SubStop: An analysis on subscription email bombing attack and machine learning based mitigation

Impact factor 3.2, JCR Q2 (Computer Science, Information Systems)
Aurobinda Laha, Md Tahmid Yasar, Yu Cheng
High-Confidence Computing, Volume 2, Issue 4, Article 100086, published 1 December 2022 (journal article, not open access).
DOI: 10.1016/j.hcc.2022.100086
Publisher page: https://www.sciencedirect.com/science/article/pii/S2667295222000381
Citations: 0

Abstract

Email bombing, a kind of denial-of-service (DoS) attack, is crippling internet users and has been on the rise recently. A particularly notorious variant is the subscription bombing attack, in which a victim's inbox is bombarded with a stream of subscription emails over a particular period. Such an attack helps the perpetrator hide their real motive behind a barrage of legitimate-looking emails. The main challenge in detecting subscription bombing is that most of the attacking emails appear legitimate and benign, and can therefore bypass existing anti-spam filters. To shed some light on how bombing attacks might be detected, in this paper we first conduct a reverse engineering study of the Gmail anti-spam mechanism (as this information is not publicly available) and an in-depth feature analysis of real-life bombing attack emails. Leveraging the insights from the reverse engineering study and the data analysis, we propose a novel layered detection architecture, termed SubStop, to detect and mitigate subscription bombs. SubStop exploits statistics of the incoming volume, the source domain distribution, and the correlation among different features, and applies machine learning to achieve effective detection. Specifically, we use a weighted support vector machine (WSVM) and tune the class weights to achieve high accuracy in detecting bombing attacks. Despite the scarcity of public email data sets, we conduct extensive experiments on a real-life subscription bomb attack and on real-time attacks launched against test email accounts with our bombing simulation script (which is facilitated by our reverse engineering findings). Detailed experimental results show that the proposed architecture is robust and highly accurate in detecting and mitigating subscription bombing attacks.
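The layered design the abstract sketches (per-window volume statistics, source-domain distribution, a class-weighted SVM whose class weights favour the rare attack class, and a mitigation step) can be shown end to end in a few dozen lines. The script below is an added example written for this page; it is not the authors' SubStop code, and the paper does not disclose its actual features, thresholds or training data. Everything here is an assumption for illustration: the ten-minute window, the subject-line regex used as an opt-in hint, the three "baseline" domains standing in for a user's usual correspondents, the constructed training windows, and a hinge-loss subgradient trainer that stands in for a proper weighted SVM so the example runs offline without scikit-learn.

```python
"""Layered subscription-bomb detector in the spirit of the SubStop description.

Added example, not code from the SubStop paper.  Layers: per-window volume statistics,
source-domain distribution (distinct domains, Shannon entropy), and a class-weighted
linear SVM trained by subgradient descent on the hinge loss, standing in for the paper's
weighted SVM (WSVM) so the script runs without sklearn.  All mail data is constructed.
"""
from collections import Counter
from dataclasses import dataclass
import math
import re

@dataclass
class Email:
    ts: int              # seconds since the start of the observation period
    sender_domain: str
    subject: str

# Subject-line hints typical of opt-in confirmation mail (assumed heuristic).
SUBSCRIPTION_RE = re.compile(r"confirm|verify|welcome|subscri|newsletter|sign[- ]?up", re.I)
WINDOW = 600  # seconds per observation window (assumed)
BASELINE_DOMAINS = ["corp.example", "friend.example", "bank.example"]  # user's usual senders (assumed)

def window_features(emails, window_start, window_len=WINDOW):
    """[message count, distinct sender domains, domain entropy in bits,
    share of subscription-style subjects] for one time window."""
    batch = [e for e in emails if window_start <= e.ts < window_start + window_len]
    n = len(batch)
    if n == 0:
        return [0.0, 0.0, 0.0, 0.0]
    domains = Counter(e.sender_domain for e in batch)
    entropy = -sum((c / n) * math.log2(c / n) for c in domains.values())
    sub_ratio = sum(1 for e in batch if SUBSCRIPTION_RE.search(e.subject)) / n
    return [float(n), float(len(domains)), entropy, sub_ratio]

def make_window(start, count, domains, sub_share):
    """Constructed traffic: `count` mails spread evenly over one window, cycling through
    `domains`; the first `sub_share` fraction carry confirmation-style subjects."""
    mails = []
    for i in range(count):
        subject = ("Please confirm your subscription" if i < int(count * sub_share)
                   else "Re: meeting notes")
        mails.append(Email(start + (i * WINDOW) // count, domains[i % len(domains)], subject))
    return mails

def build_dataset():
    """Labelled training windows (constructed): 12 quiet windows, 3 bombing windows."""
    X, y = [], []
    for k in range(12):        # 2-7 mails from 1-3 familiar domains, opt-in mail rare
        mails = make_window(k * WINDOW, 2 + k % 6, BASELINE_DOMAINS[:1 + k % 3],
                            0.3 if k % 4 == 0 else 0.0)
        X.append(window_features(mails, k * WINDOW)); y.append(-1)
    for k in range(3):         # 80-240 mails from 40-120 unseen domains, 90% confirmations
        start = (100 + k) * WINDOW
        mails = make_window(start, 80 * (k + 1),
                            [f"shop{i}.example" for i in range(40 * (k + 1))], 0.9)
        X.append(window_features(mails, start)); y.append(+1)
    return X, y

def fit_scaler(X):            # per-feature maxima, so raw counts do not swamp the ratios
    return [max(col) or 1.0 for col in zip(*X)]

def scale(x, maxes):
    return [v / m for v, m in zip(x, maxes)]

def train_weighted_svm(X, y, class_weight, epochs=400, lam=0.01, lr=0.05):
    """Linear SVM by subgradient descent on the class-weighted hinge loss.
    class_weight[+1] > class_weight[-1] makes a missed bombing window cost more
    than a false alarm, which is what buys recall on the rare attack class."""
    w, b = [0.0] * len(X[0]), 0.0
    for _ in range(epochs):
        for xi, yi in zip(X, y):
            margin = yi * (sum(wj * xj for wj, xj in zip(w, xi)) + b)
            w = [wj * (1 - lr * lam) for wj in w]      # L2 shrinkage step
            if margin < 1:                             # hinge subgradient, weighted by class
                cw = class_weight[yi]
                w = [wj + lr * cw * yi * xj for wj, xj in zip(w, xi)]
                b += lr * cw * yi
    return w, b

def predict(model, x):
    w, b = model
    return 1 if sum(wj * xj for wj, xj in zip(w, x)) + b >= 0 else -1

class SubscriptionBombDetector:
    """Statistics layers feed the weighted SVM; flagged windows are triaged by domain."""
    def __init__(self, class_weight=None):
        X, y = build_dataset()
        self.maxes = fit_scaler(X)
        self.model = train_weighted_svm([scale(x, self.maxes) for x in X], y,
                                        class_weight or {1: 4.0, -1: 1.0})
    def classify(self, emails, window_start):
        feats = window_features(emails, window_start)
        return "bomb" if predict(self.model, scale(feats, self.maxes)) == 1 else "normal"
    def triage(self, emails, window_start):
        """Mitigation: in a flagged window keep mail from baseline domains in the inbox and
        divert the rest, so the barrage cannot bury the message it was meant to hide."""
        if self.classify(emails, window_start) == "normal":
            return list(emails), []
        keep = [e for e in emails if e.sender_domain in BASELINE_DOMAINS]
        return keep, [e for e in emails if e.sender_domain not in BASELINE_DOMAINS]
```

To try it, build `SubscriptionBombDetector()`, feed `classify`/`triage` a list of `Email` records with the window's start time, and compare a quiet window of a few mails from known domains with a window of a hundred-plus confirmation mails from dozens of fresh domains. The triage step is the part that matters operationally: a bomb is usually cover for a real notification (a password change, an order confirmation), so diverting everything in the window would complete the attacker's job; the baseline-domain allowlist keeps that one message visible while the noise is parked elsewhere.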
