Too often, a harmless-looking email actually contains dangerous attachments or links. Researchers at Israel’s Ben-Gurion University have found a new method that uses machine learning algorithms to detect malicious emails that most commercially available security products cannot.

Called Email-Sec-360°, the technique was developed by Aviad Cohen, a Ph.D. student and researcher at the David and Janet Polak Family Malware Lab at the Ben-Gurion University of the Negev.

The method leverages 100 general descriptive features extracted from all email components, including the header, body and attachments. It employs Natural Language Processing (NLP) to analyze the email’s textual content for linguistic patterns, and a Hidden Markov Model (HMM) to analyze URLs and email addresses, in order to distinguish benign from malicious mail.
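Scoring URLs and addresses with a sequence model, as described above, amounts to asking how likely a string's character sequence is under a model trained on benign examples, rather than matching it against a signature. The following is an added illustration, not the researchers' code: it uses a first-order character Markov chain instead of a full HMM, and the benign training URLs and the two scored URLs are constructed examples; the same scoring works unchanged for email addresses.

```python
import math
from collections import defaultdict

# Constructed stand-in for a labelled corpus of benign URLs (not real data).
BENIGN_URLS = [
    "https://www.example.com/login",
    "https://mail.example.com/inbox",
    "https://docs.example.org/guide/getting-started",
    "https://shop.example.net/cart/checkout",
    "https://www.example.com/account/settings",
    "https://support.example.org/help/faq",
]
START, END = "^", "$"  # sentinels so string boundaries are scored too

def train_markov(urls):
    """Count first-order character transitions a->b over the benign set."""
    counts = defaultdict(lambda: defaultdict(int))
    alphabet = set()
    for u in urls:
        s = START + u + END
        alphabet.update(s)
        for a, b in zip(s, s[1:]):
            counts[a][b] += 1
    return counts, alphabet

def url_score(url, model):
    """Mean log-probability per transition under the benign model. Laplace
    smoothing keeps unseen transitions non-zero but small, so strings made of
    character pairs never seen in benign data score lower."""
    counts, alphabet = model
    s = START + url + END
    vocab = len(alphabet) + 1  # +1 reserves mass for unseen characters
    total = 0.0
    for a, b in zip(s, s[1:]):
        row = counts.get(a, {})
        total += math.log((row.get(b, 0) + 1) / (sum(row.values()) + vocab))
    return total / (len(s) - 1)

def rank_urls(urls, model):
    """Most anomalous (lowest-scoring) strings first, for analyst triage."""
    return sorted(urls, key=lambda u: url_score(u, model))

if __name__ == "__main__":
    model = train_markov(BENIGN_URLS)
    # Constructed inputs: an ordinary link and one with a random-looking host/path.
    for u in rank_urls(["https://www.example.com/help",
                        "http://xk9q-zz.example-update.test/a8f7g6h5/verify?id=0011"],
                       model):
        print(f"{url_score(u, model):.3f}  {u}")
```

In practice the threshold separating "suspicious" from "benign" would be chosen on held-out labelled data, and this score would be one feature among many rather than a verdict on its own.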

Researchers used 33,142 emails and compared the model to 60 industry-leading anti-virus engines. Email-Sec-360° achieved a true positive rate of 0.875, while the next best-performing antivirus solutions, Cyren, Sophos, Avira and F-Secure, scored 0.77, 0.746, 0.727 and 0.709, respectively.

“Existing solutions only analyze specific e-mail elements using rule-based methods and signature-based detection methods,” said Dr. Nir Nissim, head of the Malware Lab. “These are insufficient for detecting new and unknown malicious emails.”

Results of the research were published in the scientific journal Expert Systems with Applications.

“Detecting that a virtual server has been compromised is extremely important for organizational security,” said the researchers in the abstract. “We used a collection of real-world, professional, and notorious ransomware and a collection of legitimate programs. The results show that our methodology is able to detect anomalous states of a virtual machine, as well as the presence of both known and unknown ransomware.”

Researchers intend to extend their study and integrate analysis of attachments such as PDFs and Microsoft Office documents with Email-Sec-360°. They are also looking at developing an online system to evaluate the security risk posed by an email message.