
Spear Phishing Email Detection with Multiple Reputation Features and Sample Enhancement

  • Conference paper
Science of Cyber Security (SciSec 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13580)


Abstract

Spear phishing is a complex targeted attack that has increased rapidly in recent years. Traditional email features based on the sender's behavior portrait cannot accurately characterize spear phishing emails, and detection is often hampered when the data set is small. To tackle these problems, this paper presents a new approach for detecting spear phishing attacks with the help of local and external reputation features. Our method extracts 8 local and 6 external reputation features derived from an analysis of spear phishing emails, combined with 4 forwarding features and 20 general features for more accurate detection. The Synthetic Minority Oversampling Technique (SMOTE) algorithm and an improved KM-SMOTE are applied to enhance the samples. We evaluate the features on a multi-source data set of over 41 thousand emails and achieve a recall of 86.89% and an accuracy of 88.33% in identifying spear phishing emails. With SMOTE, we improve the recall and precision to 91.80% and 93.55%, and the false positive rate is reduced by at least 22%. With KM-SMOTE, we achieve a better maximum recall of 95.08%, precision of 93.55% and F1-score of 94.31%.

Supported by Youth Innovation Promotion Association, CAS (No. 2020166), Key Laboratory of Network Assessment Technology, Chinese Academy of Sciences and Beijing Key Laboratory of Network Security and Protection Technology.
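
The abstract names SMOTE (Chawla et al., 2002) as the baseline sample-enhancement step for the small spear phishing class. The sketch below is an added illustration, not the paper's code: the three feature columns and all values are constructed, the function names are hypothetical, and KM-SMOTE is not shown because this page does not describe it.

```python
import math
import random

def smote(minority, n_new, k=3, seed=0):
    """Create n_new synthetic minority samples by interpolating between a
    randomly chosen minority sample and one of its k nearest minority neighbours."""
    if len(minority) < 2:
        raise ValueError("SMOTE needs at least two minority samples")
    rng = random.Random(seed)          # seeded so the run is reproducible
    k = min(k, len(minority) - 1)
    synthetic = []
    for _ in range(n_new):
        i = rng.randrange(len(minority))
        base = minority[i]
        # k nearest minority neighbours of the base sample, excluding itself
        neighbours = sorted(
            (s for j, s in enumerate(minority) if j != i),
            key=lambda s: math.dist(base, s),
        )[:k]
        other = rng.choice(neighbours)
        gap = rng.random()             # position on the segment base -> other
        synthetic.append(tuple(b + gap * (o - b) for b, o in zip(base, other)))
    return synthetic

def balance(minority, majority, k=3, seed=0):
    """Oversample the minority class until it matches the majority class size."""
    need = max(len(majority) - len(minority), 0)
    return list(minority) + smote(minority, need, k, seed)

# Constructed feature vectors, scaled to [0, 1]. Hypothetical columns:
# (local sender reputation, external domain reputation, forwarding score)
SPEAR = [(0.10, 0.20, 0.70), (0.15, 0.10, 0.80), (0.05, 0.30, 0.65), (0.20, 0.25, 0.90)]
BENIGN = [(0.90, 0.80, 0.10), (0.85, 0.95, 0.20), (0.70, 0.90, 0.05), (0.95, 0.85, 0.15),
          (0.80, 0.75, 0.10), (0.88, 0.92, 0.25), (0.75, 0.80, 0.30), (0.92, 0.70, 0.12)]

if __name__ == "__main__":
    enhanced = balance(SPEAR, BENIGN)
    print(f"spear phishing samples: {len(SPEAR)} real -> {len(enhanced)} after SMOTE")
    for vec in enhanced[len(SPEAR):]:
        print("synthetic:", tuple(round(v, 3) for v in vec))
```

Apply the oversampling to the training split only, after the train/test split, so that no synthetic point is derived from an email that is later used for evaluation.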




Correspondence to Zhiting Ling, Huamin Feng, Xuren Wang or Peian Yang.


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Ling, Z., Feng, H., Ding, X., Wang, X., Gao, C., Yang, P. (2022). Spear Phishing Email Detection with Multiple Reputation Features and Sample Enhancement. In: Su, C., Sakurai, K., Liu, F. (eds) Science of Cyber Security. SciSec 2022. Lecture Notes in Computer Science, vol 13580. Springer, Cham. https://doi.org/10.1007/978-3-031-17551-0_34


  • DOI: https://doi.org/10.1007/978-3-031-17551-0_34


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17550-3

  • Online ISBN: 978-3-031-17551-0

  • eBook Packages: Computer Science (R0)
