Securing Email Archives through User Modeling

Yiru Li
Carleton University

Anil Somayaji
Carleton University

Online email archives are an underprotected yet extremely sensitive
information resource. Email archives can store years' worth of
personal and business email in an easy-to-access form, one that is
much easier to compromise than messages being transmitted "on the
wire." Most email archives, however, are protected by reusable
passwords that are often weak and can be easily compromised. To
protect such archives, we propose a novel user-centric design
for an anomaly-based email archive intrusion detection system. As a
first step towards building such a system, we have developed a simple
probabilistic model of user email behavior that correlates email
senders and a user's disposition of emails. In tests using data
gathered from three months of observed user behavior and synthetic
models of attacker behavior, this model exhibits a low rate of false
positives (generally one false alarm every few weeks) while still
detecting most attacks. These results suggest that anomaly detection
is a feasible strategy for securing email archives, one that does not
require changes in user authentication or access patterns.
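To make the sender/disposition idea concrete, here is an added illustrative model (not the paper's own code or its exact model): a smoothed per-sender distribution over what the user does with each message, scored as the mean surprise of a session. The disposition categories, the training history, the two sessions and the alarm threshold are all constructed assumptions.

```python
from collections import Counter, defaultdict
from math import log

# Dispositions a user can apply to a message. This is an assumed category set;
# the abstract does not list the ones the paper's model uses.
DISPOSITIONS = ("read", "reply", "forward", "delete", "archive")

class SenderDispositionModel:
    """Smoothed per-sender distribution of how a user disposes of that sender's mail."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha                  # Laplace smoothing: unseen pairs are rare, not impossible
        self.counts = defaultdict(Counter)  # sender -> Counter of dispositions

    def train(self, events):
        for sender, disposition in events:
            self.counts[sender][disposition] += 1

    def prob(self, sender, disposition):
        """P(disposition | sender); a never-seen sender collapses to the uniform prior."""
        c = self.counts.get(sender, Counter())
        total = sum(c.values()) + self.alpha * len(DISPOSITIONS)
        return (c[disposition] + self.alpha) / total

    def surprise(self, events):
        """Mean negative log2-likelihood of a session; high values mean unusual behaviour."""
        return sum(-log(self.prob(s, d), 2) for s, d in events) / len(events)

# Constructed training history standing in for months of observed user behaviour.
TRAINING = ([("boss@example.com", "reply")] * 8 + [("boss@example.com", "read")] * 2
            + [("news@example.com", "delete")] * 9 + [("news@example.com", "read")]
            + [("friend@example.com", "read")] * 5 + [("friend@example.com", "reply")] * 5)

# Constructed sessions: the legitimate user, and an intruder who forwards everything
# out of the archive regardless of who sent it.
NORMAL_SESSION = [("boss@example.com", "reply"), ("news@example.com", "delete"),
                  ("friend@example.com", "read")]
ATTACK_SESSION = [("boss@example.com", "forward"), ("news@example.com", "forward"),
                  ("friend@example.com", "forward")]

def score_sessions(threshold=2.0):
    """Return (normal_score, attack_score, alarms); the threshold is an assumed value."""
    model = SenderDispositionModel()
    model.train(TRAINING)
    scores = {name: model.surprise(s) for name, s in
              (("normal", NORMAL_SESSION), ("attack", ATTACK_SESSION))}
    alarms = {name: score > threshold for name, score in scores.items()}
    return scores["normal"], scores["attack"], alarms

if __name__ == "__main__":
    print(score_sessions())
```

In a deployment the threshold would be tuned against observed sessions to hit an acceptable false-alarm rate, which is the trade-off the abstract's "one false alarm every few weeks" figure describes.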

Keywords: anomaly intrusion detection, user behavior modeling, statistical models, email account security

