Check out the new USENIX Web site.
2001 USENIX Annual Technical Conference, June 25-30, 2001, Boston, MA

Pp. 245–252 of the Proceedings

next up previous
Next: Introduction

MEF: Malicious Email Filter
A UNIX Mail Filter that Detects Malicious Windows Executables

Matthew G. Schultz and Eleazar Eskin
Department of Computer Science
Columbia University
{mgs,eeskin}@cs.columbia.edu - Erez Zadok
Department of Computer Science
State University of New York at Stony Brook
ezk@cs.sunysb.edu - Manasi Bhattacharyya, and Salvatore J. Stolfo
Department of Computer Science
Columbia University
{mb551,sal}@cs.columbia.edu

Abstract:

We present Malicious Email Filter, MEF, a freely distributed malicious binary filter incorporated into Procmail that can detect malicious Windows attachments by integrating with a UNIX mail server. The system has three capabilities: detection of known and unknown malicious attachments, tracking the propagation of malicious attachments and efficient model update algorithms.

The system filters multiple malicious attachments in an email by using detection models obtained from data mining over known malicious attachments. It leverages preliminary research in data mining applied to malicious executables which allows the detection of previously unseen, malicious attachments. In addition, the system provides a method for monitoring and measurement of the spread of malicious attachments. Finally, the system also allows for the efficient propagation of detection models from a central server. These updated models can be downloaded by a system administrator and easily incorporated into the current model. The system will be released under GPL in June 2001.



 
next up previous
Next: Introduction
Matthew G. Schultz
2001-05-01




This paper was originally published in the Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference, June 25-30, 2001, Boston, Masssachusetts, USA

Last changed: 21 June 2001 bleu

Technical Program
Conference index
USENIX Home