Access the full text.
Sign up today, get DeepDyve free for 14 days.
Loading next page...
/lp/association-for-computing-machinery/behavior-based-modeling-and-its-application-to-email-analysis-EUyZ9Qgi2c
References (50)
-
C. Warrender, S. Forrest, Barak Pearlmutter (1999)
Detecting intrusions using system calls: alternative data modelsProceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344)
-
E. Eskin (2000)
Anomaly Detection over Noisy Data using Learned Probability Distributions -
O. Aalen, H. Gjessing (2001)
Understanding the shape of the hazard rate: a process point of view (With comments and a rejoinder by the authors)Statistical Science, 16
-
Ieee Symposium on Security and Privacy E Perils of User Tracking Using Zero- Permission Mobile Apps -
Zhiqiang Bi, C. Faloutsos, Flip Korn (2001)
The "DGX" distribution for mining massive, skewed data -
Wenke Lee, Dong Xiang (2001)
Information-theoretic measures for anomaly detectionProceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001
-
productivity gains EMT may offer when deployed for these law enforcement and intelligence applications -
Anup Ghosh, A. Schwartzbard, M. Schatz, Schatz
The Advanced Computing Systems Association Proceedings of the Workshop on Intrusion Detection and Network Monitoring Learning Program Behavior Profiles for Intrusion Detection Learning Program Behavior Prooles for Intrusion Detection -
P. Chan, Wei Fan, A. Prodromidis, S. Stolfo (1999)
Distributed data mining in credit card fraud detectionIEEE Intell. Syst., 14
-
D. Denning (1986)
An Intrusion-Detection Model1986 IEEE Symposium on Security and Privacy
-
Nong Ye (2000)
A Markov Chain Model of Temporal Behavior for Anomaly Detection -
M. Mahoney, P. Chan (2001)
Detecting novel attacks by identifying anomalous network packet headers -
(2003)
Finding Friends and Enemies through the Analysis of Clique Dynamics -
M. Damashek (1995)
Gauging Similarity with n-Grams: Language-Independent Categorization of TextScience, 267
-
T. Lane, C. Brodley (1998)
Temporal sequence learning and data reduction for anomaly detectionACM Trans. Inf. Syst. Secur., 2
-
Douglas Abraham (1971)
Mathematical statisticsTechnometrics, 63
-
Carol Taylor, J. Alves-Foss (2001)
NATE: Network Analysis ofAnomalousTrafficEvents, a low-cost approach -
(2006)
Behavior-Based Modeling and Its Application to Email Analysis @BULLET 221 -
(1997)
Integrated spatial and feature image systems: Retrieval, compression and analysis -
H. Javitz, A. Valdes (1994)
The NIDES Statistical Component Description and Justification -
D. Wagner, Paolo Soto (2002)
Mimicry attacks on host-based intrusion detection systems -
M. Schultz, E. Eskin, E. Zadok, Manasi Bhattacharyya, S. Stolfo (2001)
USENIX Association Proceedings of the FREENIX Track : 2001 USENIX Annual -
S. Hofmeyr, S. Forrest, Anil Somayaji (1998)
Intrusion Detection Using Sequences of System CallsJ. Comput. Secur., 6
-
Schonlau M. (2001)
Computer intrusion detecting masqueradesStatist. Sci., 16
-
(2003)
Host-based Anomaly Detection by Wrapping File System Accesses -
10.1109/TSE.1987.232894
-
Wenke Lee, S. Stolfo, K. Mok (1999)
Mining in a data-flow environment: experience in network intrusion detection -
George John, P. Langley (1995)
Estimating Continuous Distributions in Bayesian Classifiers -
E. Eskin, Andrew Arnold, Michael Prerau, Leonid Portnoy, S. Stolfo (2002)
A Geometric Framework for Unsupervised Anomaly Detection -
M. Newman, S. Forrest, Stephanie Forrest, Justin Balthrop (2002)
Email networks and the spread of computer viruses.Physical review. E, Statistical, nonlinear, and soft matter physics, 66 3 Pt 2A
-
T. Lane, C. Brodley (1999)
Temporal sequence learning and data reduction for anomaly detectionACM Transactions on Information and System Security, 2
-
Matthias Schonlau, W. DuMouchel, Wen-Hua Ju, A. Karr, Martin Theusan, Y. Vardi (2001)
Computer Intrusion: Detecting MasqueradesStatistical Science, 16
-
Proceedings of the 7th ACM SIGKDD Int'l Conf. on Knowledge Discovery and Data Mining -
Matthew Williamson (2002)
Throttling viruses: restricting propagation to defeat malicious mobile code18th Annual Computer Security Applications Conference, 2002. Proceedings.
-
C. Bron, J. Kerbosch (1973)
Finding all cliques of an undirected graphCommunications of The ACM
-
10.21236/ADA451576
-
K. Tan, R. Maxion (2002)
"Why 6?" Defining the operational limits of stide, an anomaly-based intrusion detectorProceedings 2002 IEEE Symposium on Security and Privacy
-
W. Niblack, R. Barber, W. Equitz, M. Flickner, E. Glasman, D. Petkovic, P. Yanker, C. Faloutsos, G. Taubin (1993)
QBIC project: querying images by content, using color, texture, and shape, 1908
-
E. Eskin, Andrew Arnold, Michael Prerau (2002)
A GEOMETRIC FRAMEWORK FOR UNSUPERVISED ANOMALY DETECTION: DETECTING INTRUSIONS IN UNLABELED DATA -
Frank Apap, A. Honig, Shlomo Hershkop, E. Eskin, S. Stolfo (2002)
Detecting Malicious Software by Monitoring Anomalous Windows Registry Accesses -
Manasi Bhattacharyya, Shlomo Hershkop, E. Eskin (2002)
MET: an experimental system for Malicious Email Tracking -
J. Kleinberg (2002)
Bursty and Hierarchical Structure in StreamsData Mining and Knowledge Discovery, 7
-
Wenke Lee, S. Stolfo, P. Chan (1997)
Learning Patterns from Unix Process Execution Traces for Intrusion Detection -
Wenke Lee, S. Stolfo, K. Mok (1998)
Mining Audit Data to Build Intrusion Detection Models -
(2003)
Received October ACM Transactions on Internet Technology -
D. Watts (2003)
Six Degrees: The Science of a Connected Age -
Wenke Lee, S. Stolfo (2000)
A framework for constructing features and models for intrusion detection systemsACM Trans. Inf. Syst. Secur., 3
-
C. Bron, J. Kerbosch (1973)
Algorithm 457: finding all cliques of an undirected graphCommunications of the ACM, 16
-
R. Agrawal, T. Imielinski, A. Swami (1993)
Mining association rules between sets of items in large databasesProceedings of the 1993 ACM SIGMOD international conference on Management of data
-
S. Stolfo, Shlomo Hershkop, Ke Wang, Olivier Nimeskern, Chia-Wei Hu (2003)
Behavior Profiling of Email
- Publisher
- Association for Computing Machinery
- Copyright
- Copyright © 2006 by ACM Inc.
- ISSN
- 1533-5399
- DOI
- 10.1145/1149121.1149125
- Publisher site
- See Article on Publisher Site
Abstract
The Email Mining Toolkit (EMT) is a data mining system that computes behavior profiles or models of user email accounts. These models may be used for a multitude of tasks including forensic analyses and detection tasks of value to law enforcement and intelligence agencies, as well for as other typical tasks such as virus and spam detection. To demonstrate the power of the methods, we focus on the application of these models to detect the early onset of a viral propagation without “content-base ” (or signature-based) analysis in common use in virus scanners. We present several experiments using real email from 15 users with injected simulated viral emails and describe how the combination of different behavior models improves overall detection rates. The performance results vary depending upon parameter settings, approaching 99 % true positive (TP) (percentage of viral emails caught) in general cases and with 0.38 % false positive (FP) (percentage of emails with attachments that are mislabeled as viral). The models used for this study are based upon volume and velocity statistics of a user's email rate and an analysis of the user's (social) cliques revealed in the person's email behavior. We show by way of simulation that virus propagations are detectable since viruses may emit emails at rates different than human behavior suggests is normal, and email is directed to groups of recipients in ways that violate the users' typical communications with their social groups.
Journal
ACM Transactions on Internet Technology (TOIT) – Association for Computing Machinery
Published: May 1, 2006