that antivirus software is freed from daily signature updates.

A Framework to Detect Novel Computer Viruses via System Calls

A framework for detecting self-propagating email viruses based on deterministic system calls derived from associated email client’s dynamic link libraries (DLLs) and how to monitor and detect abnormal system calls in real-time from an email application.

Behavior-based email analysis with application to spam detection

The Email Mining Toolkit is a data mining toolkit designed to analyze offline email corpora, including the entire set of email sent and received by an individual user, revealing much information about individual users as well as the behavior of groups of users in an organization.

Analyzing Behavioral Features for Email Classification

Empirical analysis is used to select an optimum, novel collection of behavioral features of a user's email traffic that enables the rapid detection of abnormal email activity, and the effectiveness of outgoing email analysis is demonstrated using an application that detects worm propagation.

Stopping Spam by Extrusion Detection

End users are often unaware that their systems have been compromised and are being used to send bulk unsolicited email (spam). We show how automated processing of the email logs recorded on the

Email communications analysis: how to use computational intelligence methods and tools?

  • M. Negnevitsky, M. Lim, J. Hartnett, L. Reznik
  • Computer Science
    CIHSPS 2005. Proceedings of the 2005 IEEE International Conference on Computational Intelligence for Homeland Security and Personal Safety, 2005.
  • 2005
A review of work on dynamic modeling and link prediction of social networks, and on anomaly detection for detecting changes in e-mail usage behavior, is presented, and the feasibility of applying neural network and fuzzy logic methodologies to the design of a change detection system is discussed.

Research on Behavior Statistic Based Spam Filter

Combining the common features of email messages, especially the presence of hyperlinks in most spam, a URL model is built, and several behavior-recognizing models can cooperate to detect spam.

Email Communities of Interest

The flow and frequency of user email is measured toward the identification of communities of interest (COI), groups of users that have a common bond, which will be useful in automating email management, e.g., topical classification, flagging important missives, and SPAM mitigation.

User profiling based on multiple aspects of activity in a computer system

Preliminary studies show that the proposed profiling method could be useful in detecting an intruder masquerading as an authorized user of the computer system.

Indirect Human Computer Interaction-Based Biometrics for Intrusion Detection Systems

  • R.V. Yampolskiy
  • Computer Science
    2007 41st Annual IEEE International Carnahan Conference on Security Technology
  • 2007
This paper concentrates on the review and analysis of indirect human computer interaction-based biometrics frequently used in intrusion detection systems and an experimental demonstration of an intrusion detection system based on network traffic analysis.

MET: an experimental system for Malicious Email Tracking

MET is a database of statistics about the trajectory of email attachments in and out of a network system, and the culling together of these statistics across networks to present a global view of the spread of the malicious software.

MEF: Malicious Email Filter - A UNIX Mail Filter That Detects Malicious Windows Executables

A freely distributed malicious binary filter incorporated into Procmail that can detect malicious Windows attachments by integrating with a UNIX mail server and allows for the efficient propagation of detection models from a central server.

Learning Patterns from Unix Process Execution Traces for Intrusion Detection

Preliminary experiments extending the work pioneered by Forrest on learning the normal and abnormal patterns of Unix processes, which can be used to identify misuses of and intrusions in Unix systems, indicate that machine learning can play an important role by generalizing stored sequence information to perhaps provide broader intrusion detection services.

Mining Audit Data to Build Intrusion Detection Models

A data mining framework for constructing intrusion detection models to mine system audit data for consistent and useful patterns of program and user behavior, and use the set of relevant system features presented in the patterns to compute classifiers that can recognize anomalies and known intrusions.

Throttling viruses: restricting propagation to defeat malicious mobile code

  • Matthew M. Williamson
  • Computer Science
    18th Annual Computer Security Applications Conference, 2002. Proceedings.
  • 2002
A simple technique to limit the rate of connections to "new" machines that is remarkably effective at both slowing and halting virus propagation without affecting normal traffic is described.

Email networks and the spread of computer viruses.

Empirically the structure of this network of connections between individuals over which the virus spreads is investigated using data drawn from a large computer installation, and the implications for the understanding and prevention of computer virus epidemics are discussed.

Gauging Similarity with n-Grams: Language-Independent Categorization of Text

A language-independent means of gauging topical similarity in unrestricted text by combining information derived from n-grams with a simple vector-space technique that makes sorting, categorization, and retrieval feasible in a large multilingual collection of documents.

The "DGX" distribution for mining massive, skewed data

This paper proposes a new probability distribution, the Discrete Gaussian Exponential (DGX), to achieve excellent fits in a wide variety of settings; this new distribution includes the Zipf distribution as a special case.

Computer Intrusion: Detecting Masquerades

This document is intended to be used for educational purposes only, and should not be used as a guide to deal with individuals or groups unfamiliar with the use of these services.

Research and Development in Knowledge Discovery and Data Mining

This work presents an approach to goal recognition which uses a Dynamic Belief Network to represent domain features needed to identify users' goals and plans, and applies simple learning techniques to learn significant actions in the domain.