Ben-Gurion University researchers compared their detection model to 60 industry-leading antivirus engines as well as previous research, and found their system outperformed the next best antivirus engine by 13 percent — significantly better than products including Kaspersky, McAfee and Avast. Source: Ben-Gurion U. (Cyber@bgu)

In an effort to thwart unknown, malicious emails, researchers from Ben-Gurion University of the Negev (BGU) Malware Lab have created a new technique for detecting malicious emails that might one day rival the most popular antivirus software products currently on the market.

"Existing email analysis solutions only analyze specific email elements using rule-based methods, and don't analyze other important parts," says Dr. Nir Nissim, head of the David and Janet Polak Family Malware Lab at Cyber@BGU, and a member of the Department of Industrial Engineering and Management. "Moreover, existing antivirus engines primarily use signature-based detection methods, and therefore are insufficient for detecting new, unknown malicious emails."

Called Email-Sec-360°, the technique takes a page from machine learning methods, leveraging 100 standard descriptive features culled from all facets of an email, including the body, the header and any attachments. Capable of providing enhanced threat detection in real-time, the technique doesn’t require internet access, meaning it can be deployed by both organizations and individuals alike.
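The article does not list the 100 features Email-Sec-360° uses, so the following is an added illustration rather than the BGU lab's code: it shows what "descriptive features culled from the header, body and attachments" means in practice, using only Python's standard library so that, like the technique described, it needs no internet access. The feature names, the list of risky attachment extensions and the two constructed sample emails are all assumptions made for this example.

```python
"""Added example: descriptive feature extraction from a raw email.

Not the BGU lab's code. The handful of features below is a hypothetical
subset chosen to illustrate the idea; the real system uses about 100.
"""
import os
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Assumed list of extensions an analyst would treat as higher risk.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".bat", ".jar", ".hta"}

# Fixed feature order, so the dict can be turned into a vector for a classifier.
FEATURE_ORDER = [
    "header_count", "recipient_count", "from_name_looks_like_address",
    "reply_to_domain_mismatch", "has_html", "body_length", "url_count",
    "distinct_url_domains", "attachment_count", "risky_attachment_count",
    "double_extension_attachments",
]


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def extract_features(raw: bytes) -> dict:
    """Parse one RFC 5322 message and compute header, body and attachment features."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)

    # Header features: volume of headers, recipients, sender/reply-to consistency.
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    to_header = msg.get("To")
    recipient_count = len(to_header.addresses) if to_header else 0
    reply_mismatch = int(bool(reply_addr) and _domain(reply_addr) != _domain(from_addr))

    # Body features: prefer the HTML part if present, else plain text.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body_text = body_part.get_content() if body_part else ""
    has_html = int(body_part is not None and body_part.get_content_type() == "text/html")
    urls = URL_RE.findall(body_text)
    url_domains = {(urlsplit(u).hostname or "").lower() for u in urls}

    # Attachment features: count, risky extensions, double extensions.
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    risky = sum(1 for n in names if os.path.splitext(n)[1].lower() in RISKY_EXTENSIONS)
    double_ext = sum(1 for n in names if n.count(".") >= 2)

    return {
        "header_count": len(msg.keys()),
        "recipient_count": recipient_count,
        "from_name_looks_like_address": int("@" in from_name),
        "reply_to_domain_mismatch": reply_mismatch,
        "has_html": has_html,
        "body_length": len(body_text),
        "url_count": len(urls),
        "distinct_url_domains": len(url_domains),
        "attachment_count": len(names),
        "risky_attachment_count": risky,
        "double_extension_attachments": double_ext,
    }


def feature_vector(features: dict) -> list:
    """Order the features so they can be fed to a machine-learning model."""
    return [features[name] for name in FEATURE_ORDER]


def build_sample_email(suspicious: bool) -> bytes:
    """Constructed sample messages (not real mail) for running the extractor offline."""
    msg = EmailMessage()
    msg["From"] = "IT Support <helpdesk@example-corp.test>"
    msg["To"] = "alice@example-corp.test, bob@example-corp.test"
    msg["Subject"] = "Quarterly invoice"
    if suspicious:
        msg["Reply-To"] = "helpdesk@mail-relay.test"
        msg.set_content("Please review the attached invoice.")
        msg.add_alternative(
            '<p>Please <a href="http://invoice-portal.test/login">sign in</a> to view.</p>',
            subtype="html")
        msg.add_attachment(b"not a real executable", maintype="application",
                           subtype="octet-stream", filename="invoice.pdf.exe")
    else:
        msg.set_content("Hi both, the Q3 invoice is attached.")
        msg.add_attachment(b"not a real pdf", maintype="application",
                           subtype="pdf", filename="q3-invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for label in (False, True):
        print("suspicious" if label else "benign", feature_vector(extract_features(build_sample_email(label))))
```

Each feature is computed from the message alone, which is the property that lets such a model run locally. In a real deployment the vector would be the input to a trained classifier; the extractor itself makes no verdict.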

To determine the success rate of the new technique, researchers worked with a database of over 33,000 emails, of which over 12,800 were malicious and over 20,000 were benign. Measuring their model against well-known antivirus programs showed that the Ben-Gurion model outperformed the second-best antivirus program by 13 percent.

"In future work, we are extending our research and integrating analysis of attachments such as PDFs and Microsoft Office documents within Email-Sec-360°, since these are often used by hackers to get users to open and propagate viruses and malware," Dr. Nissim said. "These analysis methods have already been developed by the David and Janet Polak Family Malware Lab at BGU."

The research team hopes to develop an online system that will help evaluate the security risk of email messages submitted by users worldwide. The system would incorporate advanced machine learning methods to determine the threat the emails posed, possibly assigning a maliciousness score.

To contact the author of this article, email mdonlon@globalspec.com