Holmes: An Efficient and Lightweight Semantic Based Anomalous Email Detector

by Peilun Wu, et al.

Email threats are a serious issue for enterprise security and cover a range of malicious scenarios, such as phishing, fraud, blackmail and malvertising. A traditional anti-spam gateway commonly maintains a greylist to filter out unwanted emails based on suspicious vocabulary in the mail subject and body. However, such a signature-based approach cannot effectively discover novel and unknown suspicious emails that exploit current hot topics, such as COVID-19 and the US election. To address this problem, in this paper we present Holmes, an efficient and lightweight semantic-based engine for anomalous email detection. Holmes converts each email event log into a sentence through word embedding and then extracts interesting items among them by novelty detection. Based on our observations, we claim that in an enterprise environment there is a stable relation between senders and receivers, whereas suspicious emails commonly come from unusual sources, which can be detected through rareness selection. We evaluate the performance of Holmes in a real-world enterprise environment that sends and receives around 5,000 emails each day. As a result, Holmes achieves a high detection rate (outputting around 200 suspicious emails per day) while maintaining a low false alarm rate for anomaly detection.
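The "stable relation between senders and receivers" that the abstract relies on can be made concrete as a rareness score: build a baseline of how often each sender domain, sender and sender-to-recipient pair has been seen, then rank today's mail by how surprising each message is under that baseline. The block below is an added illustration written for this page, not code from the Holmes paper or its authors. Its log format (plain sender/recipient pairs), the add-one-smoothed self-information score, and the sample traffic are all constructed assumptions; the word-embedding and novelty-detection stages of Holmes are not reproduced here.

```python
"""Sender-rarity selection over email event logs.

Added illustration of the "stable sender/receiver relation" idea; this is NOT
the authors' Holmes code. The log format, the score formula and the sample
traffic are assumptions constructed for the example.
"""
from collections import Counter
import math

# Constructed baseline: one week of (sender, recipient) pairs at a fictional
# enterprise whose staff use the corp.example domain.
BASELINE_EVENTS = (
    [("alice@corp.example", "bob@corp.example")] * 40
    + [("bob@corp.example", "alice@corp.example")] * 35
    + [("alice@corp.example", "finance@corp.example")] * 12
    + [("news@vendor.example", "finance@corp.example")] * 8
    + [("carol@partner.example", "bob@corp.example")] * 5
)


def build_profile(events):
    """Summarise historical traffic: counts per sender domain, per sender and
    per (sender, recipient) pair, plus the total volume."""
    return {
        "n": len(events),
        "domains": Counter(sender.split("@", 1)[1] for sender, _ in events),
        "senders": Counter(sender for sender, _ in events),
        "pairs": Counter(events),
    }


def _surprisal(count, total, vocab_size):
    """Add-one smoothed self-information in nats; never-seen items score highest."""
    return -math.log((count + 1) / (total + vocab_size))


def rarity_score(profile, sender, recipient):
    """Score one email as the summed surprisal of its sender domain, its sender
    and its exact sender->recipient pair under the baseline. A long-standing
    internal pair scores low; a first-time external domain scores high."""
    n = profile["n"]
    domain = sender.split("@", 1)[1]
    return (
        _surprisal(profile["domains"][domain], n, len(profile["domains"]))
        + _surprisal(profile["senders"][sender], n, len(profile["senders"]))
        + _surprisal(profile["pairs"][(sender, recipient)], n, len(profile["pairs"]))
    )


def select_rare(profile, events, top_k):
    """Return the top_k rarest events as (score, sender, recipient), rarest first."""
    scored = [(rarity_score(profile, s, r), s, r) for s, r in events]
    scored.sort(reverse=True)
    return scored[:top_k]


# Constructed 'today' traffic: three routine emails and one from a never-seen
# domain addressed to finance, the shape of a payment-fraud lure.
TODAY_EVENTS = [
    ("alice@corp.example", "bob@corp.example"),
    ("news@vendor.example", "finance@corp.example"),
    ("carol@partner.example", "bob@corp.example"),
    ("ceo-payments@pay-invoice-now.example", "finance@corp.example"),
]

if __name__ == "__main__":
    profile = build_profile(BASELINE_EVENTS)
    for score, sender, recipient in select_rare(profile, TODAY_EVENTS, top_k=2):
        print(f"{score:6.2f}  {sender} -> {recipient}")
```

The cut-off is a budget rather than a fixed threshold: with the abstract's figures (about 200 flagged out of roughly 5,000 emails a day) `top_k` would be set to about 4% of daily volume, and the baseline should be rebuilt on a rolling window so that a newly onboarded partner stops looking anomalous after a few days of traffic.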



