Detecting methods of virus email based on mail header and encoding anomaly

Abstract

In this paper, we try to develop a machine learning-based virus email detection method. The key feature of this paper is employing Mail Header and Encoding Anomaly(MHEA) [1]. MHEA is capable to distinguish virus emails from normal emails, and is composed of only 5 variables, which are obtained from particular email header fields. Generating signature from MHEA is easier than generating signature by analyzing a virus code, therefore, we feature MHEA as signature to distinguish virus emails. At first, we refine the element of MHEA by association analysis with our email dataset which is composed of 4,130 virus emails and 2,508 normal emails. The results indicate that the one element of MHEA should not be used to generate MHEA. Next, we explore a way to apply MHEA into detection methods against virus emails. Our proposed method is a hybrid of matching signature from MHEA(signature-based detection) and detecting with AdaBoost (anomaly detection). Our preliminary evaluation shows that f 1 measure is 0.9928 and error rate is 0.75% in the case of our hybrid method, which outperforms other types of detection methods. © 2009 Springer Berlin Heidelberg.