2001 FREENIX Track Technical Program - Abstract
MEF: Malicious Email Filter
A UNIX Mail Filter that Detects Malicious Windows Executables
Matthew G. Schultz and Eleazar Eskin, Columbia University; Erez Zadok, State University of New York at Stony Brook; Manasi Bhattacharyya and Salvatore J. Stolfo, Columbia University
Abstract
We present Malicious Email Filter, MEF, a freely distributed malicious
binary filter incorporated into Procmail that can detect malicious Windows
attachments by integrating with a UNIX mail server. The system has three
capabilities: detection of known and unknown malicious attachments, tracking
the propagation of malicious attachments, and efficient model update algorithms.
The system filters multiple malicious attachments in an email by using
detection models obtained from data mining over known malicious
attachments. It leverages preliminary research in data mining applied
to malicious executables, which allows the detection of previously
unseen malicious attachments.
In addition, the system provides a method for monitoring and measurement of the
spread of malicious attachments. Finally, the system also allows for the
efficient propagation of detection models from a central server. These updated
models can be downloaded by a system administrator and easily incorporated into
the current model.
The system will be released under GPL in June 2001.
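The abstract describes the filter pipeline at a high level: a mail filter receives the message from the MTA, pulls out the attachments, decides which ones are Windows executables, and scores each against a detection model mined from labelled samples. The following is an added illustration of that pipeline, written for this page and not code from MEF or its authors. It assumes a stdlib-only Python setting, a constructed toy model (log-probabilities for a handful of printable-string features, invented for the example), and a constructed sample message; MEF's real feature sets, model format and Procmail recipe are not reproduced here.

```python
"""Mail-filter skeleton in the spirit of MEF (added example, not MEF's own code)."""
import email
import math
import re
import struct
import sys
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed toy model: log P(feature | class) for a few printable-string
# features. A real model would be mined from a labelled corpus of executables;
# these values are illustrative only.
TOY_MODEL = {
    "malicious": {"CreateRemoteThread": -0.7, "WriteProcessMemory": -0.8,
                  "URLDownloadToFile": -0.9, "GetVersion": -1.5},
    "benign":    {"CreateRemoteThread": -4.0, "WriteProcessMemory": -4.0,
                  "URLDownloadToFile": -3.5, "GetVersion": -1.2},
}
UNSEEN_LOGPROB = -3.0                      # smoothing for a vocabulary feature a class never saw
PRIOR = {"malicious": math.log(0.5), "benign": math.log(0.5)}
PRINTABLE_STRING = re.compile(rb"[\x20-\x7e]{4,}")


def is_pe_executable(data: bytes) -> bool:
    """Identify a Windows PE by content, not by filename extension.

    Requires an MZ stub whose e_lfanew field (offset 0x3C) points at 'PE\\0\\0'.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_features(data: bytes) -> set:
    """Printable strings of length >= 4, one feature family used in the underlying research."""
    return {s.decode("ascii") for s in PRINTABLE_STRING.findall(data)}


def classify(features: set, model=TOY_MODEL) -> str:
    """Naive-Bayes style scoring: return the class with the highest log posterior."""
    vocabulary = set().union(*model.values())
    scores = {}
    for label, table in model.items():
        score = PRIOR[label]
        for f in features & vocabulary:        # features outside the vocabulary carry no signal
            score += table.get(f, UNSEEN_LOGPROB)
        scores[label] = score
    return max(scores, key=scores.get)


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and score every PE attachment it carries."""
    msg = email.message_from_bytes(raw)
    verdicts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)   # undo base64 / quoted-printable
        if not payload or not is_pe_executable(payload):
            continue
        name = part.get_filename() or "<unnamed>"
        verdicts.append((name, classify(extract_features(payload))))
    return verdicts


def build_fake_pe(strings: list) -> bytes:
    """Constructed PE-shaped blob: MZ stub, e_lfanew -> 'PE\\0\\0', then NUL-separated strings."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00".join(strings)


def build_sample_message(attachments: list) -> bytes:
    """Constructed multipart message with the given (filename, bytes) attachments."""
    msg = MIMEMultipart()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "constructed sample"
    msg.attach(MIMEText("see attached"))
    for name, blob in attachments:
        part = MIMEApplication(blob, Name=name)
        part["Content-Disposition"] = f'attachment; filename="{name}"'
        msg.attach(part)
    return msg.as_bytes()


if __name__ == "__main__":
    # A Procmail filter recipe hands the message on stdin; print one verdict per PE attachment.
    for filename, verdict in scan_message(sys.stdin.buffer.read()):
        print(f"{filename}: {verdict}")
```

Two design points are worth noting for anyone building something similar. The executable check keys on the MZ/PE structure rather than on a `.exe` extension, so a renamed attachment is still examined. The classifier ignores strings that are outside the model's vocabulary, which is what lets a model mined from known samples generalize to an attachment it has never seen, as the abstract describes; the quality of that generalization depends entirely on the corpus the real model was mined from.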