An Approach for Detecting Malicious Emails Using Runtime Monitoring with Hidden Data

Corporate Author:

Naval Postgraduate School Monterey United States

Computer systems continue to be at risk of attack by malicious software attached to email. Email has been determined to be the cause of 80% of computer virus infections, and millions of dollars are lost yearly to the damage caused by malicious emails. Popular defenses against malicious emails are antivirus scanners and server-based filters, and state-of-the-art methods are being employed to enhance protection against malicious programs. Despite these efforts to protect the personal information carried in email, malicious programs continue to pose a significant threat. This thesis presents a hybrid of runtime monitoring and machine learning for monitoring the patterns of malicious emails. The system gathers emails and classifies them as suspicious, unknown, or benign. Applying runtime monitoring reduces the chance that suspicious emails spread and lowers the likelihood that users are harmed. Patterns were developed to facilitate the detection of threats and to apply validation rules to the identified patterns while tracking them. The runtime monitoring system detects malicious emails by assessing the pattern in which they are sent and assigning them to one of the states suspicious, unknown, or benign. Through the application of the system, it would be possible to reduce the threat that malicious emails pose to private individuals and corporations. We performed deterministic runtime monitoring, built a Hidden Markov Model (HMM), and performed runtime monitoring with hidden data. It is the reasoning about the patterns of malicious emails with hidden artifacts that offers the potential for improved classification.

Descriptive Note:

Technical Report

Distribution Statement:

Approved For Public Release;
