Researchers at Ben-Gurion University of the Negev (BGU) have developed a new way to detect new and unknown malicious emails, sent by hackers to deliver dangerous content to victims via attachments or links to malicious websites. The method is more accurate than the most popular antivirus software products on the market, the researchers said in a statement on Thursday.
“Existing email analysis solutions only analyze specific email elements using rule-based methods, and don’t analyze other important parts,” said Nir Nissim, head of the David and Janet Polak Family Malware Lab at the cyber department of the university. Antivirus software solutions mainly use “signature-based detection methods, and therefore are insufficient for detecting new, unknown malicious emails.”
The new method, called Email-Sec-360°, was developed by Aviad Cohen, a PhD student and researcher at the BGU Malware Lab. The research, published in the scientific journal Expert Systems with Applications, is based on machine learning methods and makes use of 100 general descriptive features extracted from the various components of emails, including the header, body and attachments. The methodology provides “enhanced threat detection in real time,” the statement said.
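To make the approach concrete, the following is an added illustration written for this page, not code from the BGU lab or from Email-Sec-360°: it parses a raw email, pulls descriptive features out of the header, the body and the attachments (an assumed handful, not the paper's 100), and feeds them to a small nearest-centroid classifier trained on a corpus of four constructed messages. The feature names, the risky-extension list, the `.invalid` addresses and the sample emails are all assumptions made here for the example.

```python
"""Added example (not Email-Sec-360° code): whole-email descriptive features
from header, body and attachments, classified by a nearest-centroid model.
Feature set, extension list and corpus are constructed for illustration."""
import math
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
RISKY_EXT = (".exe", ".js", ".scr", ".vbs", ".bat", ".hta")  # assumed list
FEATURE_NAMES = ("n_headers", "n_recipients", "reply_to_mismatch", "subject_len",
                 "subject_exclaim", "n_urls", "n_words", "has_html",
                 "n_attachments", "risky_attachment", "attachment_bytes")


def _domain(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    m = re.search(r"@([\w.-]+)", header_value)
    return m.group(1).lower() if m else ""


def extract_features(raw):
    """Parse raw RFC 5322 bytes and return one numeric feature per FEATURE_NAMES."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = str(msg.get("From") or "")
    reply_to = str(msg.get("Reply-To") or "")
    subject = str(msg.get("Subject") or "")
    recipients = [a for h in ("To", "Cc")
                  for a in str(msg.get(h) or "").split(",") if a.strip()]
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    attachments = list(msg.iter_attachments())
    names = [(a.get_filename() or "").lower() for a in attachments]
    sizes = [len(a.get_payload(decode=True) or b"") for a in attachments]
    return {
        "n_headers": len(msg.keys()),                      # header features
        "n_recipients": len(recipients),
        "reply_to_mismatch": int(bool(reply_to) and _domain(reply_to) != _domain(sender)),
        "subject_len": len(subject),
        "subject_exclaim": subject.count("!"),
        "n_urls": len(URL_RE.findall(body)),               # body features
        "n_words": len(body.split()),
        "has_html": int(msg.get_body(preferencelist=("html",)) is not None),
        "n_attachments": len(attachments),                  # attachment features
        "risky_attachment": int(any(n.endswith(RISKY_EXT) for n in names)),
        "attachment_bytes": sum(sizes),
    }


def train(samples):
    """samples: list of (feature dict, label). Scale each feature by its max,
    then keep one centroid per label."""
    scale = [max(max(f[n] for f, _ in samples), 1) for n in FEATURE_NAMES]
    centroids = {}
    for label in {lbl for _, lbl in samples}:
        vecs = [[f[n] / s for n, s in zip(FEATURE_NAMES, scale)]
                for f, lbl in samples if lbl == label]
        centroids[label] = [sum(col) / len(vecs) for col in zip(*vecs)]
    return {"scale": scale, "centroids": centroids}


def predict(model, feats):
    """Label whose centroid is nearest (Euclidean) to the scaled feature vector."""
    v = [feats[n] / s for n, s in zip(FEATURE_NAMES, model["scale"])]
    dist = {lbl: math.dist(v, c) for lbl, c in model["centroids"].items()}
    return min(dist, key=dist.get)


def build(sender, to, subject, body, reply_to=None, html=False, attachment=None):
    """Assemble a raw message for the constructed corpus."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, to, subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body, subtype="html" if html else "plain")
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()


CORPUS = [  # constructed samples; .invalid is a reserved placeholder TLD
    (build("alice@example.com", "bob@example.com", "Meeting notes",
           "Hi Bob, today's notes are attached; full record at http://intranet.example.com/notes",
           attachment=("notes.txt", b"action items: none")), "benign"),
    (build("hr@example.com", "staff@example.com", "Holiday schedule",
           "The office is closed on Friday. Enjoy the long weekend."), "benign"),
    (build("IT Support <support@example.com>", "bob@example.com",
           "URGENT!! Account verification required!!",
           '<p>Verify now: <a href="http://verify.invalid/a">here</a> or '
           '<a href="http://verify.invalid/b">here</a></p>',
           reply_to="ops@mail.invalid", html=True,
           attachment=("form.exe", b"MZ placeholder")), "malicious"),
    (build("billing@shop.invalid", "bob@example.com", "Invoice overdue!",
           '<p>Open <a href="http://pay.invalid/inv">invoice</a></p>',
           reply_to="collect@other.invalid", html=True,
           attachment=("invoice.js", b"// placeholder")), "malicious"),
]

TEST_MAIL = build("Helpdesk <helpdesk@example.com>", "bob@example.com", "Password reset!!",
                  '<p><a href="http://reset.invalid/1">Reset</a> '
                  '<a href="http://reset.invalid/2">now</a></p>',
                  reply_to="desk@elsewhere.invalid", html=True,
                  attachment=("reset.scr", b"placeholder"))


def train_demo_model():
    return train([(extract_features(raw), lbl) for raw, lbl in CORPUS])


if __name__ == "__main__":
    model = train_demo_model()
    print(extract_features(TEST_MAIL))
    print("verdict:", predict(model, extract_features(TEST_MAIL)))
```

The point the example makes is the one the article attributes to the researchers: none of these features is a signature of a particular attachment or URL, so an email never seen before still lands near one centroid or the other on the strength of its overall shape (mismatched Reply-To, HTML body with links, an executable attachment). A real deployment would replace the nearest-centroid step with a properly trained and validated model and would extend the feature set; the extraction layer is the part worth keeping.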
For their experiments, the researchers used a collection of 33,142 emails (12,835 malicious and 20,307 benign) obtained between 2013 and 2016. They compared their detection model to 60 industry-leading antivirus engines as well as previous research, and found their system outperformed the next best antivirus engine by 13 percent — significantly better than other products including those of antivirus firms Kaspersky, McAfee and Avast.
“In future work, we are interested in extending our research and integrating analysis of attachments such as PDFs and Microsoft Office documents within Email-Sec-360°, since these are often used by hackers to get users to open and propagate viruses and malware,” Nissim said. These analysis methods have already been developed by the BGU lab, he said.
The Malware Lab researchers are also considering developing an online system that evaluates the security risk posed by an email message. It would be based on advanced machine learning methods and allow users worldwide to submit suspicious email messages and instantly obtain a maliciousness score and a recommendation on how to treat the email.
In addition, the system would assist in collecting benign and malicious emails for research purposes which, due to privacy issues, is currently a very difficult task for researchers in this arena.