2001 FREENIX Track Technical Program - Abstract
MEF: Malicious Email Filter
Matthew G. Schultz and Eleazar Eskin, Columbia University; Erez Zadok, State University of New York at Stony Brook; Manasi Bhattacharyya and Salvatore J. Stolfo, Columbia University
A UNIX Mail Filter that Detects Malicious Windows Executables
We present Malicious Email Filter, MEF, a freely distributed malicious
binary filter incorporated into Procmail that can detect malicious Windows
attachments by integrating with a UNIX mail server. The system has three
capabilities: detection of known and unknown malicious attachments, tracking
the propagation of malicious attachments and efficient model update algorithms.
The system filters multiple malicious attachments in an email by using
detection models obtained from data mining over known malicious
attachments. It leverages preliminary research in data mining applied
to malicious executables which allows the detection of previously
unseen, malicious attachments.
In addition, the system provides a method for monitoring and measurement of the
spread of malicious attachments. Finally, the system also allows for the
efficient propagation of detection models from a central server. These updated
models can be downloaded by a system administrator and easily incorporated into
the current model.
The system will be released under GPL in June 2001.