Detecting Abnormal Changes in E-mail Traffic Using Hierarchical Fuzzy Systems

Abstract

E-mail traffic analysis is an area of work that focuses on extracting information about the behaviour of e-mail users based on the sender, receiver, and date/time information taken from the header section of e-mail messages. Such work has applications for law enforcement where investigators and analysts require techniques to assist them with finding unusual or suspicious patterns from large amounts of communication log data. This paper describes work using hierarchical fuzzy systems to detect abnormal changes in e-mail traffic behaviour, through the fusion of e-mail traffic behaviour measurements. The paper focuses on the use of three different hierarchical fuzzy system architectures, to determine the effect that input variable groupings have on the abnormality ratings given to the communication links of suspect e-mail accounts. The case study demonstrates the use of the three hierarchical fuzzy system architectures for analysing suspect e-mail accounts belonging to the Enron e-mail corpus.