Cybersecurity (Feb 2025)
A combined feature selection approach for malicious email detection based on a comprehensive email dataset
Abstract
In recent years, new malicious email attacks have emerged. We summarize two major challenges in the current field of malicious email detection using machine learning algorithms. (1) Current works on malicious email detection use different datasets and lack a unified, comprehensive open source dataset standard for evaluating detection performance. In addition, outdated data makes it difficult to detect new types of malicious email attacks. (2) There are limitations in feature selection and extraction. Relying only on static features or on body textual features cannot adequately detect both common phishing or spam emails and new malicious emails that exploit protocol vulnerabilities. To address these problems, we propose the Exploiting Protocol Vulnerability Malicious Email (EPVME) dataset, which contains 49,136 malicious email samples. The EPVME dataset is constructed by summarizing and simulating the novel types of malicious email attacks that exploit email protocol vulnerabilities. Our dataset significantly increases both the coverage of malicious email types and the number of samples. By collecting the currently available open source datasets, we build a large-scale dataset with 660,985 samples. Through two sets of comparative experiments on the dataset containing EPVME, we verify the necessity, reliability, and validity of the EPVME dataset. By providing a large and comprehensive open source email dataset, we hope to help subsequent work on malicious email detection be evaluated on a comparable basis. Furthermore, we propose a new feature selection and construction method that combines both static features and textual features. We extract 79 static features from both the header and body parts of email samples, perform textual feature extraction on the pre-processed body parts, and combine various machine learning algorithms for detection model construction and experimental comparison. Our detection model achieves an accuracy of 99.968% and a false positive rate of 0.099%.
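The feature-construction idea described in the abstract (static header and body-structure features combined with textual features of the pre-processed body), shown as an added example that is not the paper's code: the handful of static features and the constructed sample message below are illustrative assumptions, not the paper's 79 features or its dataset, and the tokenizer stands in for whatever textual feature extraction the paper uses.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
TAG_RE = re.compile(r"<[^>]+>")
TOKEN_RE = re.compile(r"[a-z]{2,}")
# Constructed sample (not real traffic): RFC-reserved names and a TEST-NET-3 address.
SAMPLE = """\
Received: from mx1.example.net by mail.example.org; Mon, 3 Feb 2025 10:00:00 +0000
Received: from [203.0.113.5] by mx1.example.net; Mon, 3 Feb 2025 09:59:58 +0000
Authentication-Results: mail.example.org; spf=fail smtp.mailfrom=example.com
From: "IT Support" <helpdesk@example.com>
Reply-To: <helpdesk@mail-example.test>
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. <a href="https://login.mail-example.test/reset">Reset it now</a>.</p>
"""

def _domain(header_value):  # lower-cased domain of the first address ('' if none)
    return parseaddr(header_value or "")[1].partition("@")[2].lower()

def _body_text(msg):
    # Decode and join every text/* part; non-text parts only feed the attachment count
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            chunks.append((part.get_payload(decode=True) or b"").decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def static_features(msg, body):
    # Header- and structure-level features: an assumed set, not the paper's 79
    return {
        "n_received": len(msg.get_all("Received", [])),
        "has_auth_results": int(msg.get("Authentication-Results") is not None),
        "from_replyto_mismatch": int(_domain(msg.get("Reply-To")) not in ("", _domain(msg.get("From")))),
        "n_urls": len(URL_RE.findall(body)),
        "is_html": int(any(p.get_content_type() == "text/html" for p in msg.walk())),
        "n_attachments": sum(1 for p in msg.walk() if p.get_filename()),
    }

def textual_features(body):
    # Pre-process the body (drop URLs and tags, lower-case) and count word tokens
    return Counter(TOKEN_RE.findall(TAG_RE.sub(" ", URL_RE.sub(" ", body)).lower()))

def combined_features(raw_message):
    msg = message_from_string(raw_message)
    body = _body_text(msg)
    return {"static": static_features(msg, body), "text": textual_features(body)}
```

Feeding `combined_features(SAMPLE)` to a classifier requires vectorising the token counts (for example with a fixed vocabulary) and concatenating them with the static feature values; that step depends on the learning algorithm chosen.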
Keywords