
    Towards Adversarial Phishing Detection


    Holmes: An Efficient and Lightweight Semantic Based Anomalous Email Detector

    Email threat is a serious issue for enterprise security and consists of various malicious scenarios, such as phishing, fraud, blackmail and malvertisement. Traditional anti-spam gateways commonly require maintaining a greylist to filter out unexpected emails based on suspicious vocabulary present in the mail subject and content. However, the signature-based approach cannot effectively discover novel and unknown suspicious emails that exploit current hot topics, such as COVID-19 and the US election. To address the problem, in this paper, we present Holmes, an efficient and lightweight semantic-based engine for anomalous email detection. Holmes converts each email event log to a sentence through word embedding, then extracts interesting items among them by novelty detection. Based on our observations, we claim that, in an enterprise environment, there is a stable relation between senders and receivers, whereas suspicious emails commonly come from unusual sources, which can be detected through rareness selection. We evaluate the performance of Holmes in a real-world enterprise environment in which around 5,000 emails are sent and received each day. As a result, Holmes achieves a high detection rate (outputting around 200 suspicious emails per day) while maintaining a low false alarm rate for anomaly detection.

    An adaptive approach for internet phishing detection based on log data

    The Internet has become one of the most important venues for daily social, financial and other activities. The number of customers who use the Internet to conduct their business and purchases is very large. This results in billions of dollars being transferred online every day. Such a large amount of money attracts the attention of cybercriminals, who carry out their illegal activities there. “Fraud” is one of the most dangerous of these methods, especially phishing, where attackers try to steal user credentials using fraudulent emails, fake websites, or both. The system proposed in this paper includes efficient data extraction from the web file through data collection and preprocessing, a web usage mining procedure to extract features that characterise user behaviour, and feature-extracting URL analysis to detect phishing website addresses. After that, the features from the above two parts are combined, bringing the number of features to sixty-three. Finally, a classification algorithm (Random Forests) is applied to determine whether website addresses are phishing or legitimate. The performance of the suggested algorithm is measured using a confusion matrix and a number of metrics that show the robustness of the proposed system.

    Detecting and characterizing lateral phishing at scale

    We present the first large-scale characterization of lateral phishing attacks, based on a dataset of 113 million employee-sent emails from 92 enterprise organizations. In a lateral phishing attack, adversaries leverage a compromised enterprise account to send phishing emails to other users, benefitting from both the implicit trust and the information in the hijacked user's account. We develop a classifier that finds hundreds of real-world lateral phishing emails, while generating under four false positives per one million employee-sent emails. Drawing on the attacks we detect, as well as a corpus of user-reported incidents, we quantify the scale of lateral phishing, identify several thematic content and recipient targeting strategies that attackers follow, illuminate two types of sophisticated behaviors that attackers exhibit, and estimate the success rate of these attacks. Collectively, these results expand our mental models of the 'enterprise attacker' and shed light on the current state of enterprise phishing attacks.

    Phishing Sites Detection from a Web Developer’s Perspective Using Machine Learning

    The Internet has enabled unprecedented communication and new technologies. Concomitantly, it has brought the bane of phishing and exacerbated vulnerabilities. In this paper, we propose a model to detect phishing webpages from a web developer’s perspective. From this standpoint, we design 120 novel features based on webpage content, four time-based and two search-based novel features, and additionally use 34 other content-based and 11 heuristic features to optimize the model. Moreover, we select Random Committee (base learner: Random Tree) for our framework since it has the best performance when compared with six other algorithms: Hellinger Distance Decision Tree, SVM, Logistic Regression, J48, Naive Bayes, and Random Forest. In real-time experiments, the model achieved 99.4% precision and 98.3% MCC with a 0.1% false positive rate in 5-fold cross-validation using the realistic scenario of an unbalanced dataset.

    A taxonomy of attacks and a survey of defence mechanisms for semantic social engineering attacks

    Social engineering is used as an umbrella term for a broad spectrum of computer exploitations that employ a variety of attack vectors and strategies to psychologically manipulate a user. Semantic attacks are the specific type of social engineering attacks that bypass technical defences by actively manipulating object characteristics, such as platform or system applications, to deceive rather than directly attack the user. Commonly observed examples include obfuscated URLs, phishing emails, drive-by downloads, spoofed websites and scareware, to name a few. This paper presents a taxonomy of semantic attacks, as well as a survey of applicable defences. By contrasting the threat landscape and the associated mitigation techniques in a single comparative matrix, we identify the areas where further research can be particularly beneficial.

    MARA and public user characteristics in response to phishing emails

    “Social Engineering” refers to attacks that deceive, persuade and influence an individual to provide information or perform an action that will benefit the attackers. Fraudulent and deceptive individuals use social engineering traps and tactics through Social Networking Sites (SNSs) and electronic communication forms to trick users into obeying them, accepting threats, and falling victim to various silent crimes such as phishing, clickjacking, malware installation, sexual abuse, financial abuse, identity theft and physical crime. Although computers can enhance our work activities, e.g., through greater efficiency in document production and ease of communication, reliance on these benefits has been reduced by the introduction of social engineering threats. Phishing email results in significant losses, estimated at billions of dollars, to organisations and individual users every year. According to the 2019 statistics report from retruster.com, the average financial cost of a data breach is 3.8 million dollars, with 90% of it coming from phishing attacks on user accounts. To reduce users’ vulnerability to phishing emails, we need first to understand the users’ detection behaviour. Many research studies focus only on whether participants respond to phishing or not. A widely held view that we endorse is that this continuing challenge of email is not wholly technical in nature and thereby cannot be entirely resolved through technical measures. Instead, we have here a socio-technical problem whose resolution requires attention to both technical issues and end-users’ specific attitudes and behavioural characteristics. Using a sequential exploratory mixed method approach, qualitative grounded theory is used to explore and generate an in-depth understanding of what phishing characteristics influence email users to judge the attacker as credible, and why. Quantitative experiments are used to relate participants’ characteristics with their behaviour. The study was carefully designed to ensure that valid data could be collected without harm to participants, and with University Ethics Committee approval. The research output is a new model to explain the impact of users’ characteristics on their detection behaviour. The model was tested through two study groups, namely Public and MARA. In addition, the final model was tested using structural equation modelling (SEM). This showed that the proposed model explains 17% and 39%, respectively, of the variance in Public and MARA participants’ tendency to respond to phishing emails. The results also explained which, and to what extent, phishing characteristics influence users’ judgement of sender credibility.