An Email Attachment is Worth a Thousand Words, or Is It?

There is an extensive body of research on Social Network Analysis (SNA) based on the email archive. The network used in the analysis is generally extracted either by capturing the email communication in From, To, Cc and Bcc email header fields or by the entities contained in the email message. In the latter case, the entities could be, for instance, the bag of words, url's, names, phones, etc. It could also include the textual content of attachments, for instance Microsoft Word documents, excel spreadsheets, or Adobe pdfs. The nodes in this network represent users and entities. The edges represent communication between users and relations to the entities. We suggest taking a different approach to the network extraction and use attachments shared between users as the edges. The motivation for this is two-fold. First, attachments represent the "intimacy" manifestation of the relation's strength. Second, the statistical analysis of private email archives that we collected and Enron email corpus shows that the attachments contribute in average around 80-90% to the archive's disk-space usage, which means that most of the data is presently ignored in the SNA of email archives. Consequently, we hypothesize that this approach might provide more insight into the social structure of the email archive. We extract the communication and shared attachments networks from Enron email corpus. We further analyze degree, betweenness, closeness, and eigenvector centrality measures in both networks and review the differences and what can be learned from them. We use nearest neighbor algorithm to generate similarity groups for five Enron employees. The groups are consistent with Enron's organizational chart, which validates our approach.Comment: 12 pages, 4 figures, 7 tables, IML'17, Liverpool, U

A machine learning approach to detect insider threats in emails caused by human behaviour

In recent years, there has been a significant increase in insider threats within organisations and these have caused massive losses and damages. Due to the fact that email communications are a crucial part of the modern-day working environment, many insider threats exist within organisations’ email infrastructure. It is a well-known fact that employees not only dispatch ‘business-as-usual’ emails, but also emails that are completely unrelated to company business, perhaps even involving malicious activity and unethical behaviour. Such insider threat activities are mostly caused by employees who have legitimate access to their organisation’s resources, servers, and non-public data. However, these same employees abuse their privileges for personal gain or even to inflict malicious damage on the employer. The problem is that the high volume and velocity of email communication make it virtually impossible to minimise the risk of insider threat activities, by using techniques such as filtering and rule-based systems. The research presented in this dissertation suggests strategies to minimise the risk of insider threat via email systems by employing a machine-learning-based approach. This is done by studying and creating categories of malicious behaviours posed by insiders, and mapping these to phrases that would appear in email communications. Furthermore, a large email dataset is classified according to behavioural characteristics of employees. Machine learning algorithms are employed to identify commonly occurring insider threats and to group the occurrences according to insider threat classifications.Dissertation (MSc (Computer Science))--University of Pretoria, 2020.Computer ScienceMSc (Computer Science)Unrestricte