DOI: 10.1007/978-3-319-20550-2_5

That Ain't You: Blocking Spearphishing Through Behavioral Modelling

Published: 09 July 2015

Abstract

One of the ways in which attackers steal sensitive information from corporations is by sending spearphishing emails. A typical spearphishing email appears to be sent by one of the victim's coworkers or business partners, but has in fact been crafted by the attacker. A particularly insidious type of spearphishing email is one that not only claims to be written by a certain person, but is also sent from that person's email account, which has been compromised. Spearphishing emails are very dangerous for companies, because they can be the starting point of a more sophisticated attack or cause intellectual property theft, and lead to high financial losses. Currently, there are no effective systems to protect users against such threats. Existing systems leverage adaptations of anti-spam techniques. However, these techniques are often inadequate for detecting spearphishing attacks, because spearphishing has very different characteristics from spam and even from traditional phishing. To fight the spearphishing threat, we propose a change of focus in the techniques used for detecting malicious emails: instead of looking for features that are indicative of attack emails, we look for emails that claim to have been written by a certain person within a company but were actually authored by an attacker. We do this by modelling the email-sending behavior of users over time, and comparing any subsequent email sent by their accounts against this model. Our approach can block advanced email attacks that traditional protection systems are unable to detect, and is an important step towards detecting advanced spearphishing attacks.
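As an added illustration of the behavioural-modelling idea described in the abstract (example code written for this page, not the paper's system or data): a per-account profile is built from constructed past messages using sending hour, mail client, recipients and two simple writing-style features, and a later message from the same account is held for review when several features deviate at once. The feature set, the 0.5 word-length tolerance and the threshold of three deviations are assumptions.

```python
import re
from datetime import datetime
# Constructed mailbox history for one account (sample data, not from the paper).
HISTORY = [
    {"date": "2015-03-02T09:12:00", "client": "Outlook/15.0", "to": ["bob@corp.example"],
     "body": "Hi Bob, please find the Q1 figures attached. Thanks, Alice"},
    {"date": "2015-03-03T10:40:00", "client": "Outlook/15.0", "to": ["bob@corp.example", "carol@corp.example"],
     "body": "Hi both, can we move the sync to Thursday? Thanks, Alice"},
    {"date": "2015-03-04T08:55:00", "client": "Outlook/15.0", "to": ["carol@corp.example"],
     "body": "Hi Carol, the draft looks fine, go ahead. Thanks, Alice"},
    {"date": "2015-03-05T16:20:00", "client": "Outlook/15.0", "to": ["bob@corp.example"],
     "body": "Hi Bob, reminder about the expense report. Thanks, Alice"},
]

def features(msg):
    """Behavioural features: when it was sent, from which client, to whom, and how it is written."""
    words = re.findall(r"[a-z']+", msg["body"].lower())
    return {"hour": datetime.fromisoformat(msg["date"]).hour, "client": msg["client"],
            "recipients": frozenset(msg["to"]), "greeting": words[0] if words else "",
            "closing": " ".join(words[-2:]), "word_len": sum(map(len, words)) / max(len(words), 1)}

def build_profile(history):
    """Summarise past behaviour as the sets and ranges of values observed for each feature."""
    feats = [features(m) for m in history]
    hours, lens = [f["hour"] for f in feats], [f["word_len"] for f in feats]
    return {"hours": (min(hours), max(hours)), "clients": {f["client"] for f in feats},
            "recipients": set().union(*(f["recipients"] for f in feats)),
            "greetings": {f["greeting"] for f in feats}, "closings": {f["closing"] for f in feats},
            "word_len": (min(lens) - 0.5, max(lens) + 0.5)}  # tolerance of 0.5 is an assumption

def deviations(profile, msg):
    """Names of the features of msg that fall outside the sender's profile."""
    f, out = features(msg), []
    if not profile["hours"][0] <= f["hour"] <= profile["hours"][1]: out.append("hour")
    if f["client"] not in profile["clients"]: out.append("client")
    if not f["recipients"] <= profile["recipients"]: out.append("recipients")
    if f["greeting"] not in profile["greetings"]: out.append("greeting")
    if f["closing"] not in profile["closings"]: out.append("closing")
    if not profile["word_len"][0] <= f["word_len"] <= profile["word_len"][1]: out.append("word_len")
    return out

def is_suspicious(profile, msg, threshold=3):
    return len(deviations(profile, msg)) >= threshold  # threshold of 3 is an assumption

PROFILE = build_profile(HISTORY)
# Constructed test messages: a routine follow-up, and one sent from the same account after compromise.
LEGIT = {"date": "2015-03-06T11:05:00", "client": "Outlook/15.0", "to": ["carol@corp.example"],
         "body": "Hi Carol, see you at the sync. Thanks, Alice"}
ATTACK = {"date": "2015-03-07T03:30:00", "client": "PHPMailer 5.2", "to": ["finance@corp.example"],
          "body": "Dear colleague, please review the attached invoice urgently and confirm payment details today. Regards, Alice"}
```

Note that every feature here is observable on the receiving side of the account, so the check does not depend on the sender's machine being trustworthy.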



Published In

DIMVA 2015: Proceedings of the 12th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment - Volume 9148. July 2015, 336 pages. ISBN: 9783319205496.

Publisher: Springer-Verlag, Berlin, Heidelberg

Cited By

  • (2024) Constructs of Deceit: Exploring Nuances in Modern Social Engineering Attacks. Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 107-127. DOI: 10.1007/978-3-031-64171-8_6. Online publication date: 17-Jul-2024.
  • (2023) "It may take ages": Understanding Human-Centred Lateral Phishing Attack Detection in Organisations. Proceedings of the 2023 European Symposium on Usable Security, pp. 344-355. DOI: 10.1145/3617072.3617116. Online publication date: 16-Oct-2023.
  • (2023) Overview of Social Engineering Protection and Prevention Methods. Computer Security. ESORICS 2023 International Workshops, pp. 64-83. DOI: 10.1007/978-3-031-54204-6_4. Online publication date: 25-Sep-2023.
  • (2022) Automated Detection of Doxing on Twitter. Proceedings of the ACM on Human-Computer Interaction, 6:CSCW2, pp. 1-24. DOI: 10.1145/3555167. Online publication date: 11-Nov-2022.
  • (2022) RAIDER: Reinforcement-Aided Spear Phishing Detector. Network and System Security, pp. 23-50. DOI: 10.1007/978-3-031-23020-2_2. Online publication date: 9-Dec-2022.
  • (2022) Spear Phishing Email Detection with Multiple Reputation Features and Sample Enhancement. Science of Cyber Security, pp. 522-538. DOI: 10.1007/978-3-031-17551-0_34. Online publication date: 10-Aug-2022.
  • (2022) LogoMotive: Detecting Logos on Websites to Identify Online Scams - A TLD Case Study. Passive and Active Measurement, pp. 3-29. DOI: 10.1007/978-3-030-98785-5_1. Online publication date: 28-Mar-2022.
  • (2021) Detecting Telephone-based Social Engineering Attacks using Scam Signatures. Proceedings of the 2021 ACM Workshop on Security and Privacy Analytics, pp. 67-73. DOI: 10.1145/3445970.3451152. Online publication date: 28-Apr-2021.
  • (2021) Multi Layer Detection Framework for Spear-Phishing Attacks. Information Systems Security, pp. 38-56. DOI: 10.1007/978-3-030-92571-0_3. Online publication date: 16-Dec-2021.
  • (2021) Proactive Detection of Phishing Kit Traffic. Applied Cryptography and Network Security, pp. 257-286. DOI: 10.1007/978-3-030-78375-4_11. Online publication date: 21-Jun-2021.
