

Researchers Win $100,000 For New Spear-Phishing Detection Method (bleepingcomputer.com)

An anonymous reader writes: Facebook has awarded this year's Internet Defense Prize worth $100,000 to a team of researchers from the University of California, Berkeley, who came up with a new method of detecting spear-phishing attacks in closely monitored enterprise networks. The team created a detection system -- called DAS (Directed Anomaly Scoring) -- that identifies uncommon patterns in email communications. They trained DAS by having it analyze 370 million emails from a single large enterprise with thousands of employees, sent between March 2013 and January 2017.

"Out of 19 spearphishing attacks, our detector failed to detect 2 attacks," the research team said. "Our detector [also] achieved an average false positive rate of 0.004%," researchers added, pointing out that this is almost 200 times better than previous research.

Honorable mentions went to two other projects, one for using existing static analysis techniques to find a large number of vulnerabilities in Linux kernel drivers, and another for preventing specific classes of vulnerabilities in low-level code.

28 comments

  1. Fools by fahrbot-bot · · Score: 1

    Researchers Win $100,000 For New Spear-Phishing Detection Method

    You fools! The fish can use this for defense in the upcoming Global Fish War.

    --
    It must have been something you assimilated. . . .
    1. Re:Fools by __aaclcg7560 · · Score: 1

      That's why my daddy always used a quarter-stick of dynamite when fishing. The fishes won't know what hit them first.

  2. Should be 100% detection by Anonymous Coward · · Score: 0

    So they trained their algorithm using the data set, and then ran their algorithm against said data set.

    So how come they didn't get 100% success?

    1. Re: Should be 100% detection by Anonymous Coward · · Score: 0

      You can easily get 100% avoidance by just not using email and otherwise communicating with anybody.

    2. Re: Should be 100% detection by __aaclcg7560 · · Score: 3, Funny

      You can easily get 100% avoidance by just not using email and otherwise communicating with anybody.

      The prime contractor for the government project that I work on implemented an aggressive phishing campaign by their security consultants. Click on phishing email, take more training. Click on too many phishing emails, get written up. My coworkers and I stopped reading emails from the prime contractor, which was mostly password reset and IT notifications. Upper management is confused as to why so many project managers are relaying information in the weekly staff meetings instead of email. Maybe they should ask their security consultants.

  3. The honourable mentions are just Rust? by Anonymous Coward · · Score: 0

    Honorable mentions went to two other projects, one for using existing static analysis techniques to find a large number of vulnerabilities in Linux kernel drivers, and another for preventing specific classes of vulnerabilities in low-level code.

    It sounds to me like using the Rust programming language would have solved those problems. Rust is a systems programming language that guarantees memory safety and thread safety. It is also statically typed. If more software were written or rewritten in Rust, including the Linux kernel, then I think we'd have far more secure and safe software available to us.

    1. Re:The honourable mentions are just Rust? by Anonymous Coward · · Score: 0

      "guarantees memory safety and thread safety"
      This is not the first language to make this claim. Statistically speaking, Rust is barely a blip on the list of languages being used today. The problem of creating secure applications resides in the developers who use the languages. An incompetent programmer can take the safest language in existence and create the most insecure applications in record time. This is especially true when working in the low-level code used in operating systems and device drivers. And stop using the word "guarantee", because if the language were truly guaranteed then the user could hold Rust responsible for all the monetary or other damages done when the supposedly guaranteed programming language gets exploited. I work for a company required to undertake PCI audits. The auditors had the word "guaranteed" sprinkled throughout all their marketing materials and company literature. So I asked them: if we passed their audit and someone compromised our PCI processing systems, could we get our money back? If you are going to throw around the word guarantee, you best be able to back up your claims.

  4. 17/19 is not 100% by Anonymous Coward · · Score: 0

    It only takes one attack to get info to drain entire accounts.

    No one should have won if this was the best effort. What a joke.

  5. Manageable number of false positives by cmseagle · · Score: 1

    Their sample was 370 million emails over the course of four years. With a false positive rate of 0.004%, that works out to about 10 messages per day for a company with "thousands of employees." Impressive.

    1. Re:Manageable number of false positives by taustin · · Score: 0

      That's almost 1.5 million false positives, which works out to high hundreds or low thousands per employee.

      Versus 19 attacks, 2 of which slipped through.

      It is an accomplishment, but that's 1.5 million opportunities to ignore important, legitimate messages from business associates. One must make certain that one's employees are well trained in what this system actually can do.

    2. Re:Manageable number of false positives by Anonymous Coward · · Score: 1

      Rate of 0.004% on 370 million is 14,800... not 1,480,000.

    3. Re:Manageable number of false positives by __aaclcg7560 · · Score: 1

      Rate of 0.004% on 370 million is 14,800... not 1,480,000.

      The Windows Calculator was always dodgy with large numbers.

    4. Re:Manageable number of false positives by Anonymous Coward · · Score: 0

      So about 870 false warnings for every real phishing attack detected. Still seems like some work left to do...

    5. Re:Manageable number of false positives by guruevi · · Score: 1

      What actually happens is that people won't trust the 19 that it actually detects.

      Even if you ameliorate the statistics and say this is across 10,000 users which would be the best case, you're still talking about 1 positive warning for every ~10 negative warnings.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    6. Re:Manageable number of false positives by guruevi · · Score: 1

      That's still 14,800 errors per 19 or simplified:
      1 out of 778 warnings is true.

      Having nothing is better than this, give me $100,000 for saying "educate your users" and you'll have a much better detection rate. The stats have to be reversed, you should only have ~1% erroneous warnings.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
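The disagreement in this thread (1.5 million vs 14,800 false positives, "about 870" vs "1 out of 778") is a base-rate calculation, worked through here as an added example that is not from the original post or the paper; the 4-year span is an assumption standing in for March 2013 to January 2017, and the functions and their names are mine.

```python
# Alert statistics for a detector with a tiny false-positive rate applied to a
# huge volume of benign mail. Inputs are the figures quoted in the thread:
# 370M emails, 19 attacks, 17 detected, FPR 0.004%. Days are an assumption.
TOTAL_EMAILS = 370_000_000
ATTACKS = 19
DETECTED = 17
FPR_PERCENT = 0.004
DAYS = 4 * 365.25  # assumption: "four years" as one commenter put it


def alert_stats(total_emails=TOTAL_EMAILS, attacks=ATTACKS, detected=DETECTED,
                fpr_percent=FPR_PERCENT, days=DAYS):
    """Derive the figures the commenters argue about from the stated rates."""
    benign = total_emails - attacks
    false_positives = round(benign * fpr_percent / 100)  # ~14,800, not 1.48M
    total_alerts = false_positives + detected
    return {
        "false_positives": false_positives,
        "false_positives_per_day": false_positives / days,   # roughly 10
        "detection_rate": detected / attacks,                # 17/19
        "precision": detected / total_alerts,                # true alerts / all alerts
        "alerts_per_true_detection": total_alerts / detected,  # "about 870"
        "false_alerts_per_attack": false_positives / attacks,  # "1 out of 778"
    }


def fpr_for_precision(target_precision, total_emails=TOTAL_EMAILS,
                      attacks=ATTACKS, detected=DETECTED):
    """False-positive rate (in %) needed for a given share of alerts to be real.

    Shows why "only ~1% erroneous warnings" is out of reach at this base rate:
    with 17 true alerts, 99% precision allows fewer than one false positive
    across all 370M messages.
    """
    allowed_fp = detected * (1 - target_precision) / target_precision
    return allowed_fp / (total_emails - attacks) * 100


if __name__ == "__main__":
    for name, value in alert_stats().items():
        print(f"{name:28s} {value:,.4f}")
    print(f"FPR needed for 99% precision: {fpr_for_precision(0.99):.2e}%")
```

The useful takeaway for anyone deploying such a detector is that precision is governed by the benign volume, so the triage budget (alerts per day) matters more than the headline rate.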
  6. Re:Release by Anonymous Coward · · Score: 0

    You mean someone didn't leak them already? I thought that was the game here.

    C'mon bureaucrats waddya waiting for? Overpaid IRS employees you've had plenty of time.

  7. Yay Linux! by Gravis+Zero · · Score: 3, Insightful

    The "honorable mention" found 158 critical zero-days in Linux kernel drivers (out of thousands of drivers). While it's horrible that they existed, it's fantastic that there is a tool that can find them really quickly! I hope it can be adapted to work on drivers for other kernels. :)

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Yay Linux! by Anonymous Coward · · Score: 0

      Yeah, and look at the comparison chart and how well it compares to the competitors!

      Oh, wait. Something off about the chart...

  8. PGP by Hentes · · Score: 2

    Seriously, it's been over two decades.

    1. Re: PGP by Anonymous Coward · · Score: 3, Insightful

      Yeah, it's been two decades and email encryption and signing is still a horrible user experience, even for security professionals who understand it. It's no wonder it hasn't taken off.

  9. You mean just like CRM114, but less effective? by Anonymous Coward · · Score: 0

    Detecting "anomalies" is old hat in software, and works much better with Markovian rather than Bayesian analysis. And it's *much* faster in C than in "objective free programming". See the source code at:

    * http://crm114.sourceforge.net/

  10. Another possible tactic by Bohnanza · · Score: 1

    They could try telling people what to look out for instead of scaring them with arcane and meaningless terms such as "spear-phishing"

    --
    Sorry, I'm only a 1336 h4x0r.

    1. Re:Another possible tactic by jbmartin6 · · Score: 1

      I like to use the word "scam" instead which people already understand.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.