CADUE: Content-agnostic detection of unwanted emails for enterprise security

Mohamed Nabeel, Enes Altinisik, Haipei Sun, Issa Khalil, Hui Wang, Ting Yu

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-review

2 Citations (Scopus)

Abstract

End-to-end email encryption (E2EE) ensures that an email can only be decrypted and read by its intended recipients. E2EE's strong security guarantee is particularly desirable for enterprises in the event of breaches: even if attackers break into an email server, under E2EE no email contents are leaked. Meanwhile, E2EE brings significant challenges for an enterprise that needs to detect and filter unwanted emails (spam and phishing emails). Most existing solutions rely heavily on email contents (i.e., email body and attachments), which is difficult when email contents are encrypted. In this paper, we investigate how to detect unwanted emails in a content-agnostic manner, that is, without any access to the contents of emails. Our key observation is that the communication patterns and relationships among internal users of an enterprise contain rich and reliable information about benign email communications. Combining such information with other email metadata (headers and subjects when available), unwanted emails can be accurately distinguished from legitimate ones without access to email contents. Specifically, we propose two types of novel enterprise features derived from enterprise email logs: sender profiling features, which capture the patterns of past emails from external senders to internal recipients; and enterprise graph features, which capture the co-recipient and sender-recipient relationships between internal users. We design a classifier that uses these features along with existing metadata features. We run extensive experiments over a real-world enterprise email dataset and show that our approach, even without any content-based features, achieves a high true positive rate of 95.2% and a low false positive rate of 0.3% under these stringent constraints.
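As an added illustration (not the paper's code, and not its exact feature definitions), the following constructed example computes the two feature families the abstract describes from metadata-only log records: sender-profiling counts for an external sender, and graph features over the co-recipient and sender-recipient relationships among internal users. The addresses, the `corp.example` domain and the feature names are assumptions.

```python
from collections import Counter, defaultdict
from itertools import combinations

INTERNAL_DOMAIN = "corp.example"  # assumed enterprise domain

# Constructed metadata-only log records: (sender, recipients). No body or attachment is used.
PAST_LOG = [
    ("alice@corp.example", ["bob@corp.example", "carol@corp.example"]),
    ("bob@corp.example", ["alice@corp.example"]),
    ("vendor@partner.example", ["alice@corp.example"]),
    ("vendor@partner.example", ["alice@corp.example", "bob@corp.example"]),
    ("carol@corp.example", ["alice@corp.example", "bob@corp.example"]),
]

def is_internal(addr):
    return addr.rsplit("@", 1)[-1].lower() == INTERNAL_DOMAIN

def build_state(log):
    """Aggregate past metadata into sender profiles and an internal-user graph.

    The graph is built only from emails sent by internal users, so an external
    sender cannot manufacture relationships simply by mailing many employees.
    """
    sent = Counter()              # external sender -> past emails into the enterprise
    contacted = defaultdict(set)  # external sender -> internal recipients reached before
    edges = Counter()             # unordered internal pair -> sender-recipient + co-recipient links
    for sender, rcpts in log:
        internal = [r for r in rcpts if is_internal(r)]
        if not is_internal(sender):
            sent[sender] += 1
            contacted[sender].update(internal)
            continue
        for r in internal:
            edges[frozenset((sender, r))] += 1  # sender-recipient relationship
        for a, b in combinations(internal, 2):
            edges[frozenset((a, b))] += 1       # co-recipient relationship
    return sent, contacted, edges

def features(state, sender, rcpts):
    """Content-agnostic features for one incoming email from an external sender."""
    sent, contacted, edges = state
    internal = [r for r in rcpts if is_internal(r)]
    known = [r for r in internal if r in contacted.get(sender, set())]
    pairs = list(combinations(internal, 2))
    linked = sum(1 for a, b in pairs if edges[frozenset((a, b))] > 0)
    return {
        "sender_past_emails": sent[sender],
        "sender_known_recipient_frac": len(known) / len(internal) if internal else 0.0,
        # a single-recipient email has no pairs to contradict the graph
        "recipient_pairs_linked_frac": linked / len(pairs) if pairs else 1.0,
    }
```

A previously unseen sender addressing internal users who never appear together in the enterprise graph scores low on all three features, which is the kind of signal a classifier can use without ever reading the message.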

Original language: English
Title of host publication: Proceedings of 2021 24th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2021
Publisher: Association for Computing Machinery
Pages: 205-219
Number of pages: 15
ISBN (Electronic): 9781450390583
DOIs
Publication status: Published - 6 Oct 2021
Event: 24th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2021 - Virtual, Online, Spain
Duration: 6 Oct 2021 - 8 Oct 2021

Publication series

Name: ACM International Conference Proceeding Series

Conference

Conference: 24th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2021
Country/Territory: Spain
City: Virtual, Online
Period: 6/10/21 - 8/10/21

Keywords

  • End-to-end email encryption
  • Enterprise logs
  • Phishing
  • Spam
