Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analyzing Behavioral Features for Email Classification.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Analyzing Behavioral Features for Email Classification."— Presentation transcript:

1 Analyzing Behavioral Features for Email Classification

2 Steve Martin, Anil Sewani, Blaine Nelson, Karl Chen, and Anthony Joseph {steve0, anil, nelsonb, quarl, adj}@cs.berkeley.edu University of California at Berkeley

3 The Problem: Email Abuse Email has become globally ubiquitous –By 2006, email traffic is expected to surge to 60 billion messages daily. However, spam accounts for half the email sent on a daily basis worldwide. Nearly all of the most virulent worms of 2004 spread by email. Email system abuse results in huge damage costs.

4 Current Email Analysis Many current methods for detecting email abuse examine characteristics of incoming email. Example: Spam Detection –Calculate statistical features on received mail and classify each message separately. Example: Virus Scanning –Generate a hash value on each incoming message, compare with stored database of values. –Signatures must be predetermined by human analyst. Can be effective, but room for improvement.

5 Our Approach Huge corpus of ignored data: outgoing email! –Can’t profile user email behavior with incoming email. –Outgoing email contains this information. Calculate features on outgoing email. –Observe a wide variety of statistics. Build a statistical understanding of user behavior. –Use to classify email sent by individual users. –Can detect sudden changes in behavior, such as worm/spam activity.

6 Ex. Outgoing Email Features Per-Email Features Email Contains HTML? Email Contains Scripts? Email Contains Images? Email Contains Links? MIME Types of Attachments Number of Attachments Number of Words in Body Number of Words in Subject Number of Chars in Subject... Per-User Features (calc’d over a window of email) Frequency of Email Sending No. of Unique ‘To’ Addr. No. of Unique ‘From’ Addr. Ratio Emails w/ Attachments Average Word Length Avg. No. of Words/Body Avg. No. of Words/Subject Variance in Word Length Variance in No. Words/Body...

7 1. Histogram Analysis Histograms of separate users over specific features allow similarity estimation. Example below: on left, two users, same feature. On right, difference between values. –Shows how these users differ over this feature. –Can use to detect differences in behavior between these two users.

8 Per-Feature Histograms

9 2. Covariance Analysis Goal: identify features that vary most significantly with the labels. Method 1: Principal Component Analysis (PCA) –Determines a linear combination of relevant features that maximize variance. –Does not take labels or redundancy into account. Method 2: Directions of Max Covariance –Determines directions in feature space that maximize the covariance between data and labels. –Modified to take potential feature redundancy into account.

10 Greedy Feature Ranking Rank features with a simple greedy approach using Directions of Max Covariance: –Rank features by their contribution to the first principal component of covariance matrix: cov[data,labels Feature Ranking Algorithm Set F = all features While F is not empty: CovMat = Empirical Covariance Matrix V = principle component vector of CovMat via SVD. Select feature f from principle component of V Modify (deflate) CovMat to eliminate redundancy F = F - f

11 Feature Ranking Results

12 Application: Worm Detection Can apply statistical learning on outgoing email to detect/prevent novel worm propagation. –Success depends on ability of features to identify anomalous behavior. Constructed training/test sets of real email traffic artificially ‘infected’ with viruses. Applied feature selection techniques, then tested with different models.

13 Example Results Features added greedily using selection algorithm. Graphs show exists an optimal set of features, beyond which performance decreases. Support Vector MachinesNaïve Bayes Classifier

14 Conclusions and Future Work Conclusion: analysis of email behavior could have many applications. –Feature selection is extremely important to model performance. In the future, study effects of feature selection on classification accuracy for other statistical models Try similar analysis on existing anti-spam solutions. Cluster user behavior into sets of common models describing general behavior patterns.

Download ppt "Analyzing Behavioral Features for Email Classification."

Similar presentations

Applications of one-class classification

Applications of one-class classification
Component Analysis (Review)

Component Analysis (Review)
Principal Component Analysis Based on L1-Norm Maximization Nojun Kwak IEEE Transactions on Pattern Analysis and Machine Intelligence, 2008.

Principal Component Analysis Based on L1-Norm Maximization Nojun Kwak IEEE Transactions on Pattern Analysis and Machine Intelligence, 2008.
Data Mining Feature Selection. Data reduction: Obtain a reduced representation of the data set that is much smaller in volume but yet produces the same.

Data Mining Feature Selection. Data reduction: Obtain a reduced representation of the data set that is much smaller in volume but yet produces the same.
Dimensionality Reduction PCA -- SVD

Dimensionality Reduction PCA -- SVD
An Overview of Machine Learning

An Overview of Machine Learning
Minimum Redundancy and Maximum Relevance Feature Selection

Minimum Redundancy and Maximum Relevance Feature Selection
Face Recognition and Biometric Systems

Face Recognition and Biometric Systems
CSC 380 Algorithm Project Presentation Spam Detection Algorithms Kyle McCombs Bridget Kelly.

CSC 380 Algorithm Project Presentation Spam Detection Algorithms Kyle McCombs Bridget Kelly.
SurroundSense: Mobile Phone Localization via Ambience Fingerprinting Written by Martin Azizyan, Ionut Constandache, & Romit Choudhury Presented by Craig.

SurroundSense: Mobile Phone Localization via Ambience Fingerprinting Written by Martin Azizyan, Ionut Constandache, & Romit Choudhury Presented by Craig.
Learning on User Behavior for Novel Worm Detection.

Learning on User Behavior for Novel Worm Detection.
EE 290A: Generalized Principal Component Analysis Lecture 6: Iterative Methods for Mixture-Model Segmentation Sastry & Yang © Spring, 2011EE 290A, University.

EE 290A: Generalized Principal Component Analysis Lecture 6: Iterative Methods for Mixture-Model Segmentation Sastry & Yang © Spring, 2011EE 290A, University.
UNDERSTANDING VISIBLE AND LATENT INTERACTIONS IN ONLINE SOCIAL NETWORK Presented by: Nisha Ranga Under guidance of : Prof. Augustin Chaintreau.

UNDERSTANDING VISIBLE AND LATENT INTERACTIONS IN ONLINE SOCIAL NETWORK Presented by: Nisha Ranga Under guidance of : Prof. Augustin Chaintreau.
Using Structure Indices for Efficient Approximation of Network Properties Matthew J. Rattigan, Marc Maier, and David Jensen University of Massachusetts.

Using Structure Indices for Efficient Approximation of Network Properties Matthew J. Rattigan, Marc Maier, and David Jensen University of Massachusetts.
Multi-Scale Analysis for Network Traffic Prediction and Anomaly Detection Ling Huang Joint work with Anthony Joseph and Nina Taft January, 2005.

Multi-Scale Analysis for Network Traffic Prediction and Anomaly Detection Ling Huang Joint work with Anthony Joseph and Nina Taft January, 2005.
Pattern Recognition. Introduction. Definitions.. Recognition process. Recognition process relates input signal to the stored concepts about the object.

Pattern Recognition. Introduction. Definitions.. Recognition process. Recognition process relates input signal to the stored concepts about the object.
Statistical Methods for long-range forecast By Syunji Takahashi Climate Prediction Division JMA.

Statistical Methods for long-range forecast By Syunji Takahashi Climate Prediction Division JMA.
SMS Mobile Botnet Detection Using A Multi-Agent System Abdullah Alzahrani, Natalia Stakhanova, and Ali A. Ghorbani Faculty of Computer Science, University.

SMS Mobile Botnet Detection Using A Multi-Agent System Abdullah Alzahrani, Natalia Stakhanova, and Ali A. Ghorbani Faculty of Computer Science, University.
TrustPort Net Gateway Email traffic protection. WWW.TRUSTPORT.COM Keep It Secure Entry point protection –Clear separation of the risky internet and secured.

TrustPort Net Gateway traffic protection. Keep It Secure Entry point protection –Clear separation of the risky internet and secured.
Spam? Not any more !! Detecting spam emails using neural networks ECE/CS/ME 539 Project presentation Submitted by Sivanadyan, Thiagarajan.

Spam? Not any more !! Detecting spam s using neural networks ECE/CS/ME 539 Project presentation Submitted by Sivanadyan, Thiagarajan.

Similar presentations

Ads by Google