Detecting Targeted Malicious Email
May-June 2012 (vol. 10 no. 3)
pp. 64-71
Rohan M. Amin, George Washington University
Julie J.C.H. Ryan, George Washington University
Johan Rene van Dorp, George Washington University
Targeted malicious emails (TME) for computer network exploitation have become more insidious and more widely documented in recent years. Beyond spam or phishing designed to trick users into revealing personal information, TME can exploit computer networks and gather sensitive information. They can consist of coordinated and persistent campaigns that can span years. A new email-filtering technique based on email's persistent-threat and recipient-oriented features with a random forest classifier outperforms two traditional detection methods, SpamAssassin and ClamAV, while maintaining reasonable false positive rates.


Index Terms:
email, spam, threat, targeted attacks, TME spear phishing, recipient
Rohan M. Amin, Julie J.C.H. Ryan, Johan Rene van Dorp, "Detecting Targeted Malicious Email," IEEE Security & Privacy, vol. 10, no. 3, pp. 64-71, May-June 2012, doi:10.1109/MSP.2011.154