Title: Fully Automated Real-time Spear Phishing Detection
Speaker: Lior Gavish (Barracuda)
Date: November 1, 2017
Location: Gates 463A
In the past few years, spear phishing and email-borne social engineering have become one of the most costly security threats, causing over $5 billion in reported losses. These attacks take several forms: some ask the recipient to wire transfer money to the attacker's account, others ask for W2 forms containing social security numbers, and some trick the recipient into sending their credentials by impersonating a widely used service like Microsoft Outlook. Existing security systems fail to detect spear phishing, because the emails typically do not contain overtly malicious attachments or links, and are personalized to each recipient. Prior research requires manual work from security analysts to inspect emails individually, and suffers from low accuracy and a high false positive rate.
We present Sentinel, a security system that automatically detects and quarantines spear phishing attacks in real time using supervised learning, without requiring any manual analysis or configuration. The key insight of Sentinel is to automatically learn the historical communication patterns of each organization, and use these patterns to detect anomalies. Sentinel leverages the APIs of cloud-based email systems (e.g., Office 365 and GMail), both to automatically learn the historical communication patterns of each organization within hours, and to quarantine emails in real time. Sentinel achieves false positive rates of less than one in a million emails, and accuracy above 95%.
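The abstract does not describe Sentinel's features or model, so the following is an added illustration rather than the system's own code: a small Python baseline-and-anomaly check that learns, from a constructed message history, which addresses each display name has used, which sending domains are familiar, and who normally writes to whom, then scores a new message against that baseline. The rules (new address behind a known display name, look-alike sending domain, mismatched Reply-To, never-seen sender/recipient pair) are hand-written heuristics standing in for the supervised classifier the talk describes; the message dictionaries, names and domains are constructed, and the quarantine threshold is an assumed parameter.

```python
"""Toy per-organization baseline + anomaly scoring for inbound mail.
Added example; not Sentinel's code. All senders, domains and messages
below are constructed for illustration."""
from collections import defaultdict
from email.utils import parseaddr


def _split(header):
    """Return (display_name, address), both lower-cased, from a From-style header."""
    name, addr = parseaddr(header or "")
    return name.strip().lower(), addr.strip().lower()


def build_baseline(history):
    """Learn the organization's normal communication patterns from past mail:
    which addresses each display name has used, which sending domains are
    familiar, and which sender->recipient pairs have been observed."""
    addresses_by_name = defaultdict(set)
    known_domains = set()
    seen_pairs = set()
    for msg in history:
        name, addr = _split(msg["from"])
        if not addr:
            continue
        if name:
            addresses_by_name[name].add(addr)
        known_domains.add(addr.rsplit("@", 1)[-1])
        for rcpt in msg.get("to", []):
            seen_pairs.add((addr, _split(rcpt)[1]))
    return {"names": dict(addresses_by_name), "domains": known_domains, "pairs": seen_pairs}


def _edit_distance(a, b):
    """Levenshtein distance; used to spot look-alike domains (e.g. one swapped character)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(msg, baseline, quarantine_threshold=2):
    """Score one inbound message against the baseline. Each anomaly adds one
    point; messages at or above the (assumed) threshold are flagged for quarantine."""
    reasons = []
    name, addr = _split(msg["from"])
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    known_addrs = baseline["names"].get(name)
    if known_addrs and addr not in known_addrs:
        reasons.append("display name previously used with a different address")
    if domain and domain not in baseline["domains"]:
        for d in baseline["domains"]:
            if 0 < _edit_distance(domain, d) <= 2:
                reasons.append(f"sender domain {domain!r} resembles known domain {d!r}")
                break
    _, reply_to = _split(msg.get("reply-to"))
    if reply_to and reply_to != addr:
        reasons.append("reply-to address differs from sender")
    for rcpt in msg.get("to", []):
        if (addr, _split(rcpt)[1]) not in baseline["pairs"]:
            reasons.append("sender has not previously written to this recipient")
            break
    score = len(reasons)
    return {"score": score, "quarantine": score >= quarantine_threshold, "reasons": reasons}


# Constructed history: the kind of data a mailbox API could return for past months.
HISTORY = [
    {"from": "Alice Chen <alice@example.com>", "to": ["bob@example.com"]},
    {"from": "Alice Chen <alice@example.com>", "to": ["finance@example.com"]},
    {"from": "Bob Ortiz <bob@example.com>", "to": ["alice@example.com"]},
]

# Constructed test messages: a routine note and a look-alike-domain impersonation.
BENIGN = {"from": "Alice Chen <alice@example.com>", "to": ["bob@example.com"]}
SUSPECT = {
    "from": "Alice Chen <alice.chen@examp1e.com>",
    "reply-to": "payments@examp1e.com",
    "to": ["finance@example.com"],
}

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for label, m in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, score_message(m, baseline))
```

The benign message scores 0 and the impersonation scores 4, but note that the never-seen-recipient rule alone would also fire for every legitimate first contact; this is exactly the false-positive pressure that makes a learned model, rather than fixed rules, necessary to reach the one-in-a-million rate the abstract claims.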