That Ain't You: Detecting Spearphishing Through Behavioral Modelling

Post on 07-Aug-2015



Gianluca Stringhini and Olivier Thonnard


Spearphishing is a big threat

“Targeted” phishing

Common attack vector to penetrate corporate and government networks


We focus on the most dangerous type of spearphishing: the one coming from one of your colleagues’ computer, which has been compromised


Traditional Anti-spam techniques

Content analysis (what?)

Origin analysis (who?)


Anti-spam techniques fall short

Reason 1: Similarity

Vs

Reason 2: Right origin


Anti-spam techniques fall short

Reason 3: Anti-spam looks for malicious content

From: Canadian Pharmacy

To: victim@gmail.com

Buy Viagra for cheap!

The language in spearphishing emails is often similar to regular business emails

From: boss@company.com

To: guy@company.com

Here is the latest report

We need something else


Our approach - IdentityMailer

Behavioral modeling

People develop habits when sending emails

Emails sent by an attacker will look different!

behavioral model


Isn’t this too heavy?

We operate on the sending side
• Four times fewer emails to process
• We can verify a user’s identity (2FA)

We need to ensure that the identity verification process happens rarely


Learning a user’s behavior

• We extract a feature vector for each email
• We use both emails from the user and from other people in the organization → resilient to evasion!
• We leverage SVMs to build the model

We do not have to observe any attack email!


Features representing an email

We can’t use traditional anti-spam detection features

Writing-habit features
• Frequency of functional words
• Style characteristics

Composition-habit features
• HTML in emails
• Number of recipients
• Time of composition

Interaction-habit features
• With which people does the user frequently interact?


Checking emails against the model
• We check every email sent against the sending user’s behavioral model
• If an anomaly is raised, we start an identity-verification process (2FA)
• If the user confirms her identity, we call the email a false positive
• Otherwise, we blocked an attack!
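The learning and checking steps of the previous slides, as an added example that is not the paper's or the authors' code: constructed emails for one user (Alice) and for other people in her organization, the three feature families, a small linear SVM trained without any attack email, and the anomaly check that would trigger identity verification. Every name, address, date and message text below is an assumption made up for the example.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime
# Constructed toy mailbox and names (not the paper's data): Alice's habits vs. her colleagues'.
FUNCTION_WORDS = ["the", "of", "and", "to", "a", "in", "that", "is", "for", "it"]
CONTACTS = {"bob@corp.example", "carol@corp.example"}  # people Alice habitually writes to
def mail(date, to, body):  # minimal RFC 822 message: only To, Date and the body feed the features
    return f"To: {to}\nDate: {date}\n\n{body}"
USER_EMAILS = [  # Alice: plain text, morning, one usual colleague
    mail("Mon, 03 Aug 2015 09:12:00 +0100", "bob@corp.example",
         "Hi Bob, here is the report for the meeting. Let me know if it is ok. Thanks, Alice"),
    mail("Tue, 04 Aug 2015 10:05:00 +0100", "carol@corp.example",
         "Carol, the numbers in the draft look good to me. I will send the final version tomorrow."),
    mail("Wed, 05 Aug 2015 09:40:00 +0100", "bob@corp.example",
         "Bob, can you check the figures in section two of the report? It is on the shared drive.")]
OTHER_EMAILS = [  # other people in the organization: HTML, evening, several recipients
    mail("Thu, 06 Aug 2015 16:30:00 +0100", "eve@corp.example, frank@corp.example, gina@corp.example",
         "<html><body><p>Team,</p><p>Please find the slides attached.</p><p>Regards,<br>Dave</p></body></html>"),
    mail("Fri, 07 Aug 2015 22:15:00 +0100", "dave@corp.example, eve@corp.example",
         "<html><body>FYI, forwarded from the vendor as discussed.<br>Hank</body></html>")]

def features(raw, contacts):  # writing-, composition- and interaction-habit features, roughly in [0, 1]
    msg = message_from_string(raw)
    body = msg.get_payload()
    words = re.findall(r"[a-z']+", body.lower())
    n = max(len(words), 1)
    sentences = [s for s in re.split(r"[.!?]+", body) if s.strip()]
    rcpts = [a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    return ([words.count(w) / n for w in FUNCTION_WORDS]                     # function-word frequencies
            + [n / max(len(sentences), 1) / 20, sum(c.isupper() for c in body) / max(len(body), 1)]
            + [float("<html" in body.lower()), len(rcpts) / 10, parsedate_to_datetime(msg["Date"]).hour / 23]
            + [sum(r in contacts for r in rcpts) / max(len(rcpts), 1)])    # share of usual contacts

def train_svm(X, y, lam=0.001, eta=0.1, iters=2000):  # linear SVM: batch subgradient descent on hinge loss
    w, b = [0.0] * len(X[0]), 0.0
    for _ in range(iters):
        gw, gb = [lam * wi for wi in w], 0.0                                  # L2 regulariser
        for x, yi in zip(X, y):
            if yi * (sum(wi * xi for wi, xi in zip(w, x)) + b) < 1:         # margin violated: hinge active
                gw, gb = [g - yi * xi / len(X) for g, xi in zip(gw, x)], gb - yi / len(X)
        w, b = [wi - eta * g for wi, g in zip(w, gw)], b - eta * gb
    return w, b

def build_model(user=USER_EMAILS, others=OTHER_EMAILS, contacts=CONTACTS):
    X = [features(m, contacts) for m in user + others]  # +1 = the user, -1 = colleagues; no attack emails
    return train_svm(X, [1] * len(user) + [-1] * len(others))
def is_anomalous(model, raw, contacts=CONTACTS):  # True = "not this user": start identity verification
    return sum(wi * xi for wi, xi in zip(model[0], features(raw, contacts))) + model[1] < 0
ATTACK = mail("Sat, 08 Aug 2015 23:50:00 +0100", "p1@ext.example, p2@ext.example, p3@ext.example",
              "<html><body>Please review the attached invoice and wire the payment today.</body></html>")  # constructed
```

`is_anomalous(build_model(), ATTACK)` flags the constructed message sent from Alice's compromised account, while her own held-out emails pass; on real data the model would be rebuilt per user from their sending history.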

Evaluation


Evaluation Datasets

Legitimate email datasets
• Enron email dataset (126,075 emails, 148 users)
• Contributed dataset (1,776 emails)

Malicious email datasets
• “Generic” spam (43,274 emails)
• Spam sent by compromised accounts (17,473 emails)
• Spearphishing emails (546 emails)


Analysis of the classifier

We learned a behavioral model for each of the 148 users in the Enron dataset

How accurate are these behavioral models?

It really depends on the activity history of the user
• A user who sent 1,000 emails: 8% FP, 90% TP
• A user who sent 8,000 emails: 1% FP, 96% TP


Detection of attacks

We “injected” the various attack emails into the Enron dataset, and tested whether IdentityMailer can detect them

On average, IdentityMailer is able to detect and block 90% or more of the advanced spearphishing emails for any given user

Current systems detect none of them


Limitations

• IdentityMailer needs to observe many emails to perform well
• Users might get annoyed by the identity verification process
• An attacker might mount a replay attack


Conclusions

We presented IdentityMailer, a system to protect a user’s identity when sending emails

This is an important step towards detecting and blocking advanced spearphishing emails

Questions?

g.stringhini@ucl.ac.uk

@gianluca_string