Online email archives can store years' worth of sensitive personal and business information. However, the standard authentication mechanism used by most email archives, reusable text passwords, is weak and can easily be compromised. To protect such archives, I propose a novel user-specific design for an anomaly-based email archive intrusion detection system. The design contains two parts: user-tailored modelling and user-involved alarm response. As a first step towards building such a system, I have developed a simple probabilistic model of user email behavior that correlates email senders and users' dispositions of email messages. In tests using data gathered from three months of observed user behavior and synthetic models of attacker behavior, this model exhibits a low rate of false positives (generally one false alarm every few weeks) while still detecting most attacks. These results suggest that anomaly detection is a feasible strategy for securing email archives, one that does not require changes in user authentication or access patterns.