TY - GEN
T1 - CADUE
T2 - 24th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2021
AU - Nabeel, Mohamed
AU - Altinisik, Enes
AU - Sun, Haipei
AU - Khalil, Issa
AU - Wang, Hui
AU - Yu, Ting
N1 - Publisher Copyright:
© 2021 ACM.
PY - 2021/10/6
Y1 - 2021/10/6
AB - End-to-end email encryption (E2EE) ensures that an email can only be decrypted and read by its intended recipients. E2EE's strong security guarantee is particularly desirable for enterprises in the event of a breach: even if attackers break into an email server, under E2EE no email contents are leaked. Meanwhile, E2EE brings significant challenges for an enterprise that wants to detect and filter unwanted emails (spam and phishing emails). Most existing solutions rely heavily on email contents (i.e., email body and attachments), which is difficult when email contents are encrypted. In this paper, we investigate how to detect unwanted emails in a content-agnostic manner, that is, without any access to the contents of emails. Our key observation is that the communication patterns and relationships among internal users of an enterprise contain rich and reliable information about benign email communications. Combining such information with other email metadata (headers and subjects when available), unwanted emails can be accurately distinguished from legitimate ones without access to email contents. Specifically, we propose two types of novel enterprise features derived from enterprise email logs: sender profiling features, which capture the patterns of past emails from external senders to internal recipients; and enterprise graph features, which capture the co-recipient and sender-recipient relationships between internal users. We design a classifier that uses these features along with existing metadata features. We run extensive experiments over a real-world enterprise email dataset and show that our approach, even without any content-based features, achieves a high true positive rate of 95.2% and a low false positive rate of 0.3% under these stringent constraints.
KW - End-to-end email encryption
KW - Enterprise logs
KW - Phishing
KW - Spam
UR - http://www.scopus.com/inward/record.url?scp=85117693051&partnerID=8YFLogxK
U2 - 10.1145/3471621.3471862
DO - 10.1145/3471621.3471862
M3 - Conference contribution
AN - SCOPUS:85117693051
T3 - ACM International Conference Proceeding Series
SP - 205
EP - 219
BT - Proceedings of 2021 24th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2021
PB - Association for Computing Machinery
Y2 - 6 October 2021 through 8 October 2021
ER -