Date posted: 07-Aug-2015 | Category: Technology | Uploaded by: gianluca-stringhini
That Ain’t You:
Detecting Spearphishing
Through Behavioral Modelling
Gianluca Stringhini and Olivier Thonnard
Spearphishing is a big threat
• “Targeted” phishing
• Common attack vector to penetrate corporate and government networks
That Ain't You: Detecting Spearphishing Through Behavioral Modelling
We focus on the most dangerous type of spearphishing: emails sent from a colleague’s computer that has been compromised
Traditional anti-spam techniques
• Content analysis (what is being sent?)
• Origin analysis (who is sending it?)
Anti-spam techniques fall short
• Reason 1: Similarity (a spearphishing email looks like the legitimate emails the user normally sends)
• Reason 2: Right origin (the email really comes from the compromised colleague’s account, so origin checks pass)
Anti-spam techniques fall short
• Reason 3: Anti-spam looks for malicious content

Generic spam:
From: Canadian Pharmacy
Buy Viagra for cheap!

The language in spearphishing emails is often similar to regular business emails:
From: [email protected]
Here is the latest report

We need something else
Our approach: IdentityMailer
• Behavioral modeling: people develop habits when sending emails
• Emails sent by an attacker will look different!
Isn’t this too heavy?
We operate on the sending side:
• Four times fewer emails to process
• We can verify a user’s identity (2FA)
We need to ensure that the identity verification process happens rarely
Learning a user’s behavior
• We extract a feature vector for each email
• We use both emails from the user and from other people in the organization → resilient to evasion!
• We leverage SVMs to build the model
We do not have to observe any attack email!
Features representing an email
We can’t use traditional anti-spam detection features
Writing-habit features
• Frequency of functional words
• Style characteristics
Composition-habit features
• HTML in emails
• Number of recipients
• Time of composition
Interaction-habit features
• With which people does the user frequently interact?
Checking emails against the model
• We check every email sent against the sending user’s behavioral model
• If an anomaly is raised, we start an identity-verification process (2FA)
• If the user confirms her identity, we call the email a false positive
• Otherwise, we have blocked an attack!
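The three slides above (feature extraction, learning the user’s model against colleagues’ mail, and the sending-side check) as one runnable toy, added here as an example; this is not IdentityMailer’s own code. The function-word list, the exact feature definitions, the Pegasos training loop used as the SVM, the `verify_identity()` callback standing in for 2FA, and every email in the corpus are this example’s assumptions, not details from the paper.

```python
# Added example, not IdentityMailer's own code: a toy run of the pipeline on
# the slides (feature extraction -> SVM trained on the user's mail versus
# colleagues' mail -> sending-side check with identity verification). The
# function-word list, feature details, Pegasos training loop and all emails
# are constructed for this example and are not taken from the paper.
import math
import random
import re
from collections import Counter

FUNCTION_WORDS = ["the", "a", "and", "of", "to", "in", "is", "for", "it", "with"]  # hypothetical list


def extract_features(msg, contacts):
    """One outgoing email -> feature vector.  msg: dict(body, to, hour, html);
    contacts: Counter of how often this user wrote to each address before."""
    body, words = msg["body"], re.findall(r"[a-z']+", msg["body"].lower())
    n, counts = max(len(words), 1), Counter(words)
    # Writing habits: function-word frequencies and a few style statistics
    feats = [counts[w] / n for w in FUNCTION_WORDS]
    sentences = [s for s in re.split(r"[.!?]+", body) if s.strip()]
    feats += [n / max(len(sentences), 1),                          # mean sentence length
              sum(len(w) for w in words) / n,                       # mean word length
              body.count("!") / n,                                  # exclamation rate
              sum(c.isupper() for c in body) / max(len(body), 1)]   # upper-case ratio
    # Composition habits: HTML, recipient count, time of day as a point on the clock circle
    angle = 2 * math.pi * msg["hour"] / 24
    feats += [1.0 if msg["html"] else 0.0, math.log1p(len(msg["to"])), math.sin(angle), math.cos(angle)]
    # Interaction habits: share of recipients this user has written to before
    feats.append(sum(1 for r in msg["to"] if contacts[r] > 0) / max(len(msg["to"]), 1))
    return feats


def train_model(user_msgs, other_msgs, epochs=300, lam=0.01, seed=1):
    """Behavioural model = linear SVM (Pegasos subgradient descent) separating the
    user's emails (+1) from colleagues' emails (-1).  No attack email is needed."""
    contacts = Counter(r for m in user_msgs for r in m["to"])
    raw = [extract_features(m, contacts) for m in user_msgs + other_msgs]
    y = [1.0] * len(user_msgs) + [-1.0] * len(other_msgs)
    dim = len(raw[0])  # standardise each feature so no single scale dominates the margin
    mean = [sum(v[j] for v in raw) / len(raw) for j in range(dim)]
    std = [math.sqrt(sum((v[j] - mean[j]) ** 2 for v in raw) / len(raw)) or 1.0 for j in range(dim)]
    X = [[(v[j] - mean[j]) / std[j] for j in range(dim)] for v in raw]
    w, b, t, order, rng = [0.0] * dim, 0.0, 0, list(range(len(X))), random.Random(seed)
    for _ in range(epochs):
        rng.shuffle(order)
        for i in order:
            t += 1
            eta = 1.0 / (lam * t)
            margin = y[i] * (sum(wj * xj for wj, xj in zip(w, X[i])) + b)
            w = [(1 - eta * lam) * wj for wj in w]
            if margin < 1:  # hinge-loss violation: pull the boundary towards this example
                w = [wj + eta * y[i] * xj for wj, xj in zip(w, X[i])]
                b += eta * y[i]
    return {"w": w, "b": b, "mean": mean, "std": std, "contacts": contacts}


def score(model, msg):
    """Signed distance from the boundary: >= 0 looks like the user, < 0 is an anomaly."""
    z = [(x - m) / s for x, m, s in zip(extract_features(msg, model["contacts"]), model["mean"], model["std"])]
    return sum(wj * zj for wj, zj in zip(model["w"], z)) + model["b"]


def check_outgoing(model, msg, verify_identity):
    """Sending-side check: deliver, or on an anomaly ask the user to confirm
    (verify_identity() stands in for the 2FA step and returns True/False)."""
    if score(model, msg) >= 0:
        return "delivered"
    return "false positive" if verify_identity() else "blocked"


def mail(body, to, hour, html=False):
    return {"body": body, "to": to, "hour": hour, "html": html}

# Constructed corpus: Alice writes short plain-text notes to two colleagues in office hours;
# other staff write to different people, often in HTML, sometimes late in the evening.
ALICE = [mail("Hi Bob, here is the latest report. Let me know if you have questions. Thanks, Alice", ["bob@corp.example"], 10),
         mail("Hi Carol, the numbers for the quarter are attached. Thanks, Alice", ["carol@corp.example"], 9),
         mail("Bob, can we move the meeting to Thursday? Thanks, Alice", ["bob@corp.example"], 14),
         mail("Hi both, notes from the call are attached. Thanks, Alice", ["bob@corp.example", "carol@corp.example"], 16),
         mail("Carol, the draft is ready for review. Thanks, Alice", ["carol@corp.example"], 11),
         mail("Hi Bob, the vendor confirmed the delivery date. Thanks, Alice", ["bob@corp.example"], 15)]
OTHERS = [mail("<p>Team, ship it TODAY!! Great work everyone!</p>", ["sales@corp.example", "dave@corp.example"], 19, True),
          mail("<b>Reminder:</b> timesheets are due Friday!", ["all@corp.example"], 18, True),
          mail("Dave, ping me when the build is green.", ["dave@corp.example"], 22),
          mail("<p>Eve, see the <i>attached</i> contract.</p>", ["eve@corp.example", "legal@partner.example"], 20, True),
          mail("WOW! Record quarter! Drinks on me!", ["sales@corp.example"], 21),
          mail("<p>Vendor, please resend the invoice.</p>", ["billing@partner.example"], 8, True)]
# A held-out genuine email and an "injected" attack sent from Alice's compromised account
GENUINE = mail("Hi Carol, the updated deck for Monday is attached. Thanks, Alice", ["carol@corp.example"], 11)
ATTACK = mail("URGENT!!! Process the attached wire transfer NOW. The CEO approved it, do not delay!",
              ["finance@corp.example", "treasury@corp.example"], 3, True)

if __name__ == "__main__":
    model = train_model(ALICE, OTHERS)
    print(check_outgoing(model, GENUINE, lambda: True))   # delivered without prompting the user
    print(check_outgoing(model, ATTACK, lambda: False))   # blocked: the attacker cannot pass 2FA
```

The attack email trips every feature family at once (unknown recipients, HTML, 3 a.m., shouting), but the interaction-habit feature alone already separates it from Alice’s history; training needs only Alice’s and her colleagues’ legitimate mail, which is the point of the “we do not have to observe any attack email” slide.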
Evaluation
Evaluation datasets
Legitimate email datasets
• Enron email dataset (126,075 emails, 148 users)
• Contributed dataset (1,776 emails)
Malicious email datasets
• “Generic” spam (43,274 emails)
• Spam sent by compromised accounts (17,473 emails)
• Spearphishing emails (546 emails)
Analysis of the classifier
We learned a behavioral model for each of the 148 users in the Enron dataset
How accurate are these behavioral models?
It really depends on the activity history of the user
• A user who sent 1,000 emails: 8% FP, 90% TP
• A user who sent 8,000 emails: 1% FP, 96% TP
Detection of attacks
We “injected” the various attack emails into the Enron dataset, and tested whether IdentityMailer can detect them
On average, IdentityMailer detects and blocks 90% or more of the advanced spearphishing emails for any given user
Current systems detect none of them
Limitations
• IdentityMailer needs to observe many emails to perform well
• Users might get annoyed by the identity verification process
• An attacker might mount a replay attack
Conclusions
We presented IdentityMailer, a system to protect a user’s identity when sending emails
This is an important step towards detecting and blocking advanced spearphishing emails